prevent nmap to show open/close port of my server

unclesamcrazy · 06-27-2014, 12:13 AM

I have a linux server and it can be accessed by IP inside LAN and outside LAN.
If anyone installs nmap or similar program, one can see the open/closed ports of my server.
Is there any setting so no one should be able to see my server's ports in any condition?

Lots of things are installed on it like openfire, webmin, ftp, ssh, mailserver(smtp), svn, apache, mysql etc
It shows them like an open book, anyone can know list of installed programs through ports and try to break them.

Please help.

pan64 · 06-27-2014, 12:22 AM

that makes no sense for me. If you want to use those apps you need to open those ports... From the other hand you can use a firewall to restrict access to that box. (blocked ips will not see anything, allowed ips will see what was allowed to them).

unSpawn · 06-27-2014, 04:06 AM

Quote:

Originally Posted by unclesamcrazy

Lots of things are installed on it like openfire, webmin, ftp, ssh, mailserver(smtp), svn, apache, mysql etc
It shows them like an open book, anyone can know list of installed programs through ports and try to break them.

Learn that scans will happen and since you do not control remote end points you can not prevent them from happening. Having a router in front of the machine may restrict access using isolation (DMZ) and limit access by carefully choosing the ports to be forwarded (also see reverse proxy).

So. What you should do first is harden your machine according to your Linux distributions (security) documentation. That step should include anything from using separate unprivileged user accounts, strong passwords, no root access but pubkey-only SSH access via unprivileged users, setting up regular auditing and reporting etc, etc. and testing your setup from remote, to make the machine more resilient. This step should never be skipped for networked machines.

Building on top of that next determine which services need to be exposed (publicly for all, limited access or not at all) and then set access restrictions accordingly. For example you should not expose certain services until they're actually used from remote like MySQL (make it use a UNIX socket) and there is no valid reason (at all) to expose certain services like Webmin and OpenFires web-based administration panels publicly (firewall IP address range white listing, .htaccess).

Also be aware a web server may provide multiple points of entry due to what services it provides: statistics, shopping carts, photo galleries, bulletin boards, web logs, any (third party!) themes and plug-ins all should be secured according to 0) system, 1) web servers and 2) product documentation, next to general recommendations or Best Practices.

If you need to provide certain services to the world then see if you can get away with providing only the SSL-ized version (IMAPS, HTTPS, FTPS) or providing access via a SSH tunnel. Make them use rate limiting, have fail2ban or an equivalent and Logwatch watch logs for anomalies and attacks.

If and when you have done all of that, then you can concentrate on probes and scans that successfully penetrated your setup. Not the other way around, that's simply not an effective admin approach.

Madhu Desai · 06-27-2014, 08:30 AM

Install psad.

TB0ne · 06-27-2014, 09:31 AM

Quote:

Originally Posted by mddesai

Install psad.

How would that prevent someone from doing a port-scan?

John VV · 06-27-2014, 12:41 PM

iptables normally is set for "stealth"
so no response is the normal and not ( open / closed)

unSpawn · 06-30-2014, 11:42 AM

Quote:

Originally Posted by John VV

iptables normally is set for "stealth"

No, it isn't and it normally shouldn't even be.

JeremyBoden · 07-01-2014, 07:10 PM

For example

Code:

jeremy@hector:~$ nmap -v -A www.linuxquestions.org

Starting Nmap 6.40 ( http://nmap.org ) at 2014-07-02 01:04 BST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 01:04
Scanning www.linuxquestions.org (75.126.162.205) [2 ports]
Completed Ping Scan at 01:04, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:04
Completed Parallel DNS resolution of 1 host. at 01:04, 0.01s elapsed
Initiating Connect Scan at 01:04
Scanning www.linuxquestions.org (75.126.162.205) [1000 ports]
Discovered open port 80/tcp on 75.126.162.205
Discovered open port 443/tcp on 75.126.162.205
Completed Connect Scan at 01:04, 8.87s elapsed (1000 total ports)
Initiating Service scan at 01:04
Scanning 2 services on www.linuxquestions.org (75.126.162.205)
Completed Service scan at 01:04, 6.43s elapsed (2 services on 1 host)
NSE: Script scanning 75.126.162.205.
Initiating NSE at 01:04
Completed NSE at 01:05, 22.89s elapsed
Nmap scan report for www.linuxquestions.org (75.126.162.205)
Host is up (0.15s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE            VERSION
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http               nginx
|_http-favicon: Unknown favicon MD5: 156AE67BD1AC56523C1F096815917C35
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
| http-robots.txt: 31 disallowed entries (15 shown)
| /questions/attachment.php /questions/avatar.php 
| /questions/editpost.php /questions/member.php /questions/memberlist.php 
| /questions/misc.php /questions/moderator.php /questions/newreply.php 
| /questions/newthread.php /questions/online.php /questions/postings.php 
| /questions/printthread.php /questions/private.php /questions/private2.php 
|_/questions/report.php
|_http-title: HTTP Error 403
110/tcp  closed pop3
143/tcp  closed imap
443/tcp  open   http               nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=www.linuxquestions.org
| Issuer: commonName=GeoTrust DV SSL CA/organizationName=GeoTrust Inc./countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-06-23T18:25:28+00:00
| Not valid after:  2014-08-26T13:05:52+00:00
| MD5:   fcaa 0b27 af2c 5c5a c330 fe51 89cd 144a
|_SHA-1: c38a 6737 f2b6 b65c 5322 0444 71b1 877d bec6 04c2
|_ssl-date: 2014-07-02T00:04:52+00:00; -1s from local time.
2323/tcp closed 3d-nfsd
4662/tcp closed edonkey
6346/tcp closed gnutella
6699/tcp closed napster
6881/tcp closed bittorrent-tracker
7778/tcp closed interwise

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.93 seconds
jeremy@hector:~$