LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-27-2005, 04:52 PM   #1
onmountain
LQ Newbie
 
Registered: Oct 2005
Distribution: Debian
Posts: 16

Rep: Reputation: 0
Can't close all ports using shorewall


Hi. Pulling my hair out after 3 days of debugging:
I have debian linux server running. Am running shorewall as stand-alone server. I was able to implment port knocking, secure my ssh port, etc.

Seems to work great, except when I ran tests from Tenable NeWT Security Scanner on one of my PCs, I continue to see 3 ports open that I can't explain:
ftp port 21/tcp
smtp port 25/tcp
pop3 port 110/tcp

I have no processes using those ports - output of netstat -natu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN
tcp 0 0 192.1.2.15:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.1.2.15:1980 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32782 127.0.0.1:9999 ESTABLISHED
tcp 0 232 192.1.2.15:22 192.1.2.195:4705 ESTABLISHED
tcp 0 0 127.0.0.1:9999 127.0.0.1:32782 ESTABLISHED

I will go thru them:
9999 is a zoe server (used in zope/plone websites), on my internal local machine.
80 is my pound server dishing out the webpages (see below)
8081 is internal local machine again, a zeo client taking stuff from 9999 and sending it out to previous pound on an exposed port 80
22 is my ssh (I secure thsi using a port knocking scheme)
1980 is webdav, part of the zope system

So I understand what is listening and using the ports, but why would this port scanner show those 3 open? I even downloaded GFI LANGuard and got same results.

My /etc/shorewall/rules file is as follows (at its end):
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT fw net icmp
DROP net fw tcp ftp
DROP net fw tcp 25
DROP net fw tcp 110
AllowWeb net fw
SSHKnock:info net fw tcp 22,6698,6699,6700
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


I even tried REJECT instead of the DROP for those three... Any help woudl be appreciated.

BTW, my IP's listed above are all in my LAN so are not realworld :-)
 
Old 10-28-2005, 01:19 PM   #2
onmountain
LQ Newbie
 
Registered: Oct 2005
Distribution: Debian
Posts: 16

Original Poster
Rep: Reputation: 0
Could it be that I used ftp or SMTP from "inside"?

I am really perplexed, but have one partial thoery. I know I have used apt-get and installed or updated parts of my system - could it be that the port "remembers" somehow that ftp was used from the "inside" to download stuff from the outside. I want that to be enabled, just want to keep people from getting to the port from the outside.

SMTP may also be used by zope/plone to get mail SENT out from the website. It never gets email sent in, so got rid of all the email stuff from my system - or so I believe. I also have never implmented or configured anything involving pop3 on this box. This was form a clean install.

 
Old 10-30-2005, 05:16 PM   #3
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 51
What's in your /etc/shorewall/policy file? If you comment out the DROP entries (DROP net fw tcp ftp
DROP net fw tcp 25
DROP net fw tcp 110) what happens then?
 
Old 10-31-2005, 03:30 PM   #4
onmountain
LQ Newbie
 
Registered: Oct 2005
Distribution: Debian
Posts: 16

Original Poster
Rep: Reputation: 0
My /etc/shorewall/policy just has the following at the end:


#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


I don't think I changed anything from the defaults when I installed it. As far as the DROP statements, I added that in and have also removed them - they have no effect when I run the port scans.


This is what I get when I run the NeWT Security Scanner - and basically the same when I run the GFI LanGuard scanner:

smtp (25/tcp)
Port is open
Plugin ID : 11219


ftp (21/tcp)
Port is open
Plugin ID : 11219


pop3 (110/tcp)
Port is open
Plugin ID : 11219


http (80/tcp)
Port is open
Plugin ID : 11219


The 80 makes sense, but the others do not.

 
Old 10-31-2005, 05:00 PM   #5
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 51
Try running shields up https://www.grc.com/x/ne.dll?bh0bkyd2 and see what ports are open
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to Close Ports janderson622 Linux - Security 21 01-04-2007 06:59 PM
close all my ports pixelV Slackware 18 12-30-2004 06:49 AM
How can I close ports? nectron101 Linux - Networking 3 11-28-2004 12:22 AM
shorewall and mandrake, some ports open i can't close chil326 Linux - Security 1 11-01-2004 11:28 PM
How do I close ports ksgill Linux - Newbie 9 10-09-2003 10:06 PM


All times are GMT -5. The time now is 09:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration