LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-26-2005, 07:24 PM   #1
subjazz
Member
 
Registered: May 2004
Location: Rodeo by the Bay
Distribution: Ubuntu;dosbox;Debian;BSD 6.0
Posts: 65

Disabling ports 708-781?


How does one disable ports that change after every reboot, as seen from a port scan?
One day port 708 is open. The lsof -i command shows that it is in LISTEN mode and I am able to telnet from localhost to that port. The next time I reboot, a remote port scan shows a different port open, like port 745. All the ports are in the 708-781 range, but only one port is open each time I turn my computer on.
I tried updating inetd. Nothing in inetd.conf (which is very sparse in Debian) or /etc/services that I can see refers to those ports.
Never seen anything like this before.
I have pmfirewall and security updates in place.
Thanks for any help.
 
Old 09-26-2005, 07:50 PM   #2
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Try nmap to get an idea of what is using the port. Then you can decide if it's required; if not, stop the service.
 
Old 09-26-2005, 07:54 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

(It's not "How does one disable ports", but how does one stop open sockets from being publicly accessible...)
I'd say for now (as a quick measure in case you can't pinpoint the process) just block the range you mentioned; I haven't seen any IANA-registered services in the range you mentioned.
"lsof -ni tcp:[portnumber]" (or netstat -panl -A inet) should give you process names and IDs to look at. Please post as many details as you can. Anyway. Is this a production box? What services does it run? Who has access to it? Root access? Any chance of verifying the integrity of the files on the box? You say you telnetted in. What output was shown, or was it a true telnet session?
 
Old 09-26-2005, 09:20 PM   #4
subjazz
Member
 
Registered: May 2004
Location: Rodeo by the Bay
Distribution: Ubuntu;dosbox;Debian;BSD 6.0
Posts: 65

Original Poster
I ran a tiger scan with output:
# Checking listening processes
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on every interface) is run by daemon.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on every interface) is run by daemon.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 781 (TCP) on every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 775 (UDP) on every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 778 (UDP) on every interface.

this is part 1 of 6

I believe this is the issue. I just have to do some reading to stop portmap and rpc.statd.

This is part of the netstat -panl -A inet output:
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:742             0.0.0.0:*               LISTEN      3104/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2566/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2956/exim4
udp        0      0 0.0.0.0:736             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:739             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2566/portmap

This is an end-user machine, not a production server.
my recent install notes:
http://users.lmi.net/subjazz/debian3.1.txt
Thanks
 
Old 09-27-2005, 06:09 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Good to see you're running Tiger. OK, RPC stuff. If you don't need it, by all means uninstall it. If you don't know for sure (dependencies), just deactivate it and try some (for instance 'find /etc/init.d /etc/rc?.d -name '*portmap*'' should show results in /etc/init.d/ and /etc/rc${RUNLEVEL}.d/). If you know you need it, at least firewall services in the 0-1024 range to something meaningful (LAN/"known-good" hosts vs. publicly accessible).
 
Old 09-27-2005, 05:45 PM   #6
subjazz
Member
 
Registered: May 2004
Location: Rodeo by the Bay
Distribution: Ubuntu;dosbox;Debian;BSD 6.0
Posts: 65

Original Poster
Debian/GNU BIBLE
p.411: "Remove from rc*.d all services you don't use... by renaming the link.
$ mv /etc/rc2.d/S20exim /etc/rc2.d/_S20exim
Now, whenever the system starts, the exim mail service will not start."
p.496: "PORTMAP - This is installed by default ........ which runs at boot time to mount any remote file systems. The portmapper then translates between the service numbers and the available port numbers."

Code:
debian@debian:~$ rpcinfo -p debian
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    752  status
    100024    1   tcp    755  status

The http://security.sygatetech.com/tcpscan.html security scan tells me that port 755 is open.
"With portmapper running, you can query it using rpcinfo to list the registered programs."

Do you think I'm on the right track with the removal of unwanted services mentioned above and unwanted mount connections?
find -type f -name portmap provides no output
I have already firewalled unmeaningful services using PMfirewall , but it was a quick install and I need to check it out.


Thanks for your help

Last edited by subjazz; 09-27-2005 at 05:51 PM.
 
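Added example (the editor's, not code from any poster in this thread): a shell script that does what posts #3, #5 and #6 describe by hand. It cross-references the portmapper's registration table with the sockets bound on every interface, so each wandering 7xx port is explained by the RPC program behind it, and then prints iptables rules that keep portmap, and the range it hands ports out from, reachable from the LAN only. The rpcinfo, netstat and services tables are constructed inline to match the shapes posted above; the LAN address 192.168.1.0/24 is an assumption, and so is the 600-1023 range (glibc's bindresvport() draws reserved ports from 600-1023 starting at a PID-derived offset, which is why rpc.statd lands on a different 7xx port every boot).

```shell
#!/bin/sh
# Added example, not from the thread. All input below is constructed to match
# the shapes of the rpcinfo/netstat output posted above.

# Constructed "rpcinfo -p" output.
RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    752  status
    100024    1   tcp    755  status'

# Constructed "netstat -panl -A inet" output.
NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:755             0.0.0.0:*               LISTEN      3104/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2566/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2956/exim4
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2991/sshd
udp        0      0 0.0.0.0:752             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2566/portmap'

# Constructed subset of /etc/services (only the lines that matter here).
SERVICES='ssh 22/tcp
smtp 25/tcp
sunrpc 111/tcp
sunrpc 111/udp'

LAN=192.168.1.0/24   # assumption: the "known-good" network; adjust to taste

# listeners: "proto port addr program" for every socket bound on all interfaces
# (0.0.0.0, :: or *), i.e. the ones a remote port scan can see. Loopback-only
# sockets such as exim on 127.0.0.1:25 are left out on purpose.
listeners() {
    printf '%s\n' "$NETSTAT" | awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|::|\*):/ {
            n = split($4, a, ":"); port = a[n]
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the PID from "3104/rpc.statd"
            print $1, port, $4, prog
        }'
}

# rpc_program: RPC program name registered with portmap on proto/port, or nothing.
rpc_program() {
    printf '%s\n' "$RPCINFO" | awk -v p="$1" -v n="$2" '$3 == p && $4 == n { print $5; exit }'
}

# known_service: name from the services table for proto/port, or nothing.
known_service() {
    printf '%s\n' "$SERVICES" | awk -v key="$2/$1" '$2 == key { print $1; exit }'
}

# explain_listeners: one line per exposed socket, "proto/port program label".
# The moving 7xx ports come out as "rpc:status": dynamic ports portmap gave
# rpc.statd at boot. Anything neither in /etc/services nor registered with
# portmap is flagged "unregistered" and deserves a closer look.
explain_listeners() {
    listeners | while read -r proto port addr prog; do
        svc=$(known_service "$proto" "$port")
        rpc=$(rpc_program "$proto" "$port")
        if [ -n "$svc" ]; then label="service:$svc"
        elif [ -n "$rpc" ]; then label="rpc:$rpc"
        else label="unregistered"
        fi
        printf '%s/%s %s %s\n' "$proto" "$port" "$prog" "$label"
    done
}

# firewall_rules: iptables commands implementing "LAN only" for the RPC side.
# Per-port rules for statd would break at the next reboot because the port
# moves, so the whole reserved range bindresvport() allocates from is covered.
firewall_rules() {
    # Non-RPC services we know about stay open; they must come before the DROPs.
    explain_listeners | while read -r pp prog label; do
        case $label in
            service:sunrpc|rpc:*) ;;
            service:*) printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "${pp%/*}" "${pp#*/}" ;;
            unregistered) printf '# %s (%s) is registered nowhere: identify it before allowing it\n' "$pp" "$prog" ;;
        esac
    done
    # Portmapper itself (111) and the 600-1023 range: LAN may talk, everyone else is dropped.
    for proto in tcp udp; do
        for range in 111 600:1023; do
            printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' "$proto" "$range" "$LAN"
            printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$range"
        done
    done
}

explain_listeners
firewall_rules
```

To run it against a live box, replace the three constructed tables with `rpcinfo -p`, `netstat -panl -A inet` (as root, or the program column is empty) and `/etc/services`. The range rule is deliberately coarse: if a legitimate non-RPC service listens between 600 and 1023 it shows up in explain_listeners as `service:...` and gets its own ACCEPT ahead of the DROP, which is why the order of the emitted rules matters.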
Old 09-27-2005, 07:22 PM   #7
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

I don't know Debian at all, but does it have chkconfig?

if so you should be able to use

Code:
chkconfig --list
then when you find the service you want to stop

Code:
chkconfig --level 0123456 service_name off
But I have a suspicion this is only used on RH/FC.
 
Old 09-27-2005, 08:39 PM   #8
subjazz
Member
 
Registered: May 2004
Location: Rodeo by the Bay
Distribution: Ubuntu;dosbox;Debian;BSD 6.0
Posts: 65

Original Poster
http://chris.quietlife.net/2003/12/1...reat-wide-open
This link solved my problem. I want to keep ssh, and exim is easy to remove, as mentioned in the Debian Bible.

Code:
debian:/etc/init.d# /etc/init.d/portmap stop
Stopping portmap daemon: portmap.
debian:/etc/init.d# lsof -n | grep LISTEN
exim4     2957 Debian-exim  3u  IPv4  5565  TCP 127.0.0.1:smtp (LISTEN)
sshd      2991        root  3u  IPv6  5753  TCP *:ssh (LISTEN)
rpc.statd 3105        root  6u  IPv4  5960  TCP *:743 (LISTEN)

debian:/etc/init.d# /etc/init.d/nfs-common stop
Stopping NFS common utilities: statd.
debian:/etc/init.d# lsof -n | grep LISTEN
exim4     2957 Debian-exim  3u  IPv4  5565  TCP 127.0.0.1:smtp (LISTEN)
sshd      2991        root  3u  IPv6  5753  TCP *:ssh (LISTEN)

Problem solved! The link above also explains how to remove portmap.
Example:
Code:
/etc/init.d# update-rc.d -f portmap remove

To remove rpc.statd:
Code:
/etc/init.d# update-rc.d -f nfs-common remove
 
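Added example (the editor's, not code from any poster in this thread): the "lsof -n | grep LISTEN" check in post #8 done as an allowlist comparison, so that the before/after states can be verified mechanically rather than by eyeballing the list. The two lsof snapshots are constructed to match the lines posted above (the "before" one adds the portmap socket that was already stopped in the post), and the allowlist of sshd on every interface plus exim4 on loopback only is the editor's assumption about what this box should expose.

```shell
#!/bin/sh
# Added example, not from the thread. Snapshots are constructed lsof output.

# Constructed "lsof -n | grep LISTEN" before portmap and nfs-common were stopped.
BEFORE='exim4     2957 Debian-exim  3u  IPv4  5565  TCP 127.0.0.1:smtp (LISTEN)
sshd      2991        root  3u  IPv6  5753  TCP *:ssh (LISTEN)
rpc.statd 3105        root  6u  IPv4  5960  TCP *:743 (LISTEN)
portmap   2566      daemon  4u  IPv4  5200  TCP *:sunrpc (LISTEN)'

# Constructed snapshot after "/etc/init.d/portmap stop" and "/etc/init.d/nfs-common stop".
AFTER='exim4     2957 Debian-exim  3u  IPv4  5565  TCP 127.0.0.1:smtp (LISTEN)
sshd      2991        root  3u  IPv6  5753  TCP *:ssh (LISTEN)'

# Allowlist (assumption): "program address:port". "*" is every interface.
# exim4 is only acceptable bound to loopback, so "exim4 *:smtp" would be a finding.
ALLOW='sshd *:ssh
exim4 127.0.0.1:smtp'

# listening: normalise lsof lines to "program address:port". The NAME column sits
# just before "(LISTEN)", whatever number of columns this lsof version prints.
listening() {
    printf '%s\n' "$1" | awk '$NF == "(LISTEN)" { print $1, $(NF-1) }'
}

# exposed: the subset bound on every interface, i.e. what a remote scan sees.
exposed() {
    listening "$1" | awk '$2 ~ /^\*:/'
}

# unexpected_listeners: print each listener missing from ALLOW.
# Exit status 0 = everything accounted for, 1 = findings printed.
unexpected_listeners() {
    listening "$1" | awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, lines, "\n"); for (i = 1; i <= n; i++) ok[lines[i]] = 1 }
        !($0 in ok) { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report on both snapshots.
for snap in before after; do
    case $snap in before) data=$BEFORE ;; after) data=$AFTER ;; esac
    if findings=$(unexpected_listeners "$data"); then
        echo "$snap: clean (exposed: $(exposed "$data" | awk '{ print $2 }' | tr '\n' ' '))"
    else
        echo "$snap: unexpected listeners:"
        echo "$findings"
    fi
done
```

On a real system feed it `lsof -n -P -i | grep LISTEN` (with -P, so ports come out as numbers and the allowlist can say `*:22` instead of `*:ssh`), and run it once more after the next reboot: the point of update-rc.d ... remove is that the services stay gone, and this is the check that proves it.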