LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
02-26-2004, 02:05 PM   #1
stupid_guy (Member, Mandrake 9.2)
Help!

Hi, I ran a port scan of localhost and this is what I got:

Port State Service
25/tcp open smtp
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11

I did a little investigation and here's what I found so far:

port 25: email
port 111: I made a connection via telnet but after a few keystrokes the connection closes
port 631: I made a connection via telnet and the same thing happens.
port 6000: I get this- <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1>Bad Request</BODY></HTML>

OK, being a newbie, I have no idea what all this means, and it scares me that anyone can use telnet to use my beloved personal computer.
Could someone please explain to me what each of these ports means and what they do and how to turn them off? Thanks so much.
 
02-26-2004, 02:29 PM   #2
iainr (Member, England)
Hi there,

First, the scan you did is of localhost, so seeing those ports open doesn't mean that someone trying to get in from outside can do so. If, for example, you connect to the Internet with a DSL router that includes a firewall (many do), then these ports are probably not visible from the Internet. It might even be the case that with a standalone PC, ports visible from localhost are not visible from outside.

For someone to connect with telnet requires you to be running telnetd (the telnet daemon) which listens on port 23 by default. Since port 23 isn't open, someone can't telnet to your computer. What you've found is that you can use a telnet client to connect to other ports; but (unless there's some software bug that can be exploited) this won't give anyone command line access because the daemons listening don't provide that.

Port 25 being open means you are running a mail server such as sendmail (most likely) or postfix. Port 631 is internet printing protocol. Port 111, sunrpc, is linked to NFS (amongst others) - mounting filesystems over the network from other servers. Port 6000 is X11 - allowing you to use graphics (e.g. KDE, Gnome). None of these are terrible in themselves.

If you want easy instructions on stopping these, it will help to post which distro and version you are running.

Lastly, it's generally considered better manners to post a descriptive title for your post - something like "How do I close off network ports?" is somewhat better than "Help!".
 
02-26-2004, 03:02 PM   #3
stupid_guy (Original Poster)
Hey, thanks. That really helped. My distro is Mandrake. Any ideas on how to close the ports, and will closing them affect how my system runs at all? Thanks.

By the way, I used to live in Cheshire. Lymm, Cheshire to be exact. Every time it rains, huge slugs crawl out and lie everywhere! But I love the place.... ahem, please do pardon my inappropriateness for being off topic, mate.
 
02-26-2004, 04:13 PM   #4
iainr (Member, England)
In general terms, you can use the command "netstat -lnp" to see which ports are listening and which processes are doing the listening.

For example, on my system I have the line
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1174/portmap
The 0.0.0.0:111 says that port 111 is open. Process portmap with PID 1174 is listening there. If I want to disable it, I need to stop that process starting up.

Now you know who the bad guys are. In Mandrake you can launch the Mandrake Control Center --> System --> DrakXServices. From here you should be able to disable the services you have listening (as well as clicking the info button for more information).

(You make Lymm sound very tempting - must visit there sometime).
 
02-27-2004, 12:52 PM   #5
stupid_guy (Original Poster)
Yo, I tried it and came up with these interesting things:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -

Now, nmap only shows the last four, but netstat -lnp shows one more than nmap.

I once heard that ports with high numbers are bad, and 32768 seems pretty bad. Unix pros: Any ideas?

*also*
Why isn't my netstat -lnp displaying the PID part???

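The netstat output above is the raw material for the triage the thread is doing by hand: which sockets are bound to 127.0.0.1 (reachable only from this machine) and which to 0.0.0.0 or :: (reachable from the network, firewall permitting). Here is that triage as a script. It is an added example, not code from the thread; the sample lines are constructed to match the shape of the output posted above, and the program names on them (xinetd, portmap, cupsd, sendmail, sshd) are assumed rather than taken from the poster's machine. A "-" in the program column, which is what netstat prints when it is not run as root, is reported explicitly.

```shell
#!/bin/sh
# Added example, not code from the thread. Triages "netstat -lnp" output:
# for every LISTEN socket, report the port, the owning program, and whether
# the socket is bound only to the loopback address (reachable from this
# machine only) or to 0.0.0.0 / :: (reachable from the network, firewall
# permitting). The sample below is constructed to match the shape of the
# output posted in the thread; the program names are assumed.

sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:32768         0.0.0.0:*               LISTEN      912/xinetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1174/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1301/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1402/sendmail
tcp        0      0 :::22                   :::*                    LISTEN      1020/sshd
EOF
}

# classify_listeners: reads netstat -ln[p] output on stdin and prints one
# line per LISTEN socket: "<LOOPBACK|NETWORK> <port> <program>".
# The header line is skipped because its 6th field is not "LISTEN".
# A "-" in the program column (netstat run without root) is reported as
# "unknown(run-as-root)".
classify_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]                                   # last ":"-separated piece
        host = substr(addr, 1, length(addr) - length(port) - 1)
        prog = ($7 == "" || $7 == "-") ? "unknown(run-as-root)" : $7
        sub("^[0-9]+/", "", prog)                         # drop the "PID/" prefix
        if (host == "127.0.0.1" || host == "::1")
            exposure = "LOOPBACK"
        else
            exposure = "NETWORK"
        print exposure, port, prog
    }'
}

# network_listeners: only the sockets another host could reach.
network_listeners() {
    classify_listeners | awk '$1 == "NETWORK"'
}

# Stand-alone demo on the constructed sample. On a real machine, replace
# sample_netstat with:  netstat -lntp   (or  ss -lntp  on current systems).
sample_netstat | classify_listeners
```

On the constructed sample this reports 25 and 32768 as LOOPBACK and 111, 631, 6000 and 22 as NETWORK; the NETWORK list is the one to compare against what the firewall allows in, and anything on it you cannot name a reason for is a candidate for shutting down.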
 
02-27-2004, 03:36 PM   #6
benjithegreat98 (Senior Member, Shelbyville, TN, USA)
If you run that as root it will show the PID.
 
02-27-2004, 07:14 PM   #7
stupid_guy (Original Poster)
Right on the money! Thanks!

After the help from you guys, I decided that I don't need port 25, and I decided that cupsd is safe.

But I have 2 more questions:

1. I checked the high port daemon and it's just xinetd, and after googling it I found that it is a master daemon that saves memory by controlling others, and is really not a security hazard. Am I right?

2. I googled portmap and found that it is something to do with RPC and a cross-platform thingy. Do I really need this service?

Again, thanks a lot.
 
02-27-2004, 07:28 PM   #8
benjithegreat98 (Senior Member, Shelbyville, TN, USA)
If your computer is not acting as a server or you do not have any computers on a network then you don't need any of those services. Turn them all off, unless of course you need them.
Quote: "I decided that cupsd is safe."
Do you need it? You don't need it to print locally. Type cupsd exploit into google and see what you get. Still think it is safe? Sure, the exploits may not apply to your version, but are you sure that there isn't an exploit for your version? An un-needed service or daemon is an un-needed risk.

I don't know what that port 32768 thing is, but I know I've never had it running on my computers. Fortunately, it is only listening on 127.0.0.1 so it isn't so bad. But you should still look into stopping the service.

 
02-27-2004, 08:29 PM   #9
stupid_guy (Original Poster)
Quote: "You don't need it to print locally"

You know, that's what I'm trying to do: turn off ALL services I don't need. But I don't know what each service means and if my system needs it operating.

But taking your advice, I turned off all services, so that the only port still listening is the X port, which I think I need for startx.

Thanks for the input, and if by stopping these services I run into any serious problems I'll post again with the details. Otherwise I think I have a pretty secure system with no listening ports at all, which means that theoretically no one can hack into my computer (?)
 
02-27-2004, 09:45 PM   #10
benjithegreat98 (Senior Member, Shelbyville, TN, USA)
You can turn off the X port (port 6000). Search this forum and Google. I know you can find it like that.

You also need to implement a firewall. I don't use Mandrake, but I think I've read there is an easy-to-use GUI for a firewall. If not, you can download firewall interfaces. Again, search the forum for tips on good firewalls.

One last thing. Turning off services is a step towards good security. You also need to implement the firewall. The only way to truly ensure not getting hacked is to unplug your computer from the net permanently. Anything you do only reduces the chances of intrusion. But you're on the right path. Keep it up.
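The advice above is "turn off what you don't need, then put a firewall in front of what is left". The thread does not show what such a firewall looks like, so here is a minimal one for a single desktop, written as an added example rather than anything from the thread or from Mandrake's own firewall tool: inbound traffic is dropped by default, loopback and replies to connections the host itself opened are allowed, and only TCP ports named on the command line are opened. The output is iptables-restore format; the script validates every port before printing anything, so a typo cannot leave a half-written ruleset on stdout. Loading it with iptables-restore as root is an assumed usage, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mandrake's firewall tool.
# Generates a minimal host firewall for a single desktop in iptables-restore
# format: inbound traffic is dropped by default, loopback and replies to
# connections this host opened are allowed, and only the TCP ports given on
# the command line are opened. Nothing is applied by this script; review the
# output, then load it as root with:  gen_rules 22 | iptables-restore
# (assumed usage; the port list is whatever you actually need reachable).

gen_rules() {
    # Validate every argument first so that a bad one produces no output at
    # all, rather than a truncated ruleset that a pipe into iptables-restore
    # would happily apply.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*)
                echo "gen_rules: '$port' is not a port number" >&2
                return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: '$port' is out of range" >&2
            return 1
        fi
    done

    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Stand-alone demo: a desktop that wants inbound SSH and nothing else.
# With no arguments at all, the ruleset opens no listening port to the network.
gen_rules 22
```

With the INPUT policy at DROP, a probe from another host gets no reply at all, which is exactly the "did not respond within the timeout period" behaviour reported later in the thread. Note that the firewall hides the X server rather than closing it; the standard way to stop X listening on port 6000 in the first place is to start the server with the -nolisten tcp option (a real X server option, though how Mandrake's startx or display-manager configuration passes it is not covered on this page).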
 
02-28-2004, 08:18 AM   #11
stupid_guy (Original Poster)
I got the firewall going (Mandrake is very friendly) and unchecked everything that the Internet can have access to.

Now I ssh'd to a remote shell account and tried to scan the only listening port, X11 on 6000, and I couldn't. It reports: telnet: connect: A remote host did not respond within the timeout period. Looks like the firewall is at work!

After reading about how one can potentially hack into port 6000 and do stuff like closing unsaved x windows and monitor the victim's keyboard and mouse inputs, I'm glad I can't just telnet into port 6000 of my box.

Thanks for walking me through security.
 
02-28-2004, 08:57 AM   #12
benjithegreat98 (Senior Member, Shelbyville, TN, USA)
http://www.linuxquestions.org/questi...hreadid=138674

Read post 4; this should help you close port 6000.