LinuxQuestions.org
Old 03-27-2001, 08:09 AM   #1
janderson622
LQ Newbie
 
Registered: Mar 2001
Posts: 6

Rep: Reputation: 0


Hi all,

I'm new to this list, so I hope this hasn't been asked before. A friend of mine (a Java developer) wrote a little TCP port scanning tool for me and it's showing some open ports, and I was wondering if you could point me in the right direction to get them closed.

I've got 2 different servers I'm working on, one is Red Hat 6.2 and the other is Red Hat 7.

Here are the TCP ports:

111
113
513
514
515

Also, port 53 is open on TCP for DNS, but I do not do any zone transfers. Can (and how) do I shut that port down?

Thanks in advance,


--John
 
Old 03-29-2001, 07:43 PM   #2
Mike_the_Man
Member
 
Registered: Jan 2001
Location: work
Distribution: Redhat, Mandrake
Posts: 33

Rep: Reputation: 15

You can try going into your inetd.conf and commenting out the services that pertain to that port. See if that works. I had the same problem and that is how I solved it.


Mike
 
Old 03-30-2001, 06:40 AM   #3
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Remember though, RH 7 doesn't have inetd anymore, it's xinetd.
 
Old 03-30-2001, 01:32 PM   #4
Mike_the_Man
Member
 
Registered: Jan 2001
Location: work
Distribution: Redhat, Mandrake
Posts: 33

Rep: Reputation: 15
That's right, you can try commenting it out in /etc/services, right?
 
Old 03-30-2001, 02:07 PM   #5
Copenhagen Cowboy
Member
 
Registered: Mar 2001
Location: D/FW
Posts: 75

Rep: Reputation: 15
Yes, you can comment it out there.
 
Old 04-02-2001, 09:00 AM   #6
janderson622
LQ Newbie
 
Registered: Mar 2001
Posts: 6

Original Poster
Rep: Reputation: 0
Hi - That's the sneaky thing about this, 111 is commented out in the /etc/services, but that port is still accepting connections.

Any thoughts?


--John
 
Old 04-02-2001, 02:23 PM   #7
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,597

Rep: Reputation: 4080
Port 111 is for portmapper (which is used for NFS). If you kill portmapper it will close the port.
 
Old 04-05-2001, 07:01 AM   #8
janderson622
LQ Newbie
 
Registered: Mar 2001
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks jeremy, that did it.

--John
 
Old 11-26-2003, 10:30 PM   #9
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Rep: Reputation: 32
Hi guys, I'm working on the same thing.

I've used the command nmap myIP

and my result is


Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-27 00:28 WST
Interesting ports on 10.x.x.x:
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https

Nmap run completed -- 1 IP address (1 host up) scanned in 8.013 seconds


Now, to close a port you just comment out the ones you want, right?

sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

Is it both of them? like so

#sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
#sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP



tommytomato
 
Old 11-27-2003, 08:28 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by tommytomato
Is it both of them? like so

#sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
#sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

Yes, that's how you comment out stuff, but what file are you editing?
I hope it's not /etc/services...
 
Old 11-27-2003, 09:10 AM   #11
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
It won't help to just comment out lines in /etc/services when you want to close ports. Shut down the daemons listening; for some distros you can list the running services with chkconfig --list, and then shut down the unwanted services with some other chkconfig option(s); see the man page. And then set up iptables using your favourite editor or quicktables or shorewall or whatever other frontend.
 
Old 11-27-2003, 01:22 PM   #12
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
tommytomato:
If you don't need the running services at all do this:
look for the symlinks to the scripts in /etc/rcX.d (where X is the runlevel number) and delete them.
Then stop them:
/sbin/service <nameservice> stop (for RH compatible I believe)
/etc/init.d/<nameservice> stop (the rest?)

Maybe they get started through xinetd; in that case you should search for them in
/etc/xinetd.d, edit the script and set disable yes.
Then restart xinetd: /sbin/service xinetd restart (for RH compatible) or just /etc/init.d/xinetd restart (the rest?)
 
Old 11-27-2003, 06:44 PM   #13
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Rep: Reputation: 32
Thanks guys,

What I'm trying to do is make my server as secure as possible.

I have my server hooked up to an ADSL unit and port 80 is the only one open.

So it should be safe.

But when I run nmap localhost

I get this

[root@www root]# nmap localhost

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-27 20:27 WST
Interesting ports on www.rockinghamgateway.com (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
783/tcp open hp-alarm-mgr
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 2.751 seconds

and then if I run the IP eth0 #nmap 10.1.1.9

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-27 20:34 WST
Interesting ports on 10.1.1.9:
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp <---- IS FTP
22/tcp open ssh <----sshd
80/tcp open http <-----Apache webserver
111/tcp open rpcbind <-----I think its portmapper
443/tcp open https <---secure webserver
3306/tcp open mysql <---- is mysqld
10000/tcp open snet-sensor-mgmt <--- is this webmin ???

Nmap run completed -- 1 IP address (1 host up) scanned in 23.011 seconds




Iceman47, so you're saying to do it like this?

Then stop them:
/sbin/service <rpcbind> stop (for RH compatible I believe)
/etc/init.d/<rpcbind> stop (the rest?)

My OS is Fedora Core 1 running just a shell, no GUI. I have startx working
and most of my setup is done, apart from blocking ports.

I am at a loss with this... the main ones I would be looking to block are ports 111, 783, 631....

As I am a new user I don't know a lot about it!
Can anyone explain this in simple terms? As in, do I need to block, or don't I need to block any?

tommytomato
 
Old 11-27-2003, 07:38 PM   #14
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by tommytomato
"10000/tcp open snet-sensor-mgmt <--- is this webmin ???"

Yes

Quote:
Iceman47, so you're saying to do it like this?

Then stop them:
/sbin/service <rpcbind> stop (for RH compatible I believe)
/etc/init.d/<rpcbind> stop (the rest?)

If you want to stop rpcbind do /sbin/service portmap stop.
But that won't survive a reboot, so you have 2 options:
* remove the actual script (<-not that smart in case you do need it at a later date)
* remove the symlink to the script.

A symlink is a symbolic link to a file, like a shortcut in windoze.
You'll find those symlinks in the runlevel folders (/etc/rc0.d -> /etc/rc6.d)
So if you want to disable portmap (rpcbind) remove all the symlinks ending with
portmap in /etc/rc0.d through /etc/rc6.d.
Reboot and you'll notice portmapper (rpcbind) won't run anymore.

Repeat for everything you want to see disabled.

Others get started from xinetd like I said before, but I think that explanation
was clear.

What you want to disable is up to you, just disable services you don't need.
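
Added example, not part of any post in this thread: a port is open because a process holds a listening socket, and the address that socket is bound to decides which scan sees it, which is why the two scans in post #13 differ. The sketch below reads /proc/net/tcp-style text; the function names are made up for illustration, and it assumes IPv4, a little-endian host, and no packet filter in the way.

```python
"""List TCP listeners from /proc/net/tcp text and show which addresses reach them."""
import ipaddress
import struct

TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp

# Constructed sample (first four columns of /proc/net/tcp only), built to
# mirror the two scans in post #13; it is not a capture from that host.
SAMPLE = """\
sl local_address rem_address st
0: 00000000:0015 00000000:0000 0A
1: 00000000:0016 00000000:0000 0A
2: 0100007F:0019 00000000:0000 0A
3: 00000000:0050 00000000:0000 0A
4: 00000000:006F 00000000:0000 0A
5: 00000000:01BB 00000000:0000 0A
6: 0100007F:0277 00000000:0000 0A
7: 0100007F:030F 00000000:0000 0A
8: 00000000:0CEA 00000000:0000 0A
9: 00000000:2710 00000000:0000 0A
10: 0901010A:0016 0201010A:C350 01
"""


def listeners(proc_text):
    """Return (bind_address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                             # established connections etc.
        hex_ip, hex_port = fields[1].split(":")
        # Assumes a little-endian host (x86): address bytes are stored reversed.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16)))
    return found


def ports_answering_on(socks, target):
    """Ports a connect scan of `target` would find open, ignoring firewalls."""
    target = ipaddress.IPv4Address(target)
    return sorted({port for ip, port in socks
                   if ip.is_unspecified          # 0.0.0.0: every local address
                   or ip == target               # bound to exactly that address
                   or (ip.is_loopback and target.is_loopback)})


if __name__ == "__main__":
    socks = listeners(SAMPLE)
    for addr in ("127.0.0.1", "10.1.1.9"):
        print(addr, ports_answering_on(socks, addr))
```

On a live system, pass `open("/proc/net/tcp").read()` instead of `SAMPLE`; editing /etc/services changes none of these entries, because that file only maps port numbers to names.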
 
Old 11-27-2003, 09:07 PM   #15
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Rep: Reputation: 32
Thank you,
I'll work through it.

I do have a problem, I think.

My site won't show. If I switch to the XP IIS it works, but if I switch back to the Linux webserver, we get page can't be found.

Do my permissions look OK?

[root@www root]# ls -al /var/www/html
total 84
drwxrwxr-x 5 root gateway 4096 Nov 27 09:22 .
drwxr-xr-x 7 root root 4096 Nov 27 03:11 ..
drwxr-xr-x 11 tommytomato tommytomato 4096 Nov 27 09:24 community
-rw-r--r-- 1 tommytomato tommytomato 2494 Nov 27 08:24 favicon.ico
drwxr-xr-x 3 tommytomato tommytomato 4096 Nov 27 08:24 images
-rw-r--r-- 1 tommytomato tommytomato 7575 Nov 27 08:24 index_behind.php
-rw-r--r-- 1 tommytomato tommytomato 8040 Nov 27 08:24 index.php
-rw-r--r-- 1 tommytomato tommytomato 30737 Nov 27 08:24 mm_menu.js
-rw-r--r-- 1 tommytomato tommytomato 8362 Nov 27 09:07 notes.txt
drwxrwxr-x 2 root gateway 4096 Nov 27 09:52 usage
[root@www root]#


I'm wondering if I have to add index.php in using webmin; I think it's only got index.html

tommytomato
 
  


All times are GMT -5.
