LinuxQuestions.org
Old 06-05-2003, 01:24 AM   #1
Tigger
Member
 
Registered: May 2003
Posts: 168

Rep: Reputation: 30
port scan


Hi

I have been looking at the security of my Linux Red Hat 8 server.

When I use LANguard to do a port scan from the internet it comes up I have ports 161 SNMP and RIP 520 open.

How can I block these from being seen from the internet and what are the implications if I try to disable these altogether?

thanks
 
Old 06-05-2003, 08:07 PM   #2
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
The setup is pretty easy. Reference the thread started by Smooth called "Firewall Setup".

As far as the implications of ports 161 and 520, try doing a:
lsof | grep ESTABLISH and a
lsof | grep LISTEN

You can also replace the lsof with a "netstat -a".
This should give you some idea of what is using those two ports.
 
Old 06-05-2003, 10:51 PM   #3
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
I edited my services file and commented these two services out for the time being. Is this OK to do?

thanks
 
Old 06-05-2003, 10:52 PM   #4
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
161 is SNMP and 520 is RIP
 
Old 06-06-2003, 05:19 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787
Quote:
I edited my services file and commented these two services out for the time being. Is this OK to do?

No, it isn't. The services file is just a mapping and should be left untouched unless you add service/port mappings.

If these services are run, make sure you need them, and they correspond with the daemon that is supposed to run that service.

If you don't need to run these services, make sure they don't get started in /etc/rc.d/rc(runlevel).d if standalone, or in Xinetd. Uninstalling them would be the best solution. If you need to run these services, but only accessible to some IP addresses or ranges, place the right restrictions in their own configs (and check your SNMP community strings setup), and Xinetd (where applicable), and the firewall, and TCP Wrappers. If you do, you'll be reasonably safe as there isn't a single point of failure then.
 
Old 06-06-2003, 05:57 AM   #6
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
How do I uninstall these services?

thanks again
 
Old 06-06-2003, 06:09 AM   #7
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Why would I need SNMP and RIP?
 
Old 06-06-2003, 12:56 PM   #8
Electboy
Member
 
Registered: May 2003
Location: VietNam
Distribution: RedHat 9.0
Posts: 79

Rep: Reputation: 15
Have you blocked them with iptables?

iptables -A INPUT -i ppp+ -p TCP --dport 0:1023 -j DROP
iptables -A INPUT -i ppp+ -p UDP --dport 0:1023 -j DROP
 
Old 06-06-2003, 06:26 PM   #9
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Is this all I need to do to block SNMP and RIP? How come they use the same dport?

Yes, it looks like I have blocked them when I look at my iptables by typing iptables -L. I just did not know what I was looking at.

thanks
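
An added example, not part of any post in this thread: it evaluates the two rules from post #8 against a given protocol, port and interface, which shows why one range rule per protocol covers both 161 and 520 and where the rules stop applying. The helper name `verdict`, the interface names `ppp0` and `eth0`, and port 8080 are assumptions for illustration; only `-i`, `-p`, `--dport` and `-j` are modelled, and protocol names are compared case-insensitively.

```shell
#!/bin/sh
# The two rules from post #8, held as sample input for the check below.
RULES='-A INPUT -i ppp+ -p TCP --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p UDP --dport 0:1023 -j DROP'

# verdict PROTO PORT IFACE (hypothetical helper): print the target of the first
# INPUT rule that matches, or POLICY when no rule matches and the chain policy
# decides. Only -i, -p, --dport and -j are modelled.
verdict() {
    printf '%s\n' "$RULES" | awk -v proto="$1" -v port="$2" -v ifc="$3" '
    function iface_match(pat, name,    n) {
        if (pat == "") return 1                 # no -i given: any interface
        n = length(pat)
        if (substr(pat, n) == "+")              # trailing + is a prefix wildcard
            return substr(name, 1, n - 1) == substr(pat, 1, n - 1)
        return name == pat
    }
    $1 == "-A" && $2 == "INPUT" {
        p = ""; in_if = ""; target = ""; lo = 0; hi = 65535
        for (i = 3; i < NF; i++) {
            if ($i == "-p") p = tolower($(i + 1))
            else if ($i == "-i") in_if = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--dport") {         # single port or LOW:HIGH range
                n = split($(i + 1), r, ":")
                lo = r[1] + 0
                hi = (n == 1) ? lo : (r[2] == "" ? 65535 : r[2] + 0)
            }
        }
        if (target ~ /^(ACCEPT|DROP|REJECT)$/ && (p == "" || p == tolower(proto)) &&
            iface_match(in_if, ifc) && port + 0 >= lo && port + 0 <= hi) {
            print target; decided = 1; exit
        }
    }
    END { if (!decided) print "POLICY" }'
}

# 161/udp and 520/udp both fall inside 0:1023 on the dial-up interface;
# the same ports on eth0, or a high port on ppp0, are not covered.
for probe in "udp 161 ppp0" "udp 520 ppp0" "udp 161 eth0" "tcp 8080 ppp0"; do
    set -- $probe
    printf '%-16s %s\n' "$probe" "$(verdict "$1" "$2" "$3")"
done
```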
 
Old 06-07-2003, 06:49 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787
Quote:
How do I uninstall these services?

rpm -e <package name>.
 
Old 06-07-2003, 02:34 PM   #11
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Thanks again, but how do I find out the package name?
 
Old 06-07-2003, 05:39 PM   #12
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
I would recommend simply disabling them at first. If that works without a hitch, then you can consider removing them.

All you have to do to stop them and have them not start up again is go to Server Setting ==> Services
Here you can stop, start, and determine if you want the service to start up at boot. Normally, you'll start with RunLevel 5 displayed. You would also want to disable these services in the lower levels.

To actually answer your question though...
rpm -qa | grep snmp ==> will show all of the RPMs that have snmp in them.
rpm -qa net-snmp.......... ==> will give details on that package
rpm -e net-snmp ==> will delete the package
man rpm ==> will give all this info and more

Sometimes, you'll try "rpm -e" and it will give an error indicating that other packages are dependent on the one you are trying to delete. At this point, with the help of "rpm -qi", you have to decide if you wish to decide the packages that are dependent too.

If you do, you can list the original package you want to delete as well as the package that is dependent on it when you do the "rpm -e" a second time.
e.g. rpm -e net-snmp 2nd_Package

However, I'd still recommend holding off until you've run the system a while without using these packages.
 
Old 06-07-2003, 05:41 PM   #13
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
Oops,

change that goofy sentence to:

At this point, with the help of "rpm -qi", you have to decide if you wish to remove the packages that are dependent too.
 
Old 06-08-2003, 01:18 AM   #14
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
You must have installed some routing stuff that you didn't need. RIP is a routing protocol (Routing Information Protocol) and SNMP = Simple Network Management Protocol. You probably don't need a RIP router; it is used for advertising routes that you know about and receiving routes from other routers (it updates the routing table). You probably really don't need this. You did an "install everything", huh?
 
Old 06-08-2003, 06:28 AM   #15
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Yes, robert0380, I did install everything and now I am regretting it!!

Thanks pjcp64, I will try this tomorrow and let you know how I go.

These groups have been a great help to me. I really appreciate everyone's help!!
 
  

