Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I need to prevent some application from listening on a port.
So, when the application is executed, it starts to listen on a port.
I want Linux to ignore the application's port request.
How do I prevent any application from getting a port, or ports, for its usage?
Quote:
Originally Posted by nimnull22
I need to prevent some application from listening on a port.
What application? Why?
Quote:
Originally Posted by nimnull22
So, when the application is executed, it starts to listen on a port.
I want Linux to ignore the application's port request.
How do I prevent any application from getting a port, or ports, for its usage?
Here are some weak / strong options until you explain your situation's details:
- if it's a fixed port, bind something to the port beforehand ('nc'?),
- if it's a port below 1024, run the application from an unprivileged account,
- if it's a port below 1024, take away CAP_NET_BIND ('man capabilities'),
- run GRSecurity and the application under an account without port bind rights,
- run SELinux and take out any port listening rules,
- run anything that intercepts the application's bind() system call,
- run the application as an isolated virtualization guest.
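The "intercept the application's bind() system call" option from the list above, worked through as an added example (this is not code from the thread or from any of its posters): an LD_PRELOAD shim in C that refuses every IPv4/IPv6 bind() unless the port appears in an environment variable, and lets AF_UNIX sockets through. The file name bind_deny.c, the variable BIND_ALLOW_PORTS and the try_bind_* self-check helpers are names chosen here; the shim assumes a dynamically linked, non-setuid application on x86_64 or aarch64 Linux, where the forwarded call can go straight to the kernel through syscall(SYS_bind) instead of dlsym(RTLD_NEXT).

```c
/*
 * bind_deny.c: an LD_PRELOAD shim that refuses an application's bind()
 * requests, so it never gets a listening port. (Added example, not from the
 * thread; file name, env var and helper names are assumptions made here.)
 *
 * Build:  gcc -shared -fPIC -O2 -o bind_deny.so bind_deny.c
 * Run:    LD_PRELOAD=$PWD/bind_deny.so ./untrusted-app
 *         BIND_ALLOW_PORTS=8443 LD_PRELOAD=$PWD/bind_deny.so ./untrusted-app
 *
 * Policy: every AF_INET/AF_INET6 bind() fails with EACCES unless its port is
 * in BIND_ALLOW_PORTS (comma separated). Other families (AF_UNIX, ...) pass
 * through to the kernel via syscall(SYS_bind), so no dlsym()/libdl is needed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>

/* Host-order port of an IPv4/IPv6 address, or -1 if it is not an IP address. */
static int ip_port(const struct sockaddr *addr, socklen_t len)
{
    if (!addr)
        return -1;
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)addr)->sin_port);
    if (addr->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    return -1;
}

/* Is `port` listed in the comma-separated allowlist (e.g. "8080,8443")? */
int port_allowed(const char *list, int port)
{
    const char *p = list;
    while (p && *p) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end != p && v == port)
            return 1;
        p = strchr(end, ',');       /* advance to the next entry, if any */
        if (p)
            p++;
    }
    return 0;
}

/* 1 = refuse this bind(), 0 = let it through. */
int bind_denied(const struct sockaddr *addr, socklen_t len)
{
    int port = ip_port(addr, len);
    if (port < 0)
        return 0;                   /* not an IP socket: outside the policy */
    return !port_allowed(getenv("BIND_ALLOW_PORTS"), port);
}

/* Interposed bind(): with LD_PRELOAD the dynamic linker resolves the
 * application's bind() here instead of in libc. */
int bind(int sockfd, const struct sockaddr *addr, socklen_t len)
{
    if (bind_denied(addr, len)) {
        errno = EACCES;             /* reads like an ordinary permission error */
        return -1;
    }
    return (int)syscall(SYS_bind, sockfd, addr, len);
}

/* Self-checks (no LD_PRELOAD needed: they call the bind() defined above).
 * Each returns 0 on success, otherwise the errno the call produced. */
int try_bind_inet(const char *allowlist, int port)
{
    struct sockaddr_in sin;
    if (allowlist ? setenv("BIND_ALLOW_PORTS", allowlist, 1)
                  : unsetenv("BIND_ALLOW_PORTS"))
        return errno;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    /* fd -1 on purpose: a denied call never reaches the kernel (EACCES);
     * an allowed one does, and the kernel answers EBADF for the bad fd. */
    return bind(-1, (struct sockaddr *)&sin, sizeof sin) == 0 ? 0 : errno;
}

int try_bind_unix_abstract(const char *name)
{
    struct sockaddr_un sun;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), rc;
    if (fd < 0)
        return errno;
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;       /* sun_path[0] == '\0': abstract namespace */
    snprintf(sun.sun_path + 1, sizeof sun.sun_path - 1, "%s.%ld", name, (long)getpid());
    rc = bind(fd, (struct sockaddr *)&sun, sizeof sun) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

int main(void)
{
    printf("inet 8080, no allowlist: %s\n", strerror(try_bind_inet(NULL, 8080)));
    printf("inet 8443, allow 8443  : %s\n", strerror(try_bind_inet("8080,8443", 8443)));
    printf("unix abstract          : %s\n", strerror(try_bind_unix_abstract("bind_deny")));
    return 0;
}
```

Compiled as a normal program (gcc bind_deny.c -o selftest) it prints the three outcomes; built as a shared object and preloaded, it sits in front of libc's bind() for the untrusted binary. The caveat that matters for the OP's closed-source program: LD_PRELOAD is cooperative. A statically linked binary, one that issues raw syscalls, a setuid binary (the loader ignores LD_PRELOAD for those) or one that scrubs the environment before exec'ing a helper all slip past the shim. Treat it as a convenience for a well-behaved program and use a seccomp filter on bind(), an SELinux policy that grants no port types, or a separate network namespace (the thread's "isolated guest" option) when the control actually has to hold.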
Because it is not "open source", and I do not know what to expect.
Quote:
Originally Posted by unSpawn
Here are some weak / strong options until you explain your situation's details:
- if it's a fixed port, bind something to the port beforehand ('nc'?),
- if it's a port below 1024, run the application from an unprivileged account,
- if it's a port below 1024, take away CAP_NET_BIND ('man capabilities'),
- run GRSecurity and the application under an account without port bind rights,
- run SELinux and take out any port listening rules,
- run anything that intercepts the application's bind() system call,
- run the application as an isolated virtualization guest.
Set your default Rule/Profile in iptables INPUT to DROP, then explicitly allow in only the ones you expect.
That way, even if it (the app) binds to a port, it won't get/see any incoming connections.
Or, rather than trying to edit iptables rules himself, he could use 'ufw'. This program has a much simpler and more logical syntax, yet is flexible enough to do what he seems to want. It then edits the iptables rules for you.
One of the good decisions Canonical made was to put 'ufw' on all Ubuntu systems.
But the word 'seems' is key here: we really don't know what the OP wants, since he does not seem to understand the proper use of indefinite articles and quantifiers in English. Does he have in mind one specific application, which he does not want to allow to connect to any port? Or does he want to allow only a 'whitelist' of applications to connect to any port?
Whichever it really is, he should be able to figure out from the man page for 'ufw' how to do this -- unless he really is trying to do something impossible.
If it is impossible to completely disable port binding for SOME application, I will allow only trusted programs to go OUT.
Why "some"? Because it is not important which one; the idea was to disable it AT ALL. But it looks like it is not easy.