LinuxQuestions.org
Old 06-20-2003, 05:52 AM   #1
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
Last remaining ports to close


I've edited inetd.conf, unexecuted unnecessary files in /etc/rc.d, and turned off all processes I don't need. I've done my best to close as many ports as possible in the interests of security. I've run nmap against localhost to see what else has been left open. My results are as follows, and I've, thus far, been unable to figure out how to close them.

Code:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1598 ports scanned but not shown below are in state: closed)
Port        State    Service
111/tcp     open     sunrpc
113/tcp     open     auth
6000/tcp    open     X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
sunrpc is a NFS-related service, and I was running KDE at the time, so that explains port 6000. Any way I can stealth these ports, or close them?

Is it obvious I'm a *nix newbie yet?
 
Old 06-20-2003, 11:26 AM   #2
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 50
RPC processes are run in either /etc/rc.d/rc.nfsd, rc.yp, or rc.inet2. You can turn them off by commenting them out of the file (don't erase the lines; you may decide you need them in the future).
You can disable identd in /etc/inetd.conf and then do a "kill -HUP $PID" where $PID is the process id of inetd (DON'T just kill it; the -HUP (hang up) says keep running but reread your config file).
 
Old 06-21-2003, 03:12 AM   #3
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Original Poster
Rep: Reputation: 49
Thanks; I've done the inetd.conf "reboot" a few times so far after changes. I looked through inet2 but didn't see RPC. I'll poke around in the others. I thought I had unexec'ed nfsd, but I'll double-check (could have been on an earlier install). Any idea about the other ports?
 
Old 06-21-2003, 02:17 PM   #4
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 50
You can't turn off the X11 port if you are using X. Nobody is going to be able to do much with it anyway. If you have a router or firewall, you may be able to block incoming (non localhost) connections to the X port, but then you won't be able to run any remote X apps.
In my slack9.0 installation, the /etc/inetd.conf file contains a line that starts identd; I've commented this out and done a:
Code:
# the [i]netd pattern stops grep from matching its own "grep inetd" command line,
# so only the real inetd PID is passed to kill
kill -HUP `ps auxww | grep '[i]netd' | awk '{print $2}'`
to restart the inet server. This gets rid of the open port 113.
To figure out what is keeping port 111 open, do a:
Code:
netstat -lnp | grep 111
This gives you (in the last column) the process ID and process name that is attached to the port. Run ps auxww | grep $ID and you will find what has the port open. grep for that in /etc/rc.d/* and you will find where it was started. Edit the file and comment out the relevant lines (or chmod -x the entire file if it's safe to do so).
For example:
Code:
root@andromeda:/etc# netstat -lnp | grep 111
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      61/rpc.portmap      
udp        0      0 0.0.0.0:111             0.0.0.0:*                           61/rpc.portmap      
root@andromeda:/etc# ps auxww | grep -w 61
rpc         61  0.0  0.1  1516  540 ?        S    May15   0:00 /sbin/rpc.portmap
root@andromeda:/etc# grep "/sbin/rpc.portmap" /etc/rc.d/* 
/etc/rc.d/rc.inet2:if [ -x /sbin/rpc.portmap ]; then
/etc/rc.d/rc.inet2:  echo "Starting RPC portmapper:  /sbin/rpc.portmap"
/etc/rc.d/rc.inet2:  /sbin/rpc.portmap
root@andromeda:/etc#
So, I would edit rc.inet2 and comment out the portmapper stuff. This would probably cause problems for the nfs stuff, so I would chmod -x rc.nfsd.

Last edited by moses; 06-21-2003 at 02:20 PM.
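The port-to-startup-script lookup walked through in post #4, as an added shell example that is not from the thread. The netstat output and rc.d files are constructed samples, and the function names (listener_for, program_path, start_script_for) are mine; it also matches the port column exactly rather than grepping for a bare "111", which would pick up port 1111 or a PID containing 111.

```shell
#!/bin/sh
# Added example: automates "netstat -lnp -> PID/program -> grep /etc/rc.d".
# NETSTAT_SAMPLE is a constructed copy of what `netstat -lnp` prints on an
# old Slackware box; it is not captured from the poster's machine.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      61/rpc.portmap
tcp        0      0 0.0.0.0:1111            0.0.0.0:*               LISTEN      99/someotherd
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN      88/X
udp        0      0 0.0.0.0:111             0.0.0.0:*                           61/rpc.portmap'

# listener_for PORT [NETSTAT_TEXT]
# Prints the unique PID/Program entries whose *local* port is exactly PORT.
# The 4th column is matched against ":PORT$" so 111 does not also hit 1111.
# UDP rows have no State column, so the program is taken from the last field.
listener_for() {
    port=$1
    text=${2:-$(netstat -lnp 2>/dev/null || true)}
    printf '%s\n' "$text" \
        | awk -v p="$port" '$4 ~ (":" p "$") { print $NF }' \
        | sort -u
}

# program_path PID/PROGRAM
# Strips the PID prefix ("61/rpc.portmap" -> "rpc.portmap"). A bare "-" means
# netstat could not see the owner (usually: not run as root), so print nothing.
program_path() {
    case $1 in
        -|"") ;;
        *) printf '%s\n' "${1#*/}" ;;
    esac
}

# start_script_for PROGRAM RCDIR
# Lists the rc scripts under RCDIR that mention PROGRAM, i.e. where it is
# started at boot; those are the lines to comment out (or the file to chmod -x).
start_script_for() {
    grep -l -- "$1" "$2"/* 2>/dev/null || true
}

# Stand-alone use on a live system: ./closeports.sh 111 [/etc/rc.d]
if [ $# -ge 1 ]; then
    for entry in $(listener_for "$1"); do
        prog=$(program_path "$entry")
        [ -n "$prog" ] && start_script_for "$prog" "${2:-/etc/rc.d}"
    done
fi
```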
 
Old 06-21-2003, 03:39 PM   #5
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Original Poster
Rep: Reputation: 49
Wow, thank you very much; this was exactly the information I was looking for (and hey, I learned a few things to boot!). I wasn't terribly worried about the X11 port, just something I wanted to see if I could close; I think I'll leave it enabled so (as you said) I can run X from remote locations.

Wow, lots of useful and very helpful info there, thanks again.



Edit: I do have a question though; you said you commented out the line that starts inetd, and replaced it with a command that kills the current inetd process, right? How does inetd get started on boot if you commented out the line to start it?

Last edited by Poetics; 06-21-2003 at 03:43 PM.
 
Old 06-22-2003, 12:36 AM   #6
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 50
No, I commented out the line that starts identd; if I said inetd, I was wrong. The line in the /etc/inetd.conf is:
Code:
# auth  stream  tcp     wait    nobody  /usr/sbin/in.identd     in.identd -P/dev/null
I then restarted the inetd server with the command in post #4 above. Sorry I wasn't too clear on that. . .
 
Old 06-22-2003, 04:18 AM   #7
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Original Poster
Rep: Reputation: 49
Hmmm ... oddly enough, I had already commented out the portmap stuff, I've come to find. When I run "netstat -lnp | grep 111" the result doesn't spring out anything after the port (final column). Doing a search for the port turns out that it was called from rpc.portmap, which happened to already be commented out, as I said, in rc.inet2. I've "chmod -x"'ed rpc.portmap.

After restarting inetd, I ran another nmap and still sunrpc and auth were up and running. I'm going to try rebooting and see where that leads me. ... perfect; all the ports were closed (granted I wasn't running X at the time).

Thank you for the help, man; I'm glad to get these ports closed
 