Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've edited inetd.conf, unexecuted unnecessary files in /etc/rc.d, and turned off all processes I don't need. I've done my best to close as many ports as possible in the interests of security. I've run nmap against localhost to see what else has been left open. My results are as follows, and I've, thus far, been unable to figure out how to close them.
Code:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
111/tcp    open        sunrpc
113/tcp    open        auth
6000/tcp   open        X11
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
sunrpc is a NFS-related service, and I was running KDE at the time, so that explains port 6000. Any way I can stealth these ports, or close them?
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
RPC processes are run from either /etc/rc.d/rc.nfsd, rc.yp, or rc.inet2. You can turn them off by commenting them out of the file (don't erase the lines; you may decide you need them in the future).
You can disable identd in /etc/inetd.conf and then do a "kill -HUP $PID" where $PID is the process id of inetd (DON'T just kill it; the -HUP (hang up) says keep running but reread your config file).
Thanks; I've done the inetd.conf "reboot" a few times so far after changes. I looked through inet2 but didn't see RPC. I'll poke around in the others. I thought I had unexec'ed nfsd, but I'll double-check (could have been on an earlier install). Any idea about the other ports?
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
You can't turn off the X11 port if you are using X. Nobody is going to be able to do much with it anyway. If you have a router or firewall, you may be able to block incoming (non localhost) connections to the X port, but then you won't be able to run any remote X apps.
In my slack9.0 installation, the /etc/inetd.conf file contains a line that starts identd, I've commented this out and done a:
to restart the inet server. This gets rid of the open port 113.
To figure out what is keeping port 111 open, do a:
Code:
netstat -lnp | grep 111
This gives you (in the last column) the process ID and process name that is attached to the port. Run ps auxww | grep $ID and you will find what has the port open. grep for that in /etc/rc.d/* and you will find where it was started. Edit the file and comment out the relevant lines (or chmod -x the entire file if it's safe to do so).
For example:
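The two-step procedure described in the reply above (read the PID/program name out of netstat -lnp for a given port, then grep /etc/rc.d for the program to find where it is started) as an added, self-contained shell example. It is not code from the original thread; the netstat output and the stand-in rc.d directory are constructed here so it runs offline, and the function names port_owner, start_script_for and make_fake_rcd are this example's own. It also handles the case from later in the thread where the last column shows nothing useful: netstat prints "-" in the PID/Program name column when it is not run as root, so the port can look ownerless.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed sample of `netstat -lnp` output; port 6000 shows "-" in the
# PID/Program name column, which is what netstat prints for sockets it cannot
# attribute when run without root privileges.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      312/rpc.portmap
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      401/inetd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           312/rpc.portmap'

# port_owner PORT [NETSTAT_OUTPUT]
# Prints "PID PROGRAM" for every listening socket bound to PORT, de-duplicated
# (a daemon such as portmap usually holds both tcp and udp). Prints
# "unknown (run as root)" when netstat could not attribute the socket.
# Defaults to the constructed sample; pass "$(netstat -lnp 2>/dev/null)" as
# the second argument on a real box.
port_owner() {
    port=$1
    input=${2:-$SAMPLE_NETSTAT}
    printf '%s\n' "$input" | awk -v port="$port" '
        $1 ~ /^(tcp|udp)/ {
            # Local Address is field 4; the port is whatever follows the last ":"
            n = split($4, a, ":")
            if (a[n] != port) next
            # PID/Program name is always the last field, whether or not a
            # State column is present (udp lines have none).
            if ($NF == "-") { print "unknown (run as root)"; next }
            split($NF, p, "/")
            print p[1], p[2]
        }' | sort -u
}

# start_script_for PROGRAM DIR
# Lists the files under DIR (on Slackware, /etc/rc.d) that mention PROGRAM,
# i.e. the boot scripts that launch it. Comment the line out there, or
# chmod -x the whole script if nothing else in it is needed.
start_script_for() {
    grep -ls -- "$1" "$2"/* 2>/dev/null
}

# Constructed stand-in for /etc/rc.d so the example never touches the real
# system; returns the temporary directory path.
make_fake_rcd() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\n/sbin/rpc.portmap\n/usr/sbin/inetd\n' > "$dir/rc.inet2"
    printf '#!/bin/sh\n/usr/sbin/rpc.nfsd\n' > "$dir/rc.nfsd"
    echo "$dir"
}

# Demo run against the constructed data.
rcd=$(make_fake_rcd)
for p in 111 113 6000; do
    printf 'port %s -> %s\n' "$p" "$(port_owner "$p")"
done
printf 'rpc.portmap started from: %s\n' "$(start_script_for rpc.portmap "$rcd")"
rm -rf "$rcd"
```

Note that `kill -HUP` on inetd only makes inetd reread inetd.conf; it stops services inetd spawns (identd on 113) but has no effect on standalone daemons such as rpc.portmap, which is why port 111 can stay open until that daemon itself is stopped or the machine is rebooted with its start line commented out.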
Wow, thank you very much; this was exactly the information I was looking for (and hey, I learned a few things to boot!). I wasn't terribly worried about the X11 port, just something I wanted to see if I could close; I think I'll leave it enabled so (as you said) I can run X from remote locations.
Wow, lots of useful and very helpful info there, thanks again.
Edit: I do have a question though; you said you commented out the line that starts inetd, and replaced it with a command that kills the current inetd process, right? How does inetd get started on boot if you commented out the line to start it?
Hmmm ... oddly enough, I had already commented out the portmap stuff, I've come to find. When I run "netstat -lnp | grep 111" the result doesn't spring out anything after the port (final column). Doing a search for the port turns out that it was called from rpc.portmap, which happened to already be commented out, as I said, in rc.inet2. I've "chmod -x"'ed rpc.portmap.
After restarting inetd, I ran another nmap and still sunrpc and auth were up and running. I'm going to try rebooting and see where that leads me. ... perfect; all the ports were closed (granted I wasn't running X at the time).
Thank you for the help, man; I'm glad to get these ports closed.