Slackware - This Forum is for the discussion of Slackware Linux.
I gave myself a project about a week ago, and it's done. I started posting questions 2 or 3 times, but eventually figured it out. This one I am stuck on.
Background -
I had a dual PII/266, 512MB, 2x 9.1GB SCSI server sitting around. I installed Slackware 10 (full install) and, using shilo's fantastic instructions, set up an Apache webserver using a dyndns.com domain. I have cable for my internet access. I have a Linksys BEFSR41 router/switch/firewall. I currently have 3 computers hooked up to it: the server w/ Slackware 10, MY computer running Slackware 10 (primarily) & SuSE 9.1 (secondarily), and a Win98 computer the rest of the family can't live without (games for the kids).
All is well - finally, but I am uncertain about security for my computer and the win98 computer. In the router I forwarded port 80 to the IP address of the server. At work I have tested and can access the simple little index.html test page I made.
I tried going to linuxquestions.org security forum, but to be honest, it is all a bit (a lot) over my head. I have always found this slackware forum to be VERY helpful and friendly - so here I am.
My question reduced to its simplest form is: how can I test/make sure that the 2 other computers (and I guess the rest of the server) are safe/secure while still allowing access to the webserver (and soon-to-be ftp server)?
Code:
On my computer:
"nmap localhost" results in:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
37/tcp open time
113/tcp open auth
587/tcp open submission
631/tcp open ipp
6000/tcp open X11
and "nmap -sU localhost" results in:
37/udp open time
68/udp open dhcpclient
512/udp open biff
On the server:
"nmap localhost" results in:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
113/tcp open auth
587/tcp open submission
6000/tcp open X11
and "nmap -sU localhost" results in:
37/udp open time
68/udp open dhcpclient
512/udp open biff
Any thoughts, suggestions, or directions where I should check?
Did I give too much information? Not enough??
Thanks a lot in advance - tw
(edited & unrelated)
I received my Slackware 10 CDs today in the mail!!!! Wanted to help the cause.
Well, nmapping localhost will scan that system only (loopback). It also seems from what the output shows that you have many vulnerable services open. Though you only have port 80 forwarded, it would be wise to disable all unneeded services on both computers. If someone were to exploit Apache (which can be exploited), they could then scan the network for computers within the LAN; the open services just make it easier for an attacker to exploit the computer, as they raise the number of workable exploits that can be used on the system and those within the network. No network can be 100% secure; security is an ongoing process. Not to be 100% paranoia inducing, but all your computers are vulnerable (especially the Win98 PC), but as long as you practice some form of ongoing security (patches, reading bugtraq, securing running daemons, etc.), you'll at least rule out the least determined attacker from exploiting your computer.
PS:
Congratulations on your new system, and for supporting the community!
First of all, I'm glad that you found the guide useful. On to your questions...
Quote:
On my computer:
"nmap localhost" results in:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
37/tcp open time
113/tcp open auth
587/tcp open submission
631/tcp open ipp
6000/tcp open X11
and "nmap -sU localhost" results in:
37/udp open time
68/udp open dhcpclient
512/udp open biff
This is your computer that IS NOT a server. I don't know exactly what you are using the computer for, but I will guess that you can close the following ports without any trouble at all:
22/tcp open ssh --- As long as you don't want to ssh into this box
25/tcp open smtp --- Since you probably aren't running a mail server from this box
37/tcp open time --- Since you probably aren't running any time services from this box
68/udp open dhcpclient --- I believe that you can get rid of this, as your Router takes care of all things dhcp, but what do I know.
512/udp open biff --- You can ditch this if you want. It just notifies you of new mail that is coming in.
6000/tcp open X11 --- Since you probably aren't running X services remotely (I know I don't)
That leaves the following open:
113/tcp open auth --- I don't know what this is. Try closing it and see if anything breaks
587/tcp open submission --- I think this is for Samba, but I could be wrong. You can try shutting that down.
631/tcp open ipp --- I believe this is for some forms of printing. You can try shutting this down, too.
You can use this guide to figure out what you don't want running on your server, as well.
A side note: I'm not super anal when it comes to security. You can try running a port scanner from work on your home box. You will probably find that even though these ports are open on your LAN, your router/switch/firewall is blocking them from the WAN (Internet). I'm happy enough with that. Though there are exploits for Apache (and every OTHER server that you will run on your box), I am happy with the security provided by my router/switch/firewall.
Let me know if you need any help shutting some of the ports down. I will help as much as I can.
I think you are on the right track tw. I am a Slack boy too, and am waiting on my Slack 10 CDs in the mail as we speak! I have Slack 9 and 9.1 and am eager to get ahold of 10. But that is neither here nor there. I actually had a similar problem and here is what I discovered. I will tell you what each of those items are in your nmap list and help you determine if you need them.
SSH - This is Secure SHell which is the most awesome remote access service I have ever used. I wish Windoze had something this nice. I use it daily but you may not need it if you aren't doing any remote administration. It basically lets you login to the shell from anywhere.
SMTP - If you are not planning on running a mail server or a web server that needs SMTP access then you can close this port. I keep it open because a lot of my web servers have forms and the like that need to use SMTP for their various duties.
Time- You are right on the dime there, no need to use it.
Auth - This port is actually one to keep open as it authenticates for FTP, SSH, and others. Every time I turn this off, it causes FTP and SSH to flub up. I would leave it on if I were you.
Submission - I can never get this one to go away no matter what I do, but it hasn't seemed to cause any security holes, especially if it is not forwarded through the router.
IPP - Never seen this one; it may be part of the newer distro, so unfortunately my assistance is limited there.
You should be able to edit the ones I mentioned by going sudo (if not root) and editing /etc/rc.d/inetd, commenting out where those holes are located, just in case you didn't know.
As far as I can tell, you should have no prob getting on the net or getting others in from the net with those services changed. But always make a back up of the file to save yourself a headache!
tw - you may want to head over to Sygate and run their port scan. I don't have a lot of experience with your situation, but I believe that this scan would be checking the ports on your router, which in my opinion is the place to start, because if you have all the unnecessary ports closed on the router, it is that much harder for someone to get to your LAN.
nmap localhost
113/tcp open auth
6000/tcp open X11
and nmap -sU localhost
68/udp open dhcpclient
and everything still works. I need 113/tcp for the internet, I have read conflicting reports on disabling 6000/tcp, and 68/udp is dhcp bootstrap protocol client - this is the transmit port, not the listening port so it all should be OK.
I will now follow my notes and perform the same modifications on the server (leaving the ones I need for the website and ftp ON of course.)
I am not one for tight security on my computer, but opening port 80 on my router made me nervous - that's what brought all this on.
Once all is well, I will post a simple how-to on this thread - maybe it'll help someone else some day so they don't have to waste as much time as I did looking all this stuff up.
Thanks for your help everyone - and if I missed something, let me know.
Since most systems are different, here is a brief rundown of my system and setup.
I have cable access to the internet.
My cable modem is a motorola SB4101
That is connected to my Linksys BEFSR41 router w/switch & firewall
I did a clean install of Slackware 10.
When I ran nmap - here were the results:
"nmap localhost" results in:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
37/tcp open time
113/tcp open auth
587/tcp open submission
631/tcp open ipp
6000/tcp open X11
and "nmap -sU localhost" results in:
37/udp open time
68/udp open dhcpclient
512/udp open biff
We will go 1 at a time.
========================================================
22/tcp ssh - Since I am never planning on accessing my system from anywhere except
from here at my desk, I wanted this off.
You can do it manually by editing /etc/rc.d/rc.inet2
Change this:
# Start the OpenSSH SSH daemon:
if [ -x /etc/rc.d/rc.sshd ]; then
echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
/etc/rc.d/rc.sshd start
fi
to this:
# Start the OpenSSH SSH daemon:
# UNCOMMENTED BY DEFAULT ***********************************************
# if [ -x /etc/rc.d/rc.sshd ]; then
# echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
# /etc/rc.d/rc.sshd start
# fi
I made the # UNCOMMENTED BY DEFAULT **** line so it would be easier to find if I ever
need to enable it again.
OR you could simply run 'pkgtool' -> setup -> services, select services and remove the
'X' in front of rc.sshd
=========================================================
25/tcp smtp - Since my computer will not be a mail server, nor will I use 'sendmail'
I wanted this off too.
You can do it manually by editing /etc/rc.d/rc.sendmail
change this:
# Start the sendmail daemon:
if [ -x /etc/rc.d/rc.sendmail ]; then
. /etc/rc.d/rc.sendmail start
fi
to this:
# Start the sendmail daemon:
# NEXT # LINES ORIGINALLY UNCOMMENTED **************************************
# if [ -x /etc/rc.d/rc.sendmail ]; then
# . /etc/rc.d/rc.sendmail start
# fi
OR once again, you could do it automatically by running
'pkgtool' -> setup -> services, select services and remove the 'X' in front of rc.sendmail
=========================================================
37/tcp time - I do not update my computers time setting via the internet automatically, so
I wanted this off too. This will also get rid of "37/udp open time"
You can do it manually by editing /etc/inetd.conf
change this:
time stream tcp nowait root internal
time dgram udp wait root internal
to this:
# COMMENTED OUT time stream tcp nowait root internal
# COMMENTED OUT time dgram udp wait root internal
587/tcp submission - This is a port for the Message Submission protocol - it is part of
'sendmail'. By removing sendmail, this open port is also removed from the list.
631/tcp ipp - This is the Internet Printing Protocol. If you use the CUPS print server,
this port is opened.
To disable it, 'pkgtool' -> setup -> services, select services and remove
the 'X' in front of rc.cups - If you use CUPS as a print manager, keep it.
==========================================================
6000/tcp X11 - Apparently you can disable this - although I have read many conflicting reports
on the issue. I use KDM as a login manager, so I am unsure how and unable to find information
on how to close this port manually. Any help on this issue would be nice.
68/udp open dhcpclient - This I left open. 68/udp is the DHCP bootstrap protocol client - I
have yet to find good info on this. I can say that this is the transmit port, not a
listening port, so it all should be OK. At the current time I don't know how to disable it.
==========================================================
512/udp biff - Since I don't use biff, I don't need it.
You can close this port by editing our good friend /etc/inetd.conf
Change this:
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
to this:
# The comsat daemon notifies the user of new mail when biff is set to y:
# COMMENTED OUT comsat dgram udp wait root /usr/sbin/tcpd in.comsat
===========================================================
So that's it. Now, when I run nmap:
"nmap localhost" results in:
113/tcp open auth
6000/tcp open X11
and
"nmap -sU localhost" results in:
68/udp open dhcpclient
I hope this helps someone. Till my next problem and/or visit... - tw
Just a quick remark on the commenting out of rc scripts.
I find that if you admin a fairly large no. of boxes (20+) and you find that you need to activate a service that you disabled a few months ago and have since forgotten about, it is more sensible to simply change the permissions on the rc scripts, i.e. chmod 644 /etc/rc.d/rc.sshd to disable sshd, and then chmod 755 to enable it again.
It is better to keep the scripts themselves as generalised as possible so that you can scp them between machines when you break stuff.
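Putting the how-to above and the chmod remark together as an added example (this is not a script from any post in the thread): a small POSIX shell script that disables services the two ways described, against a scratch copy of the config tree so nothing on the real box is touched. The directory under $ROOT, the sample rc scripts and the sample inetd.conf contents are all constructed here for the example; the chmod 644/755 toggle is the approach from the remark above, so rc.inet2 is left unedited, and inetd entries are commented out with a backup kept first, as the how-to does.

```shell
#!/bin/sh
# Added example for this thread; not a script from the posts above.
# Everything runs against a scratch directory ($ROOT) that stands in for "/",
# so the real /etc/rc.d and /etc/inetd.conf are never touched.
set -u

ROOT="${ROOT:-$(mktemp -d)}"

# Build a constructed miniature of /etc/rc.d and /etc/inetd.conf to work on.
setup_sample_tree() {
    mkdir -p "$ROOT/etc/rc.d"
    for s in rc.sshd rc.sendmail rc.cups rc.httpd; do
        printf '#!/bin/sh\n# sample %s start script\n' "$s" > "$ROOT/etc/rc.d/$s"
        chmod 755 "$ROOT/etc/rc.d/$s"
    done
    cat > "$ROOT/etc/inetd.conf" <<'EOF'
# Sample inetd.conf, constructed for this example (not a real Slackware file)
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
auth    stream  tcp     wait    root    /usr/sbin/in.identd  in.identd
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
EOF
}

# Slackware's rc.inet2/rc.M only start rc.d scripts that are executable, so
# clearing the execute bit disables a service without editing any file.
rc_disable() { chmod 644 "$ROOT/etc/rc.d/$1"; }
rc_enable()  { chmod 755 "$ROOT/etc/rc.d/$1"; }

# Report "enabled" or "disabled" for one rc.d script.
rc_state() {
    if [ -x "$ROOT/etc/rc.d/$1" ]; then echo enabled; else echo disabled; fi
}

# Comment out every active inetd.conf entry whose service field equals $1
# (both the tcp and udp "time" lines, for instance). A .bak copy is kept first.
inetd_disable() {
    conf="$ROOT/etc/inetd.conf"
    cp "$conf" "$conf.bak"
    awk -v svc="$1" '
        $1 == svc { print "# COMMENTED OUT " $0; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Names of the services still active in inetd.conf, sorted, one per line.
inetd_active() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$ROOT/etc/inetd.conf" | sort -u
}

# Usage: harden the scratch tree the way the how-to does for the desktop box,
# keeping auth (113) and ftp, which the thread wants left running.
setup_sample_tree
for s in rc.sshd rc.sendmail rc.cups; do rc_disable "$s"; done
for s in time comsat; do inetd_disable "$s"; done
```

To use it on a real machine set ROOT=/ (and skip setup_sample_tree), then send inetd a HUP (or run /etc/rc.d/rc.inetd restart) so it re-reads inetd.conf; an rc.d script that is merely made non-executable keeps running until the next reboot or until you stop it by hand, so re-run nmap localhost afterwards to confirm the port is actually gone.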
I'm glad I helped you a bit! All the posters here are correct; since this is your personal computer, only Apache needs to run. You need no service running on any port except Apache on port 80.
Router/switch/built-in firewall protection would be sufficient in your case. Ways exist to circumvent such protections, but since this is a personal server, the potential damage inflicted to you should be only to your pride if someone (ie: common script kiddie) should decide to bypass your securities, compared to the vast financial damages inflicted upon networks.
Slack is a great distro, and Slack10 should be a great release, have fun!
Great thread! Just to toss in my two cents, you can use Shields Up from grc.com to test your firewall from the outside. My firewall script has all ports stealthed except 113, which is closed to connections. Other tests can check a Windows box as well.
(grc.com is the website of the guy (Steve Gibson) who does spinrite software for hard drives.)
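As an added example (not the poster's firewall script, which is not shown in the thread): a shell function that emits iptables rules producing the result just described, every unsolicited inbound port dropped without reply ("stealthed") except 113, which is rejected with a TCP reset so an outside scan reports it as closed, plus whichever TCP ports you choose to serve (80 for the webserver here). The interface name and the served-port list are assumptions passed as arguments, and the function only prints the commands so they can be reviewed before being fed to sh as root.

```shell
#!/bin/sh
# Added example, not a script from the thread. fw_rules prints iptables
# commands and does not run them; inspect the output, then apply as root with
#   fw_rules eth0 80 | sh
# Arguments: WAN interface name, then the TCP ports to serve (assumptions).

fw_rules() {
    wan="$1"; shift
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"     # default policy: silent drop ("stealth")
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -i $wan -p tcp --dport $p -j ACCEPT"
    done
    # identd: answer with a RST instead of dropping, so remote mail and IRC
    # servers that do an ident lookup get an immediate "closed" rather than
    # waiting for a timeout before they talk to you.
    echo "iptables -A INPUT -i $wan -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
}

# Describe how the generated rule set treats one inbound TCP port:
# "accept", "closed" (RST sent back) or "stealth" (dropped without reply).
fw_port_verdict() {
    wan="$1"; port="$2"; shift 2
    fw_rules "$wan" "$@" | awk -v port="$port" '
        $0 ~ ("--dport " port " -j ACCEPT") { print "accept"; found = 1; exit }
        $0 ~ ("--dport " port " -j REJECT") { print "closed"; found = 1; exit }
        END { if (!found) print "stealth" }
    '
}
```

Run this on the Slackware box behind the router as well, not only on the router: with the LAN-side ports the thread found open, a DROP default on the hosts is what stops a compromised webserver (or the Win98 machine) from reaching ssh, X11 or sendmail on the other computers.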