LinuxQuestions.org
04-21-2016, 05:36 PM   #1
nix84
Member
Registered: Apr 2014
Posts: 276

wifi protection

Flirting with developing a filter to find listening ports to be closed on a desktop.
Two problems:
1) all the experts simply seem to advise to close unnecessary ports. But, no one seems to bother to make rules of thumb as to what might not be critical.
I need some advice on this.
2) If I see a Listening port open it is likely that if it is to be used by a hacker it will be ESTABLISHED by the time I make another pass looking for that port. I could look for the port but this seems to me to be extremely circuitous as there could be valid reasons for it to be established.
Is there a direct way with "netstat" to run it so as to determine who has what and when? Yes, I could build a table of IPs and MACs per port and validate against it even if established. Is this the method that is commonly used?
 
04-22-2016, 02:25 PM   #2
rtmistler
Moderator
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,882
Blog Entries: 13

Not a security expert by any means, but I've seen lots of advice for configuring routers, etc., and the advice was to turn it all off and then turn on stuff incrementally as you determine that you need it. This way, you don't have to guess, except when considering enabling a port and then questioning why you would need to enable that particular port.
 
04-24-2016, 06:18 PM   #3
nix84
Member
Registered: Apr 2014
Posts: 276

Original Poster
wifi protection

@rtmistler: Hey TNX U R on the way to getting a handle on networking.
We agree on my point 1).
Still looking for some info on cycling times etc. Like if I see a listening port with a wild card on pass 1 then see an IP on pass 2 am I too late to close a port which was intentionally left open?
Example port 53 (DNS official port) is open and looks to me like it should be left that way. Someone could jump on it between passes of 3-4 sec and plant tulips in that much time. How can one know when to leave it open and for what? My list of port names and purposes does not cover the detail needed to know what I might need 53 for.

Does anyone know if it is at all possible for someone probing over the net to gain access to listening ports of the DOMAIN type? I know the INTERNET type definitely are.
Also if the connection is "established" can the service be terminated instantly?
 
04-25-2016, 06:36 AM   #4
rtmistler
Moderator
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,882
Blog Entries: 13

No idea what you're talking about with that whole pass 1 pass 2 stuff. A protocol port is either open or closed. For a well known port number to be used for different means than the defined protocol type it was selected for, both ends of the connection must agree that the port is being re-used for a custom protocol type. Then all the best you can do is sniff that traffic and determine that it's not matching the protocol type it originally required.

Encrypt your WIFI for starters and then anyone invading cannot use it in the first place.

Use MAC security to ensure that known MAC addresses are using the router. Yes, someone who knows one of the valid addresses can then still get in, but you should not be giving those addresses out. Same for the WIFI keys, you don't give those freely out. The more difficult you make it for starters, the better off you'll be.

This might be better off in the Linux Security forum. If you'd like to request it being moved, then click REPORT on one of the posts and just ask if the thread could be moved to that forum. It might get someone's attention who is a bit more focused on network security. Although this current forum is also a pretty good choice.
 
04-25-2016, 06:52 AM   #5
bluesclues227
LQ Newbie
Registered: Apr 2016
Posts: 25

Not sure if this will help, but maybe these commands may help you make some decisions.

apt-cache depends NameOfProgram (shows what depends on that program to run)
apt-cache rdepends NameOfProgram (shows what THAT program depends on to run)
apt-cache unmet (shows dependencies you don't have which can be useful for resolving issues like understanding why a program isn't working)

Also look into hosting services in a VM to keep ports off your physical machine.
 
04-25-2016, 10:59 PM   #6
JJJCR
Senior Member
Registered: Apr 2010
Posts: 2,149

Just my 2 cents: also close unnecessary services that are not being used.

Even if the port is open, if there is no service listening on the particular port and there is an attempt to connect to it, the connection will be closed since there is no service to accept the connection.

I think SELinux, if configured properly, will accomplish what you're trying to do.

Search the web about SELinux.

Last edited by JJJCR; 04-25-2016 at 11:00 PM. Reason: edit
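
Added example, not part of any post in this thread: one way to build the table of expected ports that post #1 asks about, following the turn-it-off-then-enable approach from post #2. It parses `netstat -tuln` output (the sample below is constructed, and the allowlist is a hypothetical choice) and reports listeners bound to a non-loopback address that are not on the allowlist.

```python
# Constructed sample of `netstat -tuln` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

# Hypothetical allowlist: the (proto, port) pairs this desktop is meant to expose.
ALLOWED = {("tcp", 22), ("udp", 68)}

def parse_listeners(text):
    """Yield (proto, address, port) for TCP LISTEN rows and bound UDP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # headers and the UNIX domain socket section are skipped
        if f[0].startswith("tcp") and "LISTEN" not in f:
            continue  # ESTABLISHED etc. are connections, not listeners
        addr, _, port = f[3].rpartition(":")
        yield f[0].rstrip("6"), addr, int(port)

def is_loopback(addr):
    """True when only processes on this machine can connect to the address."""
    return addr.startswith("127.") or addr == "::1"

def audit(text, allowed=ALLOWED):
    """Return sorted (proto, port) pairs reachable from the network but not allowlisted."""
    findings = set()
    for proto, addr, port in parse_listeners(text):
        if is_loopback(addr):
            continue  # e.g. the local DNS cache on 127.0.1.1:53
        if (proto, port) not in allowed:
            findings.add((proto, port))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port in audit(SAMPLE):
        print(f"unexpected listener reachable from the network: {proto}/{port}")
```

To audit a live machine, pass the output of `netstat -tuln` to `audit()` in place of `SAMPLE`.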
 
  

