LinuxQuestions.org
Old 09-08-2010, 01:08 AM   #1
pinga123
How to block FTP and SMTP service?


Hi guys, I would like to block the FTP and SMTP services as part of Linux server hardening.

How would I do the same?
 
Old 09-08-2010, 01:12 AM   #2
jmc1987
Firewall. Depending on your firewall, the settings may differ. Then you simply open the ports you wish to allow; for example, you may want to block port 21 (FTP) but allow HTTP and HTTPS. You would open ports 80 and 443 for HTTP and HTTPS and block 21 for FTP. Then, if you wanted to be the only one able to access FTP, you would add your IP to a whitelist.
 
Old 09-08-2010, 01:27 AM   #3
pinga123
Quote:
Originally Posted by jmc1987
Firewall. Depending on your firewall, the settings may differ. Then you simply open the ports you wish to allow; for example, you may want to block port 21 (FTP) but allow HTTP and HTTPS. You would open ports 80 and 443 for HTTP and HTTPS and block 21 for FTP. Then, if you wanted to be the only one able to access FTP, you would add your IP to a whitelist.
Thanks for the useful information. My machine details are as below.

How would I make changes to the firewall?
Code:
# lsb_release -a
LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: EnterpriseEnterpriseServer
Description:    Enterprise Linux Enterprise Linux Server release 5.2 (Carthage)
Release:        5.2
Codename:       Carthage
Code:
# uname -a
Linux TomcatServer 2.6.18-92.el5 #1 SMP Fri May 23 22:17:30 EDT 2008 i686 i686 i386 GNU/Linux

Last edited by pinga123; 09-08-2010 at 02:45 AM.
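What the "open only the ports you want, whitelist the rest" advice above looks like on the EL5 box pinga123 describes, as an added example that is not from the thread: on that release the firewall is iptables, the saved policy lives in /etc/sysconfig/iptables, and `service iptables save` writes it. The script builds a default-deny INPUT policy that keeps SSH, HTTP and HTTPS open, restricts FTP (21) to one admin address and lets SMTP (25), telnet (23) and everything else fall through to DROP. The admin address 10.180.18.10 is an assumption for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables policy for the
# EL5 host above, in iptables-save(8) format so iptables-restore can load it.
# SSH, HTTP and HTTPS stay open to everyone; FTP control (21) is whitelisted
# to one admin address; SMTP (25), telnet (23) and the rest hit the DROP policy.
# The admin address 10.180.18.10 is an assumption made for this example.

ADMIN_IP=${ADMIN_IP:-10.180.18.10}

# Print the ruleset for the admin address given as $1.
gen_rules() {
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and packets belonging to connections already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services open to all
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# FTP control channel only from the admin workstation; the data connections
# are matched as RELATED once ip_conntrack_ftp is loaded (see apply_rules)
-A INPUT -p tcp --dport 21 -s ${admin}/32 -j ACCEPT
# log what is about to be dropped (rate limited), then the chain policy applies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Report how the generated policy treats an inbound TCP port:
# "open", "restricted:<source>" or "dropped" (the INPUT chain policy).
port_policy() {
    port=$1
    line=$(gen_rules "$ADMIN_IP" | grep -- "--dport $port " | head -n 1)
    case "$line" in
        *" -s "*) src=${line#* -s }; echo "restricted:${src%% *}" ;;
        *ACCEPT*) echo open ;;
        *)        echo dropped ;;
    esac
}

# Load and persist the policy. Root only, and never run implicitly.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    modprobe ip_conntrack_ftp              # FTP data-channel tracking (2.6.18 module name)
    gen_rules "$ADMIN_IP" | iptables-restore
    service iptables save                  # writes /etc/sysconfig/iptables on EL5
    chkconfig iptables on                  # reload the saved rules at boot
}

# Print the policy and a per-port summary; "apply" as first argument loads it.
gen_rules "$ADMIN_IP"
for p in 21 22 23 25 80 443; do
    printf 'port %s: %s\n' "$p" "$(port_policy "$p")"
done
if [ "$1" = apply ]; then
    apply_rules
fi
```

Run it without arguments to review the ruleset, then `sh fw.sh apply` as root to load it. `service iptables save` replaces whatever /etc/sysconfig/iptables held before, so look at the existing file first, and keep a console open while testing a policy whose INPUT default is DROP. Afterwards check with `iptables -L -n -v` on the host and, as suggested later in this thread, with nmap from another machine.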
 
Old 09-08-2010, 02:44 AM   #4
pinga123
I would also like to know if I can disable the service instead of blocking the port.

I'm referring to the following link, which explains how to disable the service.
http://www.governmentsecurity.org/fo...showtopic=1695
Quote:
1. To disable Telnet, you must edit the /etc/xinetd.d/telnet file. Open the Telnet file, using vi or an editor of your choice.
2. Comment out the service telnet line by adding a number sign (#) before service telnet: #service telnet
3. Write and quit the file.
I'm not able to find the telnet file under /etc/xinetd.d/

Last edited by pinga123; 09-08-2010 at 02:47 AM.
 
Old 09-08-2010, 02:55 AM   #5
sem007
Quote:
Originally Posted by pinga123
I would also like to know if I can disable the service instead of blocking the port.

I'm referring to the following link, which explains how to disable the service.
http://www.governmentsecurity.org/fo...showtopic=1695


I'm not able to find the telnet file under /etc/xinetd.d/
Transient services are managed by the xinetd daemon, and the configuration of these services is located under the /etc/xinetd.d/ directory.

In RedHat/CentOS 4 and 5 the telnet service name is krb5-telnet.

Code:
[root@localhost xinetd.d]# ls | grep telnet
ekrb5-telnet
krb5-telnet
You can also use TCP wrappers to control service access.
The TCP wrappers files are

Code:
/etc/hosts.allow
/etc/hosts.deny
HTH
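The decision tcpd/libwrap makes from the two files just named, re-implemented as an added example (not part of the post) so the rule order is visible: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. Only a subset of hosts_access(5) is covered (ALL, a trailing-dot network prefix, exact names). The file contents, the addresses and the function names are constructed for this example; the daemon names are the basenames of the Kerberized servers that the xinetd files on this system start.

```shell
#!/bin/sh
# Added example (not from the thread): the access decision libwrap makes from
# /etc/hosts.allow and /etc/hosts.deny, for a subset of hosts_access(5).
# Order: a hosts.allow match grants, then a hosts.deny match refuses, then allow.

# Constructed contents: only the admin workstation may reach the Kerberized
# ftpd/telnetd, the local subnet may reach sshd, nobody else gets anything.
HOSTS_ALLOW='
ftpd, telnetd : 10.180.18.10
sshd          : 10.180.18.
'
HOSTS_DENY='
ALL : ALL
'

# Does one list token match NAME? Supports ALL, a trailing-dot network prefix
# such as 10.180.18., and exact names. EXCEPT, netmasks and hostname lookups
# from hosts_access(5) are left out.
pattern_matches() {
    pat=$1; name=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$name" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

# Does any token of a comma/space separated LIST match NAME?
list_matches() {
    list=$1; name=$2
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        pattern_matches "$tok" "$name" && return 0
    done
    return 1
}

# Does any "daemon_list : client_list [: options]" line in RULES match
# DAEMON and CLIENT? Comments are stripped first.
rules_match() {
    rules=$1; daemon=$2; client=$3
    hit=$(printf '%s\n' "$rules" | sed 's/#.*//' |
        while IFS=: read -r dlist clist _opts; do
            if list_matches "$dlist" "$daemon" && list_matches "$clist" "$client"; then
                echo hit; break
            fi
        done)
    [ "$hit" = hit ]
}

# The libwrap verdict for DAEMON (basename of the server binary) and CLIENT.
hosts_access() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

for probe in "ftpd 10.180.18.10" "ftpd 10.180.19.5" "sshd 10.180.18.55" "sshd 192.0.2.9"; do
    set -- $probe
    printf '%-8s from %-14s -> %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
```

The tcp_wrappers package ships `tcpdmatch` (for example `tcpdmatch ftpd 10.180.19.5`), which runs the same check against the live files, so use that on a real host. Two caveats a newcomer trips over: the daemon name is the basename of the server binary as xinetd starts it (telnetd here, not in.telnetd), and the files only take effect for services started through xinetd or linked against libwrap (sshd on EL5 is); a daemon that is not wrapped ignores them, which is why a firewall rule, or simply stopping the service, is still needed.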
 
Old 09-08-2010, 04:09 AM   #6
pinga123
Quote:
Transient services are managed by the xinetd daemon, and the configuration of these services is located under the /etc/xinetd.d/ directory.

In RedHat/CentOS 4 and 5 the telnet service name is krb5-telnet.

Code:
[root@localhost xinetd.d]# ls | grep telnet
ekrb5-telnet
krb5-telnet
I think this service is disabled by default.
Code:
# cat krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = yes
}


You can also use TCP wrappers to control service access.
The TCP wrappers files are

Code:
/etc/hosts.allow
/etc/hosts.deny
HTH

I have used TCP wrapper files to disable communication between the server and other machines. I didn't know they could be used for blocking services as well.
 
Old 09-08-2010, 04:15 AM   #7
sem007
Quote:
I have used TCP wrapper files to disable communication between the server and other machines. I didn't know they could be used for blocking services as well.
TCP wrappers are used to allow or deny a service.

If you want to disable System V services, stopping the service is the best way to disable it.
 
Old 09-08-2010, 06:27 AM   #8
suprstar
chkconfig vsftpd off
service vsftpd stop

chkconfig sendmail off
service sendmail stop

repeat for any services you want to shut off and STAY off.
 
Old 09-08-2010, 06:37 AM   #9
jmc1987
Just to add to the above post, you can add the --level option to set it to start or stop on specific runlevels:

chkconfig --level 235 vsftpd off

something like that
 
Old 09-09-2010, 01:06 AM   #10
pinga123
This is what I have done for disabling FTP and Telnet sessions.

Request you to correct me if I'm wrong.

Enable FTP Service:

To check whether FTP is running or not:
This can be done by logging into the server or any other machine connected to the server. All you need to do is type a command called
ftp
Example:
If 10.180.18.222 is my server's IP address.

Code:
# ftp 10.180.18.222
ftp: connect: Connection refused
ftp>
The above output shows that FTP is not enabled on my server.

To enable FTP you need to edit the gssftp file under the
/etc/xinetd.d directory.

You should modify the disable parameter to no.

Code:
# cat gssftp
# default: off
# description: The kerberized FTP server accepts FTP connections \
#              that can be authenticated with Kerberos 5.
service ftp
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/ftpd
        server_args     = -l -a
        log_on_failure  += USERID
        disable         = no
}
Once you have modified the file you should restart xinetd.
Code:
#/etc/rc.d/init.d/xinetd restart

To check if FTP is running or not:
Code:
# ftp 10.180.18.222
Connected to 10.180.18.222.
220 TomcatServer FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (10.180.18.222:root):

The above output shows that you are now able to use FTP.


Disable Telnet:

Telnet is a service with which we can communicate remotely with a server. However, SSH is a more secure alternative to it. Therefore we should disable this service by default.

Here is what you need to do if you are using RedHat/CentOS 4 or 5.

This service is usually named krb5-telnet.
You just need to edit the file /etc/xinetd.d/krb5-telnet.
The following is the content of the file where telnet is disabled.
Code:
# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = yes
}
Just restart the xinetd service.
Code:
#/etc/rc.d/init.d/xinetd restart
Telnet should be disabled now.
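The edit-the-xinetd-file procedure from the post above, scripted as an added example that is not pinga123's own code: it audits every file in the xinetd directory and turns a service off the same way (disable = yes). The state checked is the disable attribute, not the "# default: off" comment, which only chkconfig reads; xinetd treats a missing disable attribute as enabled, so a file without one is flipped by adding the line. By default the script works on copies of the two files from this thread in a temporary directory; the XINETD_DIR variable, the sample copies and the function names are this example's assumptions. Run it as root with XINETD_DIR=/etc/xinetd.d to act on the real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/xinetd.d service files and
# switch services off the way the post above does by hand. Works on copies in
# a temp directory unless XINETD_DIR is set (XINETD_DIR=/etc/xinetd.d as root).

if [ -z "$XINETD_DIR" ]; then
    XINETD_DIR=$(mktemp -d)
    # constructed copy of the gssftp entry as the post left it: switched on
    cat > "$XINETD_DIR/gssftp" <<'EOF'
# default: off
# description: The kerberized FTP server accepts FTP connections \
#              that can be authenticated with Kerberos 5.
service ftp
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/ftpd
        server_args     = -l -a
        log_on_failure  += USERID
        disable         = no
}
EOF
    # constructed copy of the krb5-telnet entry, already off
    cat > "$XINETD_DIR/krb5-telnet" <<'EOF'
# default: off
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF
fi

# "disabled" only when the file says disable = yes; anything else, including a
# missing attribute, is "enabled" (the "# default:" comment is not consulted).
xinetd_state() {
    if grep -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# Switch the service in FILE off: flip an existing "disable = no", or add the
# attribute before the closing brace if the file never had one.
xinetd_disable() {
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$1"; then
        sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' "$1"
    else
        sed -i '/^}/i\
\        disable         = yes' "$1"
    fi
}

# One line per service file; return 1 if any service is still enabled.
audit_xinetd() {
    rc=0
    for f in "$XINETD_DIR"/*; do
        st=$(xinetd_state "$f")
        printf '%-16s %s\n' "$(basename "$f")" "$st"
        [ "$st" = enabled ] && rc=1
    done
    return $rc
}

# Usage: sh xinetd-audit.sh        (report only)
#        sh xinetd-audit.sh fix    (disable everything, then restart xinetd)
if [ "$1" = fix ]; then
    for f in "$XINETD_DIR"/*; do xinetd_disable "$f"; done
    [ "$XINETD_DIR" = /etc/xinetd.d ] && /etc/rc.d/init.d/xinetd restart
fi
audit_xinetd || echo "xinetd still offers a service; rerun with 'fix' to turn it off"
```

The file on disk is not the state in memory until xinetd rereads it, which is why the post restarts xinetd (`service xinetd reload` also works). `chkconfig gssftp off` edits the same attribute and signals xinetd for you, which is the reason the next replies prefer chkconfig for day-to-day use.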
 
Old 09-09-2010, 01:08 AM   #11
pinga123
Now I'm confused about which method to follow:
TCP wrapper files
the chkconfig method
or
/etc/xinetd.d.
Please suggest.
 
Old 09-09-2010, 01:12 AM   #12
Tinkster
Go with the chkconfig method. Easier maintenance in the long run.
 
Old 09-09-2010, 01:13 AM   #13
14moose
Firewall - your first line of defense. Do it.

Disable any unused services - your second line of defense. Do it, too.

Vigilance - keep an eye on your logs and keep up to date with patches. Perhaps install an IDS (Intrusion Detection Software) and periodically run "nmap" (verify the ports you *think* you closed are in *fact* closed).

Security is an ongoing process.

IMHO ..
 
Old 09-09-2010, 02:43 AM   #14
sem007
Quote:
Originally Posted by pinga123
Now I'm confused about which method to follow:
TCP wrapper files
the chkconfig method
or
/etc/xinetd.d.
Please suggest.
If your service is running and you want to deny/allow a particular IP or subnet, then TCP wrapper files or iptables (firewall) are used.

The chkconfig command is used to start or stop a service at boot time.

Transient service scripts (/etc/xinetd.d/*) are used to enable/disable services (you can also set some advanced parameters like only_from and max connections per IP).

It depends on you which method you have to follow.

HTH
 
Old 09-09-2010, 07:16 AM   #15
suprstar
Quote:
Originally Posted by suprstar View Post
chkconfig vsftpd off
service vsftpd stop

chkconfig sendmail off
service sendmail stop

repeat for any services you want to shut off and STAY off.
Do this if you don't want the service running at all, for anyone, ever. That's what you said you wanted, and that's the safest thing of all anyway: if there's nothing to connect to, then it doesn't matter if you block the port, limit subnets, IPs, connections, etc.

chkconfig sendmail off

sets your server so that the service doesn't start at boot.

service sendmail stop

kills the service if it's running right now. That's the answer. All the rest of this talk about xinetd, hosts.[allow|deny], firewalls, TCP wrappers, etc. is about configuring and controlling access to a running service.
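A host-side check that the chkconfig/service method (post #8) actually took, complementing the external nmap run suggested in post #13, as an added example that is not from the thread. It reads two sources: `chkconfig --list` (SysV runlevels plus the xinetd section) to see what comes back at boot, and `netstat -tlnp` to see what is listening right now, and it only counts a listener as exposed when it is bound to something other than loopback. The two sample outputs, the watch lists and the function names are constructed for the example; with LIVE=1 the real commands are run instead (netstat fills in the PID/Program column only as root).

```shell
#!/bin/sh
# Added example (not from the thread): verify that FTP, telnet and SMTP are
# off, from the host's own view. Constructed sample outputs are used unless
# LIVE=1, in which case chkconfig --list and netstat -tlnp are run (as root).

WATCH_SERVICES="vsftpd sendmail gssftp krb5-telnet"
WATCH_PORTS="21 23 25"

# constructed: what chkconfig --list prints for a partly hardened EL5 box
SAMPLE_CHKCONFIG='sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        gssftp:         on
        krb5-telnet:    off'

# constructed: netstat -tlnp on the same box (sendmail on loopback only,
# xinetd still offering gssftp on 21 to the world)
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2210/sendmail
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2090/sshd
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2150/xinetd
tcp        0      0 :::8080                     :::*                        LISTEN      2300/java'

# From chkconfig --list on stdin: SysV services on at runlevel 3 or 5, plus
# xinetd services marked "on". One name per line.
enabled_services() {
    awk '
        /^[A-Za-z0-9._-]+[ \t]+0:/ { if ($0 ~ /[ \t][35]:on/) print $1; next }
        /^[ \t]+[A-Za-z0-9._-]+:[ \t]+on$/ { sub(/:$/, "", $1); print $1 }
    '
}

# From netstat -tlnp on stdin: listeners on WATCH_PORTS bound to anything but
# loopback, as "port pid/program". A daemon bound to 127.0.0.1 (the EL5
# sendmail default) is invisible to a remote nmap, so it is skipped here; it
# still shows up in the boot-time check above.
exposed_listeners() {
    awk -v ports="$WATCH_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "::1") next
            print port, $7
        }
    '
}

# Overall verdict: 0 when nothing watched is enabled at boot or exposed.
verify_hardening() {
    if [ "${LIVE:-0}" = 1 ]; then
        svc=$(chkconfig --list | enabled_services)
        lst=$(netstat -tlnp 2>/dev/null | exposed_listeners)
    else
        svc=$(printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_services)
        lst=$(printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners)
    fi
    rc=0
    for s in $WATCH_SERVICES; do
        case " $(printf '%s' "$svc" | tr '\n' ' ') " in
            *" $s "*) echo "enabled at boot: $s"; rc=1 ;;
        esac
    done
    if [ -n "$lst" ]; then
        printf '%s\n' "$lst" | while read -r port prog; do
            echo "exposed listener on tcp/$port ($prog)"
        done
        rc=1
    fi
    return $rc
}

verify_hardening && echo "ok: nothing watched is enabled or exposed"
```

On the sample data the script reports sendmail and gssftp as enabled at boot and port 21 as exposed, and says nothing about port 25: the loopback-only sendmail is exactly the case where an external nmap shows SMTP closed while chkconfig still lists the service, so the two checks answer different questions and both are worth running after `chkconfig ... off` and `service ... stop`.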
 