LinuxQuestions.org
Old 10-04-2012, 10:36 AM   #1
SinclairJ
LQ Newbie
 
Registered: Oct 2012
Posts: 6

Rep: Reputation: Disabled
How to disable particular port on centos


I want to disable a specific port on a CentOS-based server.
I have already tried disabling the port from CSF and iptables by adding a drop rule, but it does not work for me. Does anyone know another way, or the exact process, in case I did it the wrong way?

Thanks in advance.
Sinclair J

Last edited by colucix; 10-05-2012 at 12:42 PM. Reason: removed unrelated link
 
Old 10-04-2012, 12:51 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,075
Blog Entries: 14

Rep: Reputation: 1251
Dropping traffic and disabling a port aren't the same thing.

What port?

Is this inbound to your machine? Outbound from it?

Why are you trying to "disable" it?

If you run "lsof -i :<port>" for the port in question do you see anything on it?

What exactly do you have in your iptables configuration (the entire config, not just the line you think should have fixed it; the location in the rules makes a difference)?

If you have a service listening on a given port, rather than creating rules to drop traffic to it, it would make more sense simply NOT to start that service.

What version of CentOS (cat /etc/issue)?

If you tell us the answer to the above questions we may be able to give you better answers.
 
Old 10-04-2012, 01:06 PM   #3
SinclairJ
LQ Newbie
 
Registered: Oct 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for reply,

centos version is
cat /etc/redhat-release
CentOS release 6.3 (Final)


I want to disable port 2086, so no one can access my WHM panel through an insecure connection.

Code:
lsof -i :2086
COMMAND     PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
cpsrvd-do 24115 root    4u  IPv4 740338056      0t0  TCP *:2086 (LISTEN)


Regards,
Sinclair J.
 
Old 10-04-2012, 01:42 PM   #4
rosehosting.com
Member
 
Registered: Jun 2012
Location: Missouri, USA
Posts: 223

Rep: Reputation: 62
hi,

Port 2086 does not use SSL, but you can force your users to use a secure connection by selecting 'Always redirect to SSL' under 'Tweak Settings' in your WHM at https://your-domain.tld:2087.

Hope that's what you wanted to achieve.
 
1 members found this post helpful.
Old 10-04-2012, 03:01 PM   #5
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,075
Blog Entries: 14

Rep: Reputation: 1251
So you didn't post your iptables setup.

If you run "service iptables status" what does it show?

Essentially, if you have iptables turned on and have NOT opened a given port, it is by default closed to anything other than "localhost". That is because by default both the INPUT and FORWARD chains reject everything as the last rule, and you have to insert rules to open things:

Code:
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:5432
6    ACCEPT     tcp  --  192.168.1.1          0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:5666
7    ACCEPT     tcp  --  192.168.1.5          0.0.0.0/0           state NEW,ESTABLISHED tcp dpts:666
8    ACCEPT     tcp  --  192.168.1.7          0.0.0.0/0           state NEW,ESTABLISHED tcp dpts:667
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:13724
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:1311
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:13782
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:1556
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED tcp dpt:5433
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
The above ruleset specifically allows certain IPs to reach certain ports and allows everyone to reach others (e.g. port 22), but any port NOT allowed before the REJECT line will not be accessible, because that rule says to reject everything. Also, as an alternative to rejecting the port completely, you can do as is seen for port 5666, for example, and allow only one IP to reach it; all other IPs would get rejected. You can also set restrictions to certain networks/subnets.

Rose's idea may be a better one for what you want to achieve. I've not done this in a WHM/Cpanel setup.
 
Old 10-05-2012, 05:55 AM   #6
SinclairJ
LQ Newbie
 
Registered: Oct 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks again,

I tried to reject port 2086 for all IPs and added these rules:

Code:
DROP    tcp  --  default   anywhere   tcp dpt:2086
DROP    tcp  --  default   anywhere   tcp dpt:2086
DROP    tcp  --  anywhere  anywhere   tcp dpt:2086
DROP    udp  --  anywhere  anywhere   udp dpt:2086
REJECT  tcp  --  anywhere  anywhere   tcp dpt:2086 reject-with icmp-port-unreachable
REJECT  udp  --  anywhere  anywhere   udp dpt:2086 reject-with icmp-port-unreachable

But the WHM page is still accessible. So what should I do to get this right?

Regards,
Sinclair J.
 
Old 10-05-2012, 10:21 AM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,075
Blog Entries: 14

Rep: Reputation: 1251
Again, please post your ENTIRE iptables output. The location of the rules makes a difference, and simply showing us a subset means we can't determine if you have placed them properly.

Also, you shouldn't need both "DROP" and "REJECT" for the same port. You can combine udp/tcp into one by using "all" rather than specifying "tcp" and "udp" on separate lines.

Also did you try what Rose wrote?
 
Old 10-05-2012, 10:30 AM   #8
henrycoffin
Member
 
Registered: Dec 2006
Distribution: RHEL Debian
Posts: 42

Rep: Reputation: 15
Where have you added those iptables rules? Have you reloaded iptables once the rules have been added?

The easiest way would be to run something like

Code:
# iptables -I INPUT 'line number you want to insert the rule' -p tcp --dport 2086 -j REJECT

Do the same for UDP and then run "service iptables save" to save across reboots!
 
Old 10-05-2012, 10:48 AM   #9
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,075
Blog Entries: 14

Rep: Reputation: 1251
Quote:
Originally Posted by henrycoffin View Post
# iptables -I INPUT 'line number you want to insert the rule' -p tcp --dport 2086 -j REJECT
The insert is a good way to do things, but "line number you want to insert" is very important. Typically you have to determine the number of lines in the specific chain (e.g. the INPUT chain), then insert no less than TWO lines above the last line there for proper placement.

Since the OP isn't letting us know his full setup, it's difficult to say where he has the rules.

Also, we haven't talked about ip6tables; it is barely possible he has IPv6 accessibility and is somehow tripping on that.
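Added example (not posted by anyone in this thread): the advice in posts #5, #8 and #9 comes down to rule order, and the script below makes that check mechanical. It parses the rule-spec output of `iptables -S INPUT` (unlike `iptables -L`, that form shows matches such as `-i lo`), reports ACCEPT rules that would still admit the port, reports rules sitting below the terminal catch-all REJECT (which are never reached, the OP's situation), and prints the `iptables -I INPUT N ...` commands at the computed position instead of the "two lines above the last" rule of thumb. The ruleset embedded below is constructed for the example, modelled on the default CentOS 6 ruleset quoted in post #5; `-s` source restrictions are deliberately not modelled, and for IPv6 you would feed it `ip6tables -S INPUT` with `tool="ip6tables"`.

```python
"""Plan where a REJECT for a port must go in an iptables chain.

Reads `iptables -S <chain>` output and reports shadowing ACCEPTs, dead
rules below the catch-all, and the insert position for the block rule.
The sample ruleset is constructed for this example (CentOS 6 style).
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: ACCEPT for 2086 at rule 5, catch-all REJECT at 7,
# and the poster's REJECT rules appended at 8-9, i.e. below the catch-all.
SAMPLE_BROKEN = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 2086 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 2086 -j REJECT --reject-with icmp-port-unreachable
"""


@dataclass
class Rule:
    num: int                      # 1-based, same numbering as --line-numbers
    target: str = ""
    proto: Optional[str] = None
    dports: List[str] = field(default_factory=list)   # "2086" or "6000:6010"
    in_iface: Optional[str] = None
    states: Optional[List[str]] = None
    raw: str = ""


def parse_rules(text: str) -> List[Rule]:
    """Parse `iptables -S` rule-spec lines; -P policy lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        r = Rule(num=len(rules) + 1, raw=line)
        i = 2                                     # skip "-A <chain>"
        while i < len(toks):
            t = toks[i]
            v = toks[i + 1] if i + 1 < len(toks) else ""
            if t == "-j":
                r.target = v
            elif t == "-p":
                r.proto = v
            elif t in ("--dport", "--dports"):
                r.dports = v.split(",")
            elif t == "-i":
                r.in_iface = v
            elif t == "--state":
                r.states = v.split(",")
            elif t != "-m":                       # unmodelled token: skip it alone
                i += 1
                continue
            i += 2                                # option plus its value
        rules.append(r)
    return rules


def _port_in(port: int, spec: str) -> bool:
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def admits_new_conn(r: Rule, proto: str, port: int) -> bool:
    """Could rule r match a NEW remote connection to proto/port?"""
    if r.proto not in (None, "all", proto):
        return False
    if r.dports and not any(_port_in(port, s) for s in r.dports):
        return False
    if r.states is not None and "NEW" not in r.states:
        return False                              # RELATED,ESTABLISHED only
    return r.in_iface != "lo"                     # loopback-only is harmless


def is_catch_all(r: Rule) -> bool:
    return (r.target in ("REJECT", "DROP") and r.proto is None
            and not r.dports and r.in_iface is None and r.states is None)


@dataclass
class Plan:
    insert_at: Optional[int]   # None: no catch-all present, append instead
    shadowing: List[int]       # ACCEPT rules that would admit the port
    dead: List[int]            # rules after the catch-all, never reached
    commands: List[str]


def plan_block(rules: List[Rule], port: int, chain: str = "INPUT",
               tool: str = "iptables", protos=("tcp", "udp")) -> Plan:
    catch_all = next((r.num for r in rules if is_catch_all(r)), None)
    limit = catch_all or len(rules) + 1
    shadowing = [r.num for r in rules
                 if r.num < limit and r.target == "ACCEPT"
                 and any(admits_new_conn(r, p, port) for p in protos)]
    dead = [r.num for r in rules if catch_all and r.num > catch_all]
    # The new rule must precede the first shadowing ACCEPT and the catch-all.
    candidates = shadowing + ([catch_all] if catch_all else [])
    insert_at = min(candidates) if candidates else None
    where = f"-I {chain} {insert_at}" if insert_at else f"-A {chain}"
    cmds = [f"{tool} {where} -p {p} --dport {port} -j REJECT "
            f"--reject-with icmp-port-unreachable" for p in protos]
    cmds.append(f"service {tool} save")           # CentOS 6 persistence
    return Plan(insert_at, shadowing, dead, cmds)


if __name__ == "__main__":
    plan = plan_block(parse_rules(SAMPLE_BROKEN), 2086)
    print("shadowing ACCEPTs:", plan.shadowing, " dead rules:", plan.dead)
    print("\n".join(plan.commands))
```

On the constructed ruleset it reports rule 5 as a shadowing ACCEPT and rules 8 and 9 as dead, and emits `iptables -I INPUT 5 ...` for tcp and udp; the first insert lands at 5 and the second pushes it to 6, both still above the catch-all. After applying, confirm with `iptables -L INPUT -n --line-numbers` and a connection test from a remote host, and remember that the old ACCEPT for 2086 is now pointless and can be deleted.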
 
Old 10-05-2012, 12:49 PM   #10
SinclairJ
LQ Newbie
 
Registered: Oct 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thank you everyone, especially MensaWater.

# iptables -I INPUT 'line number you want to insert the rule' -p tcp --dport 2086 -j REJECT

I have tried this. One more thing I noticed: an improper sequence of accept and reject rules. Then I reloaded the iptables rules, and now my problem is resolved.

Please clear up one more doubt: if the server has CSF, does it conflict with the iptables rules while working or not? Because when I flush the iptables rules the server hangs for me.


Thanks in advance.


Regards,
Sinclair J.
 
Old 10-05-2012, 01:05 PM   #11
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,075
Blog Entries: 14

Rep: Reputation: 1251
I'm not familiar with CSF so can't offer assistance on that.
 