Can't close all ports using shorewall
Hi. Pulling my hair out after 3 days of debugging:
I have a Debian Linux server running. Am running shorewall as a stand-alone server. I was able to implement port knocking, secure my ssh port, etc. Seems to work great, except when I ran tests from Tenable NeWT Security Scanner on one of my PCs, I continue to see 3 ports open that I can't explain:

ftp port 21/tcp
smtp port 25/tcp
pop3 port 110/tcp

I have no processes using those ports - output of netstat -natu:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 192.1.2.15:80           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.1.2.15:1980         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32782         127.0.0.1:9999          ESTABLISHED
tcp        0    232 192.1.2.15:22           192.1.2.195:4705        ESTABLISHED
tcp        0      0 127.0.0.1:9999          127.0.0.1:32782         ESTABLISHED

I will go through them:

9999 is a zeo server (used in zope/plone websites), on my internal local machine.
80 is my pound server dishing out the webpages (see below).
8081 is internal local machine again, a zeo client taking stuff from 9999 and sending it out to previous pound on an exposed port 80.
22 is my ssh (I secure this using a port knocking scheme).
1980 is webdav, part of the zope system.

So I understand what is listening and using the ports, but why would this port scanner show those 3 open? I even downloaded GFI LANGuard and got the same results.

My /etc/shorewall/rules file is as follows (at its end):

##############################################################################
#ACTION         SOURCE  DEST    PROTO   DEST                SOURCE  ORIGINAL  RATE   USER/
#                                       PORT                PORT(S) DEST      LIMIT  GROUP
ACCEPT          net     fw      icmp    8
ACCEPT          fw      net     icmp
DROP            net     fw      tcp     ftp
DROP            net     fw      tcp     25
DROP            net     fw      tcp     110
AllowWeb        net     fw
SSHKnock:info   net     fw      tcp     22,6698,6699,6700
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I even tried REJECT instead of the DROP for those three... Any help would be appreciated.
BTW, my IPs listed above are all in my LAN so are not real-world :-)
Could it be that I used ftp or SMTP from "inside"?
I am really perplexed, but have one partial theory. I know I have used apt-get and installed or updated parts of my system - could it be that the port "remembers" somehow that ftp was used from the "inside" to download stuff from the outside? I want that to be enabled, just want to keep people from getting to the port from the outside.
SMTP may also be used by zope/plone to get mail SENT out from the website. It never gets email sent in, so I got rid of all the email stuff from my system - or so I believe. I also have never implemented or configured anything involving pop3 on this box. This was from a clean install. :(
What's in your /etc/shorewall/policy file? If you comment out the DROP entries

DROP    net     fw      tcp     ftp
DROP    net     fw      tcp     25
DROP    net     fw      tcp     110

what happens then?
My /etc/shorewall/policy just has the following at the end:

#SOURCE   DEST    POLICY    LOG LEVEL   LIMIT:BURST
fw        net     ACCEPT
net       all     DROP      info
# The FOLLOWING POLICY MUST BE LAST
all       all     REJECT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I don't think I changed anything from the defaults when I installed it. As far as the DROP statements, I added that in and have also removed them - they have no effect when I run the port scans.

This is what I get when I run the NeWT Security Scanner - and basically the same when I run the GFI LanGuard scanner:

smtp (25/tcp)   Port is open   Plugin ID : 11219
ftp (21/tcp)    Port is open   Plugin ID : 11219
pop3 (110/tcp)  Port is open   Plugin ID : 11219
http (80/tcp)   Port is open   Plugin ID : 11219

The 80 makes sense, but the others do not. :confused:
Try running Shields Up (https://www.grc.com/x/ne.dll?bh0bkyd2) and see what ports are open.