Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222
Rep:
Can/should I close NetBIOS ports 137, 138, 139 ?
I had a quick look at the site http://scan.sygate.com which will scan your machine for TCP or UDP ports. It said that none of ports responded as open (presumably because inetd is doing it's job) but there are three ports which are open:
137 NetBIOS-NS which is for Windows/Samba file and print sharing
138 NetBIOS-DGM for the same
139 NetBIOS for network neighbourhood
I think I'm being paranoid because they're presumably always open for Windows machines, and possibly can't be closed(?). Hmmm. Is it a security risk or is the website trying to sell me their duff beer product?
Well they certainly can be closed...and unless you want to share a drive with the internet, there's very little reason to leave them open to the wild as it were.
Basically you can use your firewall to close 'em to the outside world but leave them open to your internal network so you can have a samba share without problems.
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222
Original Poster
Rep:
So no-one knows how to close a UPD port ? Well, this doesn't do it:
/sbin/iptables -A OUTPUT -p tcp --sport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --sport 139 -j DROP
/sbin/iptables -A OUTPUT -p tcp --sport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --sport 138 -j DROP
/sbin/iptables -A OUTPUT -p tcp --sport 137 -j DROP
/sbin/iptables -A INPUT -p tcp --sport 137 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 138 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 137 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 137 -j DROP
I can find no way of shutting this port off. I actually think it's not possible. You learn something new every day.
Well I wish I could help, I haven't learned how to use IPtables yet...my server uses IPchains still. Once I get around to making the upgrade I plan, then I'll learn.
However just LOOKING at the rules you posted have you tried changing tcp for udp? I mean its not impossible, THAT much I can tell you...
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -i $IFACE -p udp -j DROP
$IPTABLES -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -o $IFACE -p udp -j DROP
Is what I use to log and drop any udp packets not specifically allowed.
$IPTABLES=/sbin/iptables
$IFACE=ppp0 (or what ever your external interface might be)
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222
Original Poster
Rep:
Quote:
Originally posted by m0rl0ck # Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -i $IFACE -p udp -j DROP
$IPTABLES -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -o $IFACE -p udp -j DROP
Why is IPTABLES a shell variable here? When I type
echo $IPTABLES
nothing is returned ... where is the file you've taken this from?
Thanks
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222
Original Poster
Rep:
I got it. OK - the script is /etc/sysconfig/iptables (which is the config file for iptables, and is separate from the startup script - trust redhat to screw things up!)
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222
Original Poster
Rep:
Nope. The UDP scanner here still thinks ports 137, 138 and 139 are open. Can someone try the test? It's bugging me but of course they are selling a firewall product ...
If it tells anyone that their 137, 138 and 139 (NetBIOS) ports are closed, could someone post their iptables config file?
Thanks for your help, everyone.
Q*Bert
note : don't go to the page above unless you want your ports to be scanned .
m0rl0ck already posted his part, and that should work. From your last post I'm not sure if you incorporated those rules and changed the variables to reflect your system, or if you're still trying your own.
If you're still trying your own then you should change the protocol (-p) to read "udp", watch the d/sports, and add an interface, or it'll activate this rule on any interface unless overridden, but that's a minor detail.
For instance:
/sbin/iptables -A INPUT -i eth# -p udp --dport 137 -j DROP
/sbin/iptables -A OUTPUT -i eth# -p udp --sport 137 -j DROP
Reload the fw, then test.
If you've incorporated m0rl0ck's rules, just add variables for
$IPTABLES and $IFACE. The main difference with his rules is he pushes the packets tru a LOG target first, which is a good thing to add if you're testing.
In any case maybe it would be better if you post your whole config in a readable format, cut-outs usually ain't right working w these kinds of scripts, unless you perfectly know what you're doing IMHO.
* Maybe also check the LQ Security references, post 2, and you'll find some valuable resources for working with Iptables scripts and rules.
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222
Original Poster
Rep:
Curioser and curioser. I did try m0rl0ck's suggestions and they didn't work.
I've added those rules (although for OUTPUT I think you have to use -o for output interface), restarted iptables and it still doesn't work!.
This is really confusing me because I've looked at the iptables tutorials and the scan on that page tells me something different to what I understand is my iptables setup!
Here's my iptables config.
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 62.30.192.113 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 62.30.192.114 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
-A INPUT -i eth0 -p udp --dport 137 -j DROP
-A OUTPUT -o eth0 -p udp --sport 137 -j DROP
-A INPUT -i eth0 -p udp --dport 138 -j DROP
-A OUTPUT -o eth0 -p udp --sport 138 -j DROP
-A INPUT -i eth0 -p udp --dport 139 -j DROP
-A OUTPUT -o eth0 -p udp --sport 139 -j DROP
# -A INPUT -i $IFACE -p udp -j DROP
# -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
# -A OUTPUT -o $IFACE -p udp -j DROP
COMMIT
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[i]:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT[i]
3 "builtin" chains, and 1 custom chain defined, and chain policy is ACCEPT.
Input from INPUT jumps (-j) to RH-Lokkit-0-50-INPUT, which means the "decision" for each packet is made in the RH-Lokkit-0-50-INPUT chain instead of INPUT, cuz first match wins AFAIK.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.