
annielee 11-22-2006 10:57 AM

Close unused ports and SSH

Recently our security team ran a port scan on one of my servers, and found some open ports which need to be closed.

How can I close those unused ports? (And how do I check whether anyone is using the open ports or not?)

And how do I disable root login to the system using ssh? (Meaning all users can ssh to the system, but they need to issue su to get root access.)


bit128_linux 11-22-2006 11:30 AM

In the SSH daemon config file, you have a line like this:

PermitRootLogin Yes

If the line is commented (starts with #), then uncomment it and change that 'Yes' to 'No'. After that, you should restart your SSH daemon.

annielee 11-22-2006 12:46 PM

Erm.. where's the ssh config file and how do I restart the ssh daemon?

bit128_linux 11-22-2006 02:16 PM

Well, that depends on the distribution. In Slackware Linux the file path is '/etc/ssh/sshd_config' and you restart the server with this command (executed as root, of course):

/etc/rc.d/rc.sshd restart

Please post which distribution you use along with its version.

denver1980 11-22-2006 11:30 PM

And to know which ports are open, compare the two lists obtained by

$ netstat -a | grep -i listen
$ netstat -an | grep -i listen

By comparing them, you will see which service runs on what port.
If a port is still numerical even in the -a list, google it.

Hope it helps
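An added example, my code rather than anything from denver1980's post, that takes the same idea one step further: instead of diffing the -a and -an listings by eye, parse `netstat -tulpn` so every listening socket is printed with its port, bind address and owning process, and separate the sockets reachable from the network from the loopback-only ones (a scanner only ever sees the former). The netstat output below is constructed to look like a box of that era; `listening_ports`, `exposed_ports` and `unknown_listeners` are names I chose.

```shell
#!/bin/sh
# Added example, not from the original thread: parse `netstat -tulpn` output and
# answer "what is listening, on which interface, and which process owns it".
# The sample below is constructed; it is not output from the poster's server.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      655/portmap
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/portmap
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# listening_ports: read netstat -tulpn output on stdin, print "proto port bind-addr program".
# TCP rows carry a State column (only LISTEN matters); UDP rows do not, so their
# program name sits one column further left.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { prog = $7 }
        $1 ~ /^udp/                   { prog = $6 }
        !prog { next }
        {
            n = split($4, a, ":")                  # the last colon separates the port
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print $1, port, addr, prog
            prog = ""
        }'
}

# exposed_ports: only sockets bound to every interface (0.0.0.0 or ::). These are what
# a scanner on the network sees; a 127.0.0.1 bind is not reachable remotely.
exposed_ports() {
    listening_ports | awk '$3 == "0.0.0.0" || $3 == "::"'
}

# unknown_listeners: netstat prints "-" when it cannot name the owner, which happens when
# you are not root or when the socket belongs to the kernel (NFS, for instance). Re-run
# as root, then try `fuser PORT/tcp` or `rpcinfo -p` before deciding a port is unused.
unknown_listeners() {
    listening_ports | awk '$4 == "-"'
}

# Demo against the constructed sample. On a real host replace the printf with
#   netstat -tulpn | exposed_ports        (run as root; `ss -tulnp` on newer systems)
echo "--- listening"; printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
echo "--- exposed";   printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
echo "--- unknown";   printf '%s\n' "$SAMPLE_NETSTAT" | unknown_listeners
```

To see whether anyone is using a port right now, list the established connections to it: `netstat -tn | grep ':22 '`, or on newer systems `ss -tn state established '( sport = :22 )'`; `fuser 22/tcp` or `lsof -i :22` names the process holding it. To actually close a port, stop and disable the owning service through the distribution's init scripts (for example `chkconfig portmap off` on Red Hat-style systems) rather than just killing the process, and filter anything that has to stay bound with the host firewall, e.g. `iptables -A INPUT -p tcp --dport 32768 -j DROP` for the unowned listener in the sample.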

annielee 11-23-2006 07:40 AM

One more question: when a new user is created, by default they can ssh to the server, right?

chort 11-23-2006 11:01 PM

Yes, unless you're using the AllowUsers statement in /etc/ssh/sshd_config.

jiml8 11-23-2006 11:52 PM

...and using the AllowUsers directive is a really, really, really good idea, from a security perspective.

annielee 11-24-2006 08:30 AM

I've created a new user using useradd, but the new user can't log in using ssh.

I didn't use AllowUsers in the sshd_config file.

Please assist.

jiml8 11-24-2006 12:32 PM

what is the error message? Where is the user logging in from? You created the new user on the ssh server, right?

annielee 11-24-2006 09:02 PM

It just said authentication failed. Yup, I've created the user on the ssh server.

jiml8 11-24-2006 09:29 PM

So, your new user does an "ssh myservername" and the server responds "username" and the user enters "myusername", to which the server responds "password" and the user enters "mypassword", then after a pause, the server says "authentication failed". Is that right?

Can this user log on at the server? Does this user have shell access as part of the account?

You should list the contents of your sshd_config file here.

annielee 11-28-2006 05:36 AM

I don't have the file with me now (the server is at some other location).

But I didn't change anything in the file (it's original since day 1 after installation).

boToo 11-28-2006 08:18 AM

You are somewhere!! But can you log in to the server with ssh? You can use PuTTY if you are using Windows, open sshd_config in PuTTY, select all, and then just paste it here. It might help.

chort 11-28-2006 12:08 PM

Does the new user have a password? SSH does not allow logins with blank passwords, by default.
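The two account-side causes raised in the last replies (whether the user has shell access, and whether the account has a password at all) can be checked on the server before anyone touches sshd_config. The script below is an added example, not from the thread: `diagnose_account` is a name I chose, and the /etc/passwd and /etc/shadow lines it runs against are constructed (the `!!` is what a bare `useradd` leaves in the password field on Red Hat-style systems until `passwd USER` is run; the hashes are made up).

```shell
#!/bin/sh
# Added example, not from the thread. Checks the account-side reasons for
# "authentication failed": a locked or empty password, and a non-login shell.
# SAMPLE_PASSWD / SAMPLE_SHADOW are constructed test data, not the poster's files.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
annie:x:500:500::/home/annie:/bin/bash
deploy:x:501:501::/home/deploy:/sbin/nologin
bob:x:502:502::/home/bob:/bin/bash'

SAMPLE_SHADOW='root:$1$Xy9sLq2e$3vJ4kN0mQ7rT8uW1aB5cD.:13400:0:99999:7:::
annie:!!:13480:0:99999:7:::
deploy:$1$Xy9sLq2e$3vJ4kN0mQ7rT8uW1aB5cD.:13480:0:99999:7:::
bob::13480:0:99999:7:::'

# diagnose_account USER [PASSWD_FILE] [SHADOW_FILE]
# Returns 0 if nothing on the account side blocks an ssh password login, 1 otherwise,
# printing the reason and the command that fixes it. Run as root (/etc/shadow is 0600).
# Password field states in shadow:
#   ""                -> empty; sshd refuses it unless PermitEmptyPasswords is yes
#   "!!", "!", "*", "!<hash>" -> locked (useradd without passwd, or passwd -l)
#   anything else     -> a real hash
diagnose_account() {
    user=$1; pwf=${2:-/etc/passwd}; shf=${3:-/etc/shadow}
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$pwf")
    state=$(awk -F: -v u="$user" '
        $1 == u { if ($2 == "") print "empty"; else if ($2 ~ /^[!*]/) print "locked"; else print "set" }' "$shf")

    if ! grep -q "^$user:" "$pwf"; then
        echo "$user: no entry in $pwf"; return 1
    fi
    case $state in
        "")     echo "$user: no entry in $shf"; return 1 ;;
        locked) echo "$user: password is locked, run: passwd $user"; return 1 ;;
        empty)  echo "$user: password is empty; sshd refuses it unless PermitEmptyPasswords yes, run: passwd $user"; return 1 ;;
    esac
    # An empty shell field in passwd means /bin/sh, so only explicit non-login shells block.
    case $shell in
        */nologin|*/false)
            echo "$user: login shell '$shell' does not allow interactive login"; return 1 ;;
    esac
    echo "$user: password set, shell $shell; next check sshd's log and run ssh -v from the client"
    return 0
}

# Demo against the constructed files. On the server itself just run: diagnose_account annie
tmp_pw=$(mktemp); tmp_sh=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp_pw"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp_sh"
for u in annie bob deploy root; do diagnose_account "$u" "$tmp_pw" "$tmp_sh" || true; done
rm -f "$tmp_pw" "$tmp_sh"
```

If the account passes, the next place to look is the server's auth log (/var/log/secure on Red Hat-style systems, /var/log/auth.log on Debian-style ones) while the user retries, and `ssh -v user@server` on the client, which shows which authentication methods the server offered and which one was refused.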

annielee 11-29-2006 04:30 AM

Below is the sshd_config file... Please help.

#$OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems

jiml8 11-29-2006 10:16 AM

Is there a question in here someplace?

chort 11-29-2006 12:43 PM

You have UsePAM set to "yes", that could potentially override a lot of the authentication settings in sshd_config, depending on what the various PAM policies are. It could be that your PAM configuration does not allow logins with weak passwords, or something like that...

Also, "PasswordAuthentication yes" is the default. You do not need to add that extra, uncommented line saying the same thing. All the commented-out settings in sshd_config are the defaults. Only remove the comments if you change their value (or add the statement again, with the new value, if you don't want to alter the original).
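An added example, my code rather than chort's or OpenSSH's, for the point just made and for the PermitRootLogin and AllowUsers advice earlier in the thread: `effective_sshd_option` prints the value sshd actually uses for a keyword, honouring the rule from sshd_config(5) that the first uncommented occurrence wins (so a duplicate line does more than clutter the file: an uncommented `PermitRootLogin yes` near the top silently beats a `PermitRootLogin no` added at the bottom), and `audit_sshd_config` compares a file against a short hardening list. The config excerpt is constructed from the one posted above; the function names and the "unset" column are my assumptions for the OpenSSH of that era (recent versions default PermitRootLogin to prohibit-password, and `sshd -T`, available since OpenSSH 5.1, prints the effective values directly).

```shell
#!/bin/sh
# Added example, not from the thread: work out which value sshd really uses for a
# keyword, then audit a config against a short hardening list. The excerpt below is
# constructed from the posted file, not the poster's file itself.

SAMPLE_SSHD_CONFIG='#Port 22
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes'

# effective_sshd_option KEYWORD: read sshd_config on stdin, print the value sshd uses.
# Per sshd_config(5): keywords are case-insensitive, "#" lines are comments, and when
# a keyword is repeated the FIRST occurrence wins. Stops at the first "Match" block,
# whose values are conditional. Prints "default" when the keyword is never set.
# (The "Keyword=value" spelling is not handled; the posted file does not use it.)
effective_sshd_option() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { print $2; found = 1; exit }
        END { if (!found) print "default" }'
}

# audit_sshd_config: read sshd_config on stdin, print one FIX line per keyword whose
# effective value differs from the hardened value. Columns: keyword, value assumed when
# unset (OpenSSH 4.x era; check sshd_config(5) for yours), value we want.
audit_sshd_config() {
    cfg=$(cat)
    printf '%s\n' \
        'PermitRootLogin        yes  no' \
        'PasswordAuthentication yes  no' \
        'PermitEmptyPasswords   no   no' \
        'PubkeyAuthentication   yes  yes' \
        'X11Forwarding          no   no' |
    while read -r key dflt want; do
        have=$(printf '%s\n' "$cfg" | effective_sshd_option "$key")
        [ "$have" = "default" ] && have=$dflt
        [ "$have" = "$want" ] || printf 'FIX  %s: effective %s, want %s\n' "$key" "$have" "$want"
    done
    # Without AllowUsers/AllowGroups every account with a shell and a password may log in.
    if [ "$(printf '%s\n' "$cfg" | effective_sshd_option AllowUsers)" = "default" ] &&
       [ "$(printf '%s\n' "$cfg" | effective_sshd_option AllowGroups)" = "default" ]; then
        echo "NOTE AllowUsers/AllowGroups unset: any account with a shell and a password can log in"
    fi
}

# Demo against the constructed excerpt. On the server: audit_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
```

Against the sample this reports PermitRootLogin, PasswordAuthentication and X11Forwarding plus the AllowUsers note. Because the first occurrence wins, put overrides above any existing uncommented line for the same keyword (or edit that line in place), and restart sshd afterwards as described earlier in the thread; moving to key-only logins (`PasswordAuthentication no`) is what makes the PAM interaction chort describes irrelevant for password guessing.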

annielee 12-04-2006 12:46 PM

Tried that, but still cannot log in.
