LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-09-2001, 12:17 PM   #1
Stephanie
LQ Addict
 
Registered: May 2001
Location: Arizona
Distribution: 9.2 Mandy 1.4 Gentoo 5.1 FreeBSD WinXP
Posts: 1,166

Rep: Reputation: 45

Can anyone tell me how to close up port 53, or how to close ports gernerally. I am new to Linux networking systems, so please be specific.
 
Old 05-09-2001, 12:21 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,032

Rep: Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758
To close a port you need to shutdown the program that is using the port. IN the case of port 53 you need to stop the name server (probably BIND).
 
Old 05-16-2001, 04:04 AM   #3
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
Or use netfilter (2.4) or ipchains (2.2) to close the port, although I don't see why you need to close port 53. You want dns to work right???
 
Old 05-16-2001, 03:47 PM   #4
Stephanie
LQ Addict
 
Registered: May 2001
Location: Arizona
Distribution: 9.2 Mandy 1.4 Gentoo 5.1 FreeBSD WinXP
Posts: 1,166

Original Poster
Rep: Reputation: 45
I do want DNS to work, but at the same time port 53 seems to have several vulnerabilities.

Is there a way to block all activity that would require running a script or pogram without a users permission?
 
Old 05-16-2001, 05:35 PM   #5
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,032

Rep: Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758Reputation: 3758
You do NOT need to run BIND (or any DNS server) to get DNS to work. You only need a DNS server if you are authoratative for a zone and want to have full control over the server.
 
Old 05-17-2001, 03:25 AM   #6
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
True.

If you use netfilter (dunno about ipchains) and you want to allow incoming trafic on port 53, but not let people connect to it, use the following rule:

iptables -i <your ext interface> -s <address of dns server> -d <your ext ip addr> -p udp --sport 53 --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -i <your ext interface> -s <address of dns server> -d <your ext ip addr> -p udp --sport 53 --dport 53 -m state --state NEW -j DROP

This will allow all but NEW connections to port 53. What happens is: Your resolver makes a NEW connection to your DNS server, which then responds. Because the response of the DNS server is not a new connection (state ESTABLISHED,RELATED), it is allowed in. If the server tries to make a connection to your box (state NEW) it will be silently dropped
 
Old 05-17-2001, 09:23 AM   #7
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Shadowhacker,

You have 2 options.
1) you want to access yours ISP's DNS server as configured in your /etc/resolve.conf file or
2) You want to run your own Domain that you have authoritative zone control on.

If it's (1) then you shouldn't have port 53 open on your server, named daemon is running. kill it by looking in /erc/rc.d/rcx.d directories for it's Startup script ID.
You do need a firewall to allow your ISP's DNS connection resolve back to you.
UDP and TCP both needed for DNS.

As r3b00t gave you an iptables example for 7.1, if your using 7.0 then in ipchains you'll want:

ipchains -A output -p tcp -s youripaddress 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s yourdnsipaddress --sport 53 -d 212.38.186.134 1023:65535 -j ACCEPT
ipchains -A output -p udp -s youripaddress 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s yourdnsipaddress --sport 53 -d 212.38.186.134 1023:65535 -j ACCEPT

The sync flag is only allowed on incoming DNS connections from your ISP only, so someone can't spoof them without you asking for a request first.

If the answer is (2) then you'll need to keep BIND patched and up-to-date to stop people exploiting your system.

/Raz

 
Old 05-22-2001, 04:16 PM   #8
Stephanie
LQ Addict
 
Registered: May 2001
Location: Arizona
Distribution: 9.2 Mandy 1.4 Gentoo 5.1 FreeBSD WinXP
Posts: 1,166

Original Poster
Rep: Reputation: 45
I will try to implement what all of you have given me, but one last quesiton. It sounds to me like everyone is saying that unless I am running a server, and all I do is surf the web and pull email from my cable speed company that I dont need BIND at all. Is this true? If not, then how do I shut down that service at boot time?
 
Old 05-23-2001, 03:14 AM   #9
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
This is true, you don't need a dns server to surf etc... Look for either something like "named", "bind" or the like in (depending on your distro) /etc/rc*.d... Remove these symlinks, and bind will not start after a reboot...
 
Old 05-23-2001, 01:11 PM   #10
#!
Member
 
Registered: May 2001
Distribution: RedHat, 'drake, suse, slack, gentoo, beehive, lfs...
Posts: 43

Rep: Reputation: 15
If you are running Redhat or another SysV based distribution, you should be able to go into /etc/rc.d/rc3.d and find something like 'S45named'. This is a link to a script in /etc/init.d. Instead of removing the link, what you might consider is simply changing the 'S' at the beginning of the name to a lower case 's'. This way, if you want it later for testing or playing, you can just rename it again, plus, it's a good thing to do for newbies 'cos you might need to trace your steps back later. Easier to do it that way than to remove it and forget it was ever there.

Just a tip.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Closing ports??? NCC-1701&NCC-1701-D Linux - Security 6 05-29-2005 10:23 AM
Closing these ports... greygoose80 Slackware 2 12-20-2004 12:12 AM
Closing Some Ports wonderpun Linux - Security 8 08-17-2003 04:09 PM
Closing Ports PionexUser Linux - Newbie 1 07-17-2003 08:55 AM
closing ports im1crazyassmofo Linux - Security 2 01-02-2003 10:50 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration