Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-21-2007, 02:55 AM, #1
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Closing ports 25 + 631 still running smtp and CUPS
I am currently securing my box. Thus I shut down all services with open ports except smtp and CUPS -- logical, since I need printing services and the mailed messages from the system. "nmap" tells me: 631/tcp open ipp cups 1.1 and 25/tcp open smtp postfix MTA.
BTW: This is a stand alone workstation, no chance for an external scan.
How can I close ports 25 + 631 to external connection attempts?
<Edit>: In the meantime I found out for CUPS ... change in /etc/cups/cupsd.conf:
Code:
#Listen *:631
Listen 127.0.0.1:631
Sorry guys, the search for similar threads only gave me a very small "popup" so I found the solution for CUPS only now...
Last edited by JZL240I-U; 03-21-2007 at 03:47 AM. Reason: partial solution found

03-21-2007, 01:58 PM, #2
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
127.0.0.1 = localhost, which means the host you are on. Every TCP/IP machine has it.
Your solution for CUPS is a clue to what you need for Postfix. I don't use Postfix but it likely has a config file where you can specify listen only to 127.0.0.1 (localhost).
If not you can modify your firewall (usually iptables) rules to restrict access to port 25 to only localhost (or localhost and your host's real IP address). That way even though the port is still there nothing else can attach to it.

03-22-2007, 03:13 AM, #3
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
Quote:
Originally Posted by jlightner
Your solution for CUPS is a clue to what you need for Postfix. I don't use Postfix but it likely has a config file where you can specify listen only to 127.0.0.1 (localhost).
I'll have a look for it...
Quote:
Originally Posted by jlightner
If not you can modify your firewall (usually iptables) rules to restrict access to port 25 to only localhost (or localhost and your host's real IP address). That way even though the port is still there nothing else can attach to it.
I could do that. But then one gets unanimous advice to close all ports available to the outside and I'm trying to follow that advice...
BTW I used the solution for CUPS, worked flawlessly according to netstat and nmap.
Last edited by JZL240I-U; 03-22-2007 at 03:15 AM.

03-22-2007, 03:46 PM, #4
LQ Newbie
Registered: Mar 2007
Location: Seattle
Distribution: CentOS, Fedora, Ubuntu
Posts: 17
You should absolutely do both. Make it listen only to localhost and block with a firewall.

03-28-2007, 01:47 AM, #5
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
Postfix: configuring not to listen at the Internet
I want to configure postfix in a way that it only listens locally (for system messages) but not on the internet interface. Essentially I need to close ports *.*.*.*:25 except for 127.0.0.1:25.
Normally the Postfix/master process is listening at port 25 as found out by "netstat -pantu" and "nmap -sV -v -p 0-65535 127.0.0.1". I can't shut the service down entirely, since I need the mailed messages from the system.
I tried /etc/postfix/main.cf, /etc/postfix/master, /etc/postfix/access but no luck there (changed the inet_interface to 127.0.0.1, nothing happened). Where is the config file, and what should I change there?
BTW: This is a stand alone workstation, no chance for an external scan.
Any Ideas?
Last edited by JZL240I-U; 03-28-2007 at 01:50 AM.

03-28-2007, 04:59 AM, #6
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
Arrrgh.
When I add in /etc/cups/cupsd.conf
Code:
Listen 127.0.0.1:631
I get an error "cupsd: Child exited with status 98!" and cupsd and thus CUPS is down.
What is more, I got an outside scan with my firewall off and 631 is open.
What now?

03-28-2007, 07:11 AM, #7
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
In my cupsd.conf:
Code:
#
# End of "$Id: cupsd.conf.in,v 1.17 2005/01/03 19:29:45 mike Exp $".
#
# Lines below are automatically generated - DO NOT EDIT
<Location /printers/lp2100>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
AuthType None
</Location>
Browsing On
BrowseProtocols cups
BrowseOrder Deny,Allow
BrowseAllow from @LOCAL
Listen 127.0.0.1:631

03-29-2007, 02:23 AM, #8
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
Failure.
I amended my cupsd.conf exactly in the spot where it says <location /printers/name> with your lines by copy and paste (I did not forget to change the printer name to HL2040 either). Same error as before (cupsd: Child exited with status 98!).
Then I looked into /var/log/cups/error_log and found this:
Code:
I [29/Mar/2007:09:07:27 +0200] Listening to 0:631
I [29/Mar/2007:09:07:27 +0200] Listening to 7f000001:631
I [29/Mar/2007:09:07:27 +0200] Loaded configuration file "/etc/cups/cupsd.conf"
I [29/Mar/2007:09:07:27 +0200] Configured for up to 100 clients.
I [29/Mar/2007:09:07:27 +0200] Allowing up to 100 client connections per host.
I [29/Mar/2007:09:07:27 +0200] Full reload is required.
I [29/Mar/2007:09:07:27 +0200] LoadPPDs: Read "/etc/cups/ppds.dat", 3765 PPDs...
I [29/Mar/2007:09:07:27 +0200] LoadPPDs: No new or changed PPDs...
I [29/Mar/2007:09:07:27 +0200] Full reload complete.
E [29/Mar/2007:09:07:27 +0200] StartListening: Unable to bind socket for address 7f000001:631 - Address already in use.
Note the last line where the numbers are 127.0.0.1:631 when one reconverts from hex. What could cause this? What "socket" should bind to what? Why? I just want to close it...
Last edited by JZL240I-U; 03-29-2007 at 09:48 AM.
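The error_log above records cupsd binding 0:631 (every interface) and then 7f000001:631 (127.0.0.1), which is the pattern two active Port/Listen directives for the same port produce; the second bind then fails with "Address already in use". The shell script below is added here and is not from the thread: it audits a cupsd.conf for exactly that situation and decodes the hex address the log prints; the sample configs it writes are constructed, and the helper names are my own.

```shell
# Added example (not the poster's file): list the bind directives that are
# still active in a cupsd.conf, so a leftover "Port 631" or "Listen *:631"
# beside a new "Listen 127.0.0.1:631" is caught before cupsd aborts with
# "Unable to bind socket for address 7f000001:631 - Address already in use".
# Usage on a live system: cups_audit /etc/cups/cupsd.conf; echo "status $?"

# Print every active socket as ADDR:PORT ("Port N" means all interfaces, *:N).
cups_listeners() {
    # $1 = path to a cupsd.conf; comments and leading blanks are dropped first
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" |
    awk 'tolower($1) == "port"   { print "*:" $2 }
         tolower($1) == "listen" { if ($2 ~ /^\//) next        # domain socket
                                   if ($2 ~ /:/) print $2; else print "*:" $2 }'
}

# Exit 0 when only loopback addresses are bound, 1 when something binds a
# non-loopback address, 2 when a wildcard and a loopback bind share a port
# (the second bind fails with EADDRINUSE, errno 98 on Linux, which matches
# the "status 98" reported in the thread).
cups_audit() {
    cups_listeners "$1" | awk -F: '
        { port = $NF; addr = substr($0, 1, length($0) - length(port) - 1)
          if (addr == "*")                                 wild[port] = 1
          else if (addr ~ /^(127\.|localhost$|\[::1\]$)/)  loop[port] = 1
          else                                             ext[port] = addr }
        END { rc = 0
              for (p in ext)  { printf "external bind %s:%s\n", ext[p], p; rc = 1 }
              for (p in wild) { printf "wildcard bind *:%s\n", p; rc = 1 }
              for (p in loop) if (p in wild) { printf "port %s: wildcard and loopback both bound\n", p; rc = 2 }
              exit rc }'
}

# Decode the hex address cupsd logs ("7f000001"; "0" means all interfaces).
hex2ip() {
    h=$(printf '%8s' "$1" | tr ' ' 0)
    printf '%d.%d.%d.%d\n' "0x$(echo "$h" | cut -c1-2)" "0x$(echo "$h" | cut -c3-4)" \
                           "0x$(echo "$h" | cut -c5-6)" "0x$(echo "$h" | cut -c7-8)"
}

# Constructed sample configs for trying the audit without touching /etc/cups.
write_samples() {
    cat >"$1/broken.conf" <<'EOF'
Port 631
Listen 127.0.0.1:631
EOF
    cat >"$1/fixed.conf" <<'EOF'
#Port 631
Listen 127.0.0.1:631
Listen /var/run/cups/cups.sock
EOF
}
```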

03-29-2007, 08:32 AM, #9
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
I'm assuming you did restart the Cups service. The error you got says that there's something still listening on 631, probably Cups or something else which is running on 631... another printing service???
What happens when you try and run Cups from another port? Make it listen on say 6335 or some funny port and access it with a web interface.
Google searches reveal that one must remove all references to 127.0.0.1 from the config file ....
Post back though.
Cheers
Arvind

03-29-2007, 09:27 AM, #10
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Stop cupsd then run "lsof -i :631". If anything is actually using port 631 it should show it to you. If not you should be able to start it. The message is complaining that something else is using 631.
lsof will show you the PID of the process using 631 if something is using it and you can check out why that would be using 631.

03-29-2007, 09:44 AM, #11
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
Nothing but CUPS is listening at 631:
Code:
linux:/home/me # lsof -i :631
linux:/home/me #
linux:/home/me # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 8150 root 11u IPv4 40171 TCP localhost:smtp (LISTEN)
linux:/home/me #
@ live_dont_exist I'll try next, but see above...
Code:
linux:/home/me # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 8780 root 11u IPv4 42474 TCP localhost:smtp (LISTEN)
cupsd 8853 lp 0u IPv4 42763 TCP *:6311 (LISTEN)
cupsd 8853 lp 2u IPv4 42764 UDP *:ipp
linux:/home/me # netstat -pantu
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6311 0.0.0.0:* LISTEN 8853/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 8780/master
tcp 0 1 217.184.144.118:21614 216.239.59.104:80 FIN_WAIT1 -
tcp 0 1 217.184.144.118:18633 216.239.59.103:80 FIN_WAIT1 -
udp 0 0 0.0.0.0:631 0.0.0.0:* 8853/cupsd
linux:/home/me # nmap -sV -v -p 0-65535 127.0.0.1
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-03-29 16:53 CEST
Initiating SYN Stealth Scan against localhost (127.0.0.1) [65536 ports] at 16:53
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 6311/tcp on 127.0.0.1
The SYN Stealth Scan took 12.67s to scan 65536 total ports.
Initiating service scan against 2 services on localhost (127.0.0.1) at 16:53
The service scan took 5.13s to scan 2 services on 1 host.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
6311/tcp open ipp CUPS 1.1.23
Nmap finished: 1 IP address (1 host up) scanned in 19.259 seconds
Raw packets sent: 65546 (2.62MB) | Rcvd: 131077 (5.24MB)
linux:/home/me #
Last edited by JZL240I-U; 03-29-2007 at 09:56 AM.
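To check listings like the one above against the goal stated in post #5 (nothing reachable except 127.0.0.1:25, and CUPS on loopback only), here is an added shell script that is not from the thread: it picks out the sockets in "netstat -pantu" output that are bound to a non-loopback address. The sample listing embedded in it is constructed to mirror the posted one, with the public address swapped for a documentation-range one.

```shell
# Added example (not from the thread): report sockets reachable from outside
# the host in "netstat -pantu" style output, i.e. listening TCP sockets and all
# UDP sockets whose local address is not loopback. A Postfix master bound to
# 127.0.0.1:25 passes; a cupsd bound to 0.0.0.0 does not.
# Usage on a live system: netstat -pantu | exposed_sockets

# Read netstat output on stdin; print "proto local-address pid/program".
exposed_sockets() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            i = match(addr, /:[^:]*$/)            # last ":" separates the port
            host = substr(addr, 1, i - 1)
            if (host ~ /^(127\.|::1$|\[::1\]$|localhost$)/) next
            if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
            else             { prog = $6 }        # UDP rows have no State column
            print $1, addr, prog
        }'
}

# Number of exposed sockets, usable as a pass/fail check in a hardening script.
exposed_count() {
    exposed_sockets | grep -c .
}

# Constructed sample mirroring the listing posted above (the public address is
# replaced by a documentation-range one).
sample_netstat() {
    cat <<'EOF'
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6311 0.0.0.0:* LISTEN 8853/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 8780/master
tcp 0 1 192.0.2.10:21614 198.51.100.7:80 FIN_WAIT1 -
udp 0 0 0.0.0.0:631 0.0.0.0:* 8853/cupsd
EOF
}

sample_netstat | exposed_sockets
```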

03-29-2007, 10:10 AM, #12
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Quote:
master 8150 root 11u IPv4 40171 TCP localhost:smtp (LISTEN)
cupsd is NOT listening - something called "master" is.
On my system I see:
Code:
cupsd 16076 root 0u IPv4 67693168 TCP myserver.mydomain.com:ipp (LISTEN)
cupsd 16076 root 3u IPv4 67693169 UDP *:ipp
Type "ps -ef |grep 8150" to see the process for 8150 (e.g. is it a child process of something else?).
You can also run "lsof -p 8150" to see more detail about what file handles that process has open which may give a clue as to what it is doing.
The fact that the port shows up as "smtp" rather than "631" or "ipp" in your output suggests your mail server may be using the port for some reason.
EDIT: oops just reread your post and realized you'd done two different lsof commands - one specifying 631 and one without specifying it. smtp is typically port 25 (grep smtp /etc/services).
Additional edit - It shows you're using 6311 rather than 631 for cupsd in your nmap. Perhaps a typo where you appended an extra 1 in the config file? Check ipp definition in /etc/services.
Last edited by MensaWater; 03-29-2007 at 10:14 AM.

03-29-2007, 11:15 AM, #13
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
This might not be the most elegant solution, but you could configure iptables so that the firewall only allows port 25 connections from 127.0.0.1. That is what I do with sendmail and it seems to work.

03-30-2007, 12:58 AM, #14
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
Yes, but that is only one part of it. One always gets the advice to first close any port not needed from the outside (or rather stop the services responsible), and only then secure the machine by firewall.
That's what I'm trying to do...

03-30-2007, 01:31 AM, #15
Senior Member
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637
Original Poster
"master" is a subprocess / child of postfix (there is /usr/lib/postfix/master and also a master.cf file in the /etc/postfix directory). postfix in itself is never listening, it is done by master or smtp(d), depending on the program you are testing your ports with. Your "ps -ef |grep 8150" shows that, too. And yes, it is smtp on 127.0.0.1:25.
What command did you use to obtain your posted lines?
Code:
On my system I see:
cupsd 16076 root 0u IPv4 67693168 TCP myserver.mydomain.com:ipp (LISTEN)
cupsd 16076 root 3u IPv4 67693169 UDP *:ipp
Port 6311 was briefly used on the suggestion of live_dont_exist, see her / his post above. ipp has 631 for udp and tcp in /etc/services.
Well, what now? There must be a way. I noted that I have exactly the same version of cups as you have from your second post:
Code:
#In my cupsd.conf:
#
# End of "$Id: cupsd.conf.in,v 1.17 2005/01/03 19:29:45 mike Exp $".
That is identical with my file. Why does it work on one machine but not the other?