LinuxQuestions.org
Forum: Linux - Security
Old 03-21-2007, 02:55 AM   #1
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Rep: Reputation: Disabled
Closing ports 25 + 631 still running smtp and CUPS


I am currently securing my box. Thus I shut down all services with open ports except smtp and CUPS -- logical, since I need printing services and the mailed messages from the system. "nmap" tells me: 631/tcp open ipp cups 1.1 and 25/tcp open smtp postfix MTA.

BTW: This is a stand alone workstation, no chance for an external scan.

How can I close ports 25 + 631 to external connection attempts?

<Edit>: In the meantime I found out for CUPS ... change in /etc/cups/cupsd.conf:
Code:
#Listen *:631
Listen 127.0.0.1:631

Sorry guys, the search for similar threads only gave me a very small "popup" so I found the solution for CUPS only now...

Last edited by JZL240I-U; 03-21-2007 at 03:47 AM. Reason: partial solution found
 
Old 03-21-2007, 01:58 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
127.0.0.1 = localhost which means the host you are on. Every TCP/IP machine has it.

Your solution for CUPS is a clue to what you need for Postfix. I don't use Postfix but it likely has a config file where you can specify listen only to 127.0.0.1 (localhost).

If not you can modify your firewall (usually iptables) rules to restrict access to port 25 to only localhost (or localhost and your host's real IP address). That way even though the port is still there nothing else can attach to it.
 
Old 03-22-2007, 03:13 AM   #3
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jlightner
Your solution for CUPS is a clue to what you need for Postfix. I don't use Postfix but it likely has a config file where you can specify listen only to 127.0.0.1 (localhost).
I'll have a look for it...
Quote:
Originally Posted by jlightner
If not you can modify your firewall (usually iptables) rules to restrict access to port 25 to only localhost (or localhost and your host's real IP address). That way even though the port is still there nothing else can attach to it.
I could do that. But then one gets the unanimous advice to close all ports available to the outside and I'm trying to follow that advice...

BTW I used the solution for CUPS, worked flawlessly according to netstat and nmap.

Last edited by JZL240I-U; 03-22-2007 at 03:15 AM.
 
Old 03-22-2007, 03:46 PM   #4
pileofrogs
LQ Newbie
 
Registered: Mar 2007
Location: Seattle
Distribution: CentOS, Fedora, Ubuntu
Posts: 17

Rep: Reputation: 0
You should absolutely do both. Make it listen only to localhost and block with a firewall.
 
Old 03-28-2007, 01:47 AM   #5
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
Postfix: configuring not to listen at the Internet

I want to configure postfix in a way that it is only listening locally (for system messages) but not on the internet interface. Essentially I need to close ports *.*.*.*:25 except for 127.0.0.1:25.

Normally the Postfix/master process is listening at port 25 as found out by "netstat -pantu" and "nmap -sV -v -p 0-65535 127.0.0.1". I can't shut the service down entirely, since I need the mailed messages from the system.

I tried /etc/postfix/main.cf, /etc/postfix/master,
/etc/postfix/access but no luck there (changed the inet_interface to 127.0.0.1, nothing happened). Where is the config file, and what should I change there?

BTW: This is a stand alone workstation, no chance for an external scan.

Any Ideas?

Last edited by JZL240I-U; 03-28-2007 at 01:50 AM.
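The Postfix side of the question above, as an added example (my own shell script, not code from the thread or from Postfix): `main_cf_value` extracts the effective value of a main.cf parameter the way Postfix reads the file (comment lines skipped, a line starting with whitespace continues the previous logical line, and when a parameter is assigned twice the last assignment wins), and `loopback_only` judges whether that value confines smtpd to the loopback interface. The main.cf fragment is constructed. The parameter that does the job is `inet_interfaces`, and `loopback-only` is the value Postfix itself provides for this purpose; the `postconf`/`postfix reload` lines in the trailing comment are stock Postfix commands for applying the change on a real system.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix's own code): report the
# effective inet_interfaces setting of a Postfix main.cf. Postfix reads the
# file like this: '#' lines are comments, a line that starts with whitespace
# continues the previous logical line, and when a parameter is assigned
# twice the LAST assignment wins. The sample file below is constructed.

# main_cf_value FILE PARAM -> prints the effective value ("" if unset)
main_cf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        /^$/       { cur = ""; next }             # blank line ends a logical line
        /^[ \t]/   { if (cur != "") val = val " " $0; next }   # continuation
        {
            cur = ""
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name == key) {                    # a later match overrides
                cur = name
                val = substr($0, eq + 1)
            }
        }
        END {
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            print val
        }' "$1"
}

# loopback_only VALUE -> 0 if every listed interface is a loopback one,
# 1 otherwise (the empty string means the default, "all")
loopback_only() {
    [ -n "$1" ] || return 1
    for iface in $(printf '%s' "$1" | tr ',' ' '); do
        case "$iface" in
            loopback-only|127.0.0.1|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed main.cf fragment (assumption, not the poster's file)
myhostname = linux.example.invalid
inet_interfaces = all
mynetworks = 127.0.0.0/8,
    192.168.0.0/24
# a second assignment further down quietly overrides the first one
inet_interfaces = loopback-only
EOF

value=$(main_cf_value "$SAMPLE" inet_interfaces)
if loopback_only "$value"; then
    echo "inet_interfaces = $value: smtpd listens on loopback only"
else
    echo "inet_interfaces = ${value:-<unset, defaults to all>}: smtpd reachable on every interface"
fi

# To make the change on a real box (as root), stock Postfix commands:
#   postconf -e 'inet_interfaces = loopback-only'
#   postfix reload
#   postconf inet_interfaces      # shows the value Postfix actually uses
```

A change that seems to do nothing is worth checking with `postconf inet_interfaces` (what the running configuration resolves to) and with `netstat -pantu` after `postfix reload`; the parser above also shows why a duplicate assignment further down the file can silently win over the one that was edited.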
 
Old 03-28-2007, 04:59 AM   #6
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
Arrrgh.

When I add in /etc/cups/cupsd.conf
Code:
Listen 127.0.0.1:631
I get an error "cupsd: Child exited with status 98!" and cupsd and thus CUPS is down.

What is more, I got an outside scan with my firewall off and 631 is open.

What now?
 
Old 03-28-2007, 07:11 AM   #7
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
In my cupsd.conf:
Code:
#
# End of "$Id: cupsd.conf.in,v 1.17 2005/01/03 19:29:45 mike Exp $".
#
# Lines below are automatically generated - DO NOT EDIT
<Location /printers/lp2100>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
AuthType None
</Location>
Browsing On
BrowseProtocols cups
BrowseOrder Deny,Allow
BrowseAllow from @LOCAL
Listen 127.0.0.1:631
 
Old 03-29-2007, 02:23 AM   #8
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
Failure.

I amended my cupsd.conf exactly in the spot where it says <location /printers/name> with your lines by copy and paste (I did not forget to change the printer name to HL2040 either). Same error as before (cupsd: Child exited with status 98!).

Then I looked into /var/log/cups/error_log and found this:
Code:
I [29/Mar/2007:09:07:27 +0200] Listening to 0:631
I [29/Mar/2007:09:07:27 +0200] Listening to 7f000001:631
I [29/Mar/2007:09:07:27 +0200] Loaded configuration file "/etc/cups/cupsd.conf"
I [29/Mar/2007:09:07:27 +0200] Configured for up to 100 clients.
I [29/Mar/2007:09:07:27 +0200] Allowing up to 100 client connections per host.
I [29/Mar/2007:09:07:27 +0200] Full reload is required.
I [29/Mar/2007:09:07:27 +0200] LoadPPDs: Read "/etc/cups/ppds.dat", 3765 PPDs...
I [29/Mar/2007:09:07:27 +0200] LoadPPDs: No new or changed PPDs...
I [29/Mar/2007:09:07:27 +0200] Full reload complete.
E [29/Mar/2007:09:07:27 +0200] StartListening: Unable to bind socket for address 7f000001:631 - Address already in use.
Note the last line where the numbers are 127.0.0.1:631 when one reconverts from hex. What could cause this? What "socket" should bind to what? Why? I just want to close it...

Last edited by JZL240I-U; 03-29-2007 at 09:48 AM.
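The error_log above can be read mechanically. The following shell script is an added example (mine, not from the thread or from CUPS): `hex_to_ip` turns the hex addresses cupsd 1.1 logs back into dotted quads, `decode_listeners` pulls every "Listening to" line out of a log, `listen_directives` does the same for the Port/Listen lines of a cupsd.conf, and `bind_conflicts` flags any port that has both a wildcard and an address-specific listener. That pairing is what the quoted log shows (0:631 and 7f000001:631, i.e. 0.0.0.0:631 and 127.0.0.1:631) and is enough on its own to produce "Address already in use": once one socket is listening on 0.0.0.0:631, a second socket cannot bind 127.0.0.1:631. The log lines are the ones from the post; the cupsd.conf fragment with a leftover `Port 631` is a constructed assumption about how two listeners can arise, not something the poster showed.

```shell
#!/bin/sh
# Added example (mine, not from the thread or from CUPS): decode the
# "Listening to <hex>:<port>" lines cupsd 1.1 writes to error_log and spot
# the combination that makes the next bind() fail with "Address already in
# use": a wildcard listener and an address-specific listener on one port.
# Once a socket is listening on 0.0.0.0:631 the kernel refuses a second
# socket asking for 127.0.0.1:631. IPv4 forms only.

# hex_to_ip HEX -> dotted quad; "0" and "7f000001" are both valid input
hex_to_ip() {
    n=$(printf '%d' "0x$1")
    printf '%d.%d.%d.%d' $(( n >> 24 & 255 )) $(( n >> 16 & 255 )) \
                         $(( n >> 8 & 255 ))  $(( n & 255 ))
}

# decode_listeners < error_log -> "ip:port" per "Listening to" line
decode_listeners() {
    sed -n 's/.*Listening to \([0-9a-fA-F]*\):\([0-9]*\).*/\1 \2/p' |
    while read -r hex port; do
        printf '%s:%s\n' "$(hex_to_ip "$hex")" "$port"
    done
}

# listen_directives < cupsd.conf -> "ip:port" per Port/Listen directive;
# "Port N", "Listen N" and "Listen *:N" all mean every interface
listen_directives() {
    awk '
        /^[ \t]*#/ { next }
        toupper($1) == "PORT"   { print "0.0.0.0:" $2; next }
        toupper($1) == "LISTEN" {
            if ($2 ~ /^\//) next                  # unix domain socket
            n = split($2, a, ":")
            if (n == 1)            print "0.0.0.0:" a[1]
            else if (a[1] == "*")  print "0.0.0.0:" a[2]
            else                   print a[1] ":" a[2]
        }'
}

# bind_conflicts < "ip:port" lines -> one line per port that has both a
# wildcard and a specific listener; exit status 1 if any, 0 if none
bind_conflicts() {
    awk -F: '
        $1 == "0.0.0.0" { wild[$2] = 1; next }
        { spec[$2] = (spec[$2] == "" ? "" : spec[$2] ",") $1 }
        END {
            found = 0
            for (p in spec) if (p in wild) {
                printf "port %s: wildcard 0.0.0.0 plus %s\n", p, spec[p]
                found = 1
            }
            exit found
        }'
}

# the log lines quoted in the post above
SAMPLE_LOG='I [29/Mar/2007:09:07:27 +0200] Listening to 0:631
I [29/Mar/2007:09:07:27 +0200] Listening to 7f000001:631
E [29/Mar/2007:09:07:27 +0200] StartListening: Unable to bind socket for address 7f000001:631 - Address already in use.'

# constructed cupsd.conf fragment: one way to end up with both listeners
# (assumption; the poster never showed this part of the file)
SAMPLE_CONF='Port 631
#Listen *:631
Listen 127.0.0.1:631'

echo "error_log listeners:"
printf '%s\n' "$SAMPLE_LOG" | decode_listeners
echo "conflicts in error_log:"
printf '%s\n' "$SAMPLE_LOG" | decode_listeners | bind_conflicts || \
    echo "-> keep exactly one 'Listen 127.0.0.1:631'; drop Port/Listen *:631"
echo "conflicts in cupsd.conf:"
printf '%s\n' "$SAMPLE_CONF" | listen_directives | bind_conflicts || true
```

On a real system, `listen_directives < /etc/cups/cupsd.conf | bind_conflicts` before restarting cupsd tells you whether the file still carries a wildcard listener next to the loopback one; the log check (`decode_listeners < /var/log/cups/error_log | bind_conflicts`) confirms what the daemon actually tried to bind.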
 
Old 03-29-2007, 08:32 AM   #9
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
I'm assuming you did restart the CUPS service. The error you got says that there's something still listening on 631, probably CUPS or something else which is running on 631... another printing service???

What happens when you try and run CUPS from another port? Make it listen on say 6335 or some funny port and access it with a web interface.

Google searches reveal that one must remove all references of 127.0.0.1 from the config file ....

Post back though.

Cheers
Arvind
 
Old 03-29-2007, 09:27 AM   #10
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Stop cupsd then run "lsof -i :631". If anything is actually using port 631 it should show it to you. If not you should be able to start it. The message is complaining that something else is using 631.

lsof will show you the PID of the process using 631 if something is using it and you can check out why that would be using 631.
 
Old 03-29-2007, 09:44 AM   #11
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
Nothing but CUPS is listening at 631:
Code:
linux:/home/me # lsof -i :631
linux:/home/me #
linux:/home/me # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 8150 root 11u IPv4 40171 TCP localhost:smtp (LISTEN)
linux:/home/me #
@live_dont_exist I'll try next, but see above...

Code:
linux:/home/me # lsof -i
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
master  8780 root   11u  IPv4  42474       TCP localhost:smtp (LISTEN)
cupsd   8853   lp    0u  IPv4  42763       TCP *:6311 (LISTEN)
cupsd   8853   lp    2u  IPv4  42764       UDP *:ipp
linux:/home/me # netstat -pantu
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6311            0.0.0.0:*               LISTEN      8853/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      8780/master
tcp        0      1 217.184.144.118:21614   216.239.59.104:80       FIN_WAIT1   -
tcp        0      1 217.184.144.118:18633   216.239.59.103:80       FIN_WAIT1   -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           8853/cupsd
linux:/home/me # nmap -sV -v -p 0-65535 127.0.0.1

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-03-29 16:53 CEST
Initiating SYN Stealth Scan against localhost (127.0.0.1) [65536 ports] at 16:53
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 6311/tcp on 127.0.0.1
The SYN Stealth Scan took 12.67s to scan 65536 total ports.
Initiating service scan against 2 services on localhost (127.0.0.1) at 16:53
The service scan took 5.13s to scan 2 services on 1 host.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
25/tcp   open  smtp    Postfix smtpd
6311/tcp open  ipp     CUPS 1.1.23

Nmap finished: 1 IP address (1 host up) scanned in 19.259 seconds
               Raw packets sent: 65546 (2.62MB) | Rcvd: 131077 (5.24MB)
linux:/home/me #

Last edited by JZL240I-U; 03-29-2007 at 09:56 AM.
 
Old 03-29-2007, 10:10 AM   #12
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
master 8150 root 11u IPv4 40171 TCP localhost:smtp (LISTEN)
cupsd is NOT listening - something called "master" is.

On my system I see:
cupsd 16076 root 0u IPv4 67693168 TCP myserver.mydomain.com:ipp (LISTEN)
cupsd 16076 root 3u IPv4 67693169 UDP *:ipp

Type "ps -ef |grep 8150" to see the process for 8150 (e.g. is it a child process of something else?).

You can also run "lsof -p 8150" to see more detail about what file handles that process has open which may give a clue as to what it is doing.

The fact that the port shows up as "smtp" rather than "631" or "ipp" in your output suggests your mail server may be using the port for some reason.

EDIT: oops just reread your post and realized you'd done two different lsof commands - one specifying 631 and one without specifying it. smtp is typically port 25 (grep smtp /etc/services).

Additional edit - It shows you're using 6311 rather than 631 for cupsd in your nmap. Perhaps a typo where you appended an extra 1 in the config file? Check ipp definition in /etc/services.

Last edited by MensaWater; 03-29-2007 at 10:14 AM.
 
Old 03-29-2007, 11:15 AM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
This might not be the most elegant solution, but you could configure iptables so that the firewall only allows port 25 connections from 127.0.0.1. That is what I do with sendmail and it seems to work.
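The two layers the thread keeps coming back to (posts #4 and #13: bind to loopback and firewall it anyway, and post #11: verify with netstat) as one added shell example. This is my script, not code from the thread or from any of the tools named. `exposed_listeners` reads `netstat -pantu` output and lists only the sockets bound to a wildcard address, the ones another host can reach when the firewall is off; `loopback_only_rules` prints the iptables rules that accept a port on the loopback interface and drop it elsewhere (printed for review, not applied). The netstat text is the output quoted earlier in the thread; the iptables rule set is an assumption about how to express the "only from 127.0.0.1" advice and would be adapted to whatever chain layout the distribution's firewall already uses.

```shell
#!/bin/sh
# Added example (mine, not from the thread): (1) list, from "netstat -pantu"
# output, every listening socket bound to a wildcard address, i.e. the ones
# another host can reach when the firewall is off; (2) print the iptables
# rules that form the second layer: accept the port on the loopback
# interface, drop it everywhere else. Sample netstat text is the output
# quoted earlier in this thread.

# exposed_listeners < netstat-output -> "proto local-address program" for
# every tcp socket in LISTEN and every bound udp socket whose address is
# 0.0.0.0, :: or *; loopback-bound sockets are not reported
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }                 # headers, unix sockets
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }         # established, FIN_WAIT ...
        {
            addr = $4
            prog = ($1 ~ /^tcp/) ? $7 : $6             # udp rows have no State
            sub(/:[0-9*]+$/, "", addr)                 # strip ":port"
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                print $1, $4, prog
        }'
}

# loopback_only_rules proto:port ... -> iptables commands (printed, not run).
# Traffic the box sends to its own real address also arrives on lo, so
# "-i lo" covers both 127.0.0.1 and the host's own IP for local clients.
loopback_only_rules() {
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        printf 'iptables -A INPUT -i lo -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
        printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
    done
}

# netstat -pantu output as quoted in the thread (German column header
# because the box runs a de_DE locale)
SAMPLE_NETSTAT='Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6311            0.0.0.0:*               LISTEN      8853/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      8780/master
tcp        0      1 217.184.144.118:21614   216.239.59.104:80       FIN_WAIT1   -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           8853/cupsd'

echo "reachable from other hosts:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "firewall layer (review, then run as root, e.g. | sh):"
loopback_only_rules tcp:25 tcp:631 udp:631
```

Run against the quoted output, the audit reports cupsd on tcp 6311 and udp 631 and stays silent about Postfix on 127.0.0.1:25, which is exactly the difference between "port closed" and "port merely firewalled" that the poster is after; `netstat -pantu | exposed_listeners` on the live box gives the same answer without a second machine to scan from.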
 
Old 03-30-2007, 12:58 AM   #14
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
Yes, but that is only one part of it. One always gets the advice to first close any port not needed from the outside (or rather stop the services responsible), and only then secure the machine by firewall.

That's what I'm trying to do...
 
Old 03-30-2007, 01:31 AM   #15
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,637

Original Poster
Rep: Reputation: Disabled
"master" is a subprocess / child of postfix (there is /usr/lib/postfix/master and also a master.cf file in /etc/postfix dirctory). postfix in itself is never listening, it is done by master or smtp(d), depending from the program you are testing your ports with. Your "ps -ef |grep 8150" shows that, too. And yes, it is smtp on 127.0.0.1:25.

What command did you use to obtain your posted lines?
Code:
On my system I see:
 cupsd 16076 root 0u IPv4 67693168 TCP myserver.mydomain.com:ipp (LISTEN)
 cupsd 16076 root 3u IPv4 67693169 UDP *:ipp
Port 6311 was briefly used on the suggestion of live_dont_exist, see her / his post above. ipp has 631 for udp and tcp in /etc/services.


Well, what now? There must be a way. I noted that I have exactly the same version of cups as you have from your second post:
Code:
#In my cupsd.conf:
#
# End of "$Id: cupsd.conf.in,v 1.17 2005/01/03 19:29:45 mike Exp $".
That is identical with my file. Why does it work on one machine but not the other?
 