Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I would *SUBSTANTIALLY* worry about ports 111 and 631, not ssh. And if you're not running a mailserver, then port 25 might not be a great idea either.
Oh, but in answer to your question... you can use iptables to drop packets for those ports, but hopefully you already have a firewall set up and just need to delete the EXCEPTION rules.
First of all you should not have any services running if not needed. So,
cd /etc/rc.d
ls
rm -f rc.x -- where 'x' is the service name.
e.g. rm -f /etc/rc.d/rc.sshd
^^ would remove sshd from starting up on boot (so you won't worry about killing the process later) --
I think in Fedora it's a bit easier to do "/sbin/chkconfig --level 0123456 sshd off" rather than delete the startup script. This would ensure that sshd doesn't get started, but just in case he wants to use sshd later he can turn it back on. A second solution would just be to remove the executable bit from each of the startup scripts instead of deleting them.
The dangers of each of those services really does depend on how you scanned yourself. Like others have said, those services may just be listening on the loopback adapter.
Originally posted by Digalante
I think in Fedora it's a bit easier to do "/sbin/chkconfig --level 0123456 sshd off" rather than delete the startup script. This would ensure that sshd doesn't get started, but just in case he wants to use sshd later he can turn it back on. A second solution would just be to remove the executable bit from each of the startup scripts instead of deleting them.
chkconfig just deletes the symlinks for you. Yes, deleting the startup script itself as saltron suggested would be dumb, but deleting the proper symlink in /etc/rcX.d would be fine.
Originally posted by saltron
First of all you should not have any services running if not needed. So,
cd /etc/rc.d
ls
rm -f rc.x -- where 'x' is the service name.
e.g. rm -f /etc/rc.d/rc.sshd
^^ would remove sshd from starting up on boot (so you won't worry about killing the process later) --
Also to kill the process:
killall sshd
~saltron
That wouldn't work in Fedora. You'd have to rename the sshd symlink in /etc/rcX.d, where X is the runlevel you want this for. You would change the S to a K.
And for Christ's sake, don't delete the init scripts. I've had to get a friend out of that situation not more than a week ago; whoever originally dumped this misinformation onto the internet should be beaten with a Unix permissions tutorial. You set the script non-executable; that is the correct way of doing that with Slack-style init scripts. Deleting them is dumb. chmod -x, NOT rm -f.
I'm sure there's an easier way in Fedora than editing the init scripts, but that's the way I know.
Well, if you just want to close those ports to the outside, system-config-securitylevel is an ultra-simple RedHat graphical tool for that sort of thing. (Maybe this is the sort of "easier way" DaWallace mentioned?)
For rpcbind, this is the rpc portmapper, run "rpcinfo -p" to see if you're using rpc services... The portmapper is usually compiled with tcp-wrappers support. If you want to use it locally, then check the files /etc/hosts.allow & /etc/hosts.deny (man hosts.allow)
An example of a default-deny configuration:
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
ALL: 127.0.0.1
sshd: ALL
If you're paranoid, run the ssh server on some obscure port and firewall your machine. Use secure passwords. Many scanners are being run on the internet just to find ssh servers, and they begin trying combinations from a wordlist. They now have enough sophistication to try your language.
Also, try not to type any sensitive passwords on machines you don't know to avoid keyloggers... If you do, remotely shutdown the machine after connecting and change your password.
If you really want to run a mailserver, take the time to find a secure configuration (i.e., the server itself, chroot, etc.)
Check the cups documentation to see if it uses the tcp-wrappers library (libwrap)
An easy way to disable these init scripts is to create a directory with any name (i.e., "disabled") and move them there... You don't need to reboot, you just run the script with "stop" as the argument, e.g.:
cd /etc/rc.d/init.d/
./sshd stop
mkdir disabled/
mv sshd disabled/
If you want to scan yourself then download & run nmap.
First, scan your loopback interface, that is 127.0.0.1
Run ifconfig to see your configured interfaces and their ip's, and use the -e option to nmap to specify interfaces to send & receive packets, and scan the ip of any non-loopback interface. This is to scan yourself as you would be perceived from the Internet.
Be careful as some services are configured to run on any interface (with an ip of 0.0.0.0), and some services detect any interfaces and bind a port to it. This usually occurs at startup, but if any service of this 2nd kind is restarted _after_ your adsl or ppp interface is setup, then they will bind to both 127.0.0.1 and ppp, etc...
Note that you don't need to scan yourself to detect your open ports... Run netstat. See the manpage of netstat, and run netstat -tnlu
netstat -tnlup & rpcinfo -p gives you all the info you need about listening ports
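To make the hosts.allow / hosts.deny semantics above concrete, here is an added shell script (not from this post and not the tcp-wrappers library itself) that re-implements the hosts_access(5) decision order in simplified form: hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is allowed. It only understands the ALL wildcard, exact client addresses and trailing-dot network prefixes (e.g. "192.168.1."), and it ignores the optional shell-command field. The files it reads are constructed in a temporary directory and reproduce the post's default-deny configuration plus one assumed LAN rule (`portmap: 192.168.1.`) that the post does not contain.

```shell
#!/bin/sh
# Simplified tcp-wrappers (hosts_access(5)) decision logic, written as an
# illustration: hosts.allow first, then hosts.deny, no match at all = allow.
# Supported client patterns: ALL, an exact address, a trailing-dot prefix.

# match_list LIST ITEM: succeed if ITEM matches any token in LIST
# (tokens are separated by commas and/or whitespace).
match_list() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    item=$2
    for tok in $list; do
        case "$tok" in
            ALL) return 0 ;;
            *.)  # network prefix such as 192.168.1.
                 case "$item" in "$tok"*) return 0 ;; esac ;;
            "$item") return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: succeed if any rule line in FILE matches.
# Rule lines look like "daemon_list : client_list [: shell_command]".
file_matches() {
    file=$1 daemon=$2 client=$3
    [ -r "$file" ] || return 1          # a missing file matches nothing
    while IFS= read -r line; do
        line=${line%%#*}                 # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}
        clist=${clist%%:*}               # drop an optional command field
        if match_list "$dlist" "$daemon" && match_list "$clist" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT ALLOWFILE DENYFILE
# Prints "allow" or "deny"; returns 0 for allow, 1 for deny.
hosts_access() {
    if file_matches "$3" "$1" "$2"; then echo allow; return 0; fi
    if file_matches "$4" "$1" "$2"; then echo deny;  return 1; fi
    echo allow; return 0                 # neither file matched
}

# Constructed example files: the post's default-deny setup plus one assumed
# LAN rule for the portmapper (the post itself has no such rule).
demo_dir=$(mktemp -d)
printf 'ALL: ALL\n' > "$demo_dir/hosts.deny"
printf 'ALL: 127.0.0.1\nsshd: ALL\nportmap: 192.168.1.\n' > "$demo_dir/hosts.allow"

for probe in "sshd 203.0.113.5" "portmap 203.0.113.5" \
             "portmap 127.0.0.1" "portmap 192.168.1.20" "cupsd 192.168.1.20"; do
    set -- $probe
    printf '%-8s from %-15s -> %s\n' "$1" "$2" \
        "$(hosts_access "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
# sshd from anywhere -> allow; portmap from the internet -> deny;
# portmap from loopback or the LAN prefix -> allow; cupsd from the LAN -> deny.
rm -rf "$demo_dir"
```

The point the script makes visible is that "ALL: ALL" in hosts.deny is only a fallback: anything listed in hosts.allow wins before the deny file is ever read, so every line in hosts.allow is an exception you are consciously granting.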
Run ifconfig to see your configured interfaces and their ip's, and use the -e option to nmap to specify interfaces to send & receive packets, and scan the ip of any non-loopback interface. This is to scan yourself as you would be perceived from the Internet.
This absolutely will not work. No matter what IP address you use it will still be seen as a scan coming from the local computer, not from the internet.
Think about it logically - if your internet IP is, say, 211.11.11.11 and you scan that IP from the local machine, where on the Internet is the kernel routing code going to send the packets? 69.69.69.69? Detroit? Finland? Lala Land? If the interface is already bound to that address then the kernel already knows where it is and will simply send the packets to itself - over the loopback.
IP addresses are properties of hosts *NOT* interfaces.
If you want to scan your machine 'from the Internet' head over to one of the websites which offer this service such as http://grc.com
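Since a scan from the machine itself cannot show what the outside sees, the bind address of each listening socket is the thing to read, and that is exactly what the `netstat -tnlup` suggested earlier prints. The following added shell functions (not from any post in this thread) parse netstat's listening-socket output and label each socket as loopback-only, bound to all interfaces, or bound to one specific address; only the non-loopback ones are candidates for the ports 111, 631 and 25 worried about at the top of the thread. The netstat output it runs over is a constructed sample, not output from the original poster's machine.

```shell
#!/bin/sh
# Classify listening sockets by bind address from `netstat -tnlup` output.
# Added illustration; the sample below is constructed, not real netstat output.

# classify_listeners: reads netstat -tnlup output on stdin and prints one line
# per listening socket:  PROTO PORT BINDADDR SCOPE PROGRAM
# udp lines have no State column, so the program is taken from the last field.
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]          # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")         scope = "ALL-INTERFACES"
            else if (addr == "127.0.0.1" || addr == "::1") scope = "loopback-only"
            else                                           scope = "specific-address"
            print $1, port, addr, scope, $NF
        }'
}

# exposed_listeners: keep only sockets other hosts can reach and print
# "PROTO/PORT PROGRAM" once each; this is the list to justify, wrap or close.
exposed_listeners() {
    classify_listeners | awk '$4 != "loopback-only" { print $1 "/" $2, $5 }' | sort -u
}

# Constructed sample in netstat -tnlup layout (PIDs and programs invented).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/rpcbind
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      904/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1033/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1187/master
tcp6       0      0 :::22                   :::*                    LISTEN      1033/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
EOF
)

echo "== all listeners =="
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
echo "== reachable from other hosts =="
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
# In the sample, cupsd (631) and the MTA (25) are loopback-only, while
# rpcbind (111 tcp/udp), sshd (22 v4/v6) and dhclient (68) face every interface.
```

On a real box, run `netstat -tnlup | classify_listeners` as root so the PID/Program column is filled in; on newer systems `ss -tnlup` prints a comparable layout. A socket bound to 0.0.0.0 or :: after the PPP or ADSL interface came up is the case the earlier post warns about, and it shows up here as ALL-INTERFACES regardless of when the daemon started.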