LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-20-2005, 07:14 PM   #1
einstien
Member
 
Registered: Sep 2004
Distribution: fedora
Posts: 98

Rep: Reputation: 15
closing ssh port


hallo all

i just scanned my self and found out this:

22/tcp open ssh
25/tcp open smtp
111/tcp open rpcind
631/tcp open ipp

i want to close the ssh service
how do i do that?...

are the other 3 ports that are open dangerus for me?

and i have another question

i have fc3 where are the firewall setting located?

the last time i sow them was a long time ago and now i dont remember where they are


please help
 
Old 06-20-2005, 07:19 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 128Reputation: 128
SSH is the *SAFEST* of those.

I would *SUBSTANTIALLY* worry about ports 111 and 631, not ssh. And if you're not running a mailserver, then port 25 might not be a great idea either.

Oh, but in answer to your question... you can use iptables to drop packets for those ports, but hopefully you already have a firewall set up and just need to delete the EXCEPTION rules.
 
Old 06-20-2005, 07:22 PM   #3
einstien
Member
 
Registered: Sep 2004
Distribution: fedora
Posts: 98

Original Poster
Rep: Reputation: 15
ok

ok and if i want to close all of those services
and to check if my firewall is set up how do i do that?
 
Old 06-20-2005, 10:05 PM   #4
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
How did you scan yourself? It's possible some of those are only listening on the loopback adapter.
 
Old 06-21-2005, 01:00 AM   #5
a1ex_007
LQ Newbie
 
Registered: Mar 2005
Location: Imphal
Distribution: Fedora Core 3 x86_64
Posts: 26

Rep: Reputation: 15
fixing that problem is really simple.

goto /etc/sysconfig directory

and edit the iptables file. this is the donfiguration file for the firewall.

in the file, remove the line containing the port u want to close.
 
Old 06-23-2005, 01:50 PM   #6
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
Remove the services from the startup scripts, and as was mentioned earlier, how did you scan yourself?
 
Old 06-26-2005, 08:15 PM   #7
saltron
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Rep: Reputation: 0
First of all you should not have any services running if not needed. So,
cd /etc/rc.d
ls
rm -f rc.x -- where 'x' is the service name.
e.g) rm -f /etc/rc.d/rc.sshd
^^ would remove sshd from starting up on boot (so you won't worry about killing the process later) --

Also to kill the process:
killall sshd

~saltron
 
Old 06-27-2005, 02:48 PM   #8
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Rep: Reputation: 30
Again, how did you scan yourself?
 
Old 06-27-2005, 03:41 PM   #9
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Code:
#!/bin/bash

BAD_PORTS="22 25 111 631"
for PORT in $BAD_PORTS; do
   iptables -I INPUT -p tcp -i eth0 --dport $PORT -j DROP
done
You can dump this into a file, then execute it. Also removing the services from startup (/etc/rc*) as previously recommended should work.
 
Old 06-27-2005, 05:11 PM   #10
Digalante
LQ Newbie
 
Registered: Jun 2005
Distribution: Slackware
Posts: 1

Rep: Reputation: 0
Quote:
rm -f rc.x -- where 'x' is the service name.
I think in Fedora it's a bit easier to do "/sbin/chkconfig --levels 0123456 sshd off" rather than delete the startup script. This would ensure that sshd doesn't get started, but just in case he wants to use sshd later he can turn it back on. A second solution would just be remove the executable bit from each of the startup scripts instead of deleting them.

The dangers of each of those services really does depend on how you scanned yourself. Like others have said, those services may just be listening on the loopback adapter.
 
Old 06-27-2005, 05:34 PM   #11
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
Quote:
Originally posted by Digalante
I think in Fedora it's a bit easier to do "/sbin/chkconfig --levels 0123456 sshd off" rather than delete the startup script. This would ensure that sshd doesn't get started, but just in case he wants to use sshd later he can turn it back on. A second solution would just be remove the executable bit from each of the startup scripts instead of deleting them.
chkconfig just deletes the symlinks for you. Yes, deleting the startup script itself as saltron would be dumb, but deleting the proper symlink in /etc/rcX.d would be fine.
 
Old 06-27-2005, 05:48 PM   #12
DaWallace
Member
 
Registered: Feb 2004
Location: Southern Maine, United States
Distribution: Slackware Ubuntu Debian FreeBSD
Posts: 418

Rep: Reputation: 31
Quote:
Originally posted by saltron
First of all you should not have any services running if not needed. So,
cd /etc/rc.d
ls
rm -f rc.x -- where 'x' is the service name.
e.g) rm -f /etc/rc.d/rc.sshd
^^ would remove sshd from starting up on boot (so you won't worry about killing the process later) --

Also to kill the process:
killall sshd

~saltron
that wouldn't work in fedora.. you'd have to rename the sshd symlink in /etc/rcX.d where X is the runlevel you want this for. you would change the S to a K.

and for christ's sake don't delete the init scripts. I've had to get a friend out of that situation not more than a week ago, whoever originally dumped this misinformation into the internet should be beaten with a unix permissions tutorial. you set the script non-executable, that is the correct way of doing that with slack-style init scripts. deleting them is dumb. chmod -x NOT rm -f.

I'm sure there's an easier way in fedora than editing the init scripts. but that's the way I know.
 
Old 06-27-2005, 09:32 PM   #13
Jessard
Member
 
Registered: Jun 2005
Location: Boston, USA
Distribution: Gentoo, CentOS
Posts: 82

Rep: Reputation: 16
Well, if you just want to close those ports to the outside, system-config-securitylevel is an ultra-simple RedHat graphical tool for that sort of thing. (Maybe this is the sort of "easier way" DaWallace mentioned?)
 
Old 06-27-2005, 11:26 PM   #14
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
For rpcbind, this is the rpc portmapper, run "rpcinfo -p" to see if you're using rpc services... The portmapper is usually compiled with tcp-wrappers support. If you want to use it locally, then check the files /etc/hosts.allow & /etc/hosts.deny (man hosts.allow)

An example of a default-deny configuration:

/etc/hosts.deny:
ALL: ALL

/etc/hosts.allow:
ALL: 127.0.0.1
sshd: ALL

If you're paranoid, run the ssh server on some obscure port and firewall your machine. Use secure passwords. Many scanners are being run on the internet just to find ssh servers, and they begin trying combinations in a wordlist. They now have some sofistication as to try your language.

Also, try not to type any sensitive passwords on machines you don't know to avoid keyloggers... If you do, remotely shutdown the machine after connecting and change your password.

If you really want to run a mailserver, take the time to find a secure configuration (ie, the server itself, chroot, etc)

Check the cups documentation to see if it uses the tcp-wrappers library (libwrap)

An easy way to disable these init scripts is to create a directory with any name (ie, "disabled") and move them there... You don't need to reboot, you just run the script with "stop" as argument, i.e.:
cd /etc/rc.d/init.d/
./sshd stop
mkdir disabled/
mv sshd disabled/

If you want to scan yourself then download & run nmap.
First, scan your loopback interface, that is 127.0.0.1
Run ifconfig to see your configured interfaces and their ip's, and use the -e option to nmap to specify interfaces to send & receive packets, and scan the ip of any non-loopback interface. This is to scan yourself as you would be perceived from the Internet.

Be careful as some services are configured to run on any interface (with an ip of 0.0.0.0), and some services detect any interfaces and bind a port to it. This usually occurs at startup, but if any service of this 2nd kind is restarted _after_ your adsl or ppp interface is setup, then they will bind to both 127.0.0.1 and ppp, etc...

Note that you don't need to scan yourself to detect your open ports... Run netstat. See the manpage of netstat, and run netstat -tnlu
netstat -tnlup & rpcinfo -p gives you all the info you need about listening ports


Last edited by primo; 06-27-2005 at 11:54 PM.
 
Old 06-28-2005, 06:49 PM   #15
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
Run ifconfig to see your configured interfaces and their ip's, and use the -e option to nmap to specify interfaces to send & receive packets, and scan the ip of any non-loopback interface. This is to scan yourself as you would be perceived from the Internet.
This absolutely will not work. No matter what IP address you use it will still be seen as a scan coming from the local computer, not from the internet.

Think about it logically - if you're internet IP is say 211.11.11.11 and you scan that IP from the local machine where on the Internet is the kernel routing code going to send the packets? 69.69.69.69? Detroit? Finland? Lala Land? If the interface is already bound to that address then the kernel already knows where it is and will simply send the packets to itself - over the loopback.

IP addresses are properties of hosts *NOT* interfaces.


If you want to scan your machine 'from the Internet' head over to one of the websites which offer this service such as http://grc.com
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Closing port 4000. gbowden Linux - Security 3 10-10-2005 11:04 AM
closing rpc3 port flubber Slackware 1 05-10-2004 01:55 PM
closing port 68/udp? antik Linux - Security 1 09-26-2003 12:26 PM
closing port 25 using sendmail sidkdbl07 Linux - Software 5 08-02-2003 04:46 AM
Closing port 111 psyklops Linux - General 3 05-01-2002 12:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration