LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-20-2005, 07:14 PM   #1
einstien
Member
 
Registered: Sep 2004
Distribution: fedora
Posts: 98

Rep: Reputation: 15
closing ssh port


Hello all

I just scanned myself and found this:

22/tcp open ssh
25/tcp open smtp
111/tcp open rpcind
631/tcp open ipp

I want to close the ssh service. How do I do that?...

Are the other 3 ports that are open dangerous for me?

And I have another question:

I have FC3. Where are the firewall settings located?

The last time I saw them was a long time ago and now I don't remember where they are.


Please help
 
Old 06-20-2005, 07:19 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
SSH is the *SAFEST* of those.

I would *SUBSTANTIALLY* worry about ports 111 and 631, not ssh. And if you're not running a mailserver, then port 25 might not be a great idea either.

Oh, but in answer to your question... you can use iptables to drop packets for those ports, but hopefully you already have a firewall set up and just need to delete the EXCEPTION rules.
 
Old 06-20-2005, 07:22 PM   #3
einstien
Member
 
Registered: Sep 2004
Distribution: fedora
Posts: 98

Original Poster
Rep: Reputation: 15
OK

OK, and if I want to close all of those services, and to check if my firewall is set up, how do I do that?
 
Old 06-20-2005, 10:05 PM   #4
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
How did you scan yourself? It's possible some of those are only listening on the loopback adapter.
 
Old 06-21-2005, 01:00 AM   #5
a1ex_007
LQ Newbie
 
Registered: Mar 2005
Location: Imphal
Distribution: Fedora Core 3 x86_64
Posts: 26

Rep: Reputation: 15
Fixing that problem is really simple.

Go to the /etc/sysconfig directory

and edit the iptables file. This is the configuration file for the firewall.

In the file, remove the line containing the port you want to close.
 
Old 06-23-2005, 01:50 PM   #6
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
Remove the services from the startup scripts, and as was mentioned earlier, how did you scan yourself?
 
Old 06-26-2005, 08:15 PM   #7
saltron
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Rep: Reputation: 0
First of all you should not have any services running if not needed. So,
cd /etc/rc.d
ls
rm -f rc.x -- where 'x' is the service name.
e.g. rm -f /etc/rc.d/rc.sshd
^^ would remove sshd from starting up on boot (so you won't worry about killing the process later) --

Also to kill the process:
killall sshd

~saltron
 
Old 06-27-2005, 02:48 PM   #8
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Rep: Reputation: 30
Again, how did you scan yourself?
 
Old 06-27-2005, 03:41 PM   #9
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Code:
#!/bin/bash

BAD_PORTS="22 25 111 631"
for PORT in $BAD_PORTS; do
   iptables -I INPUT -p tcp -i eth0 --dport $PORT -j DROP
done
You can dump this into a file, then execute it. Also removing the services from startup (/etc/rc*) as previously recommended should work.
 
Old 06-27-2005, 05:11 PM   #10
Digalante
LQ Newbie
 
Registered: Jun 2005
Distribution: Slackware
Posts: 1

Rep: Reputation: 0
Quote:
rm -f rc.x -- where 'x' is the service name.
I think in Fedora it's a bit easier to do "/sbin/chkconfig --levels 0123456 sshd off" rather than delete the startup script. This would ensure that sshd doesn't get started, but just in case he wants to use sshd later he can turn it back on. A second solution would just be remove the executable bit from each of the startup scripts instead of deleting them.

The dangers of each of those services really do depend on how you scanned yourself. Like others have said, those services may just be listening on the loopback adapter.
 
Old 06-27-2005, 05:34 PM   #11
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
Quote:
Originally posted by Digalante
I think in Fedora it's a bit easier to do "/sbin/chkconfig --levels 0123456 sshd off" rather than delete the startup script. This would ensure that sshd doesn't get started, but just in case he wants to use sshd later he can turn it back on. A second solution would just be remove the executable bit from each of the startup scripts instead of deleting them.
chkconfig just deletes the symlinks for you. Yes, deleting the startup script itself as saltron suggested would be dumb, but deleting the proper symlink in /etc/rcX.d would be fine.
 
Old 06-27-2005, 05:48 PM   #12
DaWallace
Member
 
Registered: Feb 2004
Location: Southern Maine, United States
Distribution: Slackware Ubuntu Debian FreeBSD
Posts: 418

Rep: Reputation: 31
Quote:
Originally posted by saltron
First of all you should not have any services running if not needed. So,
cd /etc/rc.d
ls
rm -f rc.x -- where 'x' is the service name.
e.g) rm -f /etc/rc.d/rc.sshd
^^ would remove sshd from starting up on boot (so you won't worry about killing the process later) --

Also to kill the process:
killall sshd

~saltron
That wouldn't work in Fedora. You'd have to rename the sshd symlink in /etc/rcX.d, where X is the runlevel you want this for. You would change the S to a K.

And for Christ's sake don't delete the init scripts. I've had to get a friend out of that situation not more than a week ago; whoever originally dumped this misinformation onto the internet should be beaten with a Unix permissions tutorial. You set the script non-executable; that is the correct way of doing that with Slack-style init scripts. Deleting them is dumb. chmod -x NOT rm -f.

I'm sure there's an easier way in Fedora than editing the init scripts, but that's the way I know.
 
Old 06-27-2005, 09:32 PM   #13
Jessard
Member
 
Registered: Jun 2005
Location: Boston, USA
Distribution: Gentoo, CentOS
Posts: 82

Rep: Reputation: 16
Well, if you just want to close those ports to the outside, system-config-securitylevel is an ultra-simple RedHat graphical tool for that sort of thing. (Maybe this is the sort of "easier way" DaWallace mentioned?)
 
Old 06-27-2005, 11:26 PM   #14
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
For rpcbind: this is the RPC portmapper; run "rpcinfo -p" to see if you're using RPC services. The portmapper is usually compiled with tcp-wrappers support. If you want to use it locally, then check the files /etc/hosts.allow and /etc/hosts.deny (man hosts.allow).

An example of a default-deny configuration:

/etc/hosts.deny:
ALL: ALL

/etc/hosts.allow:
ALL: 127.0.0.1
sshd: ALL

If you're paranoid, run the ssh server on some obscure port and firewall your machine. Use secure passwords. Many scanners are being run on the internet just to find ssh servers, and they begin trying combinations from a wordlist. They now have some sophistication, such as trying your language.

Also, try not to type any sensitive passwords on machines you don't know, to avoid keyloggers. If you do, remotely shut down the machine after connecting and change your password.

If you really want to run a mailserver, take the time to find a secure configuration (i.e., the server itself, chroot, etc.).

Check the CUPS documentation to see if it uses the tcp-wrappers library (libwrap).

An easy way to disable these init scripts is to create a directory with any name (i.e., "disabled") and move them there. You don't need to reboot; you just run the script with "stop" as argument, i.e.:
cd /etc/rc.d/init.d/
./sshd stop
mkdir disabled/
mv sshd disabled/

If you want to scan yourself, then download & run nmap.
First, scan your loopback interface, that is 127.0.0.1.
Run ifconfig to see your configured interfaces and their IPs, and use the -e option to nmap to specify interfaces to send & receive packets, and scan the ip of any non-loopback interface. This is to scan yourself as you would be perceived from the Internet.

Be careful, as some services are configured to run on any interface (with an IP of 0.0.0.0), and some services detect all interfaces and bind a port to each. This usually occurs at startup, but if any service of this 2nd kind is restarted _after_ your ADSL or PPP interface is set up, then they will bind to both 127.0.0.1 and ppp, etc...

Note that you don't need to scan yourself to detect your open ports. Run netstat. See the manpage of netstat, and run netstat -tnlu.
netstat -tnlup & rpcinfo -p give you all the info you need about listening ports.


Last edited by primo; 06-27-2005 at 11:54 PM.
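As an added example, not part of the thread or of any libwrap source: a minimal model of how tcp-wrappers evaluates the default-deny /etc/hosts.allow and /etc/hosts.deny files primo posted, showing that "sshd: ALL" in hosts.allow lets sshd through from anywhere while the portmapper stays reachable from 127.0.0.1 only. It implements only the subset of the syntax used above (ALL, daemon names, exact IPs, dotted network prefixes); EXCEPT, hostnames and netmask forms are assumed away, and 203.0.113.5 is a documentation address standing in for a remote client.

```python
# Added example (not from the thread): a minimal model of how tcp-wrappers
# (libwrap) evaluates /etc/hosts.allow and /etc/hosts.deny, using the
# default-deny files primo posted. It handles only the subset of the syntax
# seen there (ALL, daemon names, exact IPs, dotted prefixes such as
# "192.168.1."); EXCEPT, hostnames and netmask forms are not modelled.

HOSTS_ALLOW = "ALL: 127.0.0.1\nsshd: ALL\n"   # primo's /etc/hosts.allow
HOSTS_DENY = "ALL: ALL\n"                     # primo's /etc/hosts.deny


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        # libwrap lists are separated by blanks and/or commas
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def _matches(pattern, value):
    if pattern == "ALL":                # wildcard
        return True
    if pattern.endswith("."):           # "192.168.1." = network prefix
        return value.startswith(pattern)
    return pattern == value             # exact daemon name or IP


def _rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(_matches(d, daemon) for d in daemons)
            and any(_matches(c, client_ip) for c in clients))


def wrapper_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow first (first match grants), then hosts.deny
    (first match refuses), and access is granted if neither file matches."""
    if any(_rule_matches(r, daemon, client_ip) for r in parse_rules(allow)):
        return "allow"
    if any(_rule_matches(r, daemon, client_ip) for r in parse_rules(deny)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for a remote client
    for daemon, ip in [("sshd", "203.0.113.5"), ("portmap", "203.0.113.5"),
                       ("portmap", "127.0.0.1")]:
        print(f"{daemon:8} from {ip:12} -> {wrapper_decision(daemon, ip)}")
```

Note the last line of wrapper_decision: with an empty hosts.deny, every unmatched request is granted, which is why a default-deny setup needs the "ALL: ALL" line.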
 
Old 06-28-2005, 06:49 PM   #15
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
Run ifconfig to see your configured interfaces and their IPs, and use the -e option to nmap to specify interfaces to send & receive packets, and scan the ip of any non-loopback interface. This is to scan yourself as you would be perceived from the Internet.
This absolutely will not work. No matter what IP address you use, it will still be seen as a scan coming from the local computer, not from the internet.

Think about it logically: if your internet IP is, say, 211.11.11.11 and you scan that IP from the local machine, where on the Internet is the kernel routing code going to send the packets? 69.69.69.69? Detroit? Finland? Lala Land? If the interface is already bound to that address then the kernel already knows where it is and will simply send the packets to itself, over the loopback.

IP addresses are properties of hosts *NOT* interfaces.


If you want to scan your machine 'from the Internet' head over to one of the websites which offer this service such as http://grc.com
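An added example, not part of the thread: following primo's advice to read netstat -tnlup rather than scan yourself, and tkedwards's point that a local scan cannot show the outside view, this script parses netstat output and reports which listeners are bound only to loopback and which to every interface. The netstat lines, PIDs and program names are constructed to mirror the original poster's scan and did not come from anyone's real machine.

```python
# Added example (not from the thread): classify the listeners shown by
# "netstat -tnlup" by bind address, so you can tell which of the ports an
# nmap self-scan reports are reachable from other hosts and which are bound
# to loopback only. The output below is constructed, not captured.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  1234/sshd
tcp        0      0 127.0.0.1:25    0.0.0.0:*        LISTEN  1301/sendmail
tcp        0      0 0.0.0.0:111     0.0.0.0:*        LISTEN  1102/portmap
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  1410/cupsd
tcp        0      0 :::22           :::*             LISTEN  1234/sshd
udp        0      0 0.0.0.0:111     0.0.0.0:*                1102/portmap
"""

WILDCARDS = {"0.0.0.0", "::", "*"}          # bound on every interface


def exposure(addr):
    """Map a local bind address to where it can be reached from."""
    if addr in WILDCARDS:
        return "all interfaces"
    if addr == "::1" or addr.startswith("127."):
        return "loopback only"
    return "address " + addr                 # one specific interface address


def parse_netstat(text):
    """Return (proto, addr, port, program, exposure) for each listener."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                         # skip the two header lines
        addr, port = f[3].rsplit(":", 1)     # ":::22" -> ("::", "22")
        # UDP lines have no State column, so take the program from the end;
        # netstat prints "-" there when run without root.
        program = f[-1].split("/", 1)[1] if "/" in f[-1] else "-"
        rows.append((f[0], addr, int(port), program, exposure(addr)))
    return rows


def reachable_from_outside(text):
    """Set of 'proto/port program' strings not confined to loopback."""
    return {f"{p}/{port} {prog}" for p, _a, port, prog, exp in parse_netstat(text)
            if exp != "loopback only"}


if __name__ == "__main__":
    for proto, addr, port, prog, exp in parse_netstat(NETSTAT_OUTPUT):
        print(f"{proto:4} {port:<5} {prog:10} {exp}")
```

For the constructed sample, only sshd and the portmapper are reachable from other hosts; sendmail and cupsd listen on 127.0.0.1 and would show as open to a local nmap but not to the Internet.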
 