|
|
02-19-2007, 03:56 AM
|
#1
|
Member
Registered: Apr 2006
Posts: 509
Rep:
|
Closing these vulnerable ports!
I just ran: nmap <myipaddress> and this is what I got:
Quote:
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
80/tcp open http
5190/tcp open aol
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
|
I never opened any of these ports and the funniest thing about all this is that I don't even have AOL. How do I close these ports? Thanks.
|
|
|
02-19-2007, 04:12 AM
|
#2
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,200
|
You didn't mention your distro to help us be more specific, but you can generally close the first 2 ports from /etc/inetd.conf (if your distro uses inetd) by commenting out the respective entries, or from /etc/xinetd.d/* by removing the respective files.
Port 80 is used by apache, so find its startup script and make it non-executable, or move it to another place. The same goes for port 5190 (I guess it's aim).
Regards
|
|
|
02-19-2007, 05:27 AM
|
#3
|
Member
Registered: Apr 2006
Posts: 509
Original Poster
Rep:
|
Well, I use RedHat 9. I guess you forgot to see my distro on the left hand side. :D
My distro does not have inetd.conf. These are the contents of /etc/xinetd.d:
Quote:
amanda cups-lpd eklogin ipop3 pop3s services time
amandaidx daytime finger klogin rexec sgi_fam time-udp
amidxtape daytime-udp gssftp krb5-telnet rlogin swat
chargen dbskkd-cdb imap kshell rsh talk
chargen-udp echo imaps ktalk rsync telnet
comsat echo-udp ipop2 ntalk servers tftp
|
Are you certain that the respective files must be removed? Since telnet is one of the files, I'll show you its content:
Quote:
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
|
As you can see, "default:on" has been commented; and "disable=yes" is written. I think that this file is fine, but I'm not sure-- I'm a newbie. Thank you for the help.
P.S. What does this folder signify?
Last edited by gregorian; 02-19-2007 at 05:31 AM.
|
|
|
02-19-2007, 08:10 AM
|
#4
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,200
|
Changing "disable=yes" does the job. The folder /etc/xinetd.d contains control files for all the services that can be started at system startup. Since you use RH you can also use the "chkconfig" utility to control the services you want to start or not. Take a look at for details.
Regards
|
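The check discussed in posts #3 and #4, as an added example that is not part of the original thread: xinetd runs a service unless its file sets `disable = yes`, and lines starting with `#` (such as `# default: on`) are comments. The function names are hypothetical and the `gssftp` and `time` file contents are constructed samples; only the `telnet` file is the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread): report xinetd services that are enabled.
# A service counts as enabled unless its file sets "disable = yes".

xinetd_enabled() {          # $1 = directory holding xinetd service files
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Last uncommented "disable = ..." value in the file, if any
        val=$(sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$f" | tail -n 1)
        [ "$val" = "yes" ] || basename "$f"
    done
}

# Constructed sample directory: telnet as posted in the thread, plus two
# made-up files covering "disable = no" and a missing disable line.
demo_xinetd_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/telnet" <<'EOF'
# default: on
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF
    printf 'service gssftp\n{\n\tdisable = no\n}\n' > "$d/gssftp"   # explicitly enabled
    printf 'service time\n{\n\ttype = INTERNAL\n}\n' > "$d/time"    # no disable line
    xinetd_enabled "$d"
    rm -rf "$d"
}

demo_xinetd_audit
# On a real host: xinetd_enabled /etc/xinetd.d
```

For the sample directory this lists `gssftp` and `time` but not `telnet`.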
|
|
02-19-2007, 09:14 AM
|
#5
|
Member
Registered: Apr 2006
Posts: 509
Original Poster
Rep:
|
Huh? Should I change disable=yes to disable=no? Wouldn't that be the exact opposite of what I want?
I used the chkconfig utility in this manner:
Code:
chkconfig --list telnet
It gave me:
I'm a bit confused over here. When I went to www.whatismyip.com, I obtained an IP address. I "nmaped" that IP and got the four ports I mentioned earlier, but when I run nmap localhost, I get:
111/tcp open sunrpc
6000/tcp open X11
Anyway, I telneted to the first IP address and actually got a prompt! It gave me:
Code:
BCM96338 ADSL Router
Login:
I'm thoroughly confused now.
|
|
|
02-19-2007, 10:01 AM
|
#6
|
Member
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700
Rep:
|
Quote:
Closing these vulnerable ports!
|
What exactly makes them vulnerable? Not every open port means a security risk. If you're that concerned about sec; I think you might want to reconsider the choice for your distribution.
As for the router.. learn what they are and how they work.. or simply forget about it and live just as happily.
|
|
|
02-19-2007, 07:57 PM
|
#7
|
Member
Registered: Apr 2006
Posts: 509
Original Poster
Rep:
|
Quote:
Originally Posted by introuble
What exactly makes them vulnerable? Not every open port means a security risk. If you're that concerned about sec; I think you might want to reconsider the choice for your distribution.
|
I ran an online security scanner and it listed the ports as vulnerable. I ran nmap to confirm that the ports were open. RH9 is the only distribution I have access to.
Quote:
As for the router.. learn what they are and how they work.. or simply forget about it and live just as happily.
|
Did you read my previous post completely? I never stated that I wanted to learn what a router was and how it worked. I wanted to know the difference between scanning localhost and scanning the IP I had obtained by going to that particular website. I simply provided more information.
|
|
|
02-19-2007, 08:09 PM
|
#8
|
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Rep:
|
Sorry if I missed something, but on later redhats you'd use
chkconfig (relevant service name goes here) off
service (relevant service name goes here) stop
use chkconfig --list
to see services
|
|
|
02-19-2007, 08:38 PM
|
#9
|
Member
Registered: Apr 2006
Posts: 509
Original Poster
Rep:
|
Thanks for the help billy-- I already tried that two posts ago. I just want to know why I get a different result from nmapping localhost and from nmapping the IP as shown on www.whatismyip.com
|
|
|
02-19-2007, 10:03 PM
|
#10
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
Probably the services you get when nmaping localhost are only listening on the local interface. Daemons can listen on only the loopback interface (and in fact this is quite normal for X11 and other services that would only expect to be accessed locally).
|
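The loopback-only binding described in post #10, as an added example that is not part of the original thread: it reads `/proc/net/tcp`-style input and reports, for each listening TCP port, whether the socket is bound to every interface or only to 127.x.x.x. The function names are hypothetical, the sample table is constructed, and the hex addresses are assumed little-endian (x86).

```shell
#!/bin/sh
# Added example (not from the thread): show which address each listening TCP
# socket is bound to. Input is /proc/net/tcp format (IPv4 only); the hex
# addresses are assumed little-endian, as on x86.

classify_listeners() {
    while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue            # 0A = LISTEN; also skips the header
        addr=${laddr%%:*}
        port=$((0x${laddr##*:}))                # port is stored as hex
        case "$addr" in
            00000000) scope="all-interfaces" ;; # 0.0.0.0: listens on every interface
            ??????7F) scope="loopback-only"  ;; # 127.x.x.x: local machine only
            *)        scope="one-address"    ;; # bound to one specific address
        esac
        echo "$port $scope"
    done
}

# Constructed sample: three listeners (ports 111, 6000, 631) and one
# established outbound connection that must be ignored.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A00A8C0:8F2C 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000   500        0 1004
EOF
}

sample_proc_net_tcp | classify_listeners
# On a real host: classify_listeners < /proc/net/tcp
```

A port reported as `loopback-only` answers a scan of localhost but not a scan from another machine.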
|
|
02-19-2007, 11:40 PM
|
#11
|
Member
Registered: Apr 2006
Posts: 509
Original Poster
Rep:
|
Ok, so I don't have to worry about the ports which are open on the IP address displayed on whatismyip.com, right?
|
|
|
All times are GMT -5.
|
|
|