Disabling ports 708-781?
How does one disable ports that change daily after reboot in regards to a port scan?
One day port 708 is open. The lsof -i command shows that it is in LISTEN mode and I am able to telnet from my localhost to that port. The next time I reboot, a remote port scan shows a different port open, like port 745. All the ports are in the 708-781 range, but only one port is open each time I turn my computer on. I tried updating inetd. Nothing in inetd.conf (which is very sparse in Debian) or /etc/services that I see in reference to those ports. Never seen anything like this before. I have pmfirewall and security updates in place. Thanks for any help.
Try nmap to get an idea what is using the port. Then you can decide if it's required; if not, stop the service.
(It's not "How does one disable ports", but how does one stop open sockets from being publicly accessible...)
I'd say for now (as a quick measure in case you can't pinpoint the process) just block the range you mentioned; I haven't seen any IANA-registered services in the range you mentioned. "lsof -ni tcp:[portnumber]" (or netstat -panl -A inet) should give you process names and IDs to look at. Please post as many details as you can. Anyway: Is this a production box? What services does it run? Who has access to it? Root access? Any chance of verifying the integrity of the files on the box? You say you telnetted in. What output was shown, or was it a true telnet session?
I ran a tiger scan with output:
Code:
# Checking listening processes
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on every interface) is run by daemon.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on every interface) is run by daemon.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 781 (TCP) on every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 775 (UDP) on every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 778 (UDP) on every interface.
This is part 1 of 6. I believe this is the issue. I just have to do some reading to stop portmap and rpc.statd.
This is part of the netstat -panl -A inet output:
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:742             0.0.0.0:*               LISTEN      3104/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2566/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2956/exim4
udp        0      0 0.0.0.0:736             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:739             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2566/portmap
This is an end-user machine, not a production server. My recent install notes: http://users.lmi.net/subjazz/debian3.1.txt
Thanks
Good to see you're running Tiger. OK, RPC stuff. If you don't need it, by all means uninstall it. If you don't know for sure (dependencies), just deactivate it and try some (for instance 'find -type f -name portmap' should show results in /etc/init.d/ and /etc/rc${RUNLEVEL}.d/). If you know you need it, at least firewall services in the 0-1024 range to something meaningful (LAN/"known-good" hosts vs. publicly accessible).
Debian/GNU BIBLE
P.411: "Remove from rc*.d all services you don't use... by renaming the link.
Code:
$ mv /etc/rc2.d/S20exim /etc/rc2.d/_S20exim
Now, whenever the system starts, the exim mail service will not start."
P.496: "PORTMAP - This is installed by default ........ which runs at boot time to mount any remote file systems. The portmapper then translates between the service numbers and the available port numbers."
Code:
debian@debian:~$ rpcinfo -p debian
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    752  status
    100024    1   tcp    755  status
The http://security.sygatetech.com/tcpscan.html security scan tells me that port 755 is open. "With portmapper running, you can query it using rpcinfo to list the registered programs." Do you think I'm on the right track with the removal of unwanted services mentioned above and unwanted mount connections? "find -type f -name portmap" provides no output. I have already firewalled unmeaningful services using PMfirewall, but it was a quick install and I need to check it out. Thanks for your help
I don't know Debian at all, but does it have chkconfig? If so, you should be able to use
Code:
chkconfig --list
Code:
chkconfig --level 0123456 service_name off
http://chris.quietlife.net/2003/12/1...reat-wide-open
This link solved my problem. I want to keep ssh, and exim is easy to remove as mentioned in the Debian Bible.
Code:
debian:/etc/init.d# /etc/init.d/portmap stop
Stopping portmap daemon: portmap.
debian:/etc/init.d# lsof -n | grep LISTEN
exim4     2957 Debian-exim 3u IPv4 5565 TCP 127.0.0.1:smtp (LISTEN)
sshd      2991 root        3u IPv6 5753 TCP *:ssh (LISTEN)
rpc.statd 3105 root        6u IPv4 5960 TCP *:743 (LISTEN)
debian:/etc/init.d# /etc/init.d/nfs-common stop
Stopping NFS common utilities: statd.
debian:/etc/init.d# lsof -n | grep LISTEN
exim4     2957 Debian-exim 3u IPv4 5565 TCP 127.0.0.1:smtp (LISTEN)
sshd      2991 root        3u IPv6 5753 TCP *:ssh (LISTEN)
Problem solved! The link above also explains how to remove portmap. Example:
Code:
/etc/init.d# update-rc.d -f portmap remove
To remove rpc.statd:
Code:
/etc/init.d# update-rc.d -f nfs-common remove
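The identify-then-disable procedure the thread works through by hand (map each listening socket to its owning process, find which daemon owns the roaming 708-781 port, stop its init script and remove it from rc*.d), written up as an added POSIX shell example that is not code from the thread. The netstat text it parses is the netstat -panl -A inet listing quoted earlier in the thread, embedded here so the script runs offline; the program-to-init-script mapping (portmap is started by /etc/init.d/portmap, rpc.statd by /etc/init.d/nfs-common) is taken from the poster's own session and is an assumption for any daemon not seen in the thread. The script only prints the stop/remove commands; it does not execute them.

```shell
#!/bin/sh
# Added example (not from the thread): map listening sockets to processes,
# find the daemon behind an unregistered port range, and emit the
# Debian commands that stop it and remove it from the rc*.d links.

# netstat -panl -A inet output as quoted in the thread (embedded sample)
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:742             0.0.0.0:*               LISTEN      3104/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2566/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2956/exim4
udp        0      0 0.0.0.0:736             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:739             0.0.0.0:*                           3104/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2566/portmap'

# listeners NETSTAT_TEXT: print "proto port program" per bound socket.
# UDP rows have no State column, so the PID/Program field is taken as $NF;
# the port is whatever follows the last ':' in Local Address (IPv6-safe).
listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)
            split($NF, p, "/"); prog = p[2]
            print $1, port, prog
        }'
}

# in_range LOW HIGH: keep listener lines whose port lies within [LOW, HIGH]
in_range() {
    awk -v lo="$1" -v hi="$2" '$2 + 0 >= lo && $2 + 0 <= hi'
}

# programs_in_range NETSTAT_TEXT LOW HIGH: unique program names owning
# ports in the range (the thread's range is 708-781)
programs_in_range() {
    listeners "$1" | in_range "$2" "$3" | awk '{ print $3 }' | sort -u
}

# init_script_for PROGRAM: which Debian init script starts the daemon.
# Assumed mapping, based only on what the thread shows: portmap has its own
# script, rpc.statd is started by nfs-common. Anything else is unknown.
init_script_for() {
    case "$1" in
        portmap)   echo portmap ;;
        rpc.statd) echo nfs-common ;;
        *)         echo unknown ;;
    esac
}

# disable_commands NETSTAT_TEXT LOW HIGH: print (do not run) the stop and
# update-rc.d removal commands for every daemon owning a port in the range
disable_commands() {
    programs_in_range "$1" "$2" "$3" | while read -r prog; do
        svc=$(init_script_for "$prog")
        if [ "$svc" = unknown ]; then
            echo "# $prog: no known init script, inspect /etc/init.d manually"
        else
            echo "/etc/init.d/$svc stop && update-rc.d -f $svc remove"
        fi
    done
}

# Stand-alone run: show the socket map, the offending daemon, the commands
listeners "$SAMPLE_NETSTAT"
echo "--- programs listening on 708-781:"
programs_in_range "$SAMPLE_NETSTAT" 708 781
echo "--- commands to stop and disable them:"
disable_commands "$SAMPLE_NETSTAT" 708 781
```

On a live box, replace the embedded sample with `netstat -panl -A inet` (or `ss -lntup` on a current Debian) run as root, since without root the PID/Program column shows "-" and the mapping step has nothing to work with. The reason the port roams between reboots is visible in the output: rpc.statd registers with portmap and takes whatever port it is handed, so blocking one port number only hides the symptom until the next boot.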