|
IPtables open ports
Hi there,
I run a RH7.3 server to act as a NAT and firewall for my cable modem. I recently popped to the grc.com site to test my firewall (I do this occasional as the probes are constantly being improved). I ran the new test there that test all the first 1056 ports. To my horror some where not stealthed and one was open! I run Firestarter to generate my ruleset. I have read Iptables howtos and cannot make head nor tail of them! I got rid of most of the problem's but there are still several closed but not stealthed ports on my system. I will include the output from the grc portscanner at the end of this message. I have found Firestarter to be an easy to use program. Can anyone advise me on an equally easy to use system or how to close these holes. I want to be completely stealthed on the net. Thank you Paul ---------------------------------------------------------------------- GRC Port Authority Report created on UTC: 2003-10-09 at 20:42:39 Results from scan of ports: 0-1055 0 Ports Open 34 Ports Closed 1022 Ports Stealth --------------------- 1056 Ports Tested NO PORTS were found to be OPEN. Ports found to be CLOSED were: 67, 68, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054, 1055 Other than what is listed above, all ports are STEALTH. TruStealth: FAILED - NOT all tested ports were STEALTH, - NO unsolicited packets were received, - NO Ping reply (ICMP Echo) was received. ---------------------------------------------------------------------- |
Most the GUIs for iptables like Firestarter and Guarddog make some pretty heinous scripts for your firewall, usually they come with some kind of warning not to edit them, because of that complexity and because you might mess up the operation of the front-end if something is changed in the wrong way in the script. To double-check your results you should check out pcflank.com and hit up the advanced port scanner, you can do a batch check on those specific ports that showed up as closed in the grc scan. I'm guessing that the reason that your 1024-1055 ports were reported as 'CLOSED' is because those ports are being used for making data connections and whatnot over the net while you are doing all of this, so I wouldn't worry too much about those. I'm sure that you can stealth them somehow with FS, (/etc/firestarter/stealth*?), but as a simple to use, very effective firewall I suggest Guarddog. The default rules are to allow nothing through the firewall either way, and to stealth all ports, including all the ones you are concerned about. It comes with a very good configuration setup where you can select the various types of communication you want to let through, (FTP, ssh, traceroute, ping, jabber, yahoo, whatever). Everything besides the things you specifically select are blocked, which I think is a damn good security model.
|
Also an easy way to setup a simple firewall for a server is to use something like FS or GD to configure your various rules and generate a script, then you can simply use your rc.firewall/firewall.sh script on your server and remove the overhead of running X and a desktop like Gnome or KDE. Of course for an important server I'd want to write my own iptables rules and make sure I knew exactly what was running, but the what I outlined above is an easy alternative, especially if you don't want to futz with learning much about iptables.
|
Thanks for the advice.
Looking at the port discriptions for the open ports around 1024 they are used by windows processes apparently. As I have windows computers behind my firewall (the shame!) they may be using those ports through NAT. Though I have no idea what they where doing. Trouble is I dont think Microsoft would know either. I will look at the products that you suggest. The reason I am investigating my firewall was I noticed an increase in hits in the log files. About a 3 fold increase! My isp changed my IP address recently as they do about once every month and I think I have gotten one that must have belonged to a popular computer to hack! Thanks Paul |
| All times are GMT -5. The time now is 12:52 PM. |