LinuxQuestions.org
Old 10-18-2003, 09:25 PM   #1
mymojo
Member
 
Registered: Oct 2003
Distribution: Slackware 9.1
Posts: 176

Rep: Reputation: 30
Newbie here: Are these ports ok to have open?


PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
6000/tcp open X11


This is a personal desktop computer. How do I close the ones I don't need open? Is this relatively secure?
 
Old 10-18-2003, 10:23 PM   #2
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
If you do not work as a mail server, you should close the smtp port.
And even if you want to deliver mail directly, you should check that your computer doesn't work as an open relay.

111 is used by the remote portmapper, most commonly seen in nfs. If you don't want to
have nfs exports, you should close this port too.

631 is used to access your printing system. If you don't want to do that from the internet, you should also close this port.

6000 gives a way to communicate with your X server from the outside world. If you don't want that, you should close the port.


How to close a port? Either shut down the service listening on the port or use iptables
to prevent traffic to the port from outside.

Example:
Prevents all connections to all ports except the ones you have established from your side (that is, for example, you request a web page (by clicking a link in the browser) and they send you one), local loopback connections and the ssh port:
Code:
iptables --flush
iptables --policy INPUT DROP
iptables --append INPUT --in-interface lo -j ACCEPT
iptables --append INPUT --in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append INPUT --in-interface eth0 -p tcp --destination-port ssh -j ACCEPT
Other example:
Blocks the connections to port 25/smtp from the ethernet device eth0:
Code:
iptables --append INPUT --in-interface eth0 -p tcp --destination-port smtp -j REJECT
As for the security issues: if all those services are properly configured,
they can be secure in a functional sense. Though I wouldn't use nfs or X11 over the internet
(without ssh tunneling) because they are totally unencrypted and nfs has some design
issues.
 
Old 10-18-2003, 10:33 PM   #3
mymojo
Member
 
Registered: Oct 2003
Distribution: Slackware 9.1
Posts: 176

Original Poster
Rep: Reputation: 30
Thanks!

Do these permanently block the ports (not just for the current session)?
 
Old 10-19-2003, 04:41 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
iptables will block it as long as the kernel module is loaded. If you reboot and you don't have those commands in your init scripts, or if you remove the iptables module from the kernel, you will lose the rules.

A better solution would be to disable portmapper, unless you're exporting nfs mounts. There is probably an init script for it in /etc/rc.d/something. For IPP, that is probably being made available by CUPSd. Read the CUPS documentation for how to make it bind only to local interfaces (or add an ACL to the CUPS config file to disallow any IPs that aren't on your LAN). For X11 you want to put the tcp nolisten option in your configuration.
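An added audit script (not from any poster in this thread) that applies the distinction made above between services bound to all interfaces and ones bound only to loopback: it parses constructed `ss -tlnp` output listing the ports from the original post and reports which listeners still need attention. The process names, pids and the assumption that the input is in `ss -tlnp` format are mine.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the format printed by `ss -tlnp`; the pids and
# process names are made up for this example, the ports come from the thread.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      10     0.0.0.0:25          0.0.0.0:*         users:(("sendmail",pid=702,fd=4))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=540,fd=8))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=655,fd=6))
LISTEN 0      128    *:6000              *:*               users:(("X",pid=733,fd=1))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=611,fd=4))
"""

# Ports the desktop owner actually wants reachable from other machines.
WANTED_EXTERNAL = {22}

class Listener(NamedTuple):
    addr: str
    port: int
    proc: str

def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tlnp` lines into (address, port, process) tuples; skips the header."""
    result = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:22" and "*:6000"
        m = re.search(r'\("([^"]+)"', line)          # process name inside users:((...))
        result.append(Listener(addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return result

def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                                 # "*" means every interface

def audit(output: str) -> Dict[int, str]:
    """Map each port to 'local-only', 'wanted', or 'review (...)'; exposure wins."""
    verdicts: Dict[int, str] = {}
    for l in parse_ss(output):
        if is_loopback(l.addr):
            verdict = "local-only"
        elif l.port in WANTED_EXTERNAL:
            verdict = "wanted"
        else:
            verdict = f"review ({l.proc} bound to all interfaces)"
        if verdicts.get(l.port, "local-only") == "local-only":
            verdicts[l.port] = verdict
    return verdicts
```

Run it against real output with `ss -tlnp | python3 audit.py` after replacing the sample with `sys.stdin.read()`; anything marked "review" is a service to disable, bind to 127.0.0.1, or firewall as the posts above describe.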
 
Old 10-19-2003, 10:22 AM   #5
MsMittens
Member
 
Registered: Oct 2003
Location: Canada
Distribution: depends on the mood -- these days.. Slack!
Posts: 44

Rep: Reputation: 15
This might help as well. A firewall is the first defense, but closing or turning off services that do not need network access is the other:

http://jetblackz.nabaza.org/Removing...icesTools.html
 
Old 10-19-2003, 05:59 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
IMHO I would turn that around and say removing unnecessary SW is the first line of defense. Application config based, libwrap and firewall ACLs next, and blocking fw rules last.
 
Old 10-19-2003, 06:14 PM   #7
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
That's right, your security is only as strong as its weakest link, so anything you can do to protect your computer is good, and if you don't use the services that run on those ports then by all means close them...
 
Old 10-20-2003, 04:09 AM   #8
mymojo
Member
 
Registered: Oct 2003
Distribution: Slackware 9.1
Posts: 176

Original Poster
Rep: Reputation: 30
Excellent, I want to have a relatively secure Linux system, so if you've stumbled across any URLs that describe the basics and advanced concepts of securing your desktop (not server stuff - I don't swing that way), please post them.

Any way of keeping up-to-date with new software patches?
 