LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-26-2005, 08:57 PM   #1
mifan
Member
 
Registered: Apr 2004
Distribution: mandrake
Posts: 116

Rep: Reputation: 15
nmap scan results winxp safer than linux?


I'm somewhat puzzled. After hearing that Linux security is better, I ran an nmap scan on a winxp computer and got:
Host 192.168.1.101 appears to be up ... good.
Interesting ports on 192.168.1.101:
(The 1660 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:06:25:17:AB:CA (The Linksys Group)
Device type: load balancer|general purpose
Running: F5 Labs embedded, Microsoft Windows 2003/.NET
OS details: F5 Labs BIG-IP Load balancer Kernel 4.1.1PTF-03 (x86), Microsoft Windows .NET Enterprise Server RC2 (Version 5.2, build 3718.dnsrv.021114-1947)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 144.817 seconds
Raw packets sent: 6688 (268KB) | Rcvd: 18 (940B)


TCP prediction says truly random and has a high difficulty number.

But when I scan my linux computer (scanning myself, if this makes a difference) I get this:
Initiating Connect() Scan against 192.168.1.100 [1663 ports] at 21:26
Discovered open port 80/tcp on 192.168.1.100
Discovered open port 139/tcp on 192.168.1.100
Discovered open port 111/tcp on 192.168.1.100
Discovered open port 888/tcp on 192.168.1.100
Discovered open port 631/tcp on 192.168.1.100
Discovered open port 10000/tcp on 192.168.1.100
Discovered open port 445/tcp on 192.168.1.100
Discovered open port 835/tcp on 192.168.1.100
The Connect() Scan took 0.10s to scan 1663 total ports.
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Host 192.168.1.100 appears to be up ... good.
Interesting ports on 192.168.1.100:
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
835/tcp open unknown
888/tcp open accessbuilder
10000/tcp open snet-sensor-mgmt
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.7 (x86)
TCP Sequence Prediction: Class=random positive increments
Difficulty=4431935 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 2.022 seconds


The difficulty is a much lower number, and the class is not "truly random".
It also seems linux has more open ports... how do I close them? Do I need them open?

Now, I'm still somewhat of a newbie with linux, especially with securing linux, so I don't understand much of what the scans reveal...

What should I do to make linux more secure? (on linux, I'm running firestarter with its default settings. on win xp i'm using sygate free version)
 
Old 12-26-2005, 11:09 PM   #2
jford_oldman
Member
 
Registered: Apr 2005
Location: western PA, USA - near Pittsburgh, kind of
Distribution: Debian
Posts: 36

Rep: Reputation: 17
re: nmap scan results winxp safer than linux?

I'm rather a newbie at Linux, too, but can give the following advice: close up the ports you don't need. I can't speak for firestarter, but I found the documentation for shorewall quite informative. You may have set up firestarter correctly, and those are simply the defaults --- but I had another firewall script that supposedly worked on Debian systems which failed on mine for reasons I never fully understood. In failing, it left the system open.

If your system is providing a service, you need to have the appropriate port(s) open, but otherwise, not. Right now, my Linux system has ports 22 (for SSH) and 80 (for http) open. It allows me remote access (through SSH) and acts as a web server (hence port 80).

Besides this forum, I have found a book, "Maximum Linux Security, 2nd Ed." quite informative and readable.

As to which is more open, XP or Linux - both have open ports by your scans. I know how to close the Linux ports.

[I'm assuming you're running the scans remotely...

I also find it interesting that the XP scan finds 1660 ports "filtered" in 144 seconds, but finds 1655 ports "closed" in 2.something seconds for Linux...?]

Just re-read your post - you say "scanning myself" - you can't detect what ports are open externally by scanning yourself, or so I'm given to understand. Try using your XP machine to scan the Linux machine. There are versions of nmap that run under windows.

Hope this helps a bit. Good luck.

Last edited by jford_oldman; 12-26-2005 at 11:15 PM.
 
Old 12-27-2005, 09:30 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Agreed. Most firewalls have much more relaxed policies for local traffic, including scanning yourself, than they do for external traffic. Try scanning remotely instead to get a better idea. It does look like you have a number of services running that you should turn off unless you are using them, like all the rpc/nfs stuff (portmapper, nfs, nfslock, rpc, etc).

As for tcp number prediction, no, linux does not have the most random number generation. If that is important to you, then a number of patches like grsecurity are available that offer more random implementations.
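The advice in the last two replies is to scan from another host, because a self-scan sees every listening daemon while the firewall only acts on traffic that arrives on a real interface. The following script is an added example, not code from the thread or from nmap: it parses nmap's "PORT STATE SERVICE" table with awk and reports which ports are open from outside (each needs a service you intend to offer) versus which are open only on the self-scan. Both sample scans are constructed; the self-scan is abridged from the Linux scan above, and the remote view is a hypothetical result in which the firewall filters most ports.

```shell
#!/bin/sh
# Added example (not from the thread): compare a self-scan with a scan run from
# another host. Sample scans are constructed for illustration.
export LC_ALL=C                       # sort and comm must agree on ordering

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed: what the box reports when it scans itself (loopback, unfiltered).
cat > "$SAMPLE_DIR/self.txt" <<'EOF'
Interesting ports on 192.168.1.100:
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
10000/tcp open snet-sensor-mgmt
EOF

# Constructed (hypothetical, not a scan from the thread): what a second machine
# sees once the firewall is in the path.
cat > "$SAMPLE_DIR/remote.txt" <<'EOF'
Interesting ports on 192.168.1.100:
PORT STATE SERVICE
80/tcp open http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
EOF

# Print "port/proto" for every table row whose STATE column is "open".
# Header lines and banners do not match the port/proto pattern and are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' "$1" | sort
}

# $1 = self-scan file, $2 = remote-scan file, $3 = comm selector:
#   -23 keeps ports open only on the self-scan, -12 keeps ports open on both.
_compare() {
    a=$(mktemp); b=$(mktemp)
    open_ports "$1" > "$a"
    open_ports "$2" > "$b"
    comm "$3" "$a" "$b"
    rm -f "$a" "$b"
}

# Open on the self-scan but not from outside: loopback-only or filtered by the
# firewall. A self-scan overstates these; they are not what an attacker sees.
local_only() { _compare "$1" "$2" -23; }

# Open from both vantage points: genuinely reachable. Justify each one, and stop
# the daemon or block the port if there is no reason for it.
exposed() { _compare "$1" "$2" -12; }

echo "Reachable from outside (justify each one):"
exposed "$SAMPLE_DIR/self.txt" "$SAMPLE_DIR/remote.txt"
echo "Open only on the self-scan (loopback-only or firewalled):"
local_only "$SAMPLE_DIR/self.txt" "$SAMPLE_DIR/remote.txt"
```

Replace the two heredocs with real files saved from `nmap` runs (one from the box itself, one from another host on the LAN or, better, from outside the router) to get the same two lists for your own machine. Ports are compared as strings, so the lists come out in lexical rather than numeric order.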
 
Old 12-27-2005, 05:27 PM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by mifan
IPID Sequence Generation: Incremental
The XP machine can be used as a scanning relay:
http://www.insecure.org/nmap/idlescan.html

For the open ports, without a further analysis on the services behind, you can't tell which one will be easier to hack.

For sequence numbers, it still seems very hard to fool the linux you are showing. A more detailed analysis has been done here (maybe outdated but it shows you that nmap "difficulty" is nonsense):
http://lcamtuf.coredump.cx/newtcp/
 
Old 12-27-2005, 07:26 PM   #5
UK MAdMaN
Member
 
Registered: Jul 2004
Location: Manchester, England
Distribution: Gentoo
Posts: 211

Rep: Reputation: 30
Having more open ports means nothing. An OS with only one open port that can be exploited 72 different ways through that port is far less secure than an OS with 50 open ports that can't be exploited through any.
 
Old 12-27-2005, 07:35 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,206
Blog Entries: 4

Rep: Reputation: 4126
"Computer system security" does not reside in a brand-name .. it depends on how well the system is understood, administered and used. Period.
 
Old 12-27-2005, 10:47 PM   #7
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Rep: Reputation: 30
most distros these days have GUIs to enable/disable installed services.
I see that you were scanning 192.168.1.100, so obviously you're using some kind of a router, but how many computers are connected to this? If all the computers that are connected to the router are trusted, you really don't have anything to worry about, because your router acts as a firewall: all the incoming traffic (if any) from the internet gets accepted by the router, and unless the router is told to forward it somewhere, from my experience, it will not.
One last thing: nmap is just a port scanner, it does not test for exploits. As UK MAdMaN said, it doesn't matter if ports are open, as long as they are secure. If you really want to test the security of your computer, use an exploit scanner like nessus.

Last edited by true_atlantis; 12-27-2005 at 10:48 PM.
 
Old 12-28-2005, 07:23 PM   #8
mifan
Member
 
Registered: Apr 2004
Distribution: mandrake
Posts: 116

Original Poster
Rep: Reputation: 15
thanks for all the replies.

So, I know that I have some ports open, and I've tried the idlescan with nmap. So I'll search on the forums on how to close some of those open ports.

I'll give nessus a try.. but I really don't know what an exploit is...
 
Old 12-29-2005, 07:12 PM   #9
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by mifan
thanks for all the replies.

So, I know that I have some ports open, and I've tried the idlescan with nmap. So I'll search on the forums on how to close some of those open ports.

I'll give nessus a try.. but I really don't know what an exploit is...
Best way to close ports is with iptables
 
Old 12-31-2005, 12:31 PM   #10
enigmasoldier
Member
 
Registered: Jul 2003
Location: Florence, Ky
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213

Rep: Reputation: 30
I can have 100 open ports on a perfectly secure linux computer and 4 open ports on a very easily hackable windows xp computer. Computer security is a process, not a "check the box" kind of thing. Linux comes from a much more secure foundation (Unix and the POSIX standard) whereas Windows comes from a much less secure foundation (DOS), with single-user and zero security.
 
Old 01-03-2006, 04:54 PM   #11
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
But scanning my linux computer (scanning myself, if this makes a difference)
It does, since most firewalls don't have rules for the loopback interface. Even if these results were true and you actually did have a lot more ports open on the Linux box it says nothing about the security of either Linux or Windows for reasons that others have pointed out.

Since you're using Mandrake just go into the Mandrake Control Centre and activate the firewall. If you want more control over it then either edit the /etc/shorewall files directly (http://www.shorewall.net/2.0/) or uninstall shorewall and install Guarddog or Firestarter using Mandrake's software installer (see my sig).
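Post #9 says the way to close ports is iptables, and the reply above notes that firewall rulesets normally have no rules for the loopback interface, which is why a self-scan shows everything. The script below is an added example, not from the thread, shorewall or the Mandrake tools: it emits (rather than applies) an iptables ruleset that drops all inbound traffic except a list of allowed ports, with loopback accepted unconditionally. The ports used in the usage line (22 for SSH, 80 for HTTP) are an assumption for illustration; the `-m conntrack --ctstate` match is the modern spelling of the `-m state --state` match current in 2005.

```shell
#!/bin/sh
# Added example (not from the thread): print a default-deny iptables ruleset
# for review; pipe the output into sh as root to apply it.

# Parse "22", "22/tcp" or "53/udp" into PORT and PROTO. Returns non-zero on a
# bad spec so a typo never silently produces a wrong ruleset.
parse_spec() {
    PORT=${1%/*}
    PROTO=${1#*/}
    [ "$PROTO" = "$1" ] && PROTO=tcp                 # no "/proto": default to tcp
    case $PROTO in tcp|udp) ;; *) return 1 ;; esac
    case $PORT in ''|*[!0-9]*) return 1 ;; esac      # digits only
    [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ] || return 1
}

# Emit the rules for the given port specs. Nothing is printed if any spec is bad.
gen_rules() {
    for spec in "$@"; do
        parse_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    # Set the policy before flushing so the table is never open in between.
    echo 'iptables -P INPUT DROP'
    echo 'iptables -F INPUT'
    # Loopback is accepted unconditionally. This is the reason a scan of your
    # own box lists every listening daemon: none of the rules below apply to it.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened are allowed back in.
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do
        parse_spec "$spec"
        echo "iptables -A INPUT -p $PROTO --dport $PORT -j ACCEPT"
    done
}

# Usage (assumed ports): keep SSH and HTTP reachable, drop everything else.
# When applying over SSH, the admin port must be in the list or you lock
# yourself out of the machine.
gen_rules 22/tcp 80
```

Running the script prints six commands; review them, then `sh script.sh | sh` as root applies them. Anything in the thread's Linux scan that is not in the list (111, 139, 445, 631, 10000) would then show as filtered from another host while still answering on loopback, which is exactly the self-scan versus remote-scan difference discussed above.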
 