LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-07-2003, 04:53 PM   #1
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Rep: Reputation: 15
Question Open Ports - Do they need closing?


Hi all,

I'm having a few dificulties (again), I'm not sure why, but I have a couple of ports open that I don't think need to be open.

I noticed the open ports after a port scan, I then checked netstat -pant and got the following

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.100:139 0.0.0.0:* LISTEN 1032/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 666/portmap
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 32049/perl
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1002/X
tcp 0 0 192.168.1.100:53 0.0.0.0:* LISTEN 775/named
tcp 0 0 213.xxx.xx.xx:53 0.0.0.0:* LISTEN 775/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 775/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1025/sendmail: acce
tcp 0 0 192.168.1.100:139 192.168.1.104:1445 ESTABLISHED 19976/smbd
tcp 0 0 :::22 :::* LISTEN 717/sshd
tcp 0 0 192.168.1.100:22 192.168.1.101:1298 ESTABLISHED 32140/sshd

The lines in bold are the ones I'm unsure about, all the others should be running services although these need proper configuration but I'll leave that for another time/thread if I cant sort it out.

The ones I'm concerned about are running on ports 111 & 6000 as these are the ones the online port scanner warned about.

I found some info saying that if I enter -nolisten tcp to the Xservers file this would stop it running but this didn't work for me.

Ideally I'd like to stealth almost all my ports and just have the ports open that I need open, like 53 for DNS. I guess I could run a shell script to alternate between configurations once I know what each one will do.

Could anyone advise on how I could close these two ports (111 & 6000)?

Thanks in advance
 
Old 06-08-2003, 10:14 AM   #2
UKMan
LQ Newbie
 
Registered: Jun 2003
Posts: 19

Rep: Reputation: 0
Re: Open Ports - Do they need closing?

Quote:
Originally posted by Tezdread
Hi all,

.........

Ideally I'd like to stealth almost all my ports and just have the ports open that I need open, like 53 for DNS. I guess I could run a shell script to alternate between configurations once I know what each one will do.

Could anyone advise on how I could close these two ports (111 & 6000)?

Thanks in advance
Hi - im a newbie to this forum and with Linux, so please excuse any stupid obvious remarks from me - he he....
Anyways, dont you have a "firewall" installed ? - i just downloaded "Guarddog", did a port scan at grc.com and had "stealth" on all the ports. The programme was easy to install and configure with a good online manual as well. Found it here:
http://www.simonzone.com/software/guarddog/

As regards those "open" ports though - sorry, cant help you as to what they are or why they are open.

Peace
UKMan

Last edited by UKMan; 06-08-2003 at 10:17 AM.
 
Old 06-08-2003, 02:16 PM   #3
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
Thank's UKMan, I'm a bit of a newbie also and it's all good :-)

I'll check this out, and see if it will suit my needs.

Anyone know if iptables work better in this case?

Cheers
 
Old 06-08-2003, 02:45 PM   #4
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
I downloaded Guard Dog, but when I ran the config prog I got errors, saying that there was no acceptable cc path found in $PATH, read through the doc but couldn't find anything to help.
 
Old 06-11-2003, 01:47 PM   #5
Astro
Member
 
Registered: Jan 2003
Location: Ballston Lake, NY
Distribution: Slackware, Debian
Posts: 665

Rep: Reputation: 30
Well...in slack I just edit the /etc/inetd.conf to stop whatever services I don't need running, that generally helps a lot
 
Old 06-11-2003, 03:37 PM   #6
blueplazma
Member
 
Registered: Jun 2002
Distribution: Debian/Ubuntu
Posts: 56

Rep: Reputation: 15
If you're just wanting to close the open ports, then it depends which kernel you're running. I'll assume you're running 2.4.x. What you need to do is make sure that iptables are compiled into your kernel, for help on that check out www.netfilter.org. Once you make the new kernel with iptables, you can do this.
For example, if you wanted to close off the sendmail port, you would do this:
IPTABLES -A INPUT -p tcp --dport 1025 -j DROP
To close the others ones you want, use the same commant above, but replace 1025 with the port you want. Just make sure you're aware that you're only closing it to tcp connections, not udp.

Now, on another note, you probably don't want to close your portmapper and you probably want to leave the X one open too. Sendmail, unless you need it, probably doesn't need to run. I would like to know though, do you use samba and nfs at all? Are you sharing any directories on that machine? If you aren't, then it's just a security risk and you should take samba off the machine. Finally, if you really want a secure machine, you should set iptables to drop any incoming packets then only turn on ones you want. That process is also explained at www.netfilter.org. But if you PM me, I'd be happy to give you a little script.

Good luck.

Last edited by blueplazma; 06-11-2003 at 03:38 PM.
 
Old 06-11-2003, 05:31 PM   #7
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
Nice one Astro, I tried what you said and went into the inetd.conf file and the only thing I could see that remotely looked like any of the services running in the above list was for send mail:

smtp stream tcp nowait root /usr/sbin/sendmail senmail -L sendmail -Am -bs

I removed this line and rebooted but when i ran netstat -pant all the same services were still running?
 
Old 06-11-2003, 08:37 PM   #8
Astro
Member
 
Registered: Jan 2003
Location: Ballston Lake, NY
Distribution: Slackware, Debian
Posts: 665

Rep: Reputation: 30
Also remember some aren't ONLY in the inetd.conf file...they are actual programs running from your startup files....in slackware which is in /etc/rc.d/rc.M for example or rc.local... you might need to comment them out in there. Which is where sendmail might be... sorry I don't know much about the startups of other distros, only slackware ones :-)
 
Old 06-12-2003, 08:17 AM   #9
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
Thanks again Astro,

I guess I'll be able to locate and stop the send mail service but not so sure about X on 6000, I think this may need something else??

I can stop portmap from running but this is a manual process also until I can locate where the start up file is with this info?

Could anyone advise on how to block X from port 6000 with iptables?

Thanks
 
Old 07-11-2003, 09:50 AM   #10
german
Member
 
Registered: Jul 2003
Location: Toronto, Canada
Distribution: Debian etch, Gentoo
Posts: 312

Rep: Reputation: 30
for proto in tcp udp; do
iptables -A INPUT -s 0/0 -d 0/0 -p ${proto} --dport 6000 -j DROP
done

HTH

Ben.
 
Old 07-11-2003, 10:25 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
X11 port is a range from TCP/6000 to TCP/6063, so if I transmogrify German's solution it'll look like:

XWIN_PORTS="6000:6063"
iptables -A INPUT -p tcp -d 0/0 $XWIN_PORTS -s 0/0 -j DROP

If you want to be alerted on someone probing for these ports just add a logging rule before the DROP rule.
 
Old 07-11-2003, 10:30 AM   #12
german
Member
 
Registered: Jul 2003
Location: Toronto, Canada
Distribution: Debian etch, Gentoo
Posts: 312

Rep: Reputation: 30
Thumbs up

thanks, I didn't know how to do port ranges previously... That just halved the size of my firewall script.

B.
 
Old 07-11-2003, 09:56 PM   #13
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
Post ports

Generally you do not want X Windows to have ports open to the outside, unless you want to run X apps remotely. Firewalling them (as per unSpawn's instructions) is a good idea.

Now, if you don't need a mail daemon (you only need it for running a mail server, not for using smtp/pop/imap), kill sendmail as well; for slackware, execute '/etc/rc.d/rc.sendmail stop', do 'chmod a-x rc.sendmail', and that should take care of it. If you want to remove sendmail, 'cd /var/log/packages; removepkg sendmail*'. For (almost) all other distributions, look in the directories "/etc/rc?.d" (where '?' is a number between 1 and 5 corresponding to the runlevel). They hold symlinks to scripts in '/etc/init.d'; if it starts with a 'K' it is killed when entering that runlevel, and if it starts with an 'S' it is started when entering that runlevel. Check those startup scripts. When you find it, execute it with the 'stop' option, then delete each of those symlinks in each runlevel directory ('/etc/rc?.d'). If you find that you do need an SMTP transfer agent (because you can't find a good one, and you ISP didn't give you one), check out nbsmtp. It does not run as a daemon, has no config files to worry about, and is generally painless for simple use.

And for port 111; that is the portmapper. It is required if you are running a fileserver (nfs). To run the nfsd fileserver, you need to leave that port open so the various utilities can find each other; however, if you only need to mount remote nfs volumes, you need the portmapper running, but you do not need that port exposed; firewall it too.

When in doubt: log and drop incoming ports, log and reject outgoing ports. If an application complains, check the logs.

-t.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Cannot Open Mail Server Ports 25, 110, and 220. Other Ports will open. Binxter Linux - Newbie 9 11-29-2007 03:03 AM
Closing Ports Murdock1979 Linux - Security 1 09-23-2005 10:44 AM
closing ports Tigger Linux - Newbie 15 06-11-2003 03:23 PM
Slackware n()()b and closing open ports/services osx Slackware 8 03-10-2003 01:51 PM
CLOSING PORTS Stephanie Linux - Security 9 05-23-2001 01:11 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration