Hi all,

I'm having a few dificulties (again), I'm not sure why, but I have a couple of ports open that I don't think need to be open.

I noticed the open ports after a port scan, I then checked netstat -pant and got the following

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.100:139 0.0.0.0:* LISTEN 1032/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 666/portmap
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 32049/perl
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1002/X
tcp 0 0 192.168.1.100:53 0.0.0.0:* LISTEN 775/named
tcp 0 0 213.xxx.xx.xx:53 0.0.0.0:* LISTEN 775/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 775/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1025/sendmail: acce
tcp 0 0 192.168.1.100:139 192.168.1.104:1445 ESTABLISHED 19976/smbd
tcp 0 0 :::22 :::* LISTEN 717/sshd
tcp 0 0 192.168.1.100:22 192.168.1.101:1298 ESTABLISHED 32140/sshd

The lines in bold are the ones I'm unsure about, all the others should be running services although these need proper configuration but I'll leave that for another time/thread if I cant sort it out.

The ones I'm concerned about are running on ports 111 & 6000 as these are the ones the online port scanner warned about.

I found some info saying that if I enter -nolisten tcp to the Xservers file this would stop it running but this didn't work for me.

Ideally I'd like to stealth almost all my ports and just have the ports open that I need open, like 53 for DNS. I guess I could run a shell script to alternate between configurations once I know what each one will do.

Could anyone advise on how I could close these two ports (111 & 6000)?

Thanks in advance

Hi - im a newbie to this forum and with Linux, so please excuse any stupid obvious remarks from me - he he....
Anyways, dont you have a "firewall" installed ? - i just downloaded "Guarddog", did a port scan at grc.com and had "stealth" on all the ports. The programme was easy to install and configure with a good online manual as well. Found it here:
http://www.simonzone.com/software/guarddog/

As regards those "open" ports though - sorry, cant help you as to what they are or why they are open.

Peace
UKMan

Thank's UKMan, I'm a bit of a newbie also and it's all good :-)

I'll check this out, and see if it will suit my needs.

Anyone know if iptables work better in this case?

Cheers

I downloaded Guard Dog, but when I ran the config prog I got errors, saying that there was no acceptable cc path found in $PATH, read through the doc but couldn't find anything to help.

Well...in slack I just edit the /etc/inetd.conf to stop whatever services I don't need running, that generally helps a lot

If you're just wanting to close the open ports, then it depends which kernel you're running. I'll assume you're running 2.4.x. What you need to do is make sure that iptables are compiled into your kernel, for help on that check out www.netfilter.org. Once you make the new kernel with iptables, you can do this.
For example, if you wanted to close off the sendmail port, you would do this:
IPTABLES -A INPUT -p tcp --dport 1025 -j DROP
To close the others ones you want, use the same commant above, but replace 1025 with the port you want. Just make sure you're aware that you're only closing it to tcp connections, not udp.

Now, on another note, you probably don't want to close your portmapper and you probably want to leave the X one open too. Sendmail, unless you need it, probably doesn't need to run. I would like to know though, do you use samba and nfs at all? Are you sharing any directories on that machine? If you aren't, then it's just a security risk and you should take samba off the machine. Finally, if you really want a secure machine, you should set iptables to drop any incoming packets then only turn on ones you want. That process is also explained at www.netfilter.org. But if you PM me, I'd be happy to give you a little script.

Good luck.

Nice one Astro, I tried what you said and went into the inetd.conf file and the only thing I could see that remotely looked like any of the services running in the above list was for send mail:

smtp stream tcp nowait root /usr/sbin/sendmail senmail -L sendmail -Am -bs

I removed this line and rebooted but when i ran netstat -pant all the same services were still running?

Also remember some aren't ONLY in the inetd.conf file...they are actual programs running from your startup files....in slackware which is in /etc/rc.d/rc.M for example or rc.local... you might need to comment them out in there. Which is where sendmail might be... sorry I don't know much about the startups of other distros, only slackware ones :-)

Thanks again Astro,

I guess I'll be able to locate and stop the send mail service but not so sure about X on 6000, I think this may need something else??

I can stop portmap from running but this is a manual process also until I can locate where the start up file is with this info?

Could anyone advise on how to block X from port 6000 with iptables?

Thanks

for proto in tcp udp; do
iptables -A INPUT -s 0/0 -d 0/0 -p ${proto} --dport 6000 -j DROP
done

HTH

Ben.

X11 port is a range from TCP/6000 to TCP/6063, so if I transmogrify German's solution it'll look like:

XWIN_PORTS="6000:6063"
iptables -A INPUT -p tcp -d 0/0 $XWIN_PORTS -s 0/0 -j DROP

If you want to be alerted on someone probing for these ports just add a logging rule before the DROP rule.

thanks, I didn't know how to do port ranges previously... That just halved the size of my firewall script.

B.

Generally you do not want X Windows to have ports open to the outside, unless you want to run X apps remotely. Firewalling them (as per unSpawn's instructions) is a good idea.

Now, if you don't need a mail daemon (you only need it for running a mail server, not for using smtp/pop/imap), kill sendmail as well; for slackware, execute '/etc/rc.d/rc.sendmail stop', do 'chmod a-x rc.sendmail', and that should take care of it. If you want to remove sendmail, 'cd /var/log/packages; removepkg sendmail*'. For (almost) all other distributions, look in the directories "/etc/rc?.d" (where '?' is a number between 1 and 5 corresponding to the runlevel). They hold symlinks to scripts in '/etc/init.d'; if it starts with a 'K' it is killed when entering that runlevel, and if it starts with an 'S' it is started when entering that runlevel. Check those startup scripts. When you find it, execute it with the 'stop' option, then delete each of those symlinks in each runlevel directory ('/etc/rc?.d'). If you find that you do need an SMTP transfer agent (because you can't find a good one, and you ISP didn't give you one), check out nbsmtp. It does not run as a daemon, has no config files to worry about, and is generally painless for simple use.

And for port 111; that is the portmapper. It is required if you are running a fileserver (nfs). To run the nfsd fileserver, you need to leave that port open so the various utilities can find each other; however, if you only need to mount remote nfs volumes, you need the portmapper running, but you do not need that port exposed; firewall it too.

When in doubt: log and drop incoming ports, log and reject outgoing ports. If an application complains, check the logs.

-t.