port scan

Tigger · 06-05-2003, 01:24 AM

Hi

i have been looking at the security of my linux red hat 8 server.

When i use languard to do a port scan from the internet it comes up i have ports 161 snmp and rip 520 open.

How can i block these from being seen from the internet and what are the implications if i try to disable these altogether?

thanks

pjcp64 · 06-05-2003, 08:07 PM

The setup is pretty easy. Reference the thread started by Smooth called "Firewall Setup".

As far as the implications of port 161 and 520. Try doing a:
lsof | grep ESTABLISH and a
lsof | grep LISTEN

You can also replace the lsof with a "netstat -a"
This should give you some idea of what is using those two ports.

Tigger · 06-05-2003, 10:51 PM

i edited my services file and commented these two services out for the time being. Is this OK to do?

thanks

Tigger · 06-05-2003, 10:52 PM

161 is snmp and 520 is rip

unSpawn · 06-06-2003, 05:19 AM

i edited my services file and commented these two services out for the time being. Is this OK to do?
No, it isn't. The services file is just a mapping and should be left untouched unless you add service/port mappings.

If these services are run, make sure you need then, and they correspond with the daemon that is sposed to run that service.

If you don't need to run these services, make sure they don't get started in /etc/rc.d/rc(runlevel).d if standalone, or in Xinetd. Uninstalling them would be the best solution. If you need to run these services, but only accessable to some IP addresses or ranges, place the right restricitions in their own configs (and check your SNMP community strings setup), and Xinetd (where applicable), and the firewall, and TCP Wrappers. If you do, you'll be reasonably safe as there isn't a single point of failure then.

Tigger · 06-06-2003, 05:57 AM

how do i uninstall these services?

thanks again

Tigger · 06-06-2003, 06:09 AM

why would i need snmp and rip?

Electboy · 06-06-2003, 12:56 PM

Have u blocked them by Iptables?

iptables -A INPUT -i ppp+ -p TCP --dport 0:1023 -j DROP
iptables -A INPUT -i ppp+ -p UDP --dport 0:1023 -j DROP

Tigger · 06-06-2003, 06:26 PM

is this all i need to do to block snmp and rip? How come they use the same dport?

yes, it looks like i have blocked them when i look at my iptables by typing iptables -L. I just did not know what i was looking at.

thanks

unSpawn · 06-07-2003, 06:49 AM

how do i uninstall these services?
rpm -e <package name>.

Tigger · 06-07-2003, 02:34 PM

thanks again, but how do i find out the package name?

pjcp64 · 06-07-2003, 05:39 PM

I would recommend simply disabling them at first. If that works without a hitch, then you can consider removing them.

All you have to do to stop them and have them not startup again is go to Server Setting ==> Services
Here you can stop, start, and determine if you want the service to startup at boot. Normally, you'll start with RunLevel 5 displayed. You would also want to disable these services in the lower levels.

To actually answer your question though...
rpm -qa | grep snmp ==> will show all of the RPMs that have snmp in them.
rpm -qa net-snmp.......... ==> will give details on that package
rpm -e net-snmp ==> will delete the package
man rpm ==> will give all this info and more

Sometimes, you'll try "rpm -e" and it will give an error indicating that other packages are dependent on the one you are trying to delete. At this point, with the help of "rpm -qi", you have to decide if you wish to decide the packages that are dependent too.

IF you do, you can list the original package you want to delete as well as the package that is dependent on it when you do the "rpm -e" a second time.
e.g. rpm -e net-snmp 2nd_Package

However, I'd still recommend holding off until you've run the system a while without using these packages.

pjcp64 · 06-07-2003, 05:41 PM

Oops,

change that goofy sentence to:

At this point, with the help of "rpm -qi", you have to decide if you wish to remove the packages that are dependent too.

Robert0380 · 06-08-2003, 01:18 AM

you must have installed some routing stuff that you didnt need. rip is a routing
protocol (Routing Information Protcol) and snmp = Simple Network Management Protocol.....you probably dont need a RIP router...it is used
for advertising routes that you know about and recieving routes from other
routers (it updates the routing table). You probably really dont need this. You
did a "install everything" huh?

Tigger · 06-08-2003, 06:28 AM

yes, robert0380, i did install everything and now i am regretting it!!

Thanks pjcp64, i will try this tomorrow and let you know how i go.

These groups have been a great help to me. I really appreciate everyones help!!