LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Old 07-15-2010, 08:33 AM   #1
g_paschoal
Member
 
Registered: Oct 2009
Posts: 131

Rep: Reputation: 15
Ports


How do I close ports?

For example. I run nmap on my server and I found some open ports. How do I close them?

Thanks
 
Old 07-15-2010, 08:47 AM   #2
SciFi-Bob
Member
 
Registered: Aug 2008
Location: Denmark
Distribution: Ubuntu
Posts: 62

Rep: Reputation: 18
The best way is to configure a firewall on the server.

If that is not possible, or not an option, then you have to modify (or close) the application that is listening to the port.

Just to be clear - a port is not just "open" by itself, there is always an application that is listening on that specific port.
As soon as that application is closed, the port is gone, as in "stealth".
Some applications can be configured to listen only on a specific network interface, but if that is not possible then a firewall is the only solution.
 
Old 07-15-2010, 01:06 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Additionally, you should figure out what the services are that are listening. If you do not need them, they should 1) not be running/listening; 2) not even be installed in some cases.

Code:
# netstat -ltunp
 
Old 07-15-2010, 02:58 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by g_paschoal View Post
How do I close ports?

For example. I run nmap on my server and I found some open ports. How do I close them?

Thanks
Quote:
Originally Posted by SciFi-Bob View Post
The best way is to configure a firewall on the server.

<snip>
You close a port by turning off services. You can't turn off a service by blocking with a firewall. All you'd be doing is blocking (the service would still be running).

Turn off the service/app first, as that's the proper way to disable such things. You can use a FW as an additional security layer to you doing the correct thing (disabling the service).
 
Old 07-15-2010, 09:13 PM   #5
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Rep: Reputation: 107
Quote:
Originally Posted by g_paschoal View Post
How do I close ports?

For example. I run nmap on my server and I found some open ports. How do I close them?

Thanks
You can block (or close) ports through iptables too.

Code:
iptables -A INPUT -p tcp --dport 23 -j REJECT
service iptables save
Here, I am blocking the telnet port 23 for all TCP connections. For UDP, you can use udp instead of tcp in the above example.

Try this and get back if you get any problems.

To test whether a particular port is blocked or not you can use,

telnet IP port.

For example:
telnet 192.168.1.100 23

Also, see this; you might find it suitable for your requirement.
 
Old 07-16-2010, 07:58 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Several people have offered that iptables can solve the OP's situation. Again (as I stated in my previous post above), that method will block the communication but NOT actually turn off the service. If someone gains access to the machine, they'd have local access to the running services that they could possibly exploit. That's one reason why it is better to outright turn off the service (vs. using the FW to block the network connections to the service).
 
Old 07-17-2010, 09:51 AM   #7
g_paschoal
Member
 
Registered: Oct 2009
Posts: 131

Original Poster
Rep: Reputation: 15
But what if we need the service to be running? We cannot close the service.
 
Old 07-17-2010, 11:11 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 26,920

Rep: Reputation: 8016
Quote:
Originally Posted by g_paschoal View Post
But what if we need the service to be running? We cannot close the service.
This makes absolutely no sense. If you "need" the service, but block access to it, it's the same as not having it run at all. What's the point???

If you need the service, leave it open and accessible. If you don't, turn it off. That's real security...if it's not running, it can't be exploited.
 
Old 07-17-2010, 04:58 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by TB0ne View Post
This makes absolutely no sense.
But it does. It depends on the service and usage though. Some can be configured to listen to Unix sockets or for instance TCP/IP (say database connections). Then there's interfaces on different networks (say running your MTA for local machine use only).

The OP should be way more specific by now though. Details g_paschoal!
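An added example, not from the thread, that builds on anomie's "netstat -ltunp" suggestion and on unSpawn's point about listening only on a specific interface: it filters the netstat output down to the listeners bound on every interface (the ones an external nmap would report) and lets local-only sockets such as 127.0.0.1 through. The sample netstat output, PIDs and program names are constructed; run the real thing as root so that -p can show the program names.

```shell
# Usage: netstat -ltunp | exposed_listeners
# Prints "proto port PID/program" for each socket bound on all interfaces
# (0.0.0.0, :: or *). Sockets bound to 127.0.0.1 or ::1 are skipped,
# since they are not reachable from the network.
exposed_listeners() {
    # Only tcp/udp rows: this skips the two header lines (and any
    # stray warning line) that netstat prints before the table.
    awk '$1 ~ /^(tcp|udp)/ {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)   # everything before it ("::" for :::80)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            print $1, port, $NF               # $NF is PID/Program for tcp and udp rows alike
    }'
}

# Constructed sample of "netstat -ltunp" output for the offline demo and
# the test; PIDs and program names are made up.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1042/mysqld
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      901/xinetd
tcp6       0      0 :::80                   :::*                    LISTEN      1337/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd
EOF
}

# Show the live system when netstat is installed, otherwise the sample.
if command -v netstat >/dev/null 2>&1; then
    netstat -ltunp 2>/dev/null | exposed_listeners
else
    sample_netstat | exposed_listeners
fi
```

Every line it prints is a service to either stop, rebind to 127.0.0.1 or one interface, or deliberately leave open and firewall to the clients that need it.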
 
Old 07-17-2010, 09:57 PM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 26,920

Rep: Reputation: 8016
Quote:
Originally Posted by unSpawn View Post
But it does. It depends on the service and usage though. Some can be configured to listen to Unix sockets or for instance TCP/IP (say database connections). Then there's interfaces on different networks (say running your MTA for local machine use only).

The OP should be way more specific by now though. Details g_paschoal!
True, but you wouldn't TOTALLY block the service, like in the case of a DB connection. You'd block it from everywhere BUT certain clients...if you TOTALLY blocked it, there's no point in a network listener. Same with the different interfaces...you'd leave the service open on that ONE address...but still open. But the socket program, good point.

I'm reading it as just use IP tables to totally block the port, not use it as a custom solution, as it can be. But as you say...details!!
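The "block it from everywhere BUT certain clients" refinement TB0ne describes, as an added example rather than anything posted in the thread: the earlier REJECT rule for port 23 becomes an allow-list where the ACCEPTs for the named clients come first and a catch-all REJECT last. The port and client addresses are made up, and the function prints the rules instead of applying them so they can be reviewed before being piped to sh as root.

```shell
# Usage: allowlist_rules PORT CLIENT [CLIENT...]
# iptables evaluates INPUT top to bottom, so the per-client ACCEPT rules
# must be added before the catch-all REJECT; and if an earlier rule in
# the chain already matches the port, none of these will ever be reached.
allowlist_rules() {
    port=$1
    shift
    case $port in
        ''|*[!0-9]*) echo "allowlist_rules: port must be numeric" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "allowlist_rules: at least one client address" >&2; return 1; }
    for client in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $client -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j REJECT"
}

# Demo: MySQL reachable only from two application hosts (constructed addresses).
allowlist_rules 3306 192.168.1.10 192.168.1.11
# To apply and persist on a Red Hat style system, as in the earlier post:
#   allowlist_rules 3306 192.168.1.10 192.168.1.11 | sh && service iptables save
```

A quick check from an allowed and a non-allowed host with "telnet IP 3306", as vikas027 suggests, confirms that only the listed clients get a connection.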
 