How do I close ports?

For exemple. I run nmap on my server and I found some open ports. How do I close them?

Thanks

The best way is to configure a firewall on the server.

If that is not possible, or not an option, then you have to modify (or close) the application that is listening to the port.

Just to be clear - a port is not just "open" by it self, there is always an application that is listening on that specific port.
As soon as that application are closed, then the port is gone, as in "stealth".
Some applications can be configured to listen only on a specific network interface, but if that is not possible then a firewall is the only solution.

Additionally, you should figure out what the services are that are listening. If you do not need them, they should 1) not be running/listening; 2) not even be installed in some cases.

You close a port by turning off services. You can't turn off a service by blocking with a firewall. All you'd be doing is blocking (the service would still be running).

Turn off the service/app first, as that's the proper way to disable such things. You can use a FW as an additional security layer to you doing the correct thing (disabling the service).

1 members found this post helpful.

You can block(or close) ports through iptables too.

Here, I am blocking a telnet port 23 for all TCP connections. For UDP you can use udp instead of tcp in the above example.

Try, this and get back if you get any problems.

To test whether a particular port is blocked or not you can use,

telnet IP port.

For eg
telnet 192.168.1.100 23

Also, see this you might find it suitable for your requirement.

Several people have offered that iptables can solve the OP's situation. Again (as I stated in my previous post above), that method will block the communication but NOT actually turn off the service. If someone gains access to the machine, they'd have local access to the running services that they could possibly exploit. That's one reason why it is better to outright turn off the service (vs. using the FW to block the network connections to the service).

But what if we need the service to be running? We cannot close the service

This makes absolutely no sense. If you "need" the service, but block access to it, it's the same as not having it run at all. What's the point???

If you need the service, leave it open and accessible. If you don't, turn it off. That's real security...if it's not running, it can't be exploited.

But it does. It depends on the service and usage though. Some can be configured to listen to Unix sockets or for instance TCP/IP (say database connections). Then there's interfaces on different networks (say running your MTA for local machine use only).

The OP should be way more specific by now though. Details g_paschoal!

True, but you wouldn't TOTALLY block the service, like in the case of a DB connection. You'd block it from everywhere BUT certain clients...if you TOTALLY blocked it, there's no point in a network listener. Same with the different interfaces...you'd leave the service open on that ONE address...but still open. But the socket program, good point.

I'm reading it as just use IP tables to totally block the port, not use it as a custom solution, as it can be. But as you say...details!!