Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-27-2007, 03:11 AM | #1
Senior Member (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Postfix/master: How to close Port 25?
I want to secure my box but can't get port 25 closed. The Postfix/master process is listening there (as found out by "netstat -pantu" and "nmap").
I can't shut the service down entirely, since I need the mailed messages from the system. I tried /etc/postfix/main.cf, /etc/postfix/master, /etc/postfix/access but no luck there (changed the inet_interface to 127.0.0.1, nothing happened).
Where would the config file be, and what should I change there?
BTW: This is a stand-alone workstation, no chance for an external scan.
Any ideas?
Last edited by JZL240I-U; 03-27-2007 at 03:13 AM.
03-27-2007, 03:46 AM | #2
LQ Guru (Registered: Mar 2006; Location: Sydney, Australia; Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD; Posts: 6,678)
Well, postfix needs to listen on something, so you can change the port (I guess that doesn't help) or close port 25 to external parties using iptables or another firewall.
If it's truly a standalone workstation with no chance of an external scan, why do you care?
03-27-2007, 07:15 AM | #3
Senior Member, Original Poster (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Quote:
Originally Posted by billymayday
Well, postfix needs to listen on something, so you can change the port (I guess that doesn't help) or close port 25 to external parties using iptables or another firewall.
No, I want to make it listen only on 127.0.0.1:25; I need the functionality ... in short, I want to close the port against external connection attempts. A firewall comes next, additionally...
Quote:
Originally Posted by billymayday
If it's truly a standalone workstation with no chance of an external scan, why do you care?
What I meant is, I have no network (LAN). I connect the machine to the internet via a 56k modem.
03-27-2007, 03:20 PM | #4
LQ Guru (Registered: Mar 2006; Location: Sydney, Australia; Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD; Posts: 6,678)
OK. Now I'm not very good at master.cf, but I think you can replace:
Code:
smtp inet n - n - - smtpd
with
Code:
127.0.0.1:smtp inet n - n - - smtpd
03-28-2007, 04:53 AM | #5
Senior Member, Original Poster (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Thank you, I'll try that.
BTW, I found a site which does network scans of one's own machine. Funnily enough, port 25 seems to be closed from the outside ...
03-28-2007, 05:03 AM | #6
LQ Guru (Registered: Mar 2006; Location: Sydney, Australia; Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD; Posts: 6,678)
Probably the default firewall
03-28-2007, 05:19 AM | #7
Senior Member, Original Poster (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Tried it. Results: mixed. From "netstat -pantu" I still have
Code:
...
tcp 0 0 127.0.0.1:25 0.0.0.0:25 LISTEN Postfix/master
while
Code:
...
tcp 0 0 ::1:25 :::* LISTEN Postfix/master
is gone.
Now what the...
03-29-2007, 02:29 AM | #8
Senior Member, Original Poster (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Quote:
Originally Posted by billymayday
Probably the default firewall
No, I toggled it on and off, scanning repeatedly; ports changed between "closed" and "not available" (? if memory serves right), certainly not "listen"...
03-29-2007, 03:50 AM | #9
LQ Guru (Registered: Mar 2006; Location: Sydney, Australia; Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD; Posts: 6,678)
Listen just means some program is listening on a particular port - as you point out, a firewall can't listen in itself, it just directs traffic (including dropping it).
From what I can find, 0.0.0.0 is just the default gateway; exactly what that means is a little unclear to me, but it would seem to be purely local, and I suspect null.
The other setting in main.cf is inet_interfaces. If this is only set to localhost, then a portscan shouldn't find anything listening on port 25 of your network IP.
03-29-2007, 09:27 AM | #10
Senior Member, Original Poster (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Doesn't work here. After following your suggestion I get:
Code:
linux:/home/me # netstat -pantu
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 5428/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7386/master
tcp 0 0 127.0.0.1:4153 127.0.0.1:25 TIME_WAIT -
tcp 0 0 127.0.0.1:5018 127.0.0.1:631 TIME_WAIT -
udp 0 0 0.0.0.0:631 0.0.0.0:* 5428/cupsd
linux:/home/me # nmap -sV -v -p 0-65535 127.0.0.1
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-03-29 16:22 CEST
Initiating SYN Stealth Scan against localhost (127.0.0.1) [65536 ports] at 16:22
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
The SYN Stealth Scan took 12.97s to scan 65536 total ports.
Initiating service scan against 2 services on localhost (127.0.0.1) at 16:22
The service scan took 5.10s to scan 2 services on 1 host.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
(The 65534 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
631/tcp open ipp CUPS 1.1.23
Nmap finished: 1 IP address (1 host up) scanned in 19.667 seconds
Raw packets sent: 65543 (2.62MB) | Rcvd: 131077 (5.24MB)
linux:/home/me #
And you'll notice netstat saying "port 25 LISTEN" and nmap saying "open port 25/tcp", so that blasted thing is open ...
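As an added check, not from this thread, for what posts #9 and #10 describe: once inet_interfaces is restricted to localhost, every port-25 LISTEN socket in "netstat -pantu" output should have a loopback local address (127.x.x.x or ::1). The shell function below reads netstat output on stdin and prints any port-25 listener bound elsewhere (0.0.0.0, :: or a real interface address); the sample lines are constructed in the style of the output above, not copied from it.

```shell
# Constructed sample: what netstat -pantu looks like after inet_interfaces = localhost
SAMPLE_LOOPBACK_ONLY='tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 5428/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7386/master
tcp 0 0 ::1:25 :::* LISTEN 7386/master
udp 0 0 0.0.0.0:631 0.0.0.0:* 5428/cupsd'

# Constructed sample: the default "listen on all interfaces" situation
SAMPLE_EXPOSED='tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 7386/master
tcp 0 0 :::25 :::* LISTEN 7386/master
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 5428/cupsd'

# exposed_listeners PORT
#   Reads netstat -pantu style lines on stdin and prints every TCP socket in
#   state LISTEN on PORT whose local address is not loopback.
#   Exit status: 0 when nothing non-loopback listens on PORT, 1 otherwise.
#   Live use: netstat -pantu | exposed_listeners 25
exposed_listeners() {
  port="$1"
  awk -v p="$port" '
    $1 == "tcp" && $6 == "LISTEN" {
      addr = $4
      # The local port is the text after the last colon; the address is the
      # rest (this also handles IPv6 forms such as ::1:25 and :::25).
      n = split(addr, parts, ":")
      lport = parts[n]
      laddr = substr(addr, 1, length(addr) - length(lport) - 1)
      if (lport != p) next
      if (laddr ~ /^127\./ || laddr == "::1") next
      print $0
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Demonstration on the constructed samples
printf '%s\n' "$SAMPLE_LOOPBACK_ONLY" | exposed_listeners 25 \
  && echo "loopback-only sample: port 25 reachable only via localhost"
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 25 \
  || echo "exposed sample: port 25 bound to a non-loopback address"
```

Running it against real "netstat -pantu" output tells you whether the change in main.cf or master.cf actually took effect before you rely on a firewall.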
03-29-2007, 10:46 AM | #11
LQ Guru (Registered: Mar 2006; Location: Sydney, Australia; Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD; Posts: 6,678)
But only on localhost, so where's the issue?
03-30-2007, 01:06 AM | #12
Senior Member, Original Poster (Registered: Apr 2003; Location: Germany; Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro; Posts: 4,637)
Quote:
Originally Posted by billymayday
But only on localhost, so where's the issue?
The issue? I'm blinded by my own wishes, obviously. That is exactly what I wanted to achieve. Thank you for helping and for your patience.
And now for CUPS...