Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What is the best way to close udp and tcp ports. I ran nmap against my system at home running SUSE 9.0 and iptables and it came up with a couple of ports that I had concerns about. I wanted to know why is it that one day I will run a port scan and it will say that a majority of my ports are closed and another day it will say open:filtered and how do I closed ports that appear to be open. Here is a snippet from the nmap scan for different days:
Hi
Filtered tells you that a firewall is not telling you whether it is opened or not.
It can be open or closed.
So I guess sometimes your firewall is ON, sometimes it is not..
if you want to know which application opens a port, use
lsof | grep IP
And the best way to close a port is to kill the application that opens it.
If this truly is your system, then you may want to wipe it and install with updated versions of everything. You may have been owned, repeatedly. Keep your applications updated, and consider using a kernel patch such as grsecurity.
In regards to your question, the proper way to deny (external) access to a port is to use a firewall such as iptables. Using 31337/udp as an example:
iptables -A INPUT -i eth0 -p udp --dport 31337 -j DROP
why is one day saying open:filtered and other days it is saying closed?
UDP is a connectionless protocol which means that packets are 'fire-and-forget', ie. the app on the other end may not respond, even if it has received the packets correctly. So open|filtered means that the port is either open and accepting connections or closed and dropping packets - in other words you can't tell which one it is by doing a port scan. closed would usually mean that a firewall is blocking it and sending back a packet notifying that it has blocked you.
Its normal for X to listen on that port, many distros don't disable it listening for connections by default. If I were you I'd just install something like firestarter, guarddog or shorewall and use them to configure your firewall.
BTW you can see which programs are listening on which ports with
I am just having trouble understanding why one day my nmap scans are saying everything is closed but the ports that I have allowed in and the next day there are saying that they are opened and filtered. That is very confusing and backwards. Netfilter has some bugs. My firewall is either blocking the ports and closed and have open ports but filtered to only allow certain traffic through so why are there these inconsistencies when scanning my firewall. My current version of iptables is iptables v1.2.8
I'm not sure why it'd do that either, but I doubt its a bug in iptables. Its used in millions of computers around the world and a bug that big would have long since been noticed and fixed (that's not to say there aren't bugs in iptables of course).
If you're like me and you find those iptables scripts hard to read and don't trust yourself to get them right I'd definately install shorewall or firestarter and use those to configure iptables. Then try rescanning the machine.
I will run a port scan and it will say that a majority of my ports are closed and another day it will say open:filtered and how do I closed ports that appear to be open.
Maybe you are not saving the iptables rules to a file. To make the rules persistent across reboots. For that you use the command:
# iptables-save > filename
And you have to enter a line in the /etc/rc.d/rc.local (for redhat - for debian it is different file) :
iptables-restore < filename
That will load your rules back to memory at time of booting.
No, I am running nmap from work to my home server. Can you please explain the difference. I know that when you ping the local host from inside you network your are going to see applications listening in the inside and that can be very confusing. Is that correct?
Last edited by metallica1973; 10-23-2005 at 02:09 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
). 
