LinuxQuestions.org

Help Securing My Box (https://www.linuxquestions.org/questions/slackware-14/help-securing-my-box-129943/)

datadriven 12-29-2003 09:11 PM

Help Securing My Box
 
Below is the result of running nmap on the box I want to secure

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-29 21:55 EST
Interesting ports on 192.168.1.102:
(The 1649 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
587/tcp open submission
3306/tcp open mysql
6000/tcp open X11

I am a web developer and intend to use the box for previewing sites for customers before I put them on my dedicated server elsewhere. I know I need the first 4 ports but am not sure about the last 4. The box is running slack 9.1. Does mysql need a port open in order to function in my PHP websites? Do I need the other 3?

Netizen 12-29-2003 10:14 PM

587 is used by Sendmail
6000 is used by X. If you close 6000 you won't be able to open X Apps when in X, I think

Netizen

h3pc4t 12-29-2003 10:25 PM

MySQL always runs on port 3306. Just set it up so that all accounts are @localhost only, and you'll be safe.

rpcbind can probably be disabled by stopping and disabling one of the scripts in /etc/rc.d

Also, you might consider using SFTP (which uses SSH) - FTP is totally unencrypted!

datadriven 12-29-2003 11:15 PM

Right now I have my linksys router handling dyndns and the box in the DMZ. Would I be better off just to forward the necessary ports to the box instead of using the DMZ?

Got a url for SFTP?

h3pc4t 12-30-2003 03:39 AM

It would probably be safer to forward only the needed ports from the router. I don't bother, but it is the absolute safest way.

sftp is part of ssh. If ssh is enabled, you can connect to your machine with sftp. scp is also useful....

datadriven 12-30-2003 07:12 AM

Is there another secure ftp client? I MUST HAVE BOOKMARKS. I have many sites to maintain and typing both a username & password every time I connect is simply not an option. I was using ncftp because I had some problems with gftp corrupting some of my files.

littleking 12-30-2003 07:47 AM

Why not just use iptables?

php 12-30-2003 09:28 AM

You definitely won't need that X one open.

From now on start X with 'startx -- -nolisten tcp'. This will keep that 6000 port closed.

The 111 you won't need either. You can disable this in /etc/rc.inet2

datadriven 12-30-2003 10:13 AM

I downloaded the guarddog package from linuxpackages.net

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-30 11:08 EST
Interesting ports on 192.168.1.102:
(The 1649 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp closed https
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook

Nmap run completed -- 1 IP address (1 host up) scanned in 71.428 seconds

Does that look better?
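To answer "does that look better?" without reading the scan by eye, here is an added example (not from anyone in this thread) of a small POSIX sh/awk checker that takes nmap output in the exact format shown above and reports any open TCP port that is not on the allowlist of the four ports the poster says he needs, plus the default state nmap reports for the unlisted ports ("closed" means the port answered with a reset, "filtered" means a firewall dropped the probe). The two scans are constructed copies of the ones in this thread; the function names and the allowlist are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample input: the two nmap 3.45 scans from this thread, copied
# into variables so the checker runs offline.
SCAN_BEFORE='Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-29 21:55 EST
Interesting ports on 192.168.1.102:
(The 1649 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
587/tcp open submission
3306/tcp open mysql
6000/tcp open X11'

SCAN_AFTER='Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-30 11:08 EST
Interesting ports on 192.168.1.102:
(The 1649 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp closed https
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook

Nmap run completed -- 1 IP address (1 host up) scanned in 71.428 seconds'

# The ports that are supposed to be reachable (assumed: ftp, ssh, smtp, http).
ALLOWED="21 22 25 80"

# Read an nmap scan on stdin and print, space separated on one line, every
# open TCP port that is not in the allowlist given as $1.
unexpected_open_ports() {
    awk -v allow=" $1 " '
        $2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
            split($1, f, "/")
            if (index(allow, " " f[1] " ") == 0)
                out = (out == "" ? f[1] : out " " f[1])
        }
        END { print out }'
}

# Read an nmap scan on stdin and print the state nmap reports for the ports
# it did not list ("closed" = no firewall, "filtered" = probes dropped).
default_state() {
    sed -n 's/.*not shown below are in state: \([a-z]*\)).*/\1/p'
}

# Verdict for a scan on stdin: exit 0 if only allowed ports are open, 1 otherwise.
check_scan() {
    extra=$(unexpected_open_ports "$1")
    if [ -n "$extra" ]; then
        echo "UNEXPECTED open ports: $extra"
        return 1
    fi
    echo "OK: only allowed ports ($1) are open"
    return 0
}

# Demo run over both constructed scans.
printf '%s\n' "$SCAN_BEFORE" | check_scan "$ALLOWED" || true
printf 'unlisted ports before: %s\n' "$(printf '%s\n' "$SCAN_BEFORE" | default_state)"
printf '%s\n' "$SCAN_AFTER" | check_scan "$ALLOWED" || true
printf 'unlisted ports after:  %s\n' "$(printf '%s\n' "$SCAN_AFTER" | default_state)"
```

Run it against a fresh scan with `nmap 192.168.1.102 | sh -c '. ./checkscan.sh; check_scan "21 22 25 80"'` style plumbing, or just paste the new output into one of the variables. The change from "closed" to "filtered" in the second scan is what tells you the iptables rules from guarddog are actually dropping packets rather than the services merely being stopped.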

CyberSp00k 12-30-2003 12:41 PM

Why the lockdown?
 
Quote:

Originally posted by datadriven
Interesting ports on 192.168.1.102:
(The 1649 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp closed https
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook

Pardon my ignorance, but did I understand (from your initial posting) that you're using this system to demonstrate ("preview") to your clients websites you're building prior to deployment? Wouldn't you want to emulate the port assignments of the deployment environment? I assume that some will be using SQL servers or will want to support secure http. How can you demonstrate those capabilities with the ports shut?

For that matter, why the urge to lock down this machine at all? It's on your local network with an unroutable address, so presumably you've got some sort of NAT between you and the big, bad Internet. If you've got a robust, bi-directional firewall between your local net and the Internet, you really don't need to lock this system down that tightly, aside from general good network hygiene (practice safe hex!). If it's just a demo machine, and not your only development machine, you should really consider it a sacrificial lamb - a candidate for low-level format and reload - at all times.

Just my two cents.

subekk0 12-30-2003 03:15 PM

preconfigured firewalls
 
There are also numerous preconfigured firewalls ("rc.firewall") out there that would work with minimal tweaking. Check out http://firewall.lutel.pl/firewall; this is the one that I use, with some signature tweaking that routes to honeypots, etc., but maybe you don't need anything that solid? If you do play around with it, don't forget the popular "flush-iptables" script.
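For readers who would rather see the shape of such an rc.firewall than download one, here is an added example (not the lutel script, not guarddog's output, and not written by anyone in this thread) of a minimal Slackware-style /etc/rc.d/rc.firewall for the setup described in this thread: default DROP on INPUT, loopback and established traffic allowed, only the four needed TCP ports (21, 22, 25, 80) open, everything else logged and dropped, so MySQL, rpcbind, submission and X stay reachable from localhost only. It also includes the "flush" script subekk0 mentions. The rules are printed rather than executed by default so you can review them first; `start` and `stop` pipe them through sh. It assumes an iptables with the `state` match and the `ip_conntrack_ftp` helper (2.4-era kernels), and the file name and function names are this example's own.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall (assumed location) -- minimal input filter for a box
# that should only expose ftp, ssh, smtp and http. Usage: rc.firewall {start|stop|show}

# TCP ports accepted from the network; everything else is dropped by policy.
ALLOW_TCP="21 22 25 80"

# Print the iptables commands that build the ruleset (review with "show",
# apply with "start").
firewall_rules() {
    cat <<'EOF'
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Anything that falls through is logged (rate-limited) before the DROP policy gets it.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'rc.firewall drop: '"
}

# The "flush-iptables" step: remove every rule and open the box back up.
flush_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
EOF
}

# Sanity check: number of ports opened for new inbound connections.
accept_rule_count() {
    firewall_rules | grep -c -- '--state NEW -j ACCEPT'
}

case "${1:-show}" in
    start) firewall_rules | sh ;;
    stop)  flush_rules | sh ;;
    show)  firewall_rules ;;
    *)     echo "usage: $0 {start|stop|show}" >&2; exit 1 ;;
esac
```

Because the policy is DROP rather than REJECT, a scan from outside shows the unlisted ports as "filtered", exactly the change seen in the second nmap run above. The `ip_conntrack_ftp` line is what keeps active-mode FTP data connections working once INPUT only accepts ESTABLISHED,RELATED traffic; without it, FTP listings will hang even though port 21 is open.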

datadriven 12-30-2003 06:16 PM

Cyberspook, if you connect to MySQL on localhost it seems to work fine with the ports blocked. I used guarddog to set up iptables and it was pretty easy.

The machine is in the DMZ, which is outside my firewall, with a dyndns domain pointing at it. Which is why I wanted to lock it down. I scanned it via the local ip so I wouldn't post my url in a public forum.

CyberSp00k 12-30-2003 07:12 PM

Fair enough, Datadriven. That was the missing piece of information that makes your concerns clear. Thanks for passing it along. Best wishes to you in the New Year.

datadriven 12-30-2003 07:16 PM

Thanks to everyone for their assistance.


All times are GMT -5.