Help Securing My Box
Below is the result of running nmap on the box I want to secure:

    Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-29 21:55 EST
    Interesting ports on 192.168.1.102:
    (The 1649 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    111/tcp  open  rpcbind
    587/tcp  open  submission
    3306/tcp open  mysql
    6000/tcp open  X11

I am a web developer and intend to use the box for previewing sites for customers before I put them on my dedicated server elsewhere. I know I need the first 4 ports but am not sure about the last 4. The box is running Slack 9.1. Does MySQL need a port open in order to function in my PHP websites? Do I need the other 3? |
587 is used by Sendmail.
6000 is used by X. If you close 6000 you won't be able to open X apps when in X, I think.
Netizen |
MySQL always runs on port 3306. Just set it up so that all accounts are @localhost only, and you'll be safe.
rpcbind can probably be disabled by stopping and disabling one of the scripts in /etc/rc.d. Also, you might consider using SFTP (which uses SSH); FTP is totally unencrypted! |
Right now I have my linksys router handling dyndns and the box in the DMZ. Would I be better off just to forward the necessary ports to the box instead of using the DMZ?
Got a url for SFTP? |
It would probably be safer to forward only the needed ports from the router. I don't bother, but it is the absolute safest way.
sftp is part of ssh. If ssh is enabled, you can connect to your machine with sftp. scp is also useful.... |
Is there another secure FTP client? I MUST HAVE BOOKMARKS. I have many sites to maintain, and typing both a username and password every time I connect is simply not an option. I was using ncftp because I had some problems with gftp corrupting some of my files.
|
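One way to get the "bookmarks" asked for above, as an added example rather than anything posted in the thread: ssh's own client config. Every "Host" block in ~/.ssh/config is an alias that sftp, scp and ssh all expand to a host name, user and port, and a key pair loaded into ssh-agent removes the per-connection password prompt. The host names, the user name "webdev" and the key file name "id_rsa_sites" are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sftp "bookmarks" via ~/.ssh/config aliases.
# Host names, the user name and the key file name are made-up placeholders.

# Write a client config with one alias per site into $1/config.
# Real use: write_ssh_config ~/.ssh, then simply "sftp customer-a".
write_ssh_config() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    cat > "$dir/config" <<'EOF'
# "sftp customer-a" becomes "sftp -P 22 webdev@dev.example.com" using this key.
Host customer-a
    HostName dev.example.com
    User webdev
    Port 22
    IdentityFile ~/.ssh/id_rsa_sites

# The preview box from the thread, reached on the LAN side.
Host preview
    HostName 192.168.1.102
    User webdev
    IdentityFile ~/.ssh/id_rsa_sites

# Settings every alias above inherits (ssh takes the first match per option).
Host *
    ForwardAgent no
    StrictHostKeyChecking ask
EOF
    chmod 600 "$dir/config"
}

# Look up the HostName an alias resolves to, reading only the config file
# (the same lookup ssh performs when handed the alias on the command line).
alias_hostname() {
    dir=$1; want=$2
    awk -v want="$want" '
        $1 == "Host"                    { cur = $2 }
        $1 == "HostName" && cur == want { print $2; exit }
    ' "$dir/config"
}

# One-time key setup, typed by hand rather than run by this script:
#   ssh-keygen -t rsa -f ~/.ssh/id_rsa_sites            # choose a passphrase
#   cat ~/.ssh/id_rsa_sites.pub | ssh webdev@dev.example.com \
#       'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
#   eval "$(ssh-agent)"; ssh-add ~/.ssh/id_rsa_sites    # passphrase once per login
# After that:  sftp customer-a     or     scp site.tar.gz preview:public_html/
```

With the agent loaded, "sftp customer-a" opens the session with no prompt at all, which is the ncftp bookmark workflow but encrypted and without a password stored on disk in the clear.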
Why not just use iptables?
|
You definitely won't need that X one open.
From now on start X with 'startx -- -nolisten tcp'. This will keep that 6000 port closed. The 111 you won't need either. You can disable this in /etc/rc.inet2. |
I downloaded the guarddog package from linuxpackages.net.

    Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-30 11:08 EST
    Interesting ports on 192.168.1.102:
    (The 1649 ports scanned but not shown below are in state: filtered)
    PORT     STATE  SERVICE
    21/tcp   open   ftp
    22/tcp   open   ssh
    25/tcp   open   smtp
    80/tcp   open   http
    443/tcp  closed https
    8000/tcp closed http-alt
    8080/tcp closed http-proxy
    8888/tcp closed sun-answerbook
    Nmap run completed -- 1 IP address (1 host up) scanned in 71.428 seconds

Does that look better? |
Why the lockdown?
For that matter, why the urge to lock down this machine at all? It's on your local network with an unroutable address, so presumably you've got some sort of NAT between you and the big, bad Internet. If you've got a robust, bi-directional firewall between your local net and the Internet, you really don't need to lock this system down that tightly, aside from general good network hygiene (practice safe hex!). If it's just a demo machine, and not your only development machine, you should really consider it a sacrificial lamb (a candidate for low-level format and reload) at all times. Just my two cents. |
preconfigured firewalls
There are also numerous preconfigured firewalls ("rc.firewall") out there that would work with minimal tweaking. Check out http://firewall.lutel.pl/firewall. This is the one that I use, with some signature tweaking that routes to honeypots, etc., but maybe you don't need anything that solid? If you do play around with it, don't forget the popular "flush-iptable" script.
|
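A minimal rc.firewall for the box in this thread, written here as an added example; it is not the lutel.pl script and not what guarddog generates. It assumes a single interface named eth0 facing the router, a 2.4 kernel with iptables connection tracking, and that only 21, 22, 25 and 80 need to be reachable from outside. Everything else, 111, 587, 3306 and 6000 included, hits a DROP policy after a rate-limited log line, and the "flush" step the post above mentions is the fw_flush function.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall -- added example for the box in this thread; not the
# lutel.pl script and not guarddog output. Assumes eth0 faces the router/DMZ,
# a 2.4 kernel with iptables connection tracking, and that only the four
# services below must be reachable from outside.
IPT=${IPT:-/usr/sbin/iptables}
WAN=${WAN:-eth0}
SERVICES="21 22 25 80"    # ftp ssh smtp http; 111, 587, 3306, 6000 stay blocked

# The "flush-iptables" step: empty every chain and return to accept-all.
fw_flush() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

# Passive-mode FTP opens a second connection on a high port; the tracking
# helper marks it RELATED so the rule below admits it without opening 1024+.
fw_modules() {
    modprobe ip_conntrack_ftp 2>/dev/null || true
}

fw_apply() {
    fw_flush
    # Default deny inbound; the box may still originate its own connections.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback: PHP talking to MySQL on 127.0.0.1:3306, local X clients, etc.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to outbound connections plus tracked FTP data channels.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # New connections only to the listed services, only on the outside interface.
    for p in $SERVICES; do
        $IPT -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT
    done
    # Allow ping; ICMP errors for our own traffic already matched RELATED above.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
    # Log what is about to fall through to the DROP policy, rate limited.
    $IPT -A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix "rc.firewall drop: "
}

case "${1:-}" in
    start|restart) fw_modules; fw_apply ;;
    stop)          fw_flush ;;
    status)        $IPT -L -n -v ;;
esac
```

Make it executable (chmod 755 /etc/rc.d/rc.firewall); if your rc.inet2 contains the usual test for an executable rc.firewall it runs at boot, otherwise call it from rc.local. Re-run the nmap from the other machine afterwards: the ports in SERVICES should show open and everything else filtered, as in the guarddog scan above. Forwarding only those same ports at the router instead of using the DMZ setting adds a second layer in front of this one.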
Cyberspook, if you connect to MySQL on localhost it seems to work fine with the ports blocked. I used guarddog to set up iptables, and it was pretty easy.
The machine is in the DMZ, which is outside my firewall, with a dyndns domain pointing at it. Which is why I wanted to lock it down. I scanned it via the local IP so I wouldn't post my URL in a public forum. |
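Once 111 and 6000 are turned off and MySQL is reachable on localhost only, it is worth confirming from inside the box what is still listening and on which address: nmap from another machine shows what is reachable, this shows why. The script below is an added example, not from the thread, and the two netstat listings it parses are constructed samples: one shaped like the first nmap run (everything bound to all interfaces) and one shaped like the box after the changes, with the four wanted services on 0.0.0.0 and MySQL bound to 127.0.0.1 only, which is all PHP on the same host needs.

```shell
#!/bin/sh
# Added example, not from the thread: audit TCP listeners from inside the box.
# Real use:  netstat -tln | exposed_ports      (add -p as root to see the PIDs)

# Constructed sample resembling the box before any changes (first nmap run).
BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN'

# Constructed sample after rpc/X are off and MySQL listens on loopback only.
AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Emit "port address" for each IPv4 TCP listener read on stdin (tcp6 skipped).
listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
        n = split($4, a, ":"); print a[n], a[1]
    }'
}

# Ports other hosts can reach: bound to anything but loopback.
exposed_ports() {
    listeners | awk '$2 != "127.0.0.1" { print $1 }' | sort -n | paste -s -d ' ' -
}

# Ports only the box itself can reach. PHP's mysql_connect("localhost") goes
# through the Unix socket or 127.0.0.1, so MySQL here is enough for it.
local_only_ports() {
    listeners | awk '$2 == "127.0.0.1" { print $1 }' | sort -n | paste -s -d ' ' -
}

# Exposed ports missing from the allow list given as "$1"; empty output is good.
unexpected_exposed() {
    allow=" $1 "
    bad=""
    for p in $(exposed_ports); do
        case "$allow" in
            *" $p "*) ;;
            *)        bad="$bad $p" ;;
        esac
    done
    printf '%s\n' "${bad# }"
}
```

On the real box, "netstat -tln | unexpected_exposed '21 22 25 80'" should print nothing. If 3306 still shows on 0.0.0.0, "skip-networking" in my.cnf makes mysqld use only its Unix socket, which PHP on the same host uses anyway. nmap's "filtered" result comes from the firewall; netstat shows what is listening behind it, so both views are worth keeping.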
Fair enough, Datadriven. That was the missing piece of information that makes your concerns clear. Thanks for passing it along. Best wishes to you in the New Year.
|
Thanks to everyone for their assistance.
|