nmap outputs this on my system:
well ipp is CUPS web server X11 is the X-window server, but what are the other 2 ports. Do I need them open? how do I close them?. I haven't configured iptables, so not having unneeded ports open is important for me. Can you suggest a really easy to use firewall or an easy guide for iptables?
I don't have time to learn those stuff right now.

Edit /etc/inetd.conf and comment the line about time, auth services to disable them,
then restart inetd (killall -s HUP inetd)

If you don't need time and auth, and have no other services, just kill inetd.
Also, if you don't need X listening for incoming connections, you can add this to /usr/X11R6/bin/startx
(replacing the original serverargs="" already there)

Hi

I used "chmod -x rc.inetd", and modified "startx", and I now only have 631 and 6000 open.

I thought that modifying startx would have closed 6000/tcp X11.

I take it 631 has to be open to print with cups
and 6000 open to use X

When checking from the internet grc.com both these ports are reported as stealth.

Can all ports be closed or am I just being stupid.

samac

The easiest firewall I have come across, and it seems to be "hard as nails", is:
projectfiles.com/firewall/

Hope this helps

samac

thank you both.
Although after commenting time and auth I had no inetd listening port, i killed it completely.
I also added the nolisten tcp and there is no open port waiting for X11 connections.
Right now Only 631 is open and will refuse any connection outside 127.0.0.1
AM I secure? DO I need a firewall?
A port scan will show to someone that 631 is open, he may also do a OS detection and find out I'm using linux with the 2.4 kernel series. Is there a way to crack my system?
Also, what's the use of time and auth?
If i want my sisters pc to use mine as a gateway to connect to the internet, (I'm thinking of buying ethernet cards), do i need to relaunch inetd?

did you restart X? You should not have 6000 open if you did it correct.

Also check etc/cups/cupsd.conf. By default you probably have something like:
which means all connections outside your pc in 631 will be denied.

Hi

port 6000 now closed

Yes cupsd.conf has those options.

Thanks

samac

I found these open:

bash-2.05b$ nmap localhost

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-02-28 14:42 EST
Interesting ports on localhost (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
587/tcp open submission
631/tcp open ipp
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.431 seconds
bash-2.05b$

I'm using guarddog. Can someone tell me how to close the unneeded ports?

WilliamS:

You're running sshd (ssh) and sendmail (smtp)
That should leave you with 631 (CUPS) and 6000 (X, see my previous post about how to close that one)

Guarddog won't close the ports for you, but it can restrict access to them.

perfect_circle:

As to whether a firewall is necessary on top, I would say better safe than sorry. Since I run no services, my firewall rules will not forward packets, and drop any incoming packets that are coming to ports that I have *not* opened (but leaving 127.0.0.1, the local loopback, unaffected). It's easier than coding half a dozen different rules in different programs. Let the firewall/iptables do the hard work first!

You can write your own firewall script, and drop it in as /etc/rc.d/rc.firewall and chmod +x it, or use something like guarddog to build one for you.

Edit:

For a gateway, you don't need inetd, you just need to configure iptables using a firewall script. You need to forward requests from your sisters PC to the net, and vice versa. I'm not that knowledgeable on this, so try searching the board or use Google to see if you can find more.

the startup services are in /etc/rc.d/
If you don't want something remove the execute permission.
e.x. ssh is secure shel deamon. If you don't want to be able to remotelly connect to this pc so:
to stop the service
and then To make sure that ssh is not loaded at startup.
smtp is the mail server. If you don't need to run a mail server do the same as above for rc.sendmail
I don't have a clue what 587 port is for..

It worked for sendmail port, but there seems to be no rc.ssh in my system.
bash-2.05b# /etc/rc.d/rc.sshd stop
bash-2.05b# chmod -x /etc/rc.d/rc.ssh
chmod: cannot access `/etc/rc.d/rc.ssh': No such file or directory
bash-2.05b# find / -name *rc.ssh
/usr/share/a2ps/sheets/a2psrc.ssh
/home/usr/share/a2ps/sheets/a2psrc.ssh
bash-2.05b#

After having no choice but to use buttons that are labelled "submit", I've acquired an attitude toward that word. Would love to be rid of that port too.

sorry... its chmod -x /etc/rc.d/rc.sshd
The same script you stoped, it was just a spelling mistake, I've corrected it
sshd= secure shell deamon

Take a look at webmin.org, I use webmin to configure IPTables and it works great for me. My iptables is rather simple, I block all incoming and forwarding connections and allow loopback full access and then eth0 (respective interface) to accept incoming and forwarded connections if they are established and related. However this is just a simple security wall for me since I am also behind a NAT router with a firewall of its own.
Hope this helps you

Thanks, got sshd port closed, so now nmap shows
PORT STATE SERVICE
631/tcp open ipp
6000/tcp open X11

Nmap run completed

although /usr/X11R6/bin/startx has serverargs="-nolisten tcp"

I hope I've made no typos, I must be the world typo champion.