-
November 22nd, 2003, 11:00 PM
#1
Linux Port Help
Okay here is my nmap
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp open netbios-ssn
443/tcp open https
631/tcp open ipp
953/tcp open rndc
1241/tcp open msg
2049/tcp open nfs
6000/tcp open X11
7100/tcp filtered font-service
10000/tcp open snet-sensor-mgmt
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
I am running Mandrake 9.0. I have an apache server, a cups printer, and I want ssh to be open. What all should I close and how do I do it? I have googled all day and I have more or less found plenty of conflicting opinions on how to close ports. Help would be much appreciated.
-
November 23rd, 2003, 01:30 AM
#2
I would say you could close these:
25 if you don't send any mail
111 I have this open also, don't think you need it
137-139 Is this a Samba server, I assume yes, so leave them open, if you don't want it to be close them
631-2049 Don't know what they do, but I don't think you need them
7100-32772 Don't know but you shouldn't need them
To close them just disable the services associated with them. I have RH9 and I go to the main menu in the bottom left and I have System Settings>server settings>services and I select services. This is where I can manipulate what services are running at startup and I can remove them from startup and stop them from running. If you just remove them from startup they are still running for the current session so you also have to stop them.
For now I would disable 25 and 137-139(disable these if you are not sharing files with other computers) and possibly 111. And wait on the others, because I don't know what they do and you could possibly need them for something. Please hold off on disabling services until you get confirmation. Sorry I couldn't detail how to disable them, but I'm on redhat, and I don't really know mandrake.
My computer is like this:
21 open ftp
22 open ssh
80 open http
111 open srpc
3306 open mysql
6000 open X11
32768 open unknown(What is this? maybe a backdoor?)
-
November 23rd, 2003, 04:32 AM
#3
You're right, it's hard to find some linux stuff concerning your problem on google.
What firewall are you using? I have iptables in GUI mode running.
Here are some mediocre sites and articles on closing the ports
http://www.linuxexposed.com/modules....&mode=&order=0
http://www.linuxexposed.com/modules....&mode=&order=0 (back up link)
http://www.linuxexposed.com/modules....&mode=&order=0 ( back up back up link)
(suggestion) 22 = openssh - disable ssh if you want to close this.
25 = smtp - might have sendmail running, disable if you want to close
111 = sunrpc - mainly for remote protocol requests, nfs, etc. disable from xinetd or inet.conf if you want to close.
Another option is to learn and setup iptables and the such to setup your own firewall, etc.
-
November 23rd, 2003, 09:29 AM
#4
I am running firestarter, but I don't see any difference really. I set it up to filter everything but 80 and the other ports are still not filtered. I dunno. And I have checked xinetd.d but none of the services that I want to disable are there. And I have been to hell and back trying to close 6000. I have edited every file I can think of in X11.
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
-Walt Whitman-
-
November 23rd, 2003, 11:12 AM
#5
25 closed
111 closed
1241 closed - - was used by nessusd
-
November 23rd, 2003, 12:54 PM
#6
Lansing,
I'm assuming that you've done this:
Sourced from Simply Linux
Closing Port 6000
Port 6000 is listening by default. Take care of it.
1) Enter "vi /etc/X11/xdm/Xservers"
2) Hit "i" and add "-nolisten tcp" at the end of a line like this:
:0 local /usr/X11R6/bin/X -nolisten tcp
3) Hit ESC & enter ":wq"
And remarked out the necessary ports from the /etc/services file? If you do a netstat, you should see that the port is not being listened on even though it is "open".
-
November 23rd, 2003, 05:11 PM
#7
Did you scan 127.0.0.1, or your proper IP address? This matters, as some services should only be listening on localhost. One example is port 631, which is open because of cups. This port should only be listening on localhost. Same with port 7100, which is xfs.
Port 25 listening on your external IP address is a serious problem, depending on the configuration of sendmail, or whatever smtp service you're running. Spammers love setups like this, as it will be you getting the blame when they route their junk mail through your PC.
You can close port 443 by uninstalling mod_ssl and restarting apache.
Port 53 can be closed by stopping bind. If you did a UDP scan, you would notice this PC is also listening on UDP port 53 as well.
Ports 2049, 32771, and 32772 will close when you stop the service running on port 111. This is either NIS or NFS, I always confuse the two.
You should probably stop samba as well, unless you need it for windows connectivity on a network. This will close ports 137-139.
Ports 10000 and 953 are a mystery though, I've got no idea what they are. The only time I've seen 10000 open is with webmin, and this could be a security problem if this is the reason port 10000 is open.
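
The localhost-versus-external distinction raised in post #7 can be checked on the host itself from `netstat -tln` output. The script below is an added example, not part of any post in this thread. The allowlists (22 and 80 external, 631 local only) are assumptions taken from the original poster's stated goal, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `netstat -tln` (or `ss -tln`) output.
# The allowlists below are assumptions taken from the thread's stated goal.
WANTED_EXTERNAL="22 80"   # ssh and apache, reachable from the network
WANTED_LOCAL="631"        # cups, which should answer on localhost only

audit_listeners() {
    # stdin: netstat/ss listing; stdout: "<port> <scope> <verdict>" per listener
    awk -v ext="$WANTED_EXTERNAL" -v loc="$WANTED_LOCAL" '
    BEGIN {
        n = split(ext, e, " "); for (i = 1; i <= n; i++) want_ext[e[i]] = 1
        n = split(loc, l, " "); for (i = 1; i <= n; i++) want_loc[l[i]] = 1
    }
    /LISTEN/ {
        addr = $4                                  # local address:port in both tools
        port = addr; sub(/.*:/, "", port)          # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)     # text before it
        if ((host ~ /^127\./) || host == "::1" || host == "[::1]")
            scope = "loopback"
        else
            scope = "external"
        if (scope == "loopback")        verdict = "ok"        # not reachable remotely
        else if (port in want_ext)      verdict = "ok"
        else if (port in want_loc)      verdict = "restrict"  # bind to 127.0.0.1
        else                            verdict = "close"     # stop the service
        print port, scope, verdict
    }'
}

# Constructed sample input, not output from the poster's machine.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:7100          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
EOF
}

sample_netstat | audit_listeners
```

On a live system, replace the sample with `netstat -tln | audit_listeners`; an nmap scan of 127.0.0.1 alone cannot tell a loopback-only listener from one bound to every interface.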
-
November 23rd, 2003, 09:46 PM
#8
Update:
how does this look:
Port State Service
22/tcp open ssh
80/tcp open http
443/tcp open https
631/tcp open ipp
6000/tcp open X11
-
November 24th, 2003, 12:21 AM
#9
That looks good Lansing_Banda. It seems that you now only have the ports open for which you want a service to be running, if that made any sense.
-
November 24th, 2003, 02:24 AM
#10
I still need to close 443. My apache's SSL_mod is causing that, but I am in no big hurry, nessus just gave me a warning with that. Nessus likes my setup and right now, so do I.
And Heretic, that made perfect sense.