June 3rd, 2003, 03:17 AM
Testing Linux Firewall?
I am new to linux, and I have begun to try to understand some of its basics. I have two questions. Do I need the following ports open to simply surf the net, do email, and download the occasional program?
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
I have tried to configure my firewall using ipchains, and would like to test it. Is there any way that I can do this? I even searched Google and AO, and was only successful in finding windoz-based scans. (Note: An online scan is probably not possible in my situation because I am behind a router.) Thanks, sorry if this is kind of long and rambling.
June 3rd, 2003, 04:05 AM
X11 runs for remote X servers; that's what I know off the top of my head. I don't feel like doing the Google thing right now; you should try it and see what you get when you google it. It is quite simple.
June 3rd, 2003, 04:15 AM
Did you run NMAP on the local host or remotely? Is your firewall up and running?
Oh, and to "simply surf the net" you do not need those ports open.
Quis custodiet ipsos custodes
June 3rd, 2003, 04:37 AM
631/ipp is the Internet Printing Protocol. In either case, you don't need all those other ports open (except for X11; I don't use a window manager, so I'm not sure about this). Anyways, if you're curious what those ports do, try the following:
lsof -i tcp:port          (e.g. lsof -i tcp:631 shows which process owns the listener)
grep -w port /etc/services  (e.g. grep -w 631 /etc/services names the service)
Hope this helps.
June 3rd, 2003, 05:28 AM
Thanks for the help everyone!
June 3rd, 2003, 11:05 AM
You probably don't need port 25 open, because unlike what Marijuana said, it isn't used for outgoing mail, it's used for *incoming* mail. Now, unless you're using your machine as an incoming mail server for a domain, you don't need SMTP listening, *even* if you're using the machine as a relay.
I would say you can safely firewall all of those ports. However it's better practice just to firewall everything and then let in what you need.
Reading further down your post: if you are behind a router which does NAT (i.e., most home routers and many others), the whole thing is academic anyway because attackers cannot address your machine, much less attack it. So if your machine has an IP in one of the reserved ranges (10.*, 192.168.*, or 172.16.*-172.17.*), there is no possibility of an attacker connecting to it in a direct manner.
June 3rd, 2003, 03:01 PM
The question you should ask yourself is: "Do I need any server application on my machine?"
If not, make a simple rule to forbid any connection from port 1 to 1024.
For other ports visit the following site - it will give you any info you're looking for.
BTW, I'd advise you to use iptables, which is the Netfilter upgrade of ipchains.
SHARING KNOWLEDGE
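An added example, not posted by anyone in this thread: a shell script for the "firewall everything, then let in what you need" approach described in the two posts above, written for iptables (as the post above suggests) rather than ipchains. gen_rules prints a default-deny INPUT policy for a desktop that only surfs, reads mail and downloads files, so the rules can be read before being applied as root. unexpected_ports is an awk filter that reads nmap's normal output, like the scan at the top of the thread, and lists open TCP ports that are not on an allowlist. The interface name eth0, the "FW-DROP" log prefix and the constructed sample scan lines are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original thread.
# IFACE is an assumption; set it to your NIC (eth0, wlan0, ...).
IFACE="${IFACE:-eth0}"

# Print (do not apply) a default-deny ruleset for a client-only machine.
# Apply as root only after reading it:   gen_rules | sh
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback stays open: X11 (6000) and CUPS (631) talk to localhost over lo.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this machine started: web, mail, downloads.
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else arriving from the network (smtp, sunrpc, ipp, X11, ...)
# is logged once per new connection attempt, then dropped.
iptables -A INPUT -i $IFACE -m state --state NEW -j LOG --log-prefix "FW-DROP "
iptables -A INPUT -i $IFACE -j DROP
EOF
}

# Read nmap normal output on stdin; print open TCP ports not in the
# space-separated allowlist given as $1 (empty allowlist = nothing expected).
# Usage:   nmap -sT 192.168.1.10 | unexpected_ports "22"
unexpected_ports() {
    allow="$1"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Match lines like "25/tcp open smtp" (header and closed ports skipped).
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) print p[1]
        }'
}

# Constructed sample scan, shaped like the one in the first post, so the
# filter can be exercised offline; not a real scan result.
SAMPLE_SCAN='Port State Service
25/tcp open smtp
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11
22/tcp closed ssh'

# Convenience wrapper: run the sample scan through the filter.
audit_sample() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$1"
}
```

A scan of 127.0.0.1 travels over lo, which this ruleset accepts, so it shows what is listening, not what the firewall lets through; to test the rules, scan the machine's LAN address from another host on the same network, then read the packet counters with `iptables -L INPUT -n -v` and the "FW-DROP" lines in the kernel log. Listening services that nothing needs (portmapper, a local MTA bound to all interfaces) are still better stopped than merely filtered.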
June 3rd, 2003, 03:36 PM
As a side note, SMTP (25) is used for both incoming and/or outgoing (RFC 2821). Also,
a firewall does not ensure 'no possibility' of someone connecting; that's what's called candy security, aka hard crunchy shell, soft chewy inside. Follow good security practices and shut down unnecessary services regardless.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
June 3rd, 2003, 08:46 PM
111/tcp open sunrpc
You'd better close this one; it's the remote procedure call service. Crackers/script kiddies
probe for this open port all the time, and RPC services have many security issues. Attackers can register a bogus RPC service and instruct your portmapper to listen for his or her command requests. If he or she manipulates your portmapper to forward requests to available services on your Linux system, the attacker tricks them into thinking they're coming from your machine. If you need to run any RPC services, you need to weigh the security considerations very carefully; if you don't need any RPC services, I'd advise you to disable them
all, including portmapper. Beware!
June 3rd, 2003, 09:02 PM
Wow! I'm glad that I posted this thread, because I probably would have just left my firewall the way it was. Thanks to everyone for the info!