
KDE System Guard, security and ports


laiback

Please forgive my ignorance but I am new to Linux, Mandriva and especially the forum.

I have read some of the security messages and came to realise that instead of having my Firewall on, as I thought was the default, it was turned off! Ah!! So thanks for that, as I changed the settings immediately. However, I have also run KDE System Guard, which I found under Monitoring. When I display a graph called Network/Sockets/raw/Table I can see at least 4 ports/lines all the time. They are identified as ports 7741, ipp, X11 and local host 5353. Is this normal, and if not, what should I do to correct this situation?

 

I'm running Mandriva 2006 (free edition) on an AMD K6 400 MHz, 512Mb RAM with exchangeable caddy hard drives.

 

Many thanks for your time.

 

[moved from Software by spinynorman]

Link to comment
Share on other sites

Well I am not a security expert by any means but I will try to get this thread active.

 

According to my ports list, 7741 is unassigned and 5353 is for multicast DNS.

 

I am a Mandriva 2005 user running the native firewall "shorewall" accessed from within MCC. I have DSL using a Westell ethernet modem. When I used the KDE system guard as you specified I did not see any raw sockets listed.

 

What kind of internet connection do you have?

Are you using shorewall?

If you are using shorewall, how did you configure things within MCC?

 

 

Oh and welcome to the MUB! :D

Edited by daniewicz
Link to comment
Share on other sites

I am not a security expert either, but my rule of thumb is to turn off all services which have anything to do with network, except for the vital ones, i.e., network.

 

Edit: according to this post, http://www.niscc.gov.uk/niscc/docs/br-2002...71.html?lang=en

7741 is default for LISa, the Linux version of the network neighborhood. It's a totally useless service. Stop it, then check the list of open ports.

Edited by coverup
Link to comment
Share on other sites

Thank you for these replies.

daniewicz: I'm using the standard firewall as supplied with Mandriva 2006 and have configured it from the ..Configure Your Computer System...off the pop up LHS menu system (supplying root pswd as requested). I'm using a USB modem, Thomson Speedtouch 330, over a broadband connection.

 

Where do you find a list of port usage? I'm in the dark here and am amazed that you know what all the numbers are for.

 

coverup: WWW ref. I've printed off the notes and will see if I can follow the advice. I was surprised to find that I ended up on a page giving support for Lisa in Suse. Does Mandriva use the same system as this?

 

Will report again later when I have acted on the above.

Link to comment
Share on other sites

ianw1974: Many thanks for the reference...went over straight away. Very interesting.

 

Whilst I was there would you believe it, the firewall reported a port scanning attack. I've blacklisted it.

Link to comment
Share on other sites

coverup: WWW ref. I've printed off the notes and will see if I can follow the advice. I was surprised to find that I ended up on a page giving support for Lisa in Suse. Does Mandriva use the same system as this?

Don't worry about the content of that link. The only important piece of information on that page is that the port 7741 is used by LISa. Stopping LISa service should close this port.

 

Edit: Mandrake/Mandriva enables LISa during installation. While it could be useful on a large corporate firewalled network you won't use it at home. Stop it.

Edited by coverup
Link to comment
Share on other sites

coverup: Thanks for your latest info. I came to the conclusion that I couldn't/shouldn't use any of the files on that site as they are all Debian versions. So I went to my Update mirror service to see if there were any security issues with Lisa, couldn't find anything on the Mandriva sites.

 

When you say "Edit: Mandrake/Mandriva enables LISa during installation", are you saying that I need to reinstall my entire system, or that I could edit some file which would affect bootup?

 

I've searched out the port refs that I noted and they are as follows:-

 

7741 is Lisa. ipp is 631/tcp or 631/udp, internet printing protocol. X11 is 6000-6063/udp, X windows system. 5335 unassigned but noted as local host on my system.

 

Sorry to be a pain but, how do I close a port?

 

Thanks

Link to comment
Share on other sites

This is what I normally do:

 

urpme lisa

 

This will remove lisa. Or, you can disable the service but leave it installed, with:

 

chkconfig lisa off
service lisa stop

 

First, it will turn the service off for when you reboot, and the second command stops it to save you from rebooting. Port 631 is cups, and you need this for printing. 5335 is also enabled on my machine, but I can't find anything as to what it is, but ignore it. X11 ports are OK, they are your xorg. The easiest way to ensure security is install shorewall, then you have a firewall to protect against open ports. If you are already behind a firewall then don't worry about these ports. And if they're open against localhost/127.0.0.1 nobody except yourself will be able to connect to them anyway, as they aren't bound to a network card.

 

If you do this at the command prompt for me:

 

chkconfig --list

 

and copy the full output, I can tell you what other services you can stop/remove from your system.

Link to comment
Share on other sites

ianw1974:

Done as you suggested. Lisa now off and gone from the System load graphs. Used the second version to stop it rather than kill it off with urpme.

 

Below listed output from chkconfig --list.

You are most kind; thanks

Speedtouch is my modem

Shorewall is what I believe to be the firewall, standard with Mandriva 2006

I guess alsa and sound are there because I'm listening to a CD at the same time.

 

 

acpi 0:off 1:off 2:on 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
alsa 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dm 0:off 1:off 2:off 3:off 4:off 5:on 6:off
freshclam 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
harddrake 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kheader 0:off 1:off 2:on 3:on 4:off 5:on 6:off
lisa 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mDNSResponder 0:off 1:off 2:off 3:on 4:on 5:on 6:off
mandi 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nifd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
numlock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
oki4daemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
partmon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
shorewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sound 0:off 1:off 2:on 3:on 4:on 5:on 6:off
speedtouch 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

xinetd based services:
cups-lpd: off
rsync: off

Link to comment
Share on other sites

OK, the others I would turn off are:

 

netfs

rawdevices

 

as you won't need these. Netfs is usually used with nfs, but you don't have other nfs services installed, so you don't need this. Rawdevices is safe to turn off. I'm not entirely sure what it does, but the system works perfectly fine without it.

Link to comment
Share on other sites

Many thanks for the advice.

I'm pleased to report that Lisa didn't return on a reboot.

 

I feel much happier now and have learnt a thing or two in the process.

 

Bye for now

 

& many thanks

Link to comment
Share on other sites

I would suspect that mDNSResponder could be responsible for another open port that you were mentioning. Not sure what this service does... Try to disable it temporarily and see if the system works without it.

 

To disable the service temporarily (so it will come back after reboot), open a root console and type

service mDNSResponder stop
netstat -tan

The second line will show you ports which are currently open. Then try doing things that you would normally do on the net, e.g., browse, download, etc. If everything works, stop mDNSResponder for good following the routine which Ian has explained before.

Link to comment
Share on other sites
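
Added example, not part of the original thread: the loopback-versus-network distinction ianw1974 describes and the netstat check coverup suggests, combined into one script that lists each listening socket, says whether it is bound only to loopback or to a network-reachable address, and names the ports identified above. It uses netstat -tuln rather than -tan so that UDP listeners such as 5353 are included; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify listening sockets by bind scope.
# On a live system: netstat -tuln | report

# Constructed sample in net-tools `netstat -tuln` layout; the addresses are assumptions.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# Port names as identified by the posters in this thread.
label_port() {
    case "$1" in
        631)  echo "ipp (CUPS printing)" ;;
        5353) echo "multicast DNS (mDNSResponder)" ;;
        7741) echo "LISa" ;;
        60[0-5][0-9]|606[0-3]) echo "X11" ;;   # 6000-6063
        *)    echo "unknown" ;;
    esac
}

# stdin: netstat output. stdout: "proto port scope", one line per listener.
# TCP rows count only in state LISTEN; UDP rows have no state column.
classify_listeners() {
    awk '
        ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
            print $1, port, scope
        }'
}

# Space-separated, sorted list of ports reachable from the network.
exposed_ports() {
    classify_listeners | awk '$3 == "exposed" { print $2 }' | sort -nu | paste -sd ' ' -
}

# Human-readable table: protocol, port, scope, service name.
report() {
    classify_listeners | while read -r proto port scope; do
        printf '%-5s %-6s %-9s %s\n' "$proto" "$port" "$scope" "$(label_port "$port")"
    done
}

printf '%s\n' "$SAMPLE" | report
```

Sockets reported as exposed are the ones the firewall has to cover or that can be switched off with chkconfig and service as shown earlier in the thread; loopback entries are reachable only from the machine itself.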
