Full Version: closing ports
MandrivaUsers.org > Advanced Topics > Security
WickeD_Angel
Hi guys, I'm new to this forum :)

I've been using mandriva 2007.0 for some time now and wondering how to close all ports...

# nmap localhost gives:

Not shown: 1678 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

I understand that it's the sshd and portmap services that need to be stopped, yet I do prefer to
close them permanently ('service servicename stop' doesn't work for me). My Security level is HIGH, I'm using MCC firewall (guess it is shorewall). The problem is that even when I stop sshd and portmap services from System --> System Services, they come back after restart. Any ideas how to stop them permanently? In case that's important, my Mandriva serves as a router and provides NAT services for 2 pcs on the LAN.

Thanks in advance.
tyme
Beside where you stopped the services there should be a checkbox labeled "on boot" - unchecking this will cause the system to not start these programs on boot.

Also note that when scanning your system with nmap and using localhost or 127.0.0.1 it's likely you will be allowed through ports that a different system would not be permitted to access. So, while you may see these ports as open when scanning from localhost, if you went to another system and scanned remotely using this system's IP address you may not find these two ports to be open. Nonetheless, if you aren't using SSH you should turn it off, and I'm still curious as to why Mandriva has rpcbind running by default - it's notoriously insecure by nature.

Lastly, welcome to the board.
WickeD_Angel
That's the funny thing - I unchecked the labels "on boot" both for portmap and sshd, but the services are there after reboot :) Tried it several times.

I'm planning to nmap my system from outside soon. Unfortunately, the other pcs on my LAN are win-based.
ianw1974
Portmap is usually used for nfs stuff. So if you're not using nfs, remove it by doing:

CODE
urpme portmap


or use the gui remove software application. Try:

CODE
chkconfig sshd off


to disable ssh if the gui isn't doing the trick.
emmanuel_uk
AFAIK there is a bug in the dependency of the start scripts
so you can never disable portmap, even if disabling nfs
There is a thread on this in the mandriva forum

I might be wrong but I am sure this is an issue
ianw1974
I've managed to disable it fine. It's the removal of the application, where the problem occurs.

For portmap to be removed, the netfs service must be enabled, else removing the application won't work.

Using chkconfig to disable is fine, at least has been on my system. But I tend to remove services I'm not using to keep the system clean.
WickeD_Angel
Hello again, guys.

I think that chkconfig helped 'cause according to nmap, the sshd & portmap services are now off by default after reboot :) (rebooted 2 times and didn't see them) I guess the Mandriva GUI tools are...buggy? :)

Anyways, I did manage to configure more services, one of them being samba. I was wondering, what's the best security option for a small LAN? I used user level security (user + 8 chars encrypted password) and limited smb to serve only local private addresses. Is this enough? I couldn't find example configurations in /etc/samba, so that's it for now.

What about edonkey port (I'm using amule)? Should nmap list it as a service or extra care should be taken to make it more secure?

Thanks once again.
emmanuel_uk
http://qa.mandriva.com/show_bug.cgi?id=25668
This is what I was talking about
You cannot disable portmap (well Ianw solutions I did not know about,
I had to edit the scripts)

the other post bug is for 64 bits but this is for 32 bits
2007 cannot disable netfs and portmap
http://forum.club.mandriva.com/viewtopic.p...ghlight=portmap
WickeD_Angel
# chkconfig --del netfs
Needed by script(s) in runlevel 2: keytable(start) keytable(stop)

So as I understand, the real bug is in the netfs dependency, because I have managed to stop permanently both portmap and sshd without manual intervention. The thing is, first one should disable sshd, then portmap.

I think the dependency line is something like:
sshd -> portmap -> netfs

So we are left with netfs? Any ideas? :)
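Two questions in the post above are answerable from the outputs the thread already uses: which services are still marked "on" for the boot runlevel (so they come back after a reboot), and which init scripts list a service in their LSB "Required-Start:" header (the reason chkconfig refuses to --del netfs). The script below is an added example, not code from the thread or from Mandriva; the chkconfig --list sample is modelled on the lines posted here, the Required-Start pairs and script names are constructed and hypothetical, and it assumes the init scripts carry LSB headers.

```shell
#!/bin/sh
# Added example (not from the thread): parse `chkconfig --list` output and
# LSB "Required-Start:" headers to answer "what starts again at boot" and
# "who depends on this service". All sample data below is constructed.

# Constructed sample modelled on the chkconfig --list lines in the thread.
SAMPLE_CHKCONFIG='netfs      0:off 1:off 2:off 3:on  4:on  5:on  6:off
portmap    0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
shorewall  0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Constructed "script: Required-Start" pairs (script names hypothetical).
# On a real system the same shape comes from:
#   grep -H '^# Required-Start:' /etc/init.d/* | sed 's|.*/||; s|# Required-Start:||'
SAMPLE_REQUIRES='keytable: $local_fs netfs
nfs: $network portmap
netfs: $network portmap
sshd: $network'

# enabled_in_runlevel N: print services marked N:on in chkconfig --list
# output read from stdin. Runlevels 3 and 5 are the usual boot targets.
enabled_in_runlevel() {
    awk -v rl="$1" '
    NF >= 8 {
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == rl && kv[2] == "on") print $1
        }
    }'
}

# requirers SERVICE: print the scripts whose Required-Start line names
# SERVICE; these are the scripts chkconfig --del will complain about.
requirers() {
    awk -v svc="$1" '
    {
        script = $1; sub(/:$/, "", script)
        for (i = 2; i <= NF; i++) if ($i == svc) print script
    }'
}

# Usage with the constructed samples:
#   printf "%s\n" "$SAMPLE_CHKCONFIG" | enabled_in_runlevel 5
#   printf "%s\n" "$SAMPLE_REQUIRES"  | requirers netfs
# Real use:
#   chkconfig --list | enabled_in_runlevel 5
```

With the constructed data, `requirers netfs` reports keytable, which matches the "Needed by script(s) in runlevel 2: keytable(start)" message quoted above: the dependency has to be broken in the requiring script's header, not in netfs itself, before chkconfig will delete it.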
emmanuel_uk
On my PC, open ports are
netstat -tuanp | grep -i LISTEN
tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* dhclient
chkconfig --list | grep netfs
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Looks like I left it on, but this is not opening a port, so "it is ok"

BTW I never found out how to force dhclient not to listen everywhere
Just on the local network would be fine
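tyme's point earlier in the thread is that an nmap of localhost shows sockets a remote host could never reach, and the netstat listing above makes the distinction visible: portmap and cupsd are bound to 127.0.0.1, dhclient to 0.0.0.0. The script below is an added example, not code from the thread; it classifies `netstat -tuanp` lines by bind address so the externally reachable listeners stand out. The sample lines are constructed (modelled on the ones posted, with PID/program fields added) and the sshd line is an assumption included to show an external TCP listener.

```shell
#!/bin/sh
# Added example (not from the thread): classify `netstat -tuanp` listeners.
# 127.0.0.1 / ::1 sockets are reachable only from the machine itself;
# 0.0.0.0 / :: sockets answer on every interface, including the LAN side of
# a NAT router, so those are the ones a remote nmap would report.

# Constructed sample modelled on the thread's netstat output.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN 1234/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1300/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1401/cupsd
tcp 0 0 :::22 :::* LISTEN 1300/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1500/dhclient'

# classify_listeners: reads netstat -tuanp lines on stdin and prints
# "<scope> <proto> <port> <program>" per socket, scope = loopback|external.
# The port is taken after the last colon so IPv6 forms like :::22 work.
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        prog = $NF                      # UDP lines have no LISTEN column,
        sub(/^[0-9]+\//, "", prog)      # so take the last field and drop "PID/"
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "external"
        print scope, $1, port, prog
    }'
}

# external_listeners: only the sockets a host on the LAN could reach.
external_listeners() {
    classify_listeners | awk '$1 == "external" { print $2, $3, $4 }'
}

# Usage with the constructed sample:
#   printf "%s\n" "$SAMPLE_NETSTAT" | external_listeners
# Real use (as root, so the program column is populated):
#   netstat -tuanp | external_listeners
```

Anything the second function prints is what the firewall rules have to cover; a service that only appears in the loopback group (portmap on 127.0.0.1 here) does not need a firewall hole closed, though it still runs with whatever privileges it has.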
WickeD_Angel
QUOTE (emmanuel_uk @ Mar 10 2007, 09:34 AM)
On my PC, open ports are
netstat -tuanp | grep -i LISTEN
tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* dhclient
chkconfig --list | grep netfs
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Looks like I left it on, but this is not opening a port, so "it is ok"

BTW I never found out how to force dhclient not to listen everywhere
Just on the local network would be fine


I've got this, too:

netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

I guess it's still needed by some init scripts.
ianw1974
My netfs is disabled:

CODE
[root@esprit ian]# chkconfig --list netfs
netfs           0:off   1:off   2:off   3:off   4:off   5:off   6:off


so it is possible. You can't remove it from the system though:

CODE
[root@esprit ian]# rpm -qf /etc/init.d/netfs
initscripts-8.38-7mdv2007.0


as it's in the initscripts package, and this is important I believe ;)

So, disabling is easy enough.
WickeD_Angel
I don't know, maybe I have some different configurations that keep me from disabling it, it startles me.