closing ports

[WickeD_Angel]

Hi guys, I'm new to this forum :)

 

I've been using mandriva 2007.0 for some time now and wondering how to close all ports...

 

# nmap localhost gives:

 

Not shown: 1678 closed ports

PORT STATE SERVICE

22/tcp open ssh

111/tcp open rpcbind

 

I understand that it's the sshd and portmap services that need to be stopped, yet I do prefer to

close them permanently ('service servicename stop' doesn't work for me). My Security level is HIGH, I'm using MCC firewall (guess it is shorewall). The problem is that even when I stop sshd and portmap services from System --> System Services, they come back after restart. Any ideas how to stop them permanently? In case that's important, my Mandriva serves as a router and provides NAT services for 2 pcs on the the LAN.

 

Thanks in advance.

[tyme]

Beside where you stopped the services there should be a checkbox labeled "on boot" - unchecking this will cause the system to not start these programs on boot.

 

Also note that when scanning your system with nmap and using localhost or 127.0.0.1 it's likely you will be allowed through ports that a different system would not be permitted to access. So, while you may see these ports as open when scanning from localhost, if you went to another system and scanned remotely using this systems IP address you may not find these two ports to be open. Nonetheless, if you aren't use SSH you should turn it off, and I'm still curious as to why Mandriva has rpcbind running by default - it's notoriously insecure by nature.

 

Lastly, welcome to the board

[WickeD_Angel]

That's the funny thing - I unchecked the labels "on boot" both for portmap and sshd, but the services are there after reboot :) Tried it several times.

 

I'm planning to nmap my system from outside soon. Unfortunately, the other pcs on my LAN are win-based.

[ianw1974]

Portmap is usually used for nfs stuff. So if you're not using nfs, remove it by doing:

 

urpme portmap

 

or use the gui remove software application. Try:

 

chkconfig sshd off

 

to disable ssh if the gui isn't doing the trick.

[emmanuel_uk]

AFAIK there is a bug in the dependency of the start scripts

so you can never disable portmap, even if disabling nfs

There is a thread on this in the mandriva forum

 

I might be wrong but I am sure this is an issue

[ianw1974]

I've managed to disable it fine. It's the removal of the application, where the problem occurs.

 

For portmap to be removes, netfs service must be enabled, else the removing the application won't work.

 

Using chkconfig to disable is fine, at least has been on my system. But I tend to remove services I'm not using to keep the system clean.

[WickeD_Angel]

Hello again, guys.

 

I think that chkconfig helped 'cause according to nmap, the sshd & portmap services are now off by default after reboot :) (rebooted 2 times and didn't see them) I guess the Mandriva GUI tools are...buggy? :)

 

Anyways, I did manage to configure more services, one of them being samba. I was wondering, what's the best security option for a small LAN? I used user level security (user + 8 chars encrypted password) and limitted smb to serve only local private addresses. Is this enough? I couldn't find example configurations in /etc/samba, so that's it for now.

 

What about edonkey port (I'm using amule)? Should nmap list it as a service or extra care should be taken to make it more secure?

 

Thanks once again.

[emmanuel_uk]

http://qa.mandriva.com/show_bug.cgi?id=25668

This is what I was talking about

You cannot disable portmap (well Ianw solutions I did not know about,

I had to edit the scripts)

 

the other post bug is for 64 bits but this is for 32 bits

2007 cannot disable netfs and portmap

http://forum.club.mandriva.com/viewtopic.p...ghlight=portmap

[WickeD_Angel]

# chkconfig --del netfs

Needed by script(s) in runlevel 2: keytable(start) keytable(stop)

 

So as I understand, the real bug is in the netfs dependency, because I have managed to stop permanently both portmap and sshd without manual intervention. The thing is, first one should disable sshd, then portmap.

 

I think the dependency line is something like:

sshd -> portmap -> netfs

 

So we are left with netfs? Any ideas? :)

[emmanuel_uk]

On my PC, open ports are

netstat -tuanp | grep -i LISTEN

tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN portmap

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN cupsd

udp 0 0 0.0.0.0:68 0.0.0.0:* dhclient

chkconfig --list | grep netfs

netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Look like I left it on, but this is not opening a port, so "it is ok"

 

BTW I never found out how to force dhclient not to listen everywhere

Just on the local network would be fine

[WickeD_Angel]

On my PC, open ports are

netstat -tuanp | grep -i LISTEN

tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN portmap

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN cupsd

udp 0 0 0.0.0.0:68 0.0.0.0:* dhclient

chkconfig --list | grep netfs

netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Look like I left it on, but this is not opening a port, so "it is ok"

 

BTW I never found out how to force dhclient not to listen everywhere

Just on the local network would be fine

 

I've got this, too:

 

netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

 

I guess it's still needed by some init scripts.

[ianw1974]

My netfs is disabled:

 

[root@esprit ian]# chkconfig --list netfs
netfs		   0:off   1:off   2:off   3:off   4:off   5:off   6:off

 

so it is possible. You can't remove it from the system though:

 

[root@esprit ian]# rpm -qf /etc/init.d/netfs
initscripts-8.38-7mdv2007.0

 

as it's in the initscripts package, and this is important I believe ;)

 

So, disabling is easy enough.

[WickeD_Angel]

I don't know, maybe I have some different configurations that keeps me from disabling it, it startles me.