WickeD_Angel Posted March 8, 2007
Hi guys, I'm new to this forum :) I've been using Mandriva 2007.0 for some time now and wondering how to close all ports...

# nmap localhost

gives:

Not shown: 1678 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

I understand that it's the sshd and portmap services that need to be stopped, yet I do prefer to close them permanently ('service servicename stop' doesn't work for me). My security level is HIGH, I'm using the MCC firewall (I guess it is shorewall). The problem is that even when I stop the sshd and portmap services from System --> System Services, they come back after restart. Any ideas how to stop them permanently? In case that's important, my Mandriva serves as a router and provides NAT services for 2 PCs on the LAN. Thanks in advance.
tyme Posted March 8, 2007
Beside where you stopped the services there should be a checkbox labeled "on boot" - unchecking this will cause the system not to start these programs on boot. Also note that when scanning your system with nmap and using localhost or 127.0.0.1 it's likely you will be allowed through ports that a different system would not be permitted to access. So, while you may see these ports as open when scanning from localhost, if you went to another system and scanned remotely using this system's IP address you may not find these two ports to be open. Nonetheless, if you aren't using SSH you should turn it off, and I'm still curious as to why Mandriva has rpcbind running by default - it's notoriously insecure by nature. Lastly, welcome to the board.
WickeD_Angel Posted March 8, 2007 (Author)
That's the funny thing - I unchecked the "on boot" labels both for portmap and sshd, but the services are there after reboot :) Tried it several times. I'm planning to nmap my system from outside soon. Unfortunately, the other PCs on my LAN are Windows-based.
ianw1974 Posted March 9, 2007
Portmap is usually used for NFS stuff. So if you're not using NFS, remove it by doing:

urpme portmap

or use the GUI remove-software application. Try:

chkconfig sshd off

to disable ssh if the GUI isn't doing the trick.
emmanuel_uk Posted March 9, 2007
AFAIK there is a bug in the dependency of the start scripts, so you can never disable portmap, even if disabling NFS. There is a thread on this in the Mandriva forum. I might be wrong, but I am sure this is an issue.
ianw1974 Posted March 9, 2007
I've managed to disable it fine. It's the removal of the application where the problem occurs. For portmap to be removed, the netfs service must be enabled, else removing the application won't work. Using chkconfig to disable is fine, at least it has been on my system. But I tend to remove services I'm not using to keep the system clean.
WickeD_Angel Posted March 9, 2007 (Author)
Hello again, guys. I think that chkconfig helped, 'cause according to nmap the sshd & portmap services are now off by default after reboot :) (rebooted 2 times and didn't see them). I guess the Mandriva GUI tools are... buggy? :) Anyways, I did manage to configure more services, one of them being Samba. I was wondering, what's the best security option for a small LAN? I used user-level security (user + 8-char encrypted password) and limited smb to serve only local private addresses. Is this enough? I couldn't find example configurations in /etc/samba, so that's it for now. What about the eDonkey port (I'm using aMule)? Should nmap list it as a service, or should extra care be taken to make it more secure? Thanks once again.
emmanuel_uk Posted March 10, 2007
http://qa.mandriva.com/show_bug.cgi?id=25668

This is what I was talking about. You cannot disable portmap (well, Ianw's solution I did not know about; I had to edit the scripts). The other post's bug is for 64 bits, but this is for 32 bits, 2007: cannot disable netfs and portmap.

http://forum.club.mandriva.com/viewtopic.p...ghlight=portmap
WickeD_Angel Posted March 10, 2007 (Author)
# chkconfig --del netfs
Needed by script(s) in runlevel 2: keytable(start) keytable(stop)

So as I understand, the real bug is in the netfs dependency, because I have managed to stop both portmap and sshd permanently without manual intervention. The thing is, first one should disable sshd, then portmap. I think the dependency line is something like:

sshd -> portmap -> netfs

So we are left with netfs? Any ideas? :)
emmanuel_uk Posted March 10, 2007
On my PC, open ports are:

netstat -tuanp | grep -i LISTEN
tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* dhclient

chkconfig --list | grep netfs
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Looks like I left it on, but this is not opening a port, so "it is ok". BTW, I never found out how to force dhclient not to listen everywhere. Just on the local network would be fine.
WickeD_Angel Posted March 10, 2007 (Author)
> On my PC, open ports are:
>
> netstat -tuanp | grep -i LISTEN
> tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN portmap
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN cupsd
> udp 0 0 0.0.0.0:68 0.0.0.0:* dhclient
>
> chkconfig --list | grep netfs
> netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
>
> Looks like I left it on, but this is not opening a port, so "it is ok". BTW, I never found out how to force dhclient not to listen everywhere. Just on the local network would be fine.

I've got this, too:

netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

I guess it's still needed by some init scripts.
ianw1974 Posted March 10, 2007
My netfs is disabled:

[root@esprit ian]# chkconfig --list netfs
netfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off

so it is possible. You can't remove it from the system though:

[root@esprit ian]# rpm -qf /etc/init.d/netfs
initscripts-8.38-7mdv2007.0

as it's in the initscripts package, and this is important I believe ;) So, disabling is easy enough.
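The thread touches two separate checks: tyme's point that an nmap of localhost shows sockets that only listen on 127.0.0.1 (so only the bind address tells you what the LAN can actually reach), and the chkconfig --list lines emmanuel_uk and ianw1974 post to see which services come back at boot. Below is an added example, not code from any post in this thread, that combines the two: it parses netstat -tuanp output and chkconfig --list output and reports which exposed listeners belong to a service enabled in runlevel 3 or 5. The NETSTAT_SAMPLE and CHKCONFIG_SAMPLE strings are constructed for the example (PIDs and the extra sshd line are made up; the cupsd to cups service-name mapping is an assumption), so it runs offline; on a real box you would feed it the live command output instead.

```shell
#!/bin/sh
# Constructed sample in the format of "netstat -tuanp" (not captured from any
# real host). portmap and cupsd bind only to loopback; sshd and dhclient bind
# to every interface.
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN      2046/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2399/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2301/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2100/dhclient'

# Constructed sample in the format of "chkconfig --list".
CHKCONFIG_SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# exposed_listeners: read netstat -tuanp output on stdin and print
# "proto port program" for each listening socket bound to all interfaces
# (0.0.0.0 or ::). Sockets bound to 127.0.0.1 are skipped: a localhost nmap
# sees them, a scan from another machine does not.
exposed_listeners() {
    awk '
        $1 == "tcp" && $6 != "LISTEN" { next }   # established tcp: ignore
        $1 != "tcp" && $1 != "udp"    { next }   # headers and other lines
        {
            n = split($4, a, ":"); addr = a[1]; port = a[n]
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip "pid/"
            if (addr == "0.0.0.0" || addr == "::" || addr == "")
                print $1, port, prog
        }'
}

# boot_enabled: read chkconfig --list output on stdin and print the names of
# services switched on in runlevel 3 or 5, i.e. the ones that return after a
# reboot even if they were stopped by hand.
boot_enabled() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "3:on" || $i == "5:on") { print $1; break }
    }'
}

# audit: $1 is a file of netstat output, $2 a file of chkconfig output.
# Prints one line per exposed listener, tagged with whether a service of the
# same name is enabled at boot (the "comes back after restart" case).
audit() {
    enabled=$(boot_enabled < "$2")
    exposed_listeners < "$1" | while read -r proto port prog; do
        svc=$prog
        case "$prog" in cupsd) svc=cups ;; esac   # assumed daemon->service mapping
        if printf '%s\n' "$enabled" | grep -qx "$svc"; then
            echo "$proto/$port $prog: exposed, starts at boot ($svc)"
        else
            echo "$proto/$port $prog: exposed, not a boot service"
        fi
    done
}

# Stand-alone demo on the constructed samples.
ns=$(mktemp); ck=$(mktemp)
printf '%s\n' "$NETSTAT_SAMPLE" > "$ns"
printf '%s\n' "$CHKCONFIG_SAMPLE" > "$ck"
audit "$ns" "$ck"
rm -f "$ns" "$ck"
```

On the sample data the report names only sshd (tcp/22, enabled in runlevels 3 and 5) and dhclient (udp/68, not a chkconfig service), while portmap on 127.0.0.1:111 is left out even though a localhost nmap would list it. On a live system, replace the two samples with `netstat -tuanp` and `chkconfig --list` redirected to files; whatever the report lists as "starts at boot" is what `chkconfig <service> off` needs to address before the next reboot.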
WickeD_Angel Posted March 12, 2007 (Author)
I don't know, maybe I have some different configuration that keeps me from disabling it; it startles me.