On Wed, 12 Apr 2000, André Bell wrote:
> should be otherwise? How do I REALLY close these ports? I already
> commented out absolutely everything in inetd.conf with exception to the
> authentication line and then rebooted. Nothing else in inetd.conf is
> without a leading '#' sign. Still several services like finger, telnet, and
> others show as open to nmap -- and yes I can actually run telnet despite
> commenting it out :(

Get and install lsof (if you're running RedHat, it's on the CD), then
look and see what program has those sockets open (esp. telnet and finger).
If it's inetd, you didn't do something right; if it's something else, it's
a bad thing.

You don't need ident unless you plan on IRCing from the box to one of the
IRC networks.

> A) # pmfirewall.rules.2 - used by pmfirewall package
> #
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 119 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1045 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1080 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 2000 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 2005 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 3128 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 5742 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 6000 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 6667 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 20034 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 40421 -j DENY
>

If you're running nmap from the same host, the packets come from loopback;
your filter rules don't look like they'll touch that interface.

Most times it's better to start with a default deny policy, then open up
specific ports and services.

> B) Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> Interesting ports on xxxxxxxxxx
> Port    State   Protocol  Service
> 1       open    tcp       tcpmux
> 11      open    tcp       systat
> 15      open    tcp       netstat
> 25      open    tcp       smtp
> 79      open    tcp       finger
> 80      open    tcp       http
> 111     open    tcp       sunrpc
> 113     open    tcp       auth
> 119     open    tcp       nntp
> 143     open    tcp       imap2
> 515     open    tcp       printer
> 540     open    tcp       uucp
> 635     open    tcp       unknown
> 1080    open    tcp       socks
> 1524    open    tcp       ingreslock
> 2000    open    tcp       callbook
> 2005    open    tcp       deslogin
> 3128    open    tcp       squid-http
> 6667    open    tcp       irc
> 12345   open    tcp       NetBus
> 12346   open    tcp       NetBus

Most of these *aren't* inetd-controlled services. They're started in the
run level startup scripts for whatever run level you're using. If you're
using the SysV init stuff in RedHat, it's /etc/rc.d/rc3.d *unless* you're
running that stupid "always start X" stuff, in which case it's run level 6
(IIR) instead of run level 3. Typically, I just mv the SNNwhatever file
to XNNwhatever to turn off services. I'd recommend getting a good Linux
book or seeking help in the Linux newsgroups for things like disabling
services.

I'm interested in what has 12345 and 12346 open though, please let us know
what lsof points to.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
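
The lsof check suggested in the reply above, as an added example that is not part of the original message: it reads `lsof -i -n -P` style output and separates listeners held by inetd from listeners started elsewhere (for instance by run-level scripts). The sample input is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: map listening TCP ports to the process that owns them.
# On a live host, replace sample_lsof with:  lsof -i -n -P

# Constructed sample in lsof's column layout, not output from the poster's box.
sample_lsof() {
cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
inetd    412 root    4u  IPv4    523      0t0  TCP *:113 (LISTEN)
inetd    412 root    5u  IPv4    524      0t0  TCP *:79 (LISTEN)
sendmail 498 root    4u  IPv4    611      0t0  TCP *:25 (LISTEN)
httpd    530 root   16u  IPv4    702      0t0  TCP *:80 (LISTEN)
portmap  301 bin     4u  IPv4    410      0t0  TCP *:111 (LISTEN)
sshd     377 root    3u  IPv4    455      0t0  TCP 10.0.0.5:22->10.0.0.9:1034 (ESTABLISHED)
EOF
}

# Print "port command pid class" for each TCP listener, sorted by port.
# class is "inetd" when the entry is still active in inetd.conf, or
# "standalone" when some other program opened the socket itself.
classify_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-2) == "TCP" {
        n = split($(NF-1), a, ":")          # NAME field is addr:port
        cls = ($1 == "inetd") ? "inetd" : "standalone"
        print a[n], $1, $2, cls
    }' | sort -n
}

# Ports that editing inetd.conf will never close, as one space-separated line.
standalone_ports() {
    classify_listeners | awk '$4 == "standalone" { print $1 }' | paste -s -d ' ' -
}

sample_lsof | classify_listeners
echo "not inetd: $(sample_lsof | standalone_ports)"
```

Header and ESTABLISHED lines are skipped, so only sockets that an external scan would report as open are listed.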