On Wed, 12 Apr 2000, André Bell wrote:
> Ok, so now I know to close these unnecessary ports. Problem now is nmap
> says I still have a ton of ports open, but when I type '/sbin/ipchains -L
> -n' ipchains shows many of these very same ports set to deny as I setup.
<snip>
nmap is crazy that way.. What you have to understand is that your firewall
rules are set to DENY from outside of that computer and it probably says
FORWARD or ACCEPT locally ... That's why they all appear open.
>
> A) # pmfirewall.rules.2 - used by pmfirewall package
> #
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 119 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1045 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1080 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 2000 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 2005 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 3128 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 5742 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 6000 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 6667 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 20034 -j DENY
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 40421 -j DENY
While this is a pretty good way of doing things... I would consider the
FreeBSD approach. DENY everything. Accept only what you want.
>
>
> B) Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> Interesting ports on xxxxxxxxxx
> Port   State  Protocol  Service
> 1      open   tcp       tcpmux
> 11     open   tcp       systat
> 15     open   tcp       netstat
> 25     open   tcp       smtp
> 79     open   tcp       finger
> 80     open   tcp       http
> 111    open   tcp       sunrpc
> 113    open   tcp       auth
> 119    open   tcp       nntp
> 143    open   tcp       imap2
> 515    open   tcp       printer
> 540    open   tcp       uucp
> 635    open   tcp       unknown
> 1080   open   tcp       socks
> 1524   open   tcp       ingreslock
> 2000   open   tcp       callbook
> 2005   open   tcp       deslogin
> 3128   open   tcp       squid-http
> 6667   open   tcp       irc
> 12345  open   tcp       NetBus
> 12346  open   tcp       NetBus
You'll also notice from this nmap that you have things like deslogin,
imap2, socks, IRC, and NetBus open.. Do you have any of these services
running?
I find that the best way to secure a system in Linux is to do it the way
your distribution wants you to. In Debian and Slackware you can just
move a few files around and comment out some lines. If you're using a
RedHat variant with the linuxconf modules installed you need to go through
linuxconf. You su, linuxconf, go to control panel, control services, and
then turn off every last thing you absolutely don't need.
Then, head over to /etc/inetd.conf and # comment out lines for services
you are no longer running. Then - Ta-Da. Your system is a bit more
secure.
I hope this helps :)
--
Greg Poirier
EarthLink Network, Inc.
Network Security
Network Abuse Engineer
-----------------
"For your information: I run OS/2, probably the most reliable networking
operating system on the earth. It's free of backdoors, trojans, Back Orifices
of any kind, so far and chances are, always will."
* Famous last words of an OS/2 user
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
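A default-deny ipchains input ruleset of the kind Greg suggests above ("DENY everything. Accept only what you want"), written here as an added example and not code from the original thread or from pmfirewall. It reuses the quoted $IPCHAINS, $REMOTENET and $OUTERNET variables; the 192.0.2.10 address and the allowed-port list are constructed, and the script only echoes the rules unless IPCHAINS is pointed at the real binary.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny ipchains
# input chain instead of listing individual DENY ports.
IPCHAINS="${IPCHAINS:-echo ipchains}"   # dry-run by default: print, don't apply
OUTERNET="${OUTERNET:-192.0.2.10}"      # constructed address of this host
REMOTENET="${REMOTENET:-0.0.0.0/0}"     # everything else
ALLOWED_TCP="${ALLOWED_TCP:-25 80}"     # only services you actually run

# Emit the whole ruleset: policy DENY first, then the explicit ACCEPTs.
default_deny_rules() {
    # 1. Flush the chain and make DENY the default, so any port not listed
    #    below is closed to the outside without its own rule.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY
    # 2. Loopback traffic stays open: this is why a scan run on the box itself
    #    still sees local services that outsiders cannot reach.
    $IPCHAINS -A input -i lo -j ACCEPT
    # 3. Explicit ACCEPT for each service you intend to expose (smtp, http).
    for port in $ALLOWED_TCP; do
        $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET $port -j ACCEPT
    done
    # 4. Replies to connections this host opened: TCP without SYN set (! -y).
    $IPCHAINS -A input -p tcp ! -y -s $REMOTENET -d $OUTERNET -j ACCEPT
    # 5. DNS answers come back from source port 53 over UDP.
    $IPCHAINS -A input -p udp -s $REMOTENET 53 -d $OUTERNET -j ACCEPT
    # 6. Log (-l) anything that falls through so denied probes show in syslog.
    $IPCHAINS -A input -s $REMOTENET -d $OUTERNET -j DENY -l
}

# Review helper: how many ACCEPT rules the generated chain contains.
count_accepts() {
    default_deny_rules | grep -c -- '-j ACCEPT'
}

default_deny_rules
```

With the default dry-run, review the printed rules, then rerun with `IPCHAINS=/sbin/ipchains` to apply them and confirm with `/sbin/ipchains -L input -n` that the policy line reads DENY.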