Re: All these open ports

2004-10-26 Thread Jon Dowland
On Thu, 19 Aug 2004 19:44:06 -0600, Dana J. Laude [EMAIL PROTECTED] wrote:

 Or better yet, Jon should checkout the following link:
 http://www.debian.org/doc/user-manuals#securing
 
 The harden-doc is outdated except on unstable, so you're better
 off reading the online version at the above page.

Thanks - that is a good guide.

-- 
Jon Dowland
[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: All these open ports

2004-09-23 Thread Frederik Dannemare
On Tuesday 21 September 2004 11:57, Tom Allison wrote:
 [EMAIL PROTECTED] wrote:
 If a port is open, and associated with a program which isn't from a
 debian package and you don't believe you put it there yourself -
  its time to consider the possibility your machine has been
  compromised.
 
  Okay...  that gives me an opening to try this again.
 
  At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
  knee-jerk reaction, I will mention that the Gatesware-based
  firewall packages (like Zone Alarm) will detect *outgoing*
  connection attempts and query whether they are legitimate.

Query how? Based on what rules is an outgoing connection 
allowed/disallowed?

 
  There has been some discussion on the net w/r/t the fact that
  apparently the later (per)versions of Gatesware have some trojans
  embedded in the OS, which will connect to Billsoft to report your
  social security number, sexual preference, etc. etc. - the point
  being that (allegedly) the
  commercial firewall products can't detect such attempts to phone
  home.
 
  In any case, I've as yet been unable to find any way of getting
  detection and authorization of outgoing requests with any
  of the Linux firewalls, or with IPtables - although I can hardly
  say that
  I've thoroughly done my homework - but I have asked here and there
  and thus far no one seems to know.  The Paradigm seems to be that
  if it's something that got spawned on your machine, and is trying
  to connect
  outward, it by definition must be legitimate, so it gets granted a
  port, unless whatever port it is requesting is *already* explicitly
  blocked by iptables or whatever for some reason.

Using 'policy drop' for outgoing traffic, and then explicitly allowing 
certain traffic would do what you want, if I understand your question 
correctly.

Try using something like firehol (firehol.sf.net), where it's really 
easy and convenient to define rules.

  (Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS
  THEN!!!)

 There are several aspects of this that you have overlooked regarding
 just the basics of iptables and the state of TCP/IP today.

 First, iptables can be configured such that filtered port traffic can
 be directed into userspace wherein you can do anything you would like
 to with them, including adding rules to permit their traffic.

 The methods by which you could query outgoing traffic are numerous
 with or without iptables.

 But more importantly you have to understand that you cannot block and
 query all traffic going out from your computer.  If you did that, you
 would block FTP for the majority of environments.  Namely, passive
 mode FTP which was popularized by Microsoft.  Prior to this everyone
 had the notion of connection through the control and data ports which
 were traceable and identifiable.

 Passive mode FTP allows you to make a high port connection to another
 high port connection.  Both of these port numbers are not defined
 until the connection is attempted.  This connection cannot be
 filtered in iptables because you have to create a high-port to
 high-port connection ACCEPT rule in order for passive mode to work. 
[ snip ]

Why not just use connection tracking? Load the ip_conntrack_ftp module 
and create proper iptables rules. Iptables will then be able to 
recognize the high-port connection as RELATED to the original 
connection to port 21.

B/R,
-- 
Frederik Dannemare | mailto:[EMAIL PROTECTED]
http://qa.debian.org/developer.php?login=Frederik+Dannemare
http://frederik.dannemare.net | http://www.linuxworlddomination.dk
Key fingerprint: BB7B 078A 0DBF 7663 180A  F84A 2D25 FAD5 9C4E B5A8





Re: All these open ports

2004-09-22 Thread Tim Kelley
On Tuesday 21 September 2004 04:57, Tom Allison wrote:

  At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
  knee-jerk reaction, I will mention that the Gatesware-based firewall
  packages (like Zone Alarm) will detect *outgoing* connection attempts
  and query whether they are legitimate.
 
  There has been some discussion on the net w/r/t the fact that apparently
  the later (per)versions of Gatesware have some trojans embedded in the
  OS, which will connect to Billsoft to report your social security
  number, sexual preference, etc. etc. - the point being that (allegedly)

Well, there isn't any easy way I know of to do this on linux, however, it 
really is a case of a solution in search of a problem.  This sort of thing 
really isn't an issue with free software, or really with any properly 
designed system.

-- 
  _   _   _   _   _   _   _   _   _   _   _   _   _  
 / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ 
( t | i | m | @ | i | t | . | k | p | t | . | c | c )
 \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ 
GPG key fingerprint = 1DEE CD9B 4808 F608 FBBF  DC21 2807 D7D3 09CA 85BF





Re: All these open ports

2004-09-22 Thread Dave Howorth
Tom Allison wrote:
More importantly today is to understand how 99.9% of the virus and 
malware is transmitted today.  It's not through unfiltered ports and 
such as described in your original email, but through the email 
mechanism (or http) itself.  And while I don't have any hard numbers at 
my desk to support the 99.9% claim, I don't believe it to be too far off 
the mark.
My machine at home receives some kind of port scan on average about 
every three seconds. That's a lot higher rate than it receives spam. Am 
I the 0.1%?

Cheers, Dave



Re: All these open ports

2004-09-22 Thread Johann Koenig
On Wednesday September 22 at 02:36pm
Dave Howorth [EMAIL PROTECTED] wrote:

 Tom Allison wrote:
  More importantly today is to understand how 99.9% of the virus and 
  malware is transmitted today.  It's not through unfiltered ports and
  such as described in your original email, but through the email 
  mechanism (or http) itself.  And while I don't have any hard numbers
  at my desk to support the 99.9% claim, I don't believe it to be too
  far off the mark.
 
 My machine at home receives some kind of port scan on average about 
 every three seconds. That's a lot higher rate than it receives spam.
 Am I the 0.1%?

Port scan != virus/malware
-- 
-johann koenig
Now Playing: Project 86 - Rebuttal : Safety First
Today is Setting Orange, the 46th day of Bureaucracy in the YOLD 3170
My public pgp key: http://mental-graffiti.com/pgp/




Re: All these open ports

2004-09-21 Thread Tom Allison
[EMAIL PROTECTED] wrote:
If a port is open, and associated with a program which isn't from a
debian package and you don't believe you put it there yourself - its
time to consider the possibility your machine has been compromised.

Okay...  that gives me an opening to try this again.
At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
knee-jerk reaction, I will mention that the Gatesware-based firewall
packages (like Zone Alarm) will detect *outgoing* connection attempts
and query whether they are legitimate.
There has been some discussion on the net w/r/t the fact that apparently
the later (per)versions of Gatesware have some trojans embedded in the
OS, which will connect to Billsoft to report your social security
number, sexual preference, etc. etc. - the point being that (allegedly)
the
commercial firewall products can't detect such attempts to phone home.
In any case, I've as yet been unable to find any way of getting
detection and authorization of outgoing requests with any
of the Linux firewalls, or with IPtables - although I can hardly say
that
I've thoroughly done my homework - but I have asked here and there and
thus far no one seems to know.  The Paradigm seems to be that if
it's something that got spawned on your machine, and is trying to
connect
outward, it by definition must be legitimate, so it gets granted a port,
unless whatever port it is requesting is *already* explicitly blocked
by iptables or whatever for some reason.
(Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)

There are several aspects of this that you have overlooked regarding just 
the basics of iptables and the state of TCP/IP today.

First, iptables can be configured such that filtered port traffic can be 
directed into userspace wherein you can do anything you would like to 
with them, including adding rules to permit their traffic.

The methods by which you could query outgoing traffic are numerous with 
or without iptables.

But more importantly you have to understand that you cannot block and 
query all traffic going out from your computer.  If you did that, you 
would block FTP for the majority of environments.  Namely, passive mode 
FTP which was popularized by Microsoft.  Prior to this everyone had the 
notion of connection through the control and data ports which were 
traceable and identifiable.

Passive mode FTP allows you to make a high port connection to another 
high port connection.  Both of these port numbers are not defined until 
the connection is attempted.  This connection cannot be filtered in 
iptables because you have to create a high-port to high-port connection 
ACCEPT rule in order for passive mode to work.  This iptables rule will 
allow anything to connect so you get into a lot of problems with being 
able to connect trojans or virus in the same manner.

More importantly today is to understand how 99.9% of the virus and 
malware is transmitted today.  It's not through unfiltered ports and 
such as described in your original email, but through the email 
mechanism (or http) itself.  And while I don't have any hard numbers at 
my desk to support the 99.9% claim, I don't believe it to be too far off 
the mark.

If you want to block a vast majority of the virus problems on the 
internet today then email should be configured to not execute anything 
when it receives a message and the MSIE browser should be fixed so that 
I cannot send an EXE file with a TEXT/HTML description, allowing your 
browser to download it as HTML and then the file explorer portion of the 
browser functionality to execute the EXE file based on name extension.

These are fundamental mistakes in software design that would never have 
been allowed if intelligent people were in charge.  While I deeply 
loathe MSFT for more good reasons than I can publish in a day, I think 
these security problems are evidence of Marketing superseding the 
Engineering forces in the company, resulting in some really stupid 
things being done for some eye-candy reasons.  Engineering isn't stupid, 
they're just asked to do some really stupid things.




Re: All these open ports

2004-08-25 Thread listcomm
 So what exactly are you worried about?  A program uploading 
 sensitive data to a random server?  Well the easiest way for a program 
 to do that is to invoke sendmail to e-mail the information to the 
 server. In which case the program never attempts to open a port, your 
 m-t-a does. Your m-t-a opening a port is the most normal thing in the 
 world.  Or if for some reason you don't have your m-t-a properly 
 configured, it could invoke ssh or lynx or ...

You're right; there are as many opportunities for paranoia WRT what
on my system could phone home in which manner.

I think for Linux to be secured against that sort of thing, there would
have to be a kernel hook that logged PIDs of processes that got spawned,
and then watched to see if that PID attempted an outgoing access of some
sort.  (I'm not volunteering to write *that*...).

I've similarly wondered if the Gatesware equivalents (the personal
firewalls)
are capable of detecting outgoing accesses by things that aren't invoked
by the user...  probably not, and the corresponding vulnerability is
probably
there for Windoze systems as well, as I mentioned earlier...

The thing is, that sort of malicious code could be embedded in anything
you
install.  The only thing protecting you is the traceability of the code
and
concomitant liability of the perpetrator to prosecution.  Otherwise half
the
frustrated geeks in the world would be embedding their little projects
in
their employer's products.  I don't know about you, but that sort of
protection
doesn't make me feel secure in general - I want some sort of process
monitoring that can detect outgoing communication attempts.

The fact that it hasn't happened yet, doesn't reduce my paranoia one
bit.  Moreover,
the attitude of Linux people that they're somehow immune because of the
limited
distribution of Linux compared to the Gatesware installed base, is just
whistling in
the dark, cum laude.  From the responses I get in general, the general
attitude
seems to be to shrug it off because no one can do anything about it.

Again, you're right, though, that I'm too narrowly focused WRT the real
issue.
Maybe this discussion really belongs on a linux security list...

Thanks for your input -





RE: All these open ports

2004-08-25 Thread Steven Jones
From what I recall of a discussion over SP2 for XP with a MS rep, their firewall 
should have lots of fun trying to figure out what is legit outgoing and what is 
not

;0

regards

Thing

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, 26 August 2004 9:07 a.m.
To: [EMAIL PROTECTED]
Subject: Re: All these open ports


 So what exactly are you worried about?  A program uploading 
 sensitive data to a random server?  Well the easiest way for a program 
 to do that is to invoke sendmail to e-mail the information to the 
 server. In which case the program never attempts to open a port, your 
 m-t-a does. Your m-t-a opening a port is the most normal thing in the 
 world.  Or if for some reason you don't have your m-t-a properly 
 configured, it could invoke ssh or lynx or ...

You're right; there are as many opportunities for paranoia WRT what
on my system could phone home in which manner.

I think for Linux to be secured against that sort of thing, there would
have to be a kernel hook that logged PIDs of processes that got spawned,
and then watched to see if that PID attempted an outgoing access of some
sort.  (I'm not volunteering to write *that*...).

I've similarly wondered if the Gatesware equivalents (the personal
firewalls)
are capable of detecting outgoing accesses by things that aren't invoked
by the user...  probably not, and the corresponding vulnerability is
probably
there for Windoze systems as well, as I mentioned earlier...

The thing is, that sort of malicious code could be embedded in anything
you
install.  The only thing protecting you is the traceability of the code
and
concomitant liability of the perpetrator to prosecution.  Otherwise half
the
frustrated geeks in the world would be embedding their little projects
in
their employer's products.  I don't know about you, but that sort of
protection
doesn't make me feel secure in general - I want some sort of process
monitoring that can detect outgoing communication attempts.

The fact that it hasn't happened yet, doesn't reduce my paranoia one
bit.  Moreover,
the attitude of Linux people that they're somehow immune because of the
limited
distribution of Linux compared to the Gatesware installed base, is just
whistling in
the dark, cum laude.  From the responses I get in general, the general
attitude
seems to be to shrug it off because no one can do anything about it.

Again, you're right, though, that I'm too narrowly focused WRT the real
issue.
Maybe this discussion really belongs on a linux security list...

Thanks for your input -





Re: All these open ports

2004-08-25 Thread listcomm

On Mon, 23 Aug 2004 13:05:00 +0800, Katipo [EMAIL PROTECTED]
said:

 In any case, I've as yet been unable to find any way of getting
 detection and authorization of outgoing requests with any
 of the Linux firewalls, or with IPtables - although I can hardly say
 that
 I've thoroughly done my homework
 
 Even firestarter provides some degree of configurability in this respect.

It will block ports on an individual basis, if you can identify
them as needing to be blocked - but AFAIK the iptables script it sets
up,
defaults to forwarding all requests from internal processes.  (If I'm
wrong about that, or if there is some way to get it even to flag
outgoing
access attempts by newly spawned processes, I'd like to know about
it...)

 Asking in the right place helps.
 A number of people here would have the answers you're looking for, but 
 Debian has a firewall list.

Yes - I asked about that earlier.  I posted to the firewall list
earlier,
in fact, and got no response at all.  Additionally, there is a lot of
traffic on here other than my own, WRT firewall and iptables subjects.
I'll cross-post this to the firewall list, but I'm really getting the
impression it doesn't get used much...  maybe I'm wrong, but I'm signed
up on it and don't see as much traffic on there as I do about firewall
on the users list.


 It might be an idea to check out apps like tinyhoneypot amongst others, 
 also.

Thanks... I'll do that - it sounds like there's at least one area I
haven't
explored yet...


 (Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)
   
 
 Failing that, go run windows.

Why, thank you.  I needed that.  (But not to worry, I'm on my way out of
Billyworld permanently, one way or the other, difficulties
notwithstanding...)





Re: All these open ports

2004-08-25 Thread Mezig
[EMAIL PROTECTED] wrote:
On Mon, 23 Aug 2004 13:05:00 +0800, Katipo [EMAIL PROTECTED]
said:
 

In any case, I've as yet been unable to find any way of getting
detection and authorization of outgoing requests with any
of the Linux firewalls, or with IPtables - although I can hardly say
that
I've thoroughly done my homework
 

Even firestarter provides some degree of configurability in this respect.
   

It will block ports on an individual basis, if you can identify
them as needing to be blocked - but AFAIK the iptables script it sets
up,
defaults to forwarding all requests from internal processes.  (If I'm
wrong about that, or if there is some way to get it even to flag
outgoing
access attempts by newly spawned processes, I'd like to know about
it...)
 

Asking in the right place helps.
A number of people here would have the answers you're looking for, but 
Debian has a firewall list.
   

Yes - I asked about that earlier.  I posted to the firewall list
earlier,
in fact, and got no response at all.  Additionally, there is a lot of
traffic on here other than my own, WRT firewall and iptables subjects.
I'll cross-post this to the firewall list, but I'm really getting the
impression it doesn't get used much...  maybe I'm wrong, but I'm signed
up on it and don't see as much traffic on there as I do about firewall
on the users list.
 

It might be an idea to check out apps like tinyhoneypot amongst others, 
also.
   

Thanks... I'll do that - it sounds like there's at least one area I
haven't
explored yet...
 

(Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)
 

Failing that, go run windows.
   

Why, thank you.  I needed that.  (But not to worry, I'm on my way out of
Billyworld permanently, one way or the other, difficulties
notwithstanding...)
 

For a fast but supposedly secure FW, can't you use 'ShieldsUP' from the site
http://www.grc.com/ ? It closes all the ports under nux and win-sheet too 
:(! and is documented :) !

If it may have helped :) ?
Cheers
Mi




Re: All these open ports

2004-08-25 Thread Robert Vangel
ShieldsUP! isn't a firewall, it's just a service which port scans you and
tells you the results.

Mezig said:
 [EMAIL PROTECTED] wrote:

 For a fast but supposedly secure FW, can't you use 'ShieldsUP' from the site

 http://www.grc.com/ ? It closes all the ports under nux and win-sheet too
 :(! and is documented :) !

 If it may have help :) ?

 Sheers

 Mi







-- 
Robert Vangel
  * RedFlag LANfest
Network Services Management





Re: All these open ports

2004-08-23 Thread Travis Crump
[EMAIL PROTECTED] wrote:
If a port is open, and associated with a program which isn't from a
debian package and you don't believe you put it there yourself - its
time to consider the possibility your machine has been compromised.

Okay...  that gives me an opening to try this again.
At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
knee-jerk reaction, I will mention that the Gatesware-based firewall
packages (like Zone Alarm) will detect *outgoing* connection attempts
and query whether they are legitimate.
There has been some discussion on the net w/r/t the fact that apparently
the later (per)versions of Gatesware have some trojans embedded in the
OS, which will connect to Billsoft to report your social security
number, sexual preference, etc. etc. - the point being that (allegedly)
the
commercial firewall products can't detect such attempts to phone home.
In any case, I've as yet been unable to find any way of getting
detection and authorization of outgoing requests with any
of the Linux firewalls, or with IPtables - although I can hardly say
that
I've thoroughly done my homework - but I have asked here and there and
thus far no one seems to know.  The Paradigm seems to be that if
it's something that got spawned on your machine, and is trying to
connect
outward, it by definition must be legitimate, so it gets granted a port,
unless whatever port it is requesting is *already* explicitly blocked
by iptables or whatever for some reason.
So what exactly are you worried about?  A program uploading 
sensitive data to a random server?  Well the easiest way for a program 
to do that is to invoke sendmail to e-mail the information to the 
server. In which case the program never attempts to open a port, your 
m-t-a does. Your m-t-a opening a port is the most normal thing in the 
world.  Or if for some reason you don't have your m-t-a properly 
configured, it could invoke ssh or lynx or ...





Re: All these open ports

2004-08-22 Thread listcomm

 If a port is open, and associated with a program which isn't from a
 debian package and you don't believe you put it there yourself - its
 time to consider the possibility your machine has been compromised.

Okay...  that gives me an opening to try this again.

At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
knee-jerk reaction, I will mention that the Gatesware-based firewall
packages (like Zone Alarm) will detect *outgoing* connection attempts
and query whether they are legitimate.

There has been some discussion on the net w/r/t the fact that apparently
the later (per)versions of Gatesware have some trojans embedded in the
OS, which will connect to Billsoft to report your social security
number, sexual preference, etc. etc. - the point being that (allegedly)
the
commercial firewall products can't detect such attempts to phone home.

In any case, I've as yet been unable to find any way of getting
detection and authorization of outgoing requests with any
of the Linux firewalls, or with IPtables - although I can hardly say
that
I've thoroughly done my homework - but I have asked here and there and
thus far no one seems to know.  The Paradigm seems to be that if
it's something that got spawned on your machine, and is trying to
connect
outward, it by definition must be legitimate, so it gets granted a port,
unless whatever port it is requesting is *already* explicitly blocked
by iptables or whatever for some reason.

(Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)





Re: Firewall packages (was: All these open ports)

2004-08-22 Thread listcomm

 You could get something close to Zone Alarm (minus the application
 permissions stuff) with a very short iptables script which set the
 policies for INPUT and FORWARD to DROP, and OUTPUT to ACCEPT, and adding
 a couple of rules for allowing related and established connections on
 the INPUT chain.  I'm sure there are basic HOWTOs on this floating
 around - google for something like iptables introduction and you
 should find some good hits.

Actually, that's sort of what the firestarter (and probably the other
firewall packages?) does - it generates a control script with a bunch
of iptables entries.  And, you're right, there are plenty of sample
scripts, etc. available.

But thus far, it's the application permissions (and some of the logging)
that escapes me.  The problem is, I'm lazy and would rather find
something
already implemented, if possible.  But if no such thing exists, I'll
eventually hack something together.  (Which defines the real issue:  how
do I prove that no such thing exists?  Didn't Aristotle have something
to
say about that??)





Re: All these open ports

2004-08-22 Thread Katipo
[EMAIL PROTECTED] wrote:
If a port is open, and associated with a program which isn't from a
debian package and you don't believe you put it there yourself - its
time to consider the possibility your machine has been compromised.
   

Okay...  that gives me an opening to try this again.
 

snip
In any case, I've as yet been unable to find any way of getting
detection and authorization of outgoing requests with any
of the Linux firewalls, or with IPtables - although I can hardly say
that
I've thoroughly done my homework
Even firestarter provides some degree of configurability in this respect.
- but I have asked here and there and
thus far no one seems to know.
Asking in the right place helps.
A number of people here would have the answers you're looking for, but 
Debian has a firewall list.

 The Paradigm seems to be that if
it's something that got spawned on your machine, and is trying to
connect
outward, it by definition must be legitimate, so it gets granted a port,
unless whatever port it is requesting is *already* explicitly blocked
by iptables or whatever for some reason.
 

With Debian you can configure for literally any eventuality.
It might be an idea to check out apps like tinyhoneypot amongst others, 
also.

(Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)
 

Failing that, go run windows.
Regards,
David.



Re: All these open ports

2004-08-19 Thread Dana J. Laude
Jon Dowland wrote:
On Fri, 13 Aug 2004 21:56:17 -0400, Tong [EMAIL PROTECTED] wrote:
Hi,
I've just noticed that my debian testing open many ports by default:
How can I close them?

Firstly open up the rc file for your inetd (e.g. /etc/inetd.conf) and
comment out any lines you don't need. This should do (at least)
discard, echo, daytime.
Then, determine which programs are responsible for the remaining open
ports. Stop them from running and prevent them from starting by
default if necessary. How to do this varies on an
application-to-application basis; but can probably be forced by
removing the package in question (if you aren't using it at all) or
using update-rc.d (I think).
If a port is open, and associated with a program which isn't from a
debian package and you don't believe you put it there yourself - its
time to consider the possibility your machine has been compromised.
Or better yet, Jon should checkout the following link:
http://www.debian.org/doc/user-manuals#securing
The harden-doc is outdated except on unstable, so you're better 
off reading the online version at the above page.

Dana



Re: Firewall packages (was: All these open ports)

2004-08-18 Thread Paul Gear
[EMAIL PROTECTED] wrote:
 ...
 Thus far, I haven't been able to find anything that provides
 canned-up functionality of the nature of the Windows Zone Alarm,
 although I can probably overcome that by iptables scripting,
 whereas with the Windows firewalls you get whatever is there
 and have to live with it.

You could get something close to Zone Alarm (minus the application
permissions stuff) with a very short iptables script which set the
policies for INPUT and FORWARD to DROP, and OUTPUT to ACCEPT, and adding
a couple of rules for allowing related and established connections on
the INPUT chain.  I'm sure there are basic HOWTOs on this floating
around - google for something like iptables introduction and you
should find some good hits.

-- 
Paul
http://paulgear.webhop.net
--
Did you know?  If you use two dashes followed by a space as your
signature separator, good email programs will chop them off
automatically, reducing noise in email replies.
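The two iptables layouts this thread describes, Paul Gear's inbound-only default deny above and Frederik Dannemare's "policy drop for outgoing" with the FTP connection-tracking helper, as one added example script (not code from either poster or from any Debian package). It assumes ssh is the only inbound service and DNS, FTP, ssh, http and https the only wanted outbound ones, and that the kernel has the xt_CT target; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Two iptables layouts discussed above:
#   ingress_only_firewall - inbound closed by default, outbound open
#   egress_default_deny   - outbound also closed by default, with an explicit
#                           allow list and connection tracking for passive FTP
# DRY_RUN=1 prints the commands instead of running them (no root needed).

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Paul Gear's layout: policies DROP/DROP/ACCEPT plus RELATED,ESTABLISHED on INPUT.
ingress_only_firewall() {
    run iptables -F
    run iptables -t raw -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Inbound services you actually run; ssh is the assumed example here.
    run iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Frederik Dannemare's suggestion: start from the layout above, then set
# policy DROP on OUTPUT and allow only what is needed. New outbound
# connections that match nothing are logged (with the owning uid) and then
# dropped by the policy, so attempts show up in the kernel log after the fact
# rather than as an interactive prompt.
egress_default_deny() {
    ingress_only_firewall
    # FTP helper: ip_conntrack_ftp is the 2.4/2.6-era name, nf_conntrack_ftp
    # the current one. Whichever loads is fine.
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
    # Current kernels no longer attach helpers automatically; bind the helper
    # to the control connection so the passive data connection becomes RELATED.
    run iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

    run iptables -P OUTPUT DROP
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Assumed allow list: DNS, FTP control, ssh, http, https. No high-port to
    # high-port ACCEPT rule is needed; the FTP data channel is accepted as RELATED.
    run iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -p tcp -m multiport --dports 21,22,80,443 \
        -m state --state NEW -j ACCEPT
    # Everything else that tries to open a new connection is logged, then
    # dropped by the policy. Search the kernel log for "egress-denied".
    run iptables -A OUTPUT -m state --state NEW -j LOG \
        --log-prefix "egress-denied: " --log-uid
}

case "${1:-}" in
    ingress) ingress_only_firewall ;;
    egress)  egress_default_deny ;;
    *) echo "usage: $0 ingress|egress   (DRY_RUN=1 to preview)" >&2 ;;
esac
```

Log entries carry the uid of the socket owner, not the PID, so pairing them with the process that made the attempt still takes a look at the process list.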





Re: All these open ports

2004-08-18 Thread Mike Ward
Generally speaking, to close a port, you shut down whatever daemon is
listening on it. For example, if you had port 80 open, and want to
close it, shut down your web server (apache or whatever else).

Same with ssh - to close that port, shut down sshd.

On Fri, 13 Aug 2004 21:56:17 -0400, Tong [EMAIL PROTECTED] wrote:
 Hi,
 
 I've just noticed that my debian testing open many ports by default:
 
 tcp0  0 *:dict  *:* LISTEN
 tcp0  0 *:time  *:* LISTEN
 tcp0  0 *:discard   *:* LISTEN
 tcp0  0 *:682   *:* LISTEN
 tcp0  0 *:daytime   *:* LISTEN
 tcp0  0 *:sunrpc*:* LISTEN
 tcp0  0 *:www   *:* LISTEN
 tcp0  0 *:x11-1 *:* LISTEN
 tcp0  0 *:auth  *:* LISTEN
 tcp0  0 *:ssh   *:* LISTEN
 tcp0  0 cxmr.dyndns.org:8118*:* LISTEN
 tcp0  0 cxmr.dyndns.org:822 *:* LISTEN
 tcp0  0 *:ipp   *:* LISTEN
 tcp0  0 *:3128  *:* LISTEN
 
 udp0  0 *:discard   *:*
 udp0  0 *:676   *:*
 udp0  0 *:679   *:*
 udp0  0 *:icpv2 *:*
 udp0  0 *:bootpc*:*
 udp0  0 *:sunrpc*:*
 udp0  0 *:ipp   *:*
 
 How can I close them?
 
 Thanks
 






Re: All these open ports

2004-08-18 Thread Jon Dowland
On Fri, 13 Aug 2004 21:56:17 -0400, Tong [EMAIL PROTECTED] wrote:
 Hi,
 
 I've just noticed that my debian testing open many ports by default:
 
 How can I close them?

Firstly open up the rc file for your inetd (e.g. /etc/inetd.conf) and
comment out any lines you don't need. This should do (at least)
discard, echo, daytime.

Then, determine which programs are responsible for the remaining open
ports. Stop them from running and prevent them from starting by
default if necessary. How to do this varies on an
application-to-application basis; but can probably be forced by
removing the package in question (if you aren't using it at all) or
using update-rc.d (I think).

If a port is open, and associated with a program which isn't from a
debian package and you don't believe you put it there yourself - its
time to consider the possibility your machine has been compromised.

-- 
Jon Dowland
[EMAIL PROTECTED]





Re: Firewall packages (was: All these open ports)

2004-08-17 Thread listcomm
 There are other available packages:
 I use FireHOL

I used to use iptables + wondershaper in RH. I notice there are many
ready-made firewall packages available in Debian. I'm wondering which one
is recommended (ease of use/updated frequently, etc)? 

So am I, but I don't think this is the right place to ask.
It seems like most people here just hack iptables directly.

There's also a Debian firewall mailing list, but I posted
something there and got no replies, so I'm not sure it's used
very much.

If you do a web search for debian firewall you'll probably find
any number of other sites with firewall related forums where you
can ask that question (I think there's one on the sourceforge site).

I just loaded Firestarter because it seemed to be trendy firewall
of the week, so maybe I'd be able to get support for it.  But I could
be wrong about both of those things...  In any case, it doesn't provide
all the functionality I want, and I expect to have to hack its
iptables infrastructure (actually, being able to get at the iptables
commands it uses as a foundation is a plus).

Thus far, I haven't been able to find anything that provides
canned-up functionality of the nature of the Windows Zone Alarm,
although I can probably overcome that by iptables scripting,
whereas with the Windows firewalls you get whatever is there
and have to live with it.





Re: All these open ports

2004-08-14 Thread Andreas Janssen
Hello

Tong ([EMAIL PROTECTED]) wrote:

 I've just noticed that my debian testing open many ports by default:

Some of them are opened by inetd. You can use dpkg-reconfigure inetd,
or edit /etc/inetd.conf and comment out the protocols you don't need.
After that, restart inetd.

 tcp0  0 *:www   *:*   LISTEN

This is a web server, maybe apache. It probably runs in standalone mode.
If you don't need it, deinstall it. You can also bind it to some or
several IPs like Cups or ssh.

 tcp0  0 *:x11-1 *:*   LISTEN

Check your login manager. Maybe it opens a port. Look for Xservers files
on your system. If you use kdm, open /etc/kde3/kdm/Xservers, and change
all the lines like this:

original:
:0 [EMAIL PROTECTED] /usr/X11R6/bin/X vt7

changed:
:0 [EMAIL PROTECTED] /usr/X11R6/bin/X -nolisten tcp vt7

 tcp0  0 *:auth  *:*LISTEN

Some identd, like oidentd or pidentd. Probably run from inetd, and
pretty harmless. You may need this one for some IRC networks. If you
don't need it, deinstall it. 

 tcp0  0 *:ssh   *:*LISTEN

Well, you should know what this is. You can configure ssh to listen only
to selected IPs, e.g. those of your LAN interface, if you want. Check
the sshd_config man page.

 tcp0  0 *:ipp   *:*LISTEN

Probably Cups printing. If you only use the printer on the computer Cups
runs on, open /etc/cups/cupsd.conf, replace Port 631 by 
Listen 127.0.0.1:631 and restart Cups.

 udp0  0 *:ipp   *:*

Again Cups, this time browsing for network printers. If you don't need
this, change Browsing On to Browsing Off in /etc/cups/cupsd.conf.

best regards
Andreas Janssen

-- 
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps.html
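The CUPS and inetd changes described in this reply, as an added shell example that is not part of the thread: it applies the edits to copies of the files and reports what is left listening, so the result can be checked before the real files under /etc are touched. File contents are constructed samples; the "ident" entry is a made-up inetd line.

```shell
#!/bin/sh
# Added example, not code from the thread. It applies the two changes
# Andreas Janssen gives (CUPS on loopback only with browsing off, unneeded
# inetd services commented out) and then shows what remains enabled.

# "Port 631" becomes "Listen 127.0.0.1:631", "Browsing On" becomes "Browsing Off".
harden_cupsd_conf() {
    sed -e 's/^[[:space:]]*Port[[:space:]]*631[[:space:]]*$/Listen 127.0.0.1:631/' \
        -e 's/^[[:space:]]*Browsing[[:space:]]*On[[:space:]]*$/Browsing Off/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Addresses (or bare ports) CUPS will bind: the Listen and Port directives.
cups_listeners() {
    awk '/^[[:space:]]*(Listen|Port)[[:space:]]/ { print $2 }' "$1"
}

# Comment out every inetd.conf entry for the given services (this catches
# both the tcp and the udp line of e.g. discard). Restart inetd afterwards.
disable_inetd_services() {
    f="$1"; shift
    for svc in "$@"; do
        sed -e "s/^\\($svc[[:space:]]\\)/#\\1/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Service names that remain enabled (uncommented, non-empty lines).
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Stand-alone demonstration on constructed copies of the two files.
demo() {
    d=$(mktemp -d)
    printf 'Port 631\nBrowsing On\n' > "$d/cupsd.conf"
    printf 'discard\tstream\ttcp\tnowait\troot\tinternal\n' > "$d/inetd.conf"
    printf 'discard\tdgram\tudp\twait\troot\tinternal\n' >> "$d/inetd.conf"
    printf 'daytime\tstream\ttcp\tnowait\troot\tinternal\n' >> "$d/inetd.conf"
    printf 'ident\tstream\ttcp\tnowait\tidentd\t/usr/sbin/identd\n' >> "$d/inetd.conf"
    harden_cupsd_conf "$d/cupsd.conf"
    disable_inetd_services "$d/inetd.conf" discard daytime time
    echo "cups listens on: $(cups_listeners "$d/cupsd.conf")"
    echo "inetd still serves: $(active_inetd_services "$d/inetd.conf" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```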





Re: All these open ports

2004-08-14 Thread Jerome BENOIT

[EMAIL PROTECTED] wrote:
I've just noticed that my debian testing open many ports by default:
tcp0  0 *:dict  *:* LISTEN
tcp0  0 *:time  *:* LISTEN
tcp0  0 *:discard   *:* LISTEN
tcp0  0 *:682   *:* LISTEN 

I'm curious which utility produced that listing; I haven't seen lsof
produce that - ?

Buy a firewall or set up iptables.

You can just load the Firestarter package; it will allow you to block
ports (via a generated iptables script).
There are other available packages:
I use FireHOL





Re: All these open ports

2004-08-14 Thread Tong
On Fri, 13 Aug 2004 23:55:46 -0600, s. keeling wrote:

 Incoming from [EMAIL PROTECTED]:
 
 I've just noticed that my debian testing open many ports by default:
 
 tcp0  0 *:dict  *:* LISTEN
 
 I'm curious which utility produced that listing; I haven't seen lsof
 produce that - ?
 
 That would be /bin/netstat -tnupl or something like that.

Yeah, I just used 

netstat -a







Firewall packages (was: All these open ports)

2004-08-14 Thread Tong
On Sat, 14 Aug 2004 11:07:58 +0200, Jerome BENOIT wrote:

Buy a firewall or set up iptables.
 
 You can just load the Firestarter package; it will allow you to block
 ports (via a generated iptables script).
 
 There are other available packages:
 I use FireHOL

I used to use iptables + wondershaper in RH. I notice there are many
ready-made firewall packages available in Debian. I'm wondering which one
is recommended (ease of use/updated frequently, etc)? 







All these open ports

2004-08-13 Thread Tong
Hi, 

I've just noticed that my debian testing open many ports by default: 

tcp        0      0 *:dict                  *:*                     LISTEN
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 *:discard               *:*                     LISTEN
tcp        0      0 *:682                   *:*                     LISTEN
tcp        0      0 *:daytime               *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:x11-1                 *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 cxmr.dyndns.org:8118    *:*                     LISTEN
tcp        0      0 cxmr.dyndns.org:822     *:*                     LISTEN
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 *:3128                  *:*                     LISTEN

udp        0      0 *:discard               *:*
udp        0      0 *:676                   *:*
udp        0      0 *:679                   *:*
udp        0      0 *:icpv2                 *:*
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 *:ipp                   *:*

How can I close them? 

Thanks







Re: All these open ports

2004-08-13 Thread Stefan O'Rear
On Fri, Aug 13, 2004 at 09:56:17PM -0400, Tong wrote:
 Hi, 
 
 I've just noticed that my debian testing open many ports by default: 

Uninstall the respective services. Or, use a firewalling system
(dedicated firewall, iptables, etc...)

To find out what service uses what port:

stefan:~$ sudo lsof -i tcp:www  # substitute your port name/number
Password:
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
apache  221 root   16u  IPv4    173      TCP *:www (LISTEN)
apache  629 root   16u  IPv4    173      TCP *:www (LISTEN)
apache  630 root   16u  IPv4    173      TCP *:www (LISTEN)
apache  631 root   16u  IPv4    173      TCP *:www (LISTEN)
apache  632 root   16u  IPv4    173      TCP *:www (LISTEN)
apache  633 root   16u  IPv4    173      TCP *:www (LISTEN)

 How can I close them? 

Buy a firewall or set up iptables.

I'm sure you want to be able to print/see graphics/ssh in.

Note that some services have options to use UNIX-domain sockets
exclusively, such as the X-server (look for -nolisten tcp, etc).

You probably don't use all of these:
  Webserver? If no, no apache.
  Dict Server? Disable. The client uses dict.org, not localhost.
  XServer? If you don't use the windowing system, get rid of it (note:
  _not_ using it is rare, GNOME/KDE require it)
  SSH?
  CUPS? (network printing)

As for discard/time/daytime, you need to comment out lines in your
/etc/inetd.conf (but how can you exploit a service whose purpose is to
discard everything you throw at it?)

I share a LAN with my parent's Windoze boxes, and my LAN is already
firewalled, so I didn't worry much about this...
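The port-to-program mapping in this reply (lsof -i tcp:www) and Jon Dowland's advice earlier in the thread to check whether the program behind each listener comes from a Debian package, as one added shell example that is not part of the thread. It parses `netstat -tnupl` output (the form s. keeling mentions) and uses `dpkg -S` for the ownership check; the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists sockets listening on
# non-loopback addresses, names the program behind each one, and checks
# whether that program's binary belongs to an installed Debian package.
# Input is `netstat -tnupl` output, run as root so the PID/Program column
# is filled in. The sample below is constructed for offline use.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      221/apache
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      309/cupsd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      777/squid
tcp6       0      0 :::22                   :::*                    LISTEN      412/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           155/dhclient'

# Print "proto port pid program" for each listener reachable from the
# network; loopback-only listeners (cupsd above) are skipped.
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)/ && $NF ~ /^[0-9]+\// {
            if ($4 ~ /^127\./ || $4 ~ /^::1:/) next
            n = split($4, a, ":"); split($NF, p, "/")
            print $1, a[n], p[1], p[2]
        }'
}

# The "lsof -i tcp:www" question in parsed form: which program owns a port?
owner_of_port() {
    listening_sockets "$1" | awk -v port="$2" '$2 == port { print $4 }' | sort -u
}

# Debian package owning a running process's executable. Prints "unknown" if
# the process is gone or dpkg is absent, and "NOT-FROM-A-PACKAGE" when dpkg
# knows no owner, which is the case the thread says to look at closely.
package_for_pid() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo unknown; return 0; }
    command -v dpkg >/dev/null 2>&1 || { echo unknown; return 0; }
    pkg=$(dpkg -S "$exe" 2>/dev/null | head -n 1 | cut -d: -f1)
    echo "${pkg:-NOT-FROM-A-PACKAGE}"
}

audit_listeners() {
    listening_sockets "$1" | while read -r proto port pid prog; do
        printf '%-5s %-6s %-10s package=%s\n' "$proto" "$port" "$prog" "$(package_for_pid "$pid")"
    done
}

# Stand-alone run on the sample; for a live audit run, as root:
#   audit_listeners "$(netstat -tnupl 2>/dev/null)"
audit_listeners "$SAMPLE_NETSTAT"
```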





Re: All these open ports

2004-08-13 Thread listcomm

I've just noticed that my debian testing open many ports by default:

tcp0  0 *:dict  *:* LISTEN
tcp0  0 *:time  *:* LISTEN
tcp0  0 *:discard   *:* LISTEN
tcp0  0 *:682   *:* LISTEN 

I'm curious which utility produced that listing; I haven't seen lsof
produce that - ?

 Buy a firewall or set up iptables.

You can just load the Firestarter package; it will allow you to block
ports (via a generated iptables script).





Re: All these open ports

2004-08-13 Thread s. keeling
Incoming from [EMAIL PROTECTED]:
 
 I've just noticed that my debian testing open many ports by default:
 
 tcp0  0 *:dict  *:* LISTEN
 
 I'm curious which utility produced that listing; I haven't seen lsof
 produce that - ?

That would be /bin/netstat -tnupl or something like that.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -

