This is a discussion on "open ports question (nmap scan)" within the Linux Security forums, part of the System Security and Security Related category.
I am a newbie at linux security, could use some mentoring on a basic
question-- what do some of the open ports (services) below (from running nmap) belong to (i.e. are they valid or should they be closed somehow and if so HOW?). I understand ssh and ipp, but I have no idea what sunrpc, hp-alarm-mgr, unknown (self explanatory I guess, but should it be kept open?), and snet-sensor-mgmt are. This is a home office PC with a LAN and Linksys router. Running Mandrake Linux 9.2. I do use SSH so I want that open.

Related to this, if a port like 22 must be open for SSH, wouldn't a cracker know to use that port, what would stop a cracker from getting in through that or any other open port?

    # nmap localhost

    Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2005-07-17 16:55 CDT
    Interesting ports on localhost (127.0.0.1):
    (The 1638 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    111/tcp    open        sunrpc
    631/tcp    open        ipp
    783/tcp    open        hp-alarm-mgr
    826/tcp    open        unknown
    10000/tcp  open        snet-sensor-mgmt

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.340 seconds
On 2005-07-17, Proteus <nospam@nowhere.net> wrote:

> I am a newbie at linux security, could use some mentoring on a basic
> question-- what do some of the open ports (services) below (from running
> nmap) belong to (i.e. are they valid or should they be closed somehow and if
> so HOW?). I understand ssh and ipp, but I have no idea what sunrpc,
> hp-alarm-mgr, unknown (self explanatory I guess, but should it be kept
> open?), and snet-sensor-mgmt are. This is a home office PC with a LAN and
> Linksys router. Running Mandrake Linux 9.2. I do use SSH so I want that
> open.

If you don't know what the port is open for, you may as well shut it down. If that breaks something, re-enable it and check the program that broke to make sure you've secured it properly.

> Related to this, if a port like 22 must be open for SSH, wouldn't a cracker
> know to use that port, what would stop a cracker from getting in through
> that or any other open port?

There are a number of ways to secure open ports without disabling the services behind them. First, make sure you stay up to date on those services by tracking the security lists. Maintain a secure password policy -- no dictionary words, enforce password expiration, etc. Some programs, e.g. sshd, can be configured to only accept connections for certain users, or to use keys instead of passwords. This severely restricts what a cracker can do. Use tcp-wrappers and xinetd where possible to restrict IP addresses from which connections can be made. Use iptables to configure your firewall.

-- 
John (john@os2.dhs.org)
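John's sshd and tcp-wrappers advice is a configuration question, so here is an added check script for it. It is not from this thread or from OpenSSH: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and reports the three settings John names, then checks hosts.deny for the tcp-wrappers default-deny line. The file paths, the user name proteus and the constructed sample config are assumptions; on the box you would run it as `sh audit_ssh.sh /etc/ssh/sshd_config /etc/hosts.deny`.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config and tcp-wrappers for
# the settings John recommends.
# Usage: sh audit_ssh.sh [sshd_config] [hosts.deny]
# Without arguments it audits a constructed weak sample (below).

# Effective value of an sshd_config keyword.  sshd honours the FIRST
# occurrence of a keyword, so a hardened line appended at the end of the
# file has no effect if a weaker one precedes it; this mirrors that rule.
sshd_opt() {    # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per weak setting and return the number found (0 = pass).
audit_sshd_config() {   # $1 = path to sshd_config
    cfg=$1
    findings=0
    # OpenSSH's built-in default for PasswordAuthentication is "yes", and
    # PermitRootLogin also defaulted to "yes" on the OpenSSH versions of
    # that era, so an absent keyword counts as weak.
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "WEAK: PasswordAuthentication=${pw:-unset}; set 'no' and log in with keys"
        findings=$((findings + 1))
    fi
    root=$(sshd_opt "$cfg" PermitRootLogin)
    if [ "${root:-yes}" != "no" ]; then
        echo "WEAK: PermitRootLogin=${root:-unset}; set 'no' and use su/sudo after login"
        findings=$((findings + 1))
    fi
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ]; then
        echo "WEAK: no AllowUsers line; every local account can be brute-forced over SSH"
        findings=$((findings + 1))
    fi
    return $findings
}

# tcp-wrappers: the safe pattern is "ALL: ALL" in hosts.deny, with the
# permitted sources listed in hosts.allow.  Returns 0 if the default-deny
# line is present and uncommented, 1 otherwise.
wrappers_default_deny() {   # $1 = path to hosts.deny
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

if [ $# -ge 1 ]; then
    audit_sshd_config "$1" || true
    rc=$?
    if [ $# -ge 2 ]; then
        wrappers_default_deny "$2" || { echo "WEAK: $2 has no 'ALL: ALL' default-deny line"; rc=$((rc + 1)); }
    fi
    exit $rc
fi

# Constructed sample resembling a stock sshd_config of the time: the
# keywords are present but commented out, so the defaults apply.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
echo "Auditing constructed sample:"
audit_sshd_config "$sample" || echo "$? weak setting(s); a hardened file would read:"
printf '%s\n' "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes" "AllowUsers proteus"
rm -f "$sample"
```

After editing sshd_config, run `sshd -t` to syntax-check it and restart sshd from a second terminal while keeping the existing session open, so a mistake cannot lock you out. AllowUsers takes `user@host` patterns as well, which is a second way to pin SSH to the LAN alongside tcp-wrappers.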
John Thompson wrote:
> On 2005-07-17, Proteus <nospam@nowhere.net> wrote:
>
>> I am a newbie at linux security, could use some mentoring on a basic
>> question-- what do some of the open ports (services) below (from running
>> nmap) belong to (i.e. are they valid or should they be closed somehow and
>> if so HOW?). I understand ssh and ipp, but I have no idea what sunrpc,
>> hp-alarm-mgr, unknown (self explanatory I guess, but should it be kept
>> open?), and snet-sensor-mgmt are. This is a home office PC with a LAN and
>> Linksys router. Running Mandrake Linux 9.2. I do use SSH so I want that
>> open.
>
> If you don't know what the port is open for, you may as well shut it down.
> If that breaks something, re-enable it and check the program that broke
> to make sure you've secured it properly.
>
>> Related to this, if a port like 22 must be open for SSH, wouldn't a
>> cracker know to use that port, what would stop a cracker from getting in
>> through that or any other open port?
>
> There are a number of ways to secure open ports without disabling the
> services behind them. First, make sure you stay up to date on those
> services by tracking the security lists. Maintain a secure password
> policy -- no dictionary words, enforce password expiration, etc. Some
> programs, e.g. sshd, can be configured to only accept connections for
> certain users, or to use keys instead of passwords. This severely restricts
> what a cracker can do. Use tcp-wrappers and xinetd where possible to
> restrict IP addresses from which connections can be made. Use iptables to
> configure your firewall.

But how would I shut down those ports? Do I need to learn iptables and manually shut them down?
On Mon, 18 Jul 2005 08:54:04 -0500, Proteus <nospam@nowhere.net> wrote:

> But how would I shut down those ports? Do I need to learn iptables and
> manually shut them down?

You can use iptables to restrict access to ports; or "netstat -lp" to find which processes are listening on those ports, and then you can kill the processes; or, if the listening process is inetd or xinetd, modify its configuration and restart it.

-- 
Tonight you will pay the wages of sin; Don't forget to leave a tip.
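The "netstat -lp" step is the one that actually answers the original question, because nmap's Service column is only a lookup in its port-name table, not an identification of the program listening (nmap 3.30 has no version detection); "hp-alarm-mgr" on 783 and "snet-sensor-mgmt" on 10000 are just the names registered for those numbers, and on a Mandrake box of that time they are commonly spamd and Webmin, but only the host itself can say. The added script below is not from the thread: it parses `netstat -lnp` output (run as root, otherwise the PID/Program column is blank) and, for each listener, reports the process and whether the socket is bound to loopback only or to every interface. That distinction matters because `nmap localhost` scans the loopback interface, so a CUPS bound to 127.0.0.1 shows as open there while being unreachable from the LAN. The sample netstat output, PIDs and program names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: map listening ports to the process
# behind them from "netstat -lnp" output and flag which are reachable from
# other hosts.  Usage: sh listeners.sh --live   (as root)
# Without --live it parses the constructed sample below.

# Read netstat -lnp output on stdin; print "proto port exposure pid/program".
# exposure is "loopback-only" for sockets bound to 127.x or ::1 (nmap
# localhost reports them open, but no other host can reach them),
# "all-interfaces" for 0.0.0.0, :: or *, otherwise the bound address.
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /:/ {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1")                      expo = "loopback-only"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*") expo = "all-interfaces"
        else                                                        expo = addr
        prog = ($NF ~ /\//) ? $NF : "-"     # "-" when netstat could not see the PID (not root)
        printf "%s %s %s %s\n", $1, port, expo, prog
    }'
}

# PID/program owning a given TCP port, from the same input on stdin.
port_owner() {   # $1 = port number
    listeners | awk -v p="$1" '$1 ~ /^tcp/ && $2 == p { print $4; exit }'
}

# Constructed sample in netstat -lnp layout covering some of the ports in
# the original post; the PIDs and program names are invented.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1043/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      990/sshd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1201/perl
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/portmap'

if [ "${1:-}" = "--live" ]; then
    netstat -lnp | listeners
else
    printf '%s\n' "$SAMPLE" | listeners
fi
```

When the program name is something generic like perl or python, the netstat column tells you the interpreter, not the service; `ps -p <pid> -o args` (or `cat /proc/<pid>/cmdline`) shows the script it is running, and `rpm -qf` on that path shows which package installed it, which is what you need before deciding whether to uninstall it or just stop it. On current distributions `ss -ltnp` gives the same information as `netstat -lnp`.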
John Thompson wrote:
...
> There are a number of ways to secure open ports without disabling the
> services behind them....

Is there a command line command that can close a single port, just for the current session, like 'somecommand port_to_close' so I could close down a suspected port from 'nmap localhost' that might not appear critical to have open (and might be suspect)?
On Mon, 18 Jul 2005 08:54:04 -0500, Proteus wrote:

> But how would I shut down those ports? Do I need to learn iptables and
> manually shut them down?

Use a BASH script like this:

    #!/bin/bash
    # Must be run by root
    #@(#) 24 APR 2005

    # LOGDROP: a user-defined chain that logs the packet (syslog level 4,
    # warning) and then drops it
    /usr/sbin/iptables -N LOGDROP
    /usr/sbin/iptables -A LOGDROP -j LOG --log-level 4
    /usr/sbin/iptables -A LOGDROP -j DROP

    # FTP DATA
    /usr/sbin/iptables -A INPUT -p TCP --dport 20 -j LOGDROP
    /usr/sbin/iptables -A INPUT -p UDP --dport 20 -j LOGDROP
    # FTP CONTROL
    /usr/sbin/iptables -A INPUT -p TCP --dport 21 -j LOGDROP
    /usr/sbin/iptables -A INPUT -p UDP --dport 21 -j LOGDROP
    # SMTP
    /usr/sbin/iptables -A INPUT -p TCP --dport 25 -j DROP
    /usr/sbin/iptables -A INPUT -p UDP --dport 25 -j DROP
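The script above is a block-list: every port to be closed has to be named, so a daemon that appears later (or one you have not identified yet, like 826 in the scan) stays reachable until someone adds a line for it. The usual practitioner approach is the inverse, a default-deny INPUT policy with a short allow-list. The added script below, not from the thread, emits such a ruleset in `iptables-restore` format and loads it only when run with APPLY=1 as root; otherwise it just prints it so you can read it first. The LAN prefix 192.168.1.0/24 is an assumption (a common Linksys default), as is the choice to allow only SSH; loopback stays open so a CUPS bound to 127.0.0.1 keeps working. It also includes the single-port, session-only command Proteus asks about further down the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny INPUT ruleset in
# iptables-restore format.  Everything not explicitly allowed is logged and
# dropped, so the "unknown" ports from the nmap scan are closed to the LAN
# whether or not you have identified them yet.
# Usage: sh fw.sh [lan_cidr] [tcp_port ...]          -> prints the ruleset
#        APPLY=1 sh fw.sh [lan_cidr] [tcp_port ...]  -> loads it (as root)

valid_port() {   # 1..65535, digits only
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset.  $1 = CIDR allowed to reach the listed TCP ports,
# remaining args = TCP ports opened to that CIDR.  Everything else is dropped.
gen_rules() {
    lan=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default-deny inbound
    echo ':FORWARD DROP [0:0]'      # this host is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':LOGDROP - [0:0]'
    echo '-A LOGDROP -j LOG --log-level 4 --log-prefix "fw drop: "'
    echo '-A LOGDROP -j DROP'
    echo '-A INPUT -i lo -j ACCEPT'                                  # local-only services (CUPS on 127.0.0.1 etc.)
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'   # replies to connections this host opened
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        echo "-A INPUT -p tcp -s $lan --dport $p -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -j LOGDROP'                                       # everything else: log, then drop
    echo 'COMMIT'
}

# The "close one port right now" command asked for later in the thread:
# inserted at the top of INPUT so it wins over any ACCEPT below it, and gone
# at reboot unless the rules are saved.  Prints the command; runs it only
# with APPLY=1.
block_port_now() {   # $1 = tcp port
    valid_port "$1" || return 1
    cmd="iptables -I INPUT -p tcp --dport $1 -j DROP"
    echo "$cmd"
    [ "${APPLY:-0}" = 1 ] && $cmd
    return 0
}

LAN=${1:-192.168.1.0/24}
[ $# -ge 1 ] && shift
[ $# -ge 1 ] || set -- 22     # default: SSH only
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$LAN" "$@" | iptables-restore
else
    gen_rules "$LAN" "$@"
fi
```

Load it from the console, not over SSH, the first time: if the LAN prefix is wrong, the ESTABLISHED rule keeps your current session alive but the next login is dropped. Keep `-j LOGDROP` last; a logged drop of port 826 or 10000 in /var/log/messages then tells you which remote hosts are actually asking for those services, which is the evidence you want before deciding whether to keep them.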
In article <eyACe.19$xR1.12@fe04.lga>, Proteus <nospam@nowhere.net> wrote:

> 111/tcp open sunrpc

This port is used for RPC, which is the transport for NIS and NFS. I don't think anything else needs RPC, so if you're not using NIS or NFS, you should be able to turn this off.

> 631/tcp open ipp

This is the Web server for CUPS management.
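Turning portmap off is the cleanest fix for 111, and it usually takes 826 with it, since RPC services such as rpc.statd register on an arbitrary high port and show up in nmap as "unknown" (confirm with `rpcinfo -p` before and after). The added script below is not from the thread: it stops and disables a service with the Red Hat-style `service` and `chkconfig` tools that Mandrake 9.2 ships (only when run with APPLY=1 as root), and then shows how to prove the change worked by parsing two nmap scans and listing the ports open before that are closed after. The scan text is the one from the original post plus a constructed "after" scan. Take the real scans from another machine on the LAN (`nmap <ip-of-this-box>`), not with `nmap localhost`, so you measure what the LAN can see.

```shell
#!/bin/sh
# Added example, not from the thread: turn off a service you have decided
# you do not need (portmap, if there is no NFS or NIS), then prove the port
# is gone by diffing an nmap scan taken before against one taken after.
# "service"/"chkconfig" are the init tools Mandrake 9.2 ships; they only run
# with APPLY=1.  Usage: sh closeport.sh   (prints the worked sample)

# Ports reported open in nmap's normal output on stdin, as "port/proto".
nmap_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ { print $1 }'
}

# Ports open in scan file $1 that are no longer open in scan file $2.
ports_closed_between() {
    after=$(mktemp)
    nmap_open_ports < "$2" | sort > "$after"
    nmap_open_ports < "$1" | sort | comm -23 - "$after"
    rm -f "$after"
}

# Stop a service now and keep it from starting at boot.
disable_service() {   # $1 = init script name, e.g. portmap
    if [ "${APPLY:-0}" = 1 ]; then
        service "$1" stop && chkconfig "$1" off
    else
        echo "would run: service $1 stop && chkconfig $1 off (set APPLY=1)"
    fi
}

# Constructed scans: "before" is the output from the original post, "after"
# is what the same scan would show once portmap and its RPC helper are gone.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2005-07-17 16:55 CDT
Interesting ports on localhost (127.0.0.1):
(The 1638 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
631/tcp    open        ipp
783/tcp    open        hp-alarm-mgr
826/tcp    open        unknown
10000/tcp  open        snet-sensor-mgmt
EOF
cat > "$AFTER" <<'EOF'
Port       State       Service
22/tcp     open        ssh
631/tcp    open        ipp
783/tcp    open        hp-alarm-mgr
10000/tcp  open        snet-sensor-mgmt
EOF

disable_service portmap
echo "Ports closed between the two scans:"
ports_closed_between "$BEFORE" "$AFTER"
rm -f "$BEFORE" "$AFTER"
```

Run the diff the other way round (`ports_closed_between after before`) as well; anything it prints is a port that opened while you were working, which is what you want to notice after installing or restarting packages.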
Lawrence D'Oliveiro wrote:
> In article <eyACe.19$xR1.12@fe04.lga>, Proteus <nospam@nowhere.net>
> wrote:
>
>> 111/tcp open sunrpc
>
> This port is used for RPC, which is the transport for NIS and NFS. I
> don't think anything else needs RPC, so if you're not using NIS or NFS,
> you should be able to turn this off.
>
>> 631/tcp open ipp
>
> This is the Web server for CUPS management.

Uh... actually it's the port for CUPS, be that web or remote printer access/browsing/etc.