[NCLUG] Closing ports

dobbster dobbster at dobbster.com
Sun Apr 22 09:48:56 MDT 2001


> Commenting out a given service name in /etc/services does
> NOTHING to stop it from running -- /etc/services is just a
> 'phonebook' allowing for looking up the ports used by a given
> service IF it is not already known.  Just as you do not need
> to look up your home phone number every time you make a call
> home, the portmap binary 'knows' where it is going to ...
> 
> Commenting out in /etc/services has NO EFFECT.

That's what I figured.  I understand /etc/services to be just a look-up table
for converting services to ports.

> -------------------------
> Stopping the portmapper --
> 
> You do not mention if you are running a Slack or a RH
> (BSD-type or SysV-type initscripts) distribution.  In either
> case, this should work:
> 
>    mv /usr/sbin/portmap  /usr/sbin/portmap-hold
> 
> ... that is we move the portmap binary away from its usual
> location, and the service will not start.  This is a hackish
> solution, but should work.
> 
> In a host exposed on the public internet, it is much better
> to formally remove the package and its ancillaries, along
> with the YP utilities, and R services, and so forth.  A
> discussion of this moves to formal hardening and is beyond the
> scope of your question.

This is actually a RH 6.x system, but I have observed the same thing on a MDK7.1
system.  NFS, NIS, and portmapper have been disabled via linuxconf, but the
packages still exist on the system.  They're definitely not running, although I
did move the binary elsewhere just to be safe.

What I don't understand is why the ports are still open.  For example, nmap
shows that 143 (imap) is still open, but imap is disabled via /etc/inetd.conf. 
It also shows 6667 (ircd) as open, but I don't have an irc server package on the
system at all.  Same with 1080 (socks).

This machine has been connected to the Internet for over a year, but I don't
think it's ever been compromised.  It doesn't seem as if anyone ever
successfully connects to the ports; they just scan over them.

Does the kernel itself listen to some ports?

Thanks for the thoughts,

Mark
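A check that answers the question in this post, added here as an example and not part of the original message or of any NCLUG member's code: the kernel only completes a TCP handshake on a port that some process has bound and placed in LISTEN (a SYN to any other port gets a RST), so a port that nmap reports "open" but that has no LISTEN socket in the host's own socket table is being answered by something other than this host's kernel, for instance a device in the network path or a process that the usual tools are not showing. The script below reads the socket table straight from /proc/net/tcp and /proc/net/tcp6 rather than trusting netstat, and compares it against the ports the post names (143, 6667, 1080). The /proc/net/tcp sample embedded in it is constructed for offline use, and the set of scan-reported ports is an assumption taken from the post.

```python
"""Added example (not from the NCLUG post): check whether ports that a
remote nmap scan reports as "open" actually have a LISTEN socket on this
host, by reading /proc/net/tcp* directly."""
import os

LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp and tcp6

# Constructed sample of /proc/net/tcp (not captured from a real host):
# a daemon on 22, one on 143 and one on 1080 in LISTEN, plus one
# ESTABLISHED connection.  "local_address" is hexIP:hexPort, "st" is state.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0000000 300 0 0 2 -1
   1: 00000000:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 c0000000 300 0 0 2 -1
   2: 0100007F:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 c0000000 300 0 0 2 -1
   3: 0A000002:0016 0A000001:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 c0000000 20 4 30 10 -1
"""

# Assumption: the ports the post says nmap reported as open.
SCAN_REPORTED_OPEN = {143, 6667, 1080}


def parse_listening_ports(proc_net_tcp_text):
    """Return the set of TCP ports in LISTEN state from /proc/net/tcp(6) text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if int(state, 16) != LISTEN:
            continue
        # Port is the hex field after the last colon (IPv6 addresses are longer
        # but use the same layout), so rsplit handles both tcp and tcp6.
        _ip_hex, port_hex = local_addr.rsplit(":", 1)
        ports.add(int(port_hex, 16))
    return ports


def classify_scan(scan_open, listening):
    """Split scan-reported ports into those with a local listener and those without."""
    confirmed = sorted(scan_open & listening)
    phantom = sorted(scan_open - listening)  # "open" to the scanner, nothing here
    return confirmed, phantom


def local_listening_ports(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Read this host's live socket tables (IPv4 and IPv6 where present)."""
    ports = set()
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                ports |= parse_listening_ports(fh.read())
    return ports


if __name__ == "__main__":
    # Use the live tables if running on Linux, otherwise fall back to the sample.
    live = local_listening_ports() or parse_listening_ports(SAMPLE_PROC_NET_TCP)
    confirmed, phantom = classify_scan(SCAN_REPORTED_OPEN, live)
    print("scan-open ports with a local LISTEN socket:", confirmed)
    print("scan-open ports with no local listener   :", phantom)
```

Run it on the scanned host and feed it the port list from the nmap output; anything that lands in the second list is not being served by this machine's kernel, which is the point to investigate next. Reading /proc/net/tcp rather than calling netstat matters on a box that has sat on the Internet for a year: a replaced netstat binary can lie, the kernel's own table cannot be edited by a userland rootkit.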


