[NCLUG] Closing ports

J. Paul Reed preed at sigkill.com
Sun Apr 22 20:59:14 MDT 2001


On Sun, 22 Apr 2001, dobbster wrote:

> >    mv /usr/sbin/portmap  /usr/sbin/portmap-hold
> >
> > ... that is we move the portmap binary away from its usual
> > location, and the service will not start.  This is a hackish
> > solution, but should work.

While this solution is very portable (i.e. it WILL stop the service from
running on pretty much EVERY distro out there), it is very hackish.

The right way (tm) to do it on an RHAT system is 'rpm -e portmap'; you can
also poke around in /etc/rc.d/rc3.d/ and remove the link to that service;
in Slack, I think it's the file /etc/rc.3; this, of course, assumes you're
running in runlevel 3; if you're not, you'll need to use the right rc
directory for the runlevel you're in.

> Does the kernel itself listen to some ports?

Yes, but most of these are in very low port ranges (i.e. 1-15) and you can
comment them out in /etc/inetd.conf; echo, daytime, and chargen are
examples of such historical kernel services which aren't used much anymore.

Personally, I don't run portsentry, the main reason being that I've found
it whines too much and bothers the administrator (i.e. me) with things that
I don't need to be bothered with.

Granted, I probably could've used it before I became uber-paranoid about
security... I'm getting the feeling that portsentry is kind of a
"security-newbie's" thing (this impression coming from others I've known
who swear by it, not you.)

Anyway, if you really want to be sure that stuff isn't listening to your
ports without your knowledge, I would suggest you read up on ipchains
(assuming you're using 2.2.x still) and build at least a simple ruleset
that will deny everything to the ports you don't want people talking to at
all.

This way, the k1DDi3s don't even get a "Connection refused", and their
vulnerability scanning, depending on how smart *they* are, may take longer,
and you don't have to worry about who's starting what... the kernel will
drop the SYN packet before it ever gets to your portmap/irc/etc. port.

Later,
Paul
  ----------------------------------------------------------------------
  J. Paul Reed                preed at sigkill.com || web.sigkill.com/preed
  Homer no function beer well without.  -- H. Simpson, "The Joy of Sect"
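The kind of ipchains ruleset the post recommends for a 2.2.x kernel, as an added example that is not part of the original message. The interface name eth0 and the port list (111 for portmap, 6667 for IRC) are assumptions; the script only prints the commands unless DRY_RUN is unset and it is run as root.

```shell
#!/bin/sh
# Added example (not from the original post): silently drop inbound connection
# attempts to ports you never want reachable. DENY drops the packet without a
# reply, so a scanner gets no "Connection refused" (REJECT would answer with a
# RST); -l logs the match via the kernel log so you still see who knocked.
# Assumed values: interface eth0, ports 111 (portmap) and 6667 (IRC).

# Emit the rules for one interface and a list of ports, one TCP and one UDP
# rule per port. -y matches only packets with SYN set and ACK/FIN clear, i.e.
# the first packet of a TCP connection; portmap also answers on UDP, so the
# UDP rule covers that side. Rules are appended (-A), so run this before any
# broad ACCEPT rule on the input chain or it will never be reached.
build_ruleset() {
    iface="$1"; shift
    for port in "$@"; do
        printf 'ipchains -A input -i %s -p tcp -y -d 0.0.0.0/0 %s -l -j DENY\n' \
            "$iface" "$port"
        printf 'ipchains -A input -i %s -p udp -d 0.0.0.0/0 %s -l -j DENY\n' \
            "$iface" "$port"
    done
}

# Number of rules a given interface/port list produces (two per port).
rule_count() {
    build_ruleset "$@" | wc -l | tr -d ' '
}

# Print the commands when DRY_RUN is set; otherwise execute them (needs root)
# and list the input chain numerically so you can verify they took effect.
apply_ruleset() {
    if [ -n "$DRY_RUN" ]; then
        build_ruleset "$@"
    else
        build_ruleset "$@" | sh
        ipchains -L input -n
    fi
}

# Constructed usage: show the rules that would close portmap and IRC on eth0.
DRY_RUN=1
apply_ruleset eth0 111 6667
```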