[NCLUG] Closing ports
dobbster
dobbster at dobbster.com
Sun Apr 22 05:01:56 MDT 2001
Hello...

Every day I have to look at annoyingly long server logs from the "portsentry"
software. In essence, it shows the entries in /var/log/messages where bad guys
are trying to get into my open ports. Usually these are 111, 1080, and 143 -
all services I have disabled (I am aware of the security risks, and I don't need
any of these services). 111 (portmapper/RPC) gets hit the most.

nmap or netstat -l shows these ports as "open" or "listening". I know there are
not any server daemons actually listening to these ports, so why are they still
showing up as open? Is there any way to close them? My uneducated guess is
that the kernel may automatically handle some of them, but would this also be
true of ports like 6667 (IRC)? It seems as if there ought to be a simple
mechanism for just shutting down TCP/UDP ports, but I am not aware of any
(except ipchains, etc.).

Even if there aren't any real security risks here, I'd love to shorten the huge
"system attack" messages I get every day. It seems our servers get scanned by
dozens of machines every day, and it really clutters up the logs.

Thanks in advance for your great collective wisdom and advice,
Mark (dobbster at dobbster.com)