[NCLUG] Closing ports
dobbster
dobbster at dobbster.com
Sun Apr 22 09:48:56 MDT 2001
> Commenting out a given service name in /etc/services does
> NOTHING to stop it from running -- /etc/services is just a
> 'phonebook' allowing for looking up the ports used by a given
> service IF it is not already known. Just as you do not need
> to look up your home phone number every time you make a call
> home, the portmap binary 'knows' where it is going to ...
>
> Commenting out in /etc/services has NO EFFECT.
That's what I figured. I understand /etc/services to be just a look-up table
for converting services to ports.
> -------------------------
> Stopping the portmapper --
>
> You do not mention if you are running a Slack or a RH
> (BSD-type or SysV-type initscripts) distribution. In either
> case, this should work:
>
> mv /usr/sbin/portmap /usr/sbin/portmap-hold
>
> ... that is we move the portmap binary away from its usual
> location, and the service will not start. This is a hackish
> solution, but should work.
>
> In a host exposed on the public internet, it is much better
> to formally remove the package and its ancillaries, along
> with the YP utilities, and R services, and so forth. A
> discussion of this moves to formal hardening and is beyond the
> scope of your question.
This is actually a RH 6.x system, but I have observed the same thing on a MDK7.1
system. NFS, NIS, and portmapper have been disabled via linuxconf, but the
packages still exist on the system. They're definitely not running, although I
did move the binary elsewhere just to be safe.
What I don't understand is why the ports are still open. For example, nmap
shows that 143 (imap) is still open, but imap is disabled via /etc/inetd.conf.
It also shows 6667 (ircd) as open, but I don't have an irc server package on the
system at all. Same with 1080 (socks).
This machine has been connected to the Internet for over a year, but I don't
think it's ever been compromised. It doesn't seem as if anyone ever
successfully connects to the ports; they just scan over them.
Does the kernel itself listen to some ports?
Thanks for the thoughts,
Mark
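One way to answer the question Mark raises, as an added example that is not part of the thread or any poster's code: read the kernel's own socket table from /proc/net/tcp, keep the entries in LISTEN state, and map each one to the process holding it. The kernel does not listen on a TCP port by itself; an open port on the host is a socket some process has bound, so a port that nmap reports open from outside but that is absent from this list was answered by something other than this machine's sockets (a device or proxy on the path, for instance). The script assumes Linux on a little-endian (x86) host, so that /proc/net/tcp prints the address as a byte-reversed hex word; the SAMPLE_PROC_NET_TCP text is constructed for the example, and its inode numbers will not exist on a real system.

```python
"""Added example (not from the NCLUG thread): list TCP sockets in LISTEN
state from /proc/net/tcp and map each to its owning process.

Assumptions: Linux on a little-endian (x86) host, where /proc/net/tcp
prints the IPv4 address as a byte-reversed hex word and the port as
big-endian hex.  SAMPLE_PROC_NET_TCP is constructed, not captured.
"""
import os
import socket

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket

# Constructed /proc/net/tcp sample: portmap bound on 0.0.0.0:111, a
# daemon on 127.0.0.1:25, and one ESTABLISHED ssh session (state 01)
# that must not be reported as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2345 1 00000000 100 0 0 10 0
   2: 0200000A:0016 0100000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 3456 1 00000000 100 0 0 10 0
"""


def decode_addr(field):
    """Turn '0100007F:0019' into ('127.0.0.1', 25)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the 32-bit address in host byte order, so on x86
    # the bytes come out reversed; flip them back before formatting.
    addr = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    return addr, int(port_hex, 16)


def listening_sockets(text):
    """Parse /proc/net/tcp content and return only the LISTEN entries."""
    result = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        addr, port = decode_addr(fields[1])
        result.append({"addr": addr, "port": port,
                       "uid": int(fields[7]), "inode": int(fields[9])})
    return result


def inode_to_pid(inode, proc="/proc"):
    """Return the pid holding the socket with this inode, or None.

    Walks /proc/<pid>/fd for a 'socket:[inode]' link.  Other users'
    fd directories need root to read, so None can also mean 'not
    visible from here'.
    """
    target = "socket:[%d]" % inode
    try:
        pids = os.listdir(proc)
    except OSError:
        return None
    for pid in pids:
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited, or not ours to inspect
            continue
    return None


def service_name(port):
    """The /etc/services label for a port: a name, not proof of a daemon."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "?"


def report(text=None, proc="/proc"):
    """One line per listener: addr:port, service label, uid, owning pid."""
    if text is None:
        with open(os.path.join(proc, "net", "tcp")) as f:
            text = f.read()
    lines = []
    for s in listening_sockets(text):
        pid = inode_to_pid(s["inode"], proc)
        owner = "pid %d" % pid if pid is not None else "no visible process"
        lines.append("%s:%d (%s) uid=%d %s" % (
            s["addr"], s["port"], service_name(s["port"]), s["uid"], owner))
    return lines


if __name__ == "__main__":
    # Run as root against the live kernel table and compare with what nmap
    # reports from outside; anything open remotely but missing here did
    # not come from a socket on this host.
    for line in report():
        print(line)
```

Run it as root so that every process's fd directory is readable; otherwise a listener owned by another uid shows up with "no visible process" even though it is real. The service label column is there to make the thread's point concrete: the name comes from the same /etc/services lookup that nmap uses, and says nothing about whether a daemon is bound to the port.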