[NCLUG] Closing ports

Michael Dwyer mdwyer at sixthdimension.com
Mon Apr 23 10:17:11 MDT 2001


> > Does the kernel itself listen to some ports?
>
> Yes, but most of these are in very low port ranges (i.e. 1-15) and you can
> comment them out in /etc/inetd.conf; echo, daytime, and chargen are
> examples of such historical kernel services which aren't used much anymore.

Ummm. No.  The kernel listens to ICMP traffic, but doesn't open TCP or
UDP ports on its own.  These low ranges are actually handled internally
by the inetd.  Echo returns whatever you send it.  Chargen spews a
printer-test pattern of characters when you connect to it.  Useful for
testing at one time, but consider what happens if you spoof some
addresses -- connect someone's chargen port to someone else's echo port.
No bandwidth for you!  Because of that, they are usually commented out.

Chargen is also useful for newbies discovering MUDs:  "Hey, I just found
this really cool mud!  It's at 127.0.0.1:19!  Check it out!"  Since
everybody closes chargen now, it's not quite as much fun.

Oh, incidentally, if you are root, another tool in the lsof vein is using
the -p flag in netstat.  That will tell you which process ID is holding
the network port.  Useful, if difficult to read.  "netstat -ap"

> Anyway, if you really want to be sure that stuff isn't listening to your
> ports without your knowledge, I would suggest you read up on ipchains
> (assuming you're using 2.2.x still) and build at least a simple ruleset
> that will deny everything to the ports you don't want people talking to at
> all.

ipchains are great, but I think you should always look into the source
of the problem when you can.  e.g., instead of firewalling the portmapper,
why not just turn the portmapper off?  ESPECIALLY with the portmapper.
If you block the portmapper, all you have done is hidden the phone book.
All your other RPC services are still running somewhere, it just becomes
more difficult to find them.
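Added example, not part of the original post: a small shell helper for the two checks discussed above, listing the "internal" inetd services (echo, chargen, daytime) still enabled in a 2.2-era /etc/inetd.conf and filtering the hard-to-read `netstat -ap` output down to low-port listeners with their PID and program. Both input texts below are constructed samples, not output from any real host.

```shell
#!/bin/sh
# Constructed sample of /etc/inetd.conf (2.2-era layout, not a real host).
SAMPLE_INETD='# <service> <type> <proto> <wait> <user> <server> <args>
echo    stream tcp nowait root internal
#chargen stream tcp nowait root internal
daytime stream tcp nowait root internal
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd'

# Read inetd.conf text on stdin; print each built-in ("internal") service
# whose line is not commented out, i.e. the legacy echo/chargen/daytime
# style services that are still being offered.
enabled_internal_services() {
    awk '$1 !~ /^#/ && $6 == "internal" { print $1 }'
}

# Constructed sample of `netstat -ap` output (run as root so the
# PID/Program column is filled in). The UDP line has no State column.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      412/portmap
tcp        0      0 0.0.0.0:19              0.0.0.0:*               LISTEN      430/inetd
udp        0      0 0.0.0.0:7               0.0.0.0:*                           430/inetd'

# Read netstat -ap text on stdin; print "port proto pid program" for every
# TCP/UDP socket bound below port 1024. The last field is used for the
# PID/program so the missing State column on UDP rows does not matter.
listening_low_ports() {
    awk '($1 == "tcp" || $1 == "udp") && $NF ~ /^[0-9]+\// {
        n = split($4, a, ":"); port = a[n]
        if (port + 0 < 1024) {
            split($NF, p, "/")
            print port, $1, p[1], p[2]
        }
    }'
}

# Stand-alone run: show the enabled legacy services and the low-port map.
printf '%s\n' "$SAMPLE_INETD" | enabled_internal_services
printf '%s\n' "$SAMPLE_NETSTAT" | listening_low_ports
```

On a live 2.2-era box the same functions would be fed `cat /etc/inetd.conf` and `netstat -ap` respectively; a line such as `111 tcp 412 portmap` is the portmapper the post recommends switching off rather than merely firewalling.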
