Securing Linux, closing ports

I am building a new install, and trying to be sure that I will not have any ports open that I shouldn't. This linode will be a web server w/ mysql, no access to the mysql from anything other than localhost, no mail, etc.

nmap reveals the following:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST

Interesting ports on localhost (127.0.0.1):
Not shown: 1672 closed ports
PORT     STATE SERVICE
9/tcp    open  discard
13/tcp   open  daytime
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
37/tcp   open  time
80/tcp   open  http
3306/tcp open  mysql

I need http and ssh open. I am debating ftp vs sftp, but I do not need 25 for sure, and I'm not sure how to close that up. Anyone have any ideas about discard, daytime, time, and whether or not I need mysql to have a port open if I will have php talking to mysql directly on the same box?

Thanks for any insight,

Paul

10 Replies

Not sure if this helps, but I ran an nmap on my IP address as well, and a port scan from a web page, and port 25, etc., show up there too, so they appear open to the outside world as well, not just localhost.

Also note this is a clean Debian 4 install, only vsftpd, apache2 and mysql5 added.

Thanks

Here are my notes:

nano /etc/ssh/sshd_config, set PermitRootLogin to no and check that root cannot ssh into box

----------------------- iptables.sh with ssh brute force preventer -----------------------------------

#!/bin/sh
# Flush the INPUT chain first so re-running the script does not stack duplicate rules
iptables -F INPUT
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
# Drop new connections arriving on eth0 to every port except 22 (ssh), 80 (http) and 443 (https)
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:21 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 23:79 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP
# SSH brute force preventer: record each new ssh connection per source address, then log and
# drop a source once it has opened 4 or more in 60 seconds. The --set rule must not ACCEPT and
# the --update rules must match only NEW packets, otherwise the counter never fires for new
# connections and an already established session is dropped after its 4th packet.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSHbruteforce "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP


and start manually as root. (chmod 755 iptables.sh also)

to ensure this script starts at boot, add links to /etc/rc2-5

ln -s /etc/init.d/iptables.sh /etc/rc2.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc3.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc4.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc5.d/S99iptables

So I create this iptables.sh script as you posted and place it in /etc/init.d/?

Thanks.

I use Firehol. Very easy to configure.

First, let me add another vote for Firehol. Much better than dinking around with rules directly - it's really easy to get those wrong.

Second, while a firewall is a good idea, you should disable the service in addition to blocking the port. Thus, reconfigure your mail server to listen only on localhost, rather than just blocking external access to port 25.

Third, in response to the original post, if your only access to mysql is from the same host, it doesn't need to listen on any port - it can listen to a named socket on the file system.

This is really my goal: shut down the ports, not just block them.

As I have a clean Debian install with no mail apps per se, any idea how I would figure what opened port 25 and if anything is listening on it?

netstat --listening --inet --program will tell you what PID and program name are listening on what port.
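A way to answer the "what opened port 25 and is anything listening on it" question in bulk, as an added example that is not from the thread: it reads the output of the netstat command above and flags every listener reachable from the network that is not ssh or http, while reporting loopback-only listeners separately. The sample netstat output is constructed; PIDs, program names, and the guesses that inetd serves discard/daytime/time and that exim4 (Debian's default MTA) sits on 25 are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the thread): classify `netstat --listening --inet --program`
# output into allowed public listeners, loopback-only listeners and unexpected ones.
# Run it for real with:  netstat --listening --inet --program | audit_listeners

# Ports this box is meant to expose to the network (from the question: ssh and http).
ALLOWED_PUBLIC="22 80"

# audit_listeners: reads netstat output on stdin and prints one line per listener:
#   allowed    <proto> <port> <pid/program>   - public and in ALLOWED_PUBLIC
#   local      <proto> <port> <pid/program>   - bound to 127.0.0.1 only
#   UNEXPECTED <proto> <port> <pid/program>   - reachable from the network, not allowed
audit_listeners() {
    awk -v allowed="$ALLOWED_PUBLIC" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            n = split($4, addr, ":")      # "0.0.0.0:25" -> ip, port; ":::22" -> port is last
            ip = addr[1]; port = addr[n]
            prog = $NF                    # PID/Program name is always the last column
            if (ip == "127.0.0.1") { print "local", $1, port, prog; next }
            if (port in ok)         { print "allowed", $1, port, prog; next }
            print "UNEXPECTED", $1, port, prog
        }'
}

# Constructed sample resembling the questioner's Debian 4 box (PIDs and program
# names are made up; inetd and exim4 are assumptions, not taken from the post).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN      1234/inetd
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN      1234/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2001/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1500/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1600/exim4
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      1234/inetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1700/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1800/mysqld'

# audit_sample: run the audit over the constructed sample
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_listeners
}

audit_sample
```

Every UNEXPECTED line names the PID and program to stop or reconfigure; the local line shows mysql still bound to a TCP port even though, per the reply above, it could use only its socket.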

I protect the 'management' ports a different way. I do not open SSH or any FTP or HTTP/S web-admin ports (Webmin, Zope, etc.) to the public Internet.

Instead I set up a VPN using openvpn with a CA certificate used to sign the server (Linode) and clients (remote) certificates.

The clients have copies of the CA certificate and their own certificate and private 'key'.

In addition I configure openvpn to use a keyed-Hash Message Authentication Code (HMAC) certificate to prevent denial of service attacks on the openvpn UDP port from preventing legitimate access.

Each client creates a connection using openvpn. Once connected they can SSH or access the other admin services as usual.

I also use sshfs to mount the Linode file-system into the remote PC for easy file manipulation.

And of course a really un-sexy way to stop a lot of script-kiddies is to just change the ssh port to something other than 22. When I did this, I went from hundreds of ssh port 22 attempts to 0. Yes, zero, I was surprised.

> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST Interesting ports on localhost (127.0.0.1):

One thing you should do is scan from another machine and not from the same machine…you'd get a better picture of what's actually exposed to the internet.

Just my 2 cents…
