Securing Linux, closing ports
nmap reveals the following:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1672 closed ports
PORT STATE SERVICE
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
3306/tcp open mysql
I need http and ssh open, I am debating ftp vs sftp, but I do not need 25 for sure, not sure how to close that up. Anyone have any ideas about discard, daytime, time and whether or not I need mysql to have a port open if I will have php talking to mysql directly on the same box?
Thanks for any insight,
Paul
10 Replies
Also note this is a clean Debian 4 install, only vsftpd, apache2 and mysql5 added.
Thanks
nano /etc/ssh/sshd_config, set PermitRootLogin to no and check that root cannot ssh into box
------------------------ iptables.sh with ssh brute force preventer ------------------------
#!/bin/sh
# Default policies: never forward, accept input unless a rule below drops it
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
# Drop new TCP connections arriving on eth0 except to 22 (ssh), 80 (http) and 443 (https)
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:21 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 23:79 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP
# ssh brute force preventer: record every new ssh connection per source address;
# the 4th within 60 seconds is logged and dropped, the rest fall through to the ACCEPT policy
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSHbruteforce "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
and start it manually as root (chmod 755 iptables.sh also).
To ensure this script starts at boot, add links in /etc/rc2.d through /etc/rc5.d:
ln -s /etc/init.d/iptables.sh /etc/rc2.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc3.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc4.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc5.d/S99iptables
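An added example, not the script from the post above: the same SSH connection limiter placed on a default-deny INPUT chain, so only the ports you name are reachable and nothing has to enumerate the ranges to drop. IPT defaults to `echo iptables`, so running it only prints the rules; the interface name eth0 and the port list are assumptions, and applying it for real (IPT=iptables as root) is not done here.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT chain with an SSH rate limit.
# IPT defaults to "echo iptables" so the rules are printed, not applied.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"   # assumed external interface

# Emit the rule set allowing the given TCP ports, e.g. `build_rules 22 80`.
build_rules() {
    $IPT -F INPUT
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback carries the localhost-only services (local MTA, mysql) untouched.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, and already-accepted sessions.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        if [ "$port" -eq 22 ]; then
            # Record each new SSH connection per source; the 4th within 60 s is
            # logged and dropped, anything below that reaches the ACCEPT below.
            $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
            $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSHbruteforce "
            $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
        fi
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everything else hits the DROP policy; keep a rate-limited log of it for review.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop "
    # Policy is set last so an existing SSH session is covered by the rules above first.
    $IPT -P INPUT DROP
}

# Number of -A rules emitted for a port list (sanity check on the generator).
rule_count() { build_rules "$@" | grep -c '^iptables -A'; }

build_rules 22 80
```

The limiter rules carry `-m state --state NEW` so retransmitted SYNs of an already-accepted session are not counted against the source, and the `--set` rule has no target on purpose: it only records the hit and lets the packet continue to the following rules.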
Thanks.
Firehol
Second, while a firewall is a good idea, you should disable the service in addition to blocking the port. Thus, reconfigure your mail server to listen only on localhost, rather than just blocking external access to port 25.
Third, in response to the original post, if your only access to mysql is from the same host, it doesn't need to listen on any port - it can listen to a named socket on the file system.
As I have a clean Debian install with no mail apps per se, any idea how I would figure what opened port 25 and if anything is listening on it?
netstat --listening --inet --program
will tell you what PID and program name are listening on what port.
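An added example that is not part of the thread, tying together the advice above about services that should only listen on localhost and the netstat command just given: a small audit that reads `netstat --listening --inet --program --numeric` output, separates listeners bound to every interface (exposed) from loopback-only ones, and reports exposed ports that are not on an allowlist. The netstat output embedded below is constructed to mirror the scan in the question; the PIDs and program names are made up.

```shell
#!/bin/sh
# Added example: audit TCP listeners from netstat output (constructed sample).
# On a real box: netstat --listening --inet --program --numeric | unexpected 22 80

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN      1234/inetd
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN      1234/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2001/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1500/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1800/exim4
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      1234/inetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2100/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2200/mysqld'

# Print "port address program" for every TCP listener in netstat output on stdin.
listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        split($7, p, "/"); print port, addr, p[2]
    }'
}

# Listeners bound to all interfaces (0.0.0.0 or ::) are reachable from outside.
# Loopback-only ones show up in a scan of localhost but are not exposed.
exposed() {
    listeners | awk '$2 == "0.0.0.0" || $2 == "::" { print $1, $3 }'
}

# Exposed ports not in the allowlist given as arguments, e.g. `unexpected 22 80`.
unexpected() {
    allow=" $* "
    exposed | while read -r port prog; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "$port $prog" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE" | unexpected 22 80
```

In the sample, port 25 and 3306 are bound to 127.0.0.1 and so never appear in the exposed list even though a scan of localhost shows them open; ports 9, 13, 21 and 37 are the ones this audit tells you to either disable or firewall.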
Instead I set up a VPN using openvpn with a CA certificate used to sign the server (Linode) and clients (remote) certificates.
The clients have copies of the CA certificate and their own certificate and private 'key'.
In addition I configure openvpn to use a keyed-Hash Message Authentication Code (HMAC) certificate to prevent denial of service attacks on the openvpn UDP port from preventing legitimate access.
Each client creates a connection using openvpn. Once connected they can SSH or access the other admin services as usual.
I also use sshfs to mount the Linode file-system into the remote PC for easy file manipulation.
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST
Interesting ports on localhost (127.0.0.1):
One thing you should do is scan from another machine and not from the same machine; you'd get a better picture of what's actually exposed to the internet.
Just my 2 cents…