Not sure if this helps, but ran a nmap on my ip address as well, and a port scan from a web page, and port 25, etc, so they appear open to the outside world as well, not just localhost.

Also note this is a clean Debian 4 install, only vsftpd, apache2 and mysql5 added.

Thanks

Here are my notes:

nano /etc/ssh/sshd_config, set PermitRootLogin to no and check that root cannot ssh into box

–----------------------- iptables.sh with ssh brute force preventer -----------------------------------

!/bin/sh

iptables -P FORWARD DROP

iptables -P INPUT ACCEPT

iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:21 -j DROP

iptables -A INPUT -i eth0 -p tcp --syn --destination-port 23:79 -j DROP

iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP

iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSHbruteforce "

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

and start manually as root. (chmod 755 iptables.sh also)

to ensure this script starts at boot, add links to /etc/rc2-5

ln -s /etc/init.d/iptables.sh /etc/rc2.d/S99iptables

ln -s /etc/init.d/iptables.sh /etc/rc3.d/S99iptables

ln -s /etc/init.d/iptables.sh /etc/rc4.d/S99iptables

ln -s /etc/init.d/iptables.sh /etc/rc5.d/S99iptables

So I create this iptables.sh script as you posted and place it in /etc/init.d/?

Thanks.

I use Firehol. Very easy to configure.

First, let me add another vote for Firehol. Much better than dinking around with rules directly - it's really easy to get those wrong.

Second, while a firewall is a good idea, you should disable the service in addition to blocking the port. Thus, reconfigure your mail server to listen only on localhost, rather than just blocking external access to port 25.

Third, in response to the original post, if your only access to mysql is from the same host, it doesn't need to listen on any port - it can listen to a named socket on the file system.

This is really my goal, shut-down the ports, not just block them.

As I have a clean Debian install with no mail apps per se, any idea how I would figure what opened port 25 and if anything is listening on it?

netstat --listening --inet --program will tell you what PID and program name are listening on what port.

I protect the 'management' ports a different way. I do not open SSH or any FTP or HTTP/S web-admin ports (Webmin, Zope, etc.) to the public Internet.

Instead I set up a VPN using openvpn with a CA certificate used to sign the server (Linode) and clients (remote) certificates.

The clients have copies of the CA certificate and their own certificate and private 'key'.

In addition I configure openvpn to use a keyed-Hash Message Authentication Code (HMAC) certificate to prevent denial of service attacks on the openvpn UDP port from preventing legitimate access.

Each client creates a connection using openvpn. Once connected they can SSH or access the other admin services as usual.

I also use sshfs to mount the Linode file-system into the remote PC for easy file manipulation.

and of course a really un-sexy way to stop a lot of script-kiddies is to just change the ssh port to something other than 22. when i did this, i went from hundreds of ssh-port 22 attempts to 0. yes, zero, i was surprised.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST Interesting ports on localhost (127.0.0.1):

One thing you should do is scan from another machine and not from the same machine…you'd get a better picture of what's actually exposed to the internet.

Just my 2 cents…