Default open port to newly created node
I'm a new Linode customer. I created a new Debian 7.0 node a few days ago, configured basic security, and installed some packages afterwards.
I'm just wondering about the open port list that I got from nmapping my Linode host from my own computer.
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
1720/tcp filtered H.323/Q.931
1900/tcp filtered upnp
3128/tcp filtered squid-http
4444/tcp filtered krb524
4899/tcp filtered radmin
9898/tcp filtered monkeycom
I have basic Linux skills but am not very advanced.
How do I close these ports?
Are there any ports above that Linode might use internally, so that I should just leave them open?
Better yet, log in via Lish, set iptables to block everything by default, and allow what you know you need.
If you need help with this, let us know. iptables isn't very complicated; it just seems complicated to new users.
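As an added example (not part of the reply above), here is the "block everything by default, allow what you need" ruleset it describes, written in iptables-restore format so it loads atomically. One point about the nmap output in the question: a state of "filtered" means the probe got no answer at all (dropped somewhere on the path), not that a service is listening, so nothing on that list is open on the node. The script assumes sshd is on port 22 (the SSH_PORT variable is a placeholder) and covers IPv4 only.

```shell
# Added example, not from the thread: a default-deny IPv4 firewall for a
# fresh Debian 7 node. Assumptions: only sshd needs to be reachable, on
# port 22 unless SSH_PORT is set; nothing else has been opened yet.

SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset. Default policy is DROP for INPUT and FORWARD and
# ACCEPT for OUTPUT, so anything not explicitly allowed below is dropped.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host started, and ongoing sessions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that claim to belong to a connection we never saw
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP (ping, path-MTU discovery), rate limited
-A INPUT -p icmp -m limit --limit 5/second -j ACCEPT
# the one service we deliberately expose: ssh
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset. iptables-restore parses the whole thing first, so a
# syntax error leaves the rules that are currently loaded untouched.
apply_rules() {
    gen_rules | iptables-restore
}

# Usage: sh firewall.sh --dry-run   (print the rules only)
#        sh firewall.sh --apply     (load them and list what is active)
if [ "${1:-}" = "--dry-run" ]; then
    gen_rules
elif [ "${1:-}" = "--apply" ]; then
    apply_rules && iptables -S
fi
```

Run the apply step from a Lish session rather than over ssh, so a mistake in the SSH rule does not cut off the session you are typing into. Rules loaded this way do not survive a reboot; on Debian 7 the iptables-persistent package reloads them at boot. Linode nodes also have IPv6 addresses, and ip6tables needs an equivalent ruleset of its own.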
@IceClimber:
Is Lish more secure than ssh? I was wondering because I'm interested in closing all possible ports. I have a new node and it seems that I'm already getting scanned.
This would be better in a new topic. It is generally considered rude to hijack someone else's thread.
I can't speak for the browser client, but Lish itself can be accessed directly via ssh. Since ssh is just as secure as ssh, Lish via ssh should be just as secure as ssh directly to your Linode.
The only real advantage to using Lish is that you save bandwidth on your Linode. Otherwise, you'd be better off ssh'ing directly to your Linode. Lish provides a small viewing area for, e.g., command output or text editors (e.g. nano/vim/etc.), whereas ssh directly to your Linode lets you use your entire screen.
If you're concerned about leaving ssh open, change the port it's running on, disable root logins, and require the use of ssh keys.
@IceClimber:
Is Lish more secure than ssh? I was wondering because I'm interested in closing all possible ports.
There's no reason you can't keep both open. If there's ever a problem (such as you can't log into Linode) then you'd want an alternate form of access. You can always change the SSH port, limit who can log into SSH, restrict it to specific IPs, use public key authentication, etc, etc. I'm sure there are many on this forum who are more versed in this stuff than I am and who could point you to tutorials.
@IceClimber: I have a new node and it seems that I'm already getting scanned.
Every IP address on the internet gets scanned. They scan blocks of IP addresses - sometimes randomly, other times it's because the IPs belong to a hosting company or a services company, etc.
Make sure you use a very strong password for any account that can access SSH. You can prevent root from logging into SSH, and even limit it to one user name (which can be as random or crazy as you'd like). Tight security is essential, but limiting your options to the point of potentially locking yourself out of your own server is not usually a good idea.
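The sshd hardening that the replies above recommend (a non-default port, no root login, keys instead of passwords, a single allowed user name), as an added example that is not from any post in this thread. It emits the directives, audits an existing sshd_config against them, and rewrites the file in place. The port 2222 and the user name admin are placeholders. It assumes Debian 7's OpenSSH, which resolves each directive by its first uncommented occurrence and has no Include directive, so the main file itself has to be edited.

```shell
# Added example, not from the thread: sshd hardening for a Debian 7 node.
# Placeholders: SSH_PORT and SSH_USER. Assumes /etc/ssh/sshd_config is
# the only config file (OpenSSH 6.x, no Include support).

SSH_PORT="${SSH_PORT:-2222}"
SSH_USER="${SSH_USER:-admin}"

# The directives we want. ChallengeResponseAuthentication must be off as
# well, otherwise PAM keyboard-interactive still accepts a password.
hardened_sshd_config() {
    cat <<EOF
Port ${SSH_PORT}
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers ${SSH_USER}
EOF
}

# Audit an sshd_config: print each directive whose effective value is
# weak. An unset directive takes sshd's compiled-in default, so the
# table below carries "key default wanted". Returns 1 if anything is weak.
audit_sshd_config() {
    file=$1
    rc=0
    while read -r key dflt want; do
        # first uncommented occurrence wins, as in sshd; names are
        # case-insensitive
        have=$(awk -v k="$key" 'tolower($1)==tolower(k){print tolower($2); exit}' "$file")
        [ -n "$have" ] || have=$dflt
        if [ "$have" != "$want" ]; then
            echo "weak: $key=$have (want $want)"
            rc=1
        fi
    done <<EOF
PermitRootLogin yes no
PasswordAuthentication yes no
ChallengeResponseAuthentication yes no
PubkeyAuthentication yes yes
EOF
    return $rc
}

# Rewrite a config file so our directives take effect: comment out any
# existing occurrence (which would otherwise win) and append ours.
# A backup is kept beside the file.
harden_file() {
    cfg=$1
    cp "$cfg" "$cfg.bak"
    for key in Port PermitRootLogin PasswordAuthentication \
               ChallengeResponseAuthentication PubkeyAuthentication AllowUsers; do
        sed -i "s/^[[:space:]]*${key}[[:space:]]/#&/" "$cfg"
    done
    hardened_sshd_config >> "$cfg"
}

# Usage on the server, from a session you keep open (or from Lish):
#   audit_sshd_config /etc/ssh/sshd_config
#   harden_file /etc/ssh/sshd_config && sshd -t && service ssh restart
# Then confirm a key-based login works on the new port from a second
# terminal before closing the old session.
```

Put the public key in ~/.ssh/authorized_keys for SSH_USER and verify a key login works before turning PasswordAuthentication off; sshd -t refuses a file with a syntax error, which is the check that keeps a typo from locking you out at restart. The sed step matches the canonical capitalisation Debian's default file uses; a hand-edited file with a lower-case directive name would need the pattern widened.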
@zunzun:
@Piki: It's rude to hijack someone else's thread.
You imply that he engaged in rude forum behavior without directly stating so - the mark of a forum coward.
Note that I implied that you are a coward without stating so directly - ha, ha, ha.
James
Except I didn't imply anything, therefore you didn't imply anything. It is obvious that the thread was hijacked, both by you and by a newcomer, and I was simply stating politely something a newcomer may not know about the forum community.
It is only a coward who insults someone from behind the safety of his computer. It is also the mark of a coward to hijack an already hijacked forum thread to send his insults.
Note that I implied that you are a coward without directly saying so. And in this case, while I did send an insult your way, I also spoke truth – something which, in today's society, is more courage than cowardice.