How to close down ports with IPCHAINS

[Compunuts]

Okay.. Here it's. I wanted to close down some of the ports that I've open for but I'm not sure what they are used for and how to specifically close it down.

111 Sun rpc
443 https ( I dont' have secure site so why I need this?? )
515 printer ( : )
6000 X11

Could you tell me the command?? TIA.

[binary_boy]

My understanding of ports is that they aren't like doors, either open or closed. A port is only "open" if a program or process is actively listening for connections on that port.

Look in your /etc/inetd.conf file. That starts up the services that listens on various ports. Comment out those that you don't need. Since my machine is just a home computer, I comment out ALL the services in inetd.conf. In fact, I don't even run inetd.conf. No reason to unless you are running services as a server.

I think https is apache.

As for port 6000, that's X Windows listening for remote connections. To stop that, run X Windows with the -nolisten tcp switch. i.e, here is a line from my gdm.conf

[servers]
0=/usr/bin/X11/X -nolisten tcp

[redhead]

#!/bin/sh

PORTS="111 443 515 6000"
for PORT in "$PORTS"; do
* iptables -A OUTPUT -o $EXTERN_NIC -p tcp --sport $PORT -j DROP
done

[Compunuts]

A port is only "open" if a program or process is actively listening for connections on *that port.

And I think the most difficult is chasing down that program and disabling it, I guess.

Look in your /etc/inetd.conf file. That starts up the services that listens on various ports. Comment out those that you don't need.

The thing is that they are ALL commented out but still some services are running ....

Since my machine is just a home computer, I comment out ALL the services in inetd.conf. In fact, I don't even run inetd.conf. No reason to unless you are running services as a server.

yeah. This is the server machine which serves my home LAN as well as my small test sites....

I think https is apache.

It's secure web server but I can't find the option to disable in httpd.conf . :-/

As for port 6000, that's X Windows listening for remote connections. To stop that, run X Windows with the -nolisten tcp switch. i.e, here is a line from my gdm.conf

[servers]
0=/usr/bin/X11/X -nolisten tcp

Yeah. Mine is XDM.

Thanks for your input anyway....

[Compunuts]

#!/bin/sh

PORTS="111 443 515 6000"
for PORT in "$PORTS"; do
* iptables -A OUTPUT -o $EXTERN_NIC -p tcp --sport $PORT -j DROP
done

That sounds great. Now where do I put this thing to make it permanent so that the close port will always be there if I even reboot it?? TIA.

[kenshi]

Redhead is correct except that he used iptables instead of ipchains. Plus I would block it on the input instead of the output. Do it exactly like him except change the iptables line to this:

ipchains -A input -p tcp --dport $PORT -j DROP

But do you really want to leave all the other ports unguarded? It probably won't hurt anything if nothing is open on the other ports but who's to say that something won't become open without your knowledge? I'd do this:

ipchains -A input -p tcp --syn -j DROP

And if you want certain ports to be open, add lines like this before the previous line:

ipchains -A input -p tcp --dport 80 -j DROP

or you can replace 80 with $PORT and do it the script way like before.

[kenshi]

The thing is that they are ALL commented out but still some services are running ....

After you changed it, did you do a "killall -SIGHUP inetd"? If not, then do.

That sounds great. Now where do I put this thing to make it permanent so that the close port will always be there if I even reboot it?? TIA.

Which distro? If it's one of the big RPM-based ones, you could make a script of it and link to the script from /etc/rc.local.

[gorn]

to find out what pid is using what port:

fuser -n tcp 515

will found out whats using 515/tcp

then do a ps -aux | grep PID

[Feztaa]

My understanding of ports is that they aren't like doors, either open or closed. A port is only "open" if a program or process is actively listening for connections on *that port.

Well then your understanding is flawed, because ports are pretty much exactly like doors

A closed port is just that -- closed. It can be opened by any program that wishes to open it and listen on it.

Compunuts wants to know how he can close and lock (aka stealth) his ports, so that programs can't open them even if they want to.

Unfortunately, I'm not a big ipchains guy (I only know iptables, actually, but I know it well ), so I can't help you, Compunuts. But I will say that it's always a better idea to have a default-closed ruleset that only opens the ports you want, instead of just closing a few and leaving the rest unguarded.

[redhead]

But do you really want to leave all the other ports unguarded? It probably won't hurt anything if nothing is open on the other ports but who's to say that something won't become open without your knowledge?

These are the ports I block in my firewall.

Code:

TCP_PORTS="0 111 137 138 139 445 515 555 587 1243 2772 2773 3306\
 * * * *6000 6001 6002 6003 6004 6005 6007 6008 6009 6670 6711 6776 6969\
 * * * *7215 12345 21544 23456 27374 30100 31337 31789 50505 54283"
UDP_PORTS="0 111 138 515 555 1243 2772 2773 6670 6711 6776\
    6969 7215 12345 21544 23456 27374 30100 31337 31789 50505\
    54283"