[Gllug] Security & closing ports on certain interfaces.
Jackson, Harry
HJackson at colt-telecom.com
Thu Feb 14 10:39:22 UTC 2002
> -----Original Message-----
> From: Paul Brazier [mailto:pbrazier at cosmos-uk.co.uk]
>
> If I nmap my home PC (RedHat 7.1) from outside with the
> firewall down I
> see the X11, SMTP and sunrpc ports open.
> I only use postfix to send out mail (it comes in by pop3).
> I need sunrpc to use NFS on my internal network.
>
> Is it possible to configure these services so they only advertise
> themselves as open on my lo and eth0 interfaces (i.e. not on the ppp0
> interface)?
> If so is it generally speaking just some options in the
> /etc/<service>.conf files??
>
> I've tried things like xhost and /etc/hosts.allow and /etc/hosts.deny
> and /etc/postfix/main.cf but although I think they stop anyone
> connecting without authority they still seem to advertise the ports as
> open to nmap.
>
> I know I can shut them off with a firewall but I'm going for a
> belt-and-braces approach.
xinetd is the obvious choice, but the way I did it was to find the
configuration file for each service and look for the following strings,
either in that file or in its man page:
interface
eth0
bind
listen
secur
This normally found the thing that I needed to change to get the service in
question to only listen on internal devices. I have not mastered xinetd for
all my services yet, but it is on my to-do list. I have also got an iptables
firewall that allows me to connect out using http via squid and pop3 but
blocks all incoming connections. I also use the following command to see
what is listening on my machine, as it is quicker than nmap:
$ netstat -pan --inet
Anything with 0.0.0.0 and LISTEN on the same line means that it is visible
and open to external sources; see the man page for a more thorough explanation.
Harry
What are the advantages of using NFS over samba?
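A check for the question in this thread, added here as an example and not code from either poster: it reads the output of `netstat -pan --inet` and classifies each listening socket by the address it is bound to, so a service that is wildcard-bound (0.0.0.0, reachable on ppp0 as well as eth0) stands out from one already bound to loopback or to the LAN address. It also reports UDP sockets, which netstat lists without a state column. The sample netstat output, the PIDs and program names, and the LAN prefix 192.168. are constructed for the example; set INTERNAL_PREFIX to your own eth0 address.

```shell
#!/bin/sh
# Added example: classify listening sockets from `netstat -pan --inet` output.
# Reads netstat lines on stdin and prints one line per listening socket:
#   CLASS proto local_address program
# CLASS is WILDCARD (bound to 0.0.0.0, so reachable on every interface,
# ppp0 included), LOOPBACK (127.x), INTERNAL (bound to an address starting
# with INTERNAL_PREFIX) or OTHER.
# INTERNAL_PREFIX is an assumption for the example; use your LAN address.
INTERNAL_PREFIX="${INTERNAL_PREFIX:-192.168.}"

audit_listeners() {
    awk -v pfx="$INTERNAL_PREFIX" '
        # skip the two header lines netstat prints
        /^Active|^Proto/ { next }
        # TCP servers carry a LISTEN state.  UDP sockets have no state
        # column at all, so a UDP socket with a wildcard foreign address
        # is treated as a listener.
        $1 == "tcp" && $6 != "LISTEN" { next }
        $1 == "udp" && $5 != "0.0.0.0:*" { next }
        {
            local = $4
            # the missing state column shifts the program name left for udp
            prog = ($1 == "tcp") ? $7 : $6
            if (prog == "") prog = "-"
            split(local, a, ":"); addr = a[1]
            if (addr == "0.0.0.0")          cls = "WILDCARD"
            else if (addr ~ /^127\./)       cls = "LOOPBACK"
            else if (index(addr, pfx) == 1) cls = "INTERNAL"
            else                            cls = "OTHER"
            printf "%s %s %s %s\n", cls, $1, local, prog
        }'
}

# Succeeds only when nothing is wildcard-bound, so it can run from cron
# after a config change and fail loudly if a service still listens everywhere.
check_no_wildcard() {
    ! audit_listeners | grep '^WILDCARD '
}

# Constructed sample in the format of `netstat -pan --inet` on a 2.4 kernel,
# mirroring the thread: sunrpc, X11 and SMTP on 0.0.0.0, squid on loopback,
# NFS on the LAN address, plus one established client connection.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      523/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1021/X
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      700/master
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      811/squid
tcp        0      0 192.168.1.5:2049        0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.5:1029        10.0.0.2:110            ESTABLISHED 1300/fetchmail
udp        0      0 0.0.0.0:111             0.0.0.0:*                           523/portmap'

# Demo on the constructed sample; on a live box use:
#   netstat -pan --inet | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

Run it as root so netstat can fill in the program column. The settings the thread is hunting for: postfix's `inet_interfaces` parameter in /etc/postfix/main.cf takes the list of addresses to listen on (127.0.0.1 and the eth0 address), an xinetd service stanza takes a `bind` attribute (alias `interface`) with the address to bind to, and the X server started with `-nolisten tcp` does not open port 6000 at all. After changing them, rerun the check: the WILDCARD lines should turn into LOOPBACK or INTERNAL, or disappear.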
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug