[Gllug] Security & closing ports on certain interfaces.

Bruce Richardson itsbruce at uklinux.net
Thu Feb 14 12:12:04 UTC 2002


On 2/14/02, 9:41:36 AM, "Paul Brazier" <pbrazier at cosmos-uk.co.uk> wrote 
regarding [Gllug] Security & closing ports on certain interfaces.:

> If I nmap my home PC (RedHat 7.1) from outside with the firewall down I
> see the X11, SMTP and sunrpc ports open.
> I only use postfix to send out mail (it comes in by pop3).
> I need sunrpc to use NFS on my internal network.

> Is it possible to configure these services so they only advertise
> themselves as open on my lo and eth0 interfaces (i.e. not on the ppp0
> interface)?

Only if they offer that facility or if you can run them out of xinetd.  
With xinetd you can bind services to only listen on particular 
interfaces.  Indeed, you can bind one service to listen to a port on one 
interface and another to listen at the same port on another interface.

Postfix: I should have thought the inet_interfaces setting would do this 
- set it to the ip addresses for your loopback and lan interfaces and 
restart postfix.  If that doesn't work then you should try reconfiguring 
postfix to run from xinetd.  Only Postfix isn't really well suited to 
being run from xinetd.  Exim otoh works fine from inetd/xinetd and indeed 
it's the recommended configuration for a home PC.

> I've tried things like xhost and /etc/hosts.allow and /etc/hosts.deny

hosts.allow and hosts.deny list addresses to block/allow, not interfaces 
to listen/not listen on.

> and /etc/postfix/main.cf but although I think they stop anyone
> connecting without authority they still seem to advertise the ports as
> open to nmap.

> I know I can shut them off with a firewall but I'm going for a
> belt-and-braces approach.

I'm fairly sure you can make Postfix only listen on the internal 
interfaces. With the portmapper you're out of luck - all you can do is 
block the network address in hosts.deny/allow and have the extra 
insurance of a firewall.  As for X - you can make it not listen for tcp 
connections at all by running it with -nolisten tcp.  The place to do 
that is in your xserverrc or .xserverrc script.

-- 

Bruce
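One way to verify the belt-and-braces result from the inside rather than trusting a remote nmap, added here as an example that is not from the original thread: a POSIX shell script that reads the local-address column of `ss -tln` output and flags any TCP listener bound to a wildcard address (0.0.0.0 or ::) or to an address other than the loopback/LAN ones you list. The INTERNAL_ADDRS value and the sample socket list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report TCP listeners reachable on
# every interface, i.e. bound to 0.0.0.0 / :: rather than to lo or the LAN.
# Input lines are the "Local Address:Port" column of `ss -tln` (or
# `netstat -tln`); the addresses and sample sockets below are constructed.
# Assumption: loopback and LAN addresses that are allowed to listen.
INTERNAL_ADDRS="127.0.0.1 192.168.1.10"

# Succeeds when the address means "all interfaces" (netstat and ss forms).
is_wildcard() {
    case "$1" in
        0.0.0.0|::|'[::]'|'*') return 0 ;;
        *) return 1 ;;
    esac
}
# Succeeds when the address is one of INTERNAL_ADDRS.
is_internal() {
    for a in $INTERNAL_ADDRS; do
        if [ "$a" = "$1" ]; then return 0; fi
    done
    return 1
}

# Reads "addr:port" lines on stdin; prints one "EXPOSED ..." line per socket
# that is not bound to an internal address. The port follows the last colon,
# so IPv6 forms such as :::111 or [::]:111 split correctly.
audit_listeners() {
    while read -r sock; do
        port=${sock##*:}
        addr=${sock%:*}
        if is_wildcard "$addr"; then
            echo "EXPOSED $addr $port (all interfaces, including ppp0)"
        elif ! is_internal "$addr"; then
            echo "EXPOSED $addr $port (not a listed internal address)"
        fi
    done
}

# Constructed sample: X11 and sunrpc on every interface, SMTP on lo and LAN only.
SAMPLE='0.0.0.0:6000
0.0.0.0:111
127.0.0.1:25
192.168.1.10:25'

# Number of exposed listeners in SAMPLE (on a live box, feed the real
# column instead: ss -tln | awk 'NR>1 {print $4}' | audit_listeners).
count_exposed() {
    printf '%s\n' "$SAMPLE" | audit_listeners | wc -l | tr -d ' '
}
```

After changing inet_interfaces, adding `bind` lines to xinetd stanzas, or starting X with -nolisten tcp, re-run the audit and expect an empty report.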

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug