[Gllug] Security & closing ports on certain interfaces.
Bruce Richardson
itsbruce at uklinux.net
Thu Feb 14 12:12:04 UTC 2002
On 2/14/02, 9:41:36 AM, "Paul Brazier" <pbrazier at cosmos-uk.co.uk> wrote
regarding [Gllug] Security & closing ports on certain interfaces.:
> If I nmap my home PC (RedHat 7.1) from outside with the firewall down I
> see the X11, SMTP and sunrpc ports open.
> I only use postfix to send out mail (it comes in by pop3).
> I need sunrpc to use NFS on my internal network.
> Is it possible to configure these services so they only advertise
> themselves as open on my lo and eth0 interfaces (i.e. not on the ppp0
> interface)?
Only if they offer that facility or if you can run them out of xinetd.
With xinetd you can bind services to only listen on particular
interfaces. Indeed, you can bind one service to listen to a port on one
interface and another to listen at the same port on another interface.
Postfix: I should have thought the inet_interfaces setting would do this
- set it to the ip addresses for your loopback and lan interfaces and
restart postfix. If that doesn't work then you should try reconfiguring
postfix to run from xinetd. Only Postfix isn't really well suited to
being run from xinetd. Exim otoh works fine from inetd/xinetd and indeed
it's the recommended configuration for a home PC.
> I've tried things like xhost and /etc/hosts.allow and /etc/hosts.deny
hosts.allow and hosts.deny list addresses to block/allow, not interfaces
to listen/not listen on.
> and /etc/postfix/main.cf but although I think they stop anyone
> connecting without authority they still seem to advertise the ports as
> open to nmap.
> I know I can shut them off with a firewall but I'm going for a
> belt-and-braces approach.
I'm fairly sure you can make Postfix only listen on the internal
interfaces. With the portmapper you're out of luck - all you can do is
block the network address in hosts.deny/allow and have the extra
insurance of a firewall. As for X - you can make it not listen for tcp
connections at all by running it with -nolisten tcp. The place to do
that is in your xserverrc or .xserverrc script.
--
Bruce
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
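The three settings Bruce describes (an xinetd `bind`, Postfix `inet_interfaces`, and X started with `-nolisten tcp`), plus the check a practitioner would run afterwards, as an added shell example that is not part of the original thread. The addresses (lo = 127.0.0.1, eth0 = 192.168.1.10), the telnet service and binary path used for the xinetd entry, the XFree86 path, and the netstat sample are all assumptions made for the example; the point of the last function is that whatever is still bound to 0.0.0.0 after these changes (here the portmapper on 111) is exactly what nmap on the ppp0 side will still see, so it is protected only by hosts.deny and the firewall.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts.
# Assumed addresses (not from the thread): lo = 127.0.0.1, eth0 = 192.168.1.10.
# Service names and binary paths below are placeholders.

LO_ADDR=127.0.0.1
LAN_ADDR=192.168.1.10

# xinetd: one service entry bound to a single address via 'bind'. The 'id'
# attribute lets two entries share a service name, i.e. the same port can be
# served by one entry on the LAN address and another on loopback.
xinetd_service() {
  # $1 = service name, $2 = unique id, $3 = server binary, $4 = bind address
  cat <<EOF
service $1
{
    id          = $2
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = $3
    bind        = $4
}
EOF
}

# Postfix main.cf: listen only on the listed addresses (comma separated).
postfix_inet_interfaces() {
  printf 'inet_interfaces = %s' "$1"
  shift
  for addr; do printf ', %s' "$addr"; done
  echo
}

# ~/.xserverrc: start the X server with TCP listening disabled.
# /usr/X11R6/bin/X is the assumed XFree86 server path.
xserverrc() {
  printf 'exec /usr/X11R6/bin/X -nolisten tcp "$@"\n'
}

# Report listening sockets bound to every address (0.0.0.0, ::: or *).
# Reads 'netstat -ln' style output on stdin, prints "proto local-address".
wildcard_listeners() {
  awk '$4 ~ /^(0\.0\.0\.0:|:::|\*:)/ { print $1, $4 }'
}

# Constructed sample of 'netstat -ln' output after the changes; not captured
# from a real host. Postfix is now on lo/eth0 only, X is gone, sunrpc remains.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:25         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

echo "# /etc/xinetd.d/telnet (LAN and loopback entries on the same port)"
xinetd_service telnet telnet-lan /usr/sbin/in.telnetd "$LAN_ADDR"
xinetd_service telnet telnet-lo  /usr/sbin/in.telnetd "$LO_ADDR"
echo "# /etc/postfix/main.cf"
postfix_inet_interfaces "$LO_ADDR" "$LAN_ADDR"
echo "# ~/.xserverrc"
xserverrc
echo "# Still bound on every interface, so reachable from ppp0 unless firewalled:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

Run `netstat -ln` (or `ss -ln` on newer systems) piped into `wildcard_listeners` after restarting the services; the X line in the sample is there to show what a server started without `-nolisten tcp` looks like, and the two port-111 lines are the portmapper that, as Bruce says, cannot be told which interface to use.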