[Malvern] Superfluous ports.
Steve Cashmore
steve at cashmore.me.uk
Fri Jan 14 15:53:32 GMT 2005
At 14:18 14/01/2005 +0000, Geoff Bagley wrote:
>How does one identify and close down superfluous TCP/IP ports,
>if possible, flagging up warnings if access be attempted?
The usual way, if security is a priority, is to start from the other end and
close everything, then open only those ports you absolutely need. It is a
little more complex than just closing ports though, and you need to check
SYN flags if inspecting packets. You need to understand the bi-directional
nature of TCP/IP traffic if you're going to port filter; it is quite easy
to misapply rules and get a false sense of security, or to relax
restrictions further than necessary. Try looking at some of the on-line
scripts on the web if you're planning to set up ipchains or iptables. I
don't have a reference to any on hand, but maybe someone here knows of
some. That will help lead you through some of the steps involved.
In your case with a router with NAT applied you have quite a good first
line of defence, no incoming connection packets (with SYN set) will reach
your server unless you instruct the router to forward any specific traffic
to an individual machine. In fact, except for possibly SMTP mail, you may
not need to allow for any incoming connection.
By closing off all ports except SMTP, and blocking incoming pings, I only
get a steady 100 or so frustrated connection attempts to my SMTP server per
day. Before pings were blocked, I used to get about 3 times that level. I
use a combination of router firewall, port filtering, and tcpwrappers to
protect my systems. I no longer log other connection attempts. In my
opinion a bigger risk is from inadvertent compromise of machines inside the
secure zone, either from browser exploits or human engineering.
If you meant you just want to stop those services from running that you
don't need then look at netstat and nmap to identify them. Then close down
the server components either from xinetd or in the startup scripts. ntsysv
will also probably list some of those services that have been configured on
your machine. Depending on your documentation it may sometimes take a
little digging to find where to look. Recent distributions have been much
better in not turning on services by default.
On broadband you will soon get bored looking at all the simple connection
attempts and turn much of the reporting off.
--
Steve
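As an added illustration (not part of Steve's message or of any Malvern LUG material) of the two approaches he describes, the script below first parses `netstat -tln`-style output to find which TCP services are actually listening on a network-reachable address, and then prints a default-deny iptables ruleset in `iptables-restore` format that accepts only SYN packets to the ports you name, allows replies to connections the machine itself opened, and drops incoming pings. The netstat sample is constructed, the `-m state` match is the classic iptables state module of that era, and the ruleset is only printed, never applied, so the whole thing runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the original post.
#   listening_ports    - parse netstat-style output (stdin) for TCP listeners
#   default_deny_rules - print, but do not apply, a default-deny iptables ruleset

# Constructed sample of `netstat -tln` output so the script runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Print the ports of TCP sockets in LISTEN state that are bound to a
# non-loopback address (loopback-only listeners cannot be reached from the
# network, so they are not candidates for port filtering). Output is a
# single space-separated, numerically sorted line, e.g. "22 25 111".
listening_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
            split($4, a, ":")
            if (a[1] != "127.0.0.1") print a[2]
         }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Print an iptables-restore ruleset: INPUT policy DROP, accept loopback and
# replies to our own outbound connections, accept new connections (SYN only)
# to the ports given as arguments, drop echo-requests, log the rest.
# Review the output, then as root: default_deny_rules 25 | iptables-restore
default_deny_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # The bi-directional part: return traffic for connections we initiated
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # A packet opening a new connection must be SYN-only; anything else
    # claiming to be NEW is malformed and is dropped before port checks
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    for port in "$@"; do
        echo "-A INPUT -p tcp --syn --dport $port -j ACCEPT"
    done
    # Block incoming pings
    echo '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    # Rate-limited logging, then fall through to the chain's DROP policy
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "'
    echo 'COMMIT'
}

# Usage: see what is listening, then build rules that admit only SMTP.
echo "Listening on: $(printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports)"
default_deny_rules 25
```

Ports that show up in `listening_ports` but are not in the allow list (111 and 22 in the sample) are the ones to shut off at the source, in xinetd or the startup scripts, rather than merely filtering them; the firewall then only has to cover what is deliberately exposed.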