This is a discussion on Help Closing Ports (Debian Woody) within the Linux Operating System forums, part of the Unix Operating Systems category.

I've used Red Hat for years but this is my first Debian system.

This is a fresh install of Debian (Woody), intended to primarily serve as a Squid web proxy and fileserver for Windows clients. I've got a bunch of junk from the default install listening.

I want ftp, ssh, http, https, samba, and squid (on port 8080 instead of 3128) to be open.

I don't think I need 98, 111, 113, 515, and 32768-70 to be open. Pointers to appropriate help files, or idiot-proof instructions for closing them would be appreciated. Thanks.

output of 'nmap -p 1-65535 localhost' follows ...

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
139/tcp    open        netbios-ssn
443/tcp    open        https
515/tcp    open        printer
8080/tcp   open        http-proxy
32768/tcp  open        unknown
32769/tcp  open        unknown
32770/tcp  open        sometimes-rpc3

Hello

MonkeyOmen (<monkeyomen@nym.hush.com>) wrote:

> I've used Red Hat for years but this is my first Debian system.
>
> This is a fresh install of Debian (Woody), intended to primarily serve
> as a Squid web proxy and fileserver for Windows clients. I've got a
> bunch of junk from the default install listening.
>
> I want ftp, ssh, http, https, samba, and squid (on port 8080 instead
> of 3128) to be open.
>
> I don't think I need 98, 111, 113, 515, and 32768-70 to be open.
> Pointers to appropriate help files, or idiot-proof instructions for
> closing them would be appreciated. Thanks.

Use lsof, netstat or fuser to find the ID of the process that opened the port.

98: linuxconf
111: portmapper
113: identd
515: lpd

These are probably controlled by inetd, so you should take a look at /etc/inetd.conf and deactivate the services you don't need. Then restart inetd:

/etc/init.d/inetd restart

Check your system with netstat -l after the next reboot. Some services like exim (smtp) are configured to automatically switch to standalone mode if they are not started by inetd, so you have to switch these off as well. The best way would be to simply deinstall the services you don't need.

best regards
Andreas Janssen

-- 
Andreas Janssen <andreas.janssen@bigfoot.com>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps.html

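
The audit-then-disable procedure from the reply above, as an added example that is not part of the original thread: it lists TCP listeners that are not on the poster's wanted list together with the owning program, then comments the inetd-managed ones out of inetd.conf. The netstat output and the inetd.conf fragment are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Ports the poster wants reachable: ftp ssh http samba https squid.
WANTED="21 22 80 139 443 8080"

# Constructed `netstat -tlnp` output (run as root to get the last column).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:21     0.0.0.0:*        LISTEN  201/inetd
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  215/sshd
tcp        0      0 0.0.0.0:98     0.0.0.0:*        LISTEN  201/inetd
tcp        0      0 0.0.0.0:111    0.0.0.0:*        LISTEN  120/portmap
tcp        0      0 0.0.0.0:113    0.0.0.0:*        LISTEN  201/inetd
tcp        0      0 0.0.0.0:515    0.0.0.0:*        LISTEN  230/lpd
EOF
}

# Constructed /etc/inetd.conf fragment.
sample_inetd_conf() {
cat <<'EOF'
ftp       stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.ftpd
ident     stream tcp wait   identd /usr/sbin/identd identd
linuxconf stream tcp wait   root   /bin/linuxconf linuxconf --http
EOF
}

# stdin: netstat -tlnp output. Prints "port bind-address program" for
# every TCP listener whose port is not in WANTED.
unexpected_listeners() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # keep what follows the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # bind address without the port
            prog = $7; sub(/^[0-9]+\//, "", prog)  # drop the PID
            if (!(port in keep)) print port, addr, prog
        }'
}

# stdin: inetd.conf. Prints it with the named services commented out.
disable_services() {
    awk -v off="$*" '
        BEGIN { n = split(off, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in drop) { print "#" $0; next }
        { print }'
}

sample_netstat | unexpected_listeners          # 98 and 113 belong to inetd
sample_inetd_conf | disable_services ident linuxconf
```

On Debian, `update-inetd --disable ident` makes the equivalent edit to /etc/inetd.conf. Listeners owned by a standalone daemon (portmap and lpd in the sample) are not in inetd.conf and have to be stopped or removed separately.
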
MonkeyOmen wrote:

> I've used Red Hat for years but this is my first Debian system.
>
> This is a fresh install of Debian (Woody), intended to primarily serve
> as a Squid web proxy and fileserver for Windows clients. I've got a
> bunch of junk from the default install listening.
>
> I want ftp, ssh, http, https, samba, and squid (on port 8080 instead
> of 3128) to be open.
>
> I don't think I need 98, 111, 113, 515, and 32768-70 to be open.
> Pointers to appropriate help files, or idiot-proof instructions for
> closing them would be appreciated. Thanks.
>
>
> output of 'nmap -p 1-65535 localhost' follows ...
>
> Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
> Interesting ports on localhost (127.0.0.1):
> (The 65522 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 80/tcp     open        http
> 98/tcp     open        linuxconf
> 111/tcp    open        sunrpc
> 113/tcp    open        auth
> 139/tcp    open        netbios-ssn
> 443/tcp    open        https
> 515/tcp    open        printer
> 8080/tcp   open        http-proxy
> 32768/tcp  open        unknown
> 32769/tcp  open        unknown
> 32770/tcp  open        sometimes-rpc3

What I do is run an iptables firewall that is restrictive; i.e., all ports are closed except those I specifically open, and those are open only to the senders I specify by IP address. So in your case, I would not enable 98, 111, 113, 515, and 32768-70 from any IP address.

I set it to log all attempts to connect to my machines that are rejected except for pings which are mostly rejected but not logged. Then logwatch sends me an e-mail of all attempts every morning. Also, I can look myself at /var/log/messages for problems. Sometimes it turns out I need to open a port to some IP addresses.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\                            Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 08:35:00 up 2 days, 18:15, 5 users, load average: 4.23, 4.23, 4.18

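
A default-deny ruleset of the kind described in the reply above, as an added example that is not the poster's own firewall: it prints iptables-restore input that opens only the wanted ports to named sources, drops pings silently, and logs everything else before dropping it. The source addresses, the log prefix and the function name are assumptions.

```shell
#!/bin/sh
# Assumed policy as "port:source" pairs. 192.0.2.0/24 is a documentation
# range standing in for the LAN clients; substitute real addresses.
ALLOW="21:192.0.2.0/24 22:192.0.2.10 80:192.0.2.0/24 139:192.0.2.0/24
443:192.0.2.0/24 8080:192.0.2.0/24"

# Print an iptables-restore ruleset: default deny, explicit allows,
# silent drop for pings, everything else logged and dropped.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened; RELATED covers FTP data
    # channels only when the FTP connection-tracking helper is loaded.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for rule in $ALLOW; do
        port=${rule%%:*}
        src=${rule#*:}
        echo "-A INPUT -p tcp -s $src --dport $port -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    echo '-A INPUT -j LOG --log-prefix "fw-denied: "'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

gen_ruleset
```

Ports 98, 111, 113, 515 and 32768-70 get no rule, so connections to them fall through to the LOG and DROP pair and show up in the kernel log.
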
MonkeyOmen <monkeyomen@nym.hush.com> wrote:

> I don't think I need 98, 111, 113, 515, and 32768-70 to be open.

Who cares? You scanned from localhost, so you won't learn anything from that anyway! Don't worry about such things. If there were a security flaw in a default server, a Debian correction would fix it at once, and so would you, automatically, with your nightly updates.

> Pointers to appropriate help files, or idiot-proof instructions for
> closing them would be appreciated. Thanks.
>
> output of 'nmap -p 1-65535 localhost' follows ...
>
> Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
> Interesting ports on localhost (127.0.0.1):
> (The 65522 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 80/tcp     open        http
> 98/tcp     open        linuxconf

This is only going to be open on localhost, where you do need it, and even if it were open to the world, so what? Nobody has your root password, so they can't use it, and if they did have, they could get in via ssh instead (hic: if root login not disabled).

> 111/tcp    open        sunrpc

This doesn't route. And of course will be protected by tcp_wrappers, where presumably you have listed what you want to be able to access it.

> 113/tcp    open        auth

Auth? What? Oh, identd! You need that. Otherwise people out there can't check that you are who you say you are. Well - you could disable it and then you act like a ms-win box, and who would want to do that!

> 139/tcp    open        netbios-ssn

You definitely don't want this anywhere on your system!

> 443/tcp    open        https
> 515/tcp    open        printer

This should be closed to all but local hosts. See your printer setup.

> 8080/tcp   open        http-proxy
> 32768/tcp  open        unknown
> 32769/tcp  open        unknown

These are probably local halves of some connection - but take a look at what they are. Anyway, you can't tell anything by looking from localhost.

> 32770/tcp  open        sometimes-rpc3

Fine. Ditto, I presume.

Peter