DebianThis forum is for the discussion of Debian Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The reason for open ports is that you have services listening on those ports, ftp, ssh and rpc.
You can probably disable everything in /etc/inetd.conf with a "#" at the beginning of each line.
Do a "netstat -tunap|grep LISTEN" and check the servicename to the right, for example ssh.
For each do "update-rc.d -f ssh remove" and "/etc/init.d/ssh stop" substituting ssh for each netstat output.
Do you have samba or nfs?
You can see what rpc service is active:
rpcinfo -p localhost
Then, if you don't need to be an rpc server for anyone but you you can restrict the interface to listen to localhost only
there is an /etc/rpc.conf and there is an option line, here you should probably put -i 127.0.0.1 (look at portmap manpage)
If you don't need portmap (no rpcinfo service that you need), remove the package portmap
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 2989/inetd
This is inetd opening identd.
Either you remove inetd or if you keep it and not need identd, then comment the line identd in /etc/inetd.conf) and restart inetd:
killall -HUP inetd
21 and 22 open needs more investigation, could be your router or anything.
Actually I wonder why it says 113 closed while its opened??
Yes if you have port forwards set on the router the Scan from GRC will show the ports as open regardless if they are open on the PC behind the router or not..
Disable those port forwards in your broadband router config and the scan will be fully stealthed.
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
631/tcp open ipp
i dont think im making this any better. Can you guys take a look at my firewall script please?
Code:
#!/bin/bash
# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
# Remove all rules and chains
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED
# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets
iptables -A FIREWALL -j DROP
# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL
# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP
# Allow https
# iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
# iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
# End message
echo " [End iptables rules setting]"
I know this is very basic. I was hopeing someone could suggest a more hardened firewall entries.
No pun intended but that firewall script doesn't do much. At least make the input default DROP. Hwo about letting this page make a script for you: http://easyfwgen.morizot.net/gen/
Routers aren't very good at stealthing 113. Best way is to forward it in the router to a natted IP address that you don't use. Say your box is 192.168.1.2 then forward 113 to 192.168.1.10 or some such.
You need not worry about services listening on 127.0.0.1:??? since that's just a loopback (localhost).
Like instructed above, remove portmap with "apt-get --purge remove portmap" and comment out everything in /etc/inetd.conf with a "#" at the beginning of each line.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
now to test it...
