[ale] Closing ports 111 & 6000

Dana Powers dana at slothlovechunk.org
Sat Oct 5 20:50:04 EDT 2002


You should not edit /etc/services, as it is just a file that helps the
system map commonly used ports to service names, whether they are turned on
or not. Here are some helpful commands ( run as root ):

This should list all open ports on your machine, along with the running
program that is using them:
bash# netstat -lntp

You will then need to run the scripts in /etc/init.d (or /etc/rc.d/init.d/
for RedHat et al. - I use Debian)
to shut down the appropriate services. In this case, port 111 is portmap and
port 6000 is X.

portmap is simple ( remember the directory your startup scripts are in is
distribution specific ):
bash# /etc/rc.d/init.d/portmap stop

X is a little harder - if you are running xdm or kdm or gdm as a login
manager, you'll need to stop that ( replace kdm with yours - find it using
'ps aux'):
bash# /etc/rc.d/init.d/kdm stop

If you are running RedHat, you may very likely have a login manager that is
auto-respawned by init, which brings us to a larger topic: runlevels.
Most Linux distributions use runlevels to determine what gets started on
boot up. These are typically numbered 0-6 , where 0,1, and 6 are reserved
for system states such as admin mode, single user mode, shutdown, etc. You
probably should worry about these. Levels 2-5 are all yours. Most people
will use the default runlevel forever, never change it, maybe never even
modify what gets started etc, but it is very handy to understand what they
are and how they work. Typically the higher the number, the more
workstation-like your machine will be, and the lower it is, the more
server-like your machine will be. By this I mean: workstation having nice
desktop GUIs and other handy things - typically not as secure, and should
generally be behind a more protective firewall etc. Server having only
essential services running, usually as securely as possible. The default
runlevel is 5 for current RedHat distributions as far as I know, which puts
it squarely in workstation mode, and 2 for Debian ( what I use ), which puts
it squarely in server mode.

To find out what runlevel your system is currently in, just type 'runlevel'.
You should get 2 numbers, the first will be the previous runlevel, and the
second will be the current runlevel. If there is only one, then it is just
the current runlevel.

/etc/rc.d/rcX.d/ , where X is the runlevel, is where the system stores what
programs will start automatically with each runlevel. RedHat has a nifty
little utility called 'chkconfig' which manages all system services and the
runlevels associated with them. Try this:
bash# chkconfig --list
Debian has a script named 'update-rc.d', and I'm not sure about the other
distributions. Check out the chkconfig documentation on how to adjust the
services started at each runlevel.

What I have done on RedHat machines that need to be secured is to change the
default runlevel to 2, and modify runlevel 2 using chkconfig to only start
ssh and apache or whichever services are appropriate. To do this, you will
need to understand a) how to switch runlevels, and b) how to set the default
system runlevel.

Switching runlevels is as easy as typing 'init X' where X is the runlevel you
want to switch to. This will start/stop the appropriate services using the
scripts in /etc/rc.d/ and zing, you've got yourself a new runlevel ( check
using 'runlevel' ). Note that using init to switch to runlevels 0,1 or 6
will probably shut your system down, as with 'shutdown' or 'reboot' , so be
careful.

The default system runlevel is set in /etc/inittab , usually at the top on
the line labeled 'initdefault' . Changing this will basically tell the
system which runlevel to boot into when you power up. This file also has
many lines with the phrase 'respawn' in them. These processes will be
automatically restarted if you ever try to kill them, or they die for some
reason. This is the case with the graphical login manager enabled with newer
versions of RedHat ( 7.3 is the last I looked on ), which means that you may
have a hard time getting X to die, and thus close port 6000, without
changing runlevels and/or modifying the respawn properties of the login
system.

While this is a lot of information, perhaps more than you wanted or needed,
understanding your system is typically the best foundation for managing its
security - which seems to be your intent. Good luck, and thanks for caring
about your system's security!

Dana Powers

----- Original Message -----
From: "Weston, Scott" <Scott.Weston at CompuCredit.com>
To: ale at ale.org
Sent: Friday, September 06, 2002 8:07 AM
Subject: [ale] Closing ports 111 & 6000


> I am trying to close ports 111 and 6000 on my Linux box. I edited the lines
> referencing to the specific ports in /etc/services. Where else do I need to
> go to close the ports down???  Scott
>
>
> ==================================================
> This message contains PRIVILEGED and CONFIDENTIAL
> information that is intended only for use by the named recipient.
> If you are not the named recipient, any disclosure, dissemination,
> or action based on the contents of this message is prohibited.
> In such case please notify us and destroy and delete all copies
> of this transmission.  Thank you.
> ==================================================
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>
>
>
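
An added example, not part of the original message: a shell sketch that reads `netstat -lntp` output to map listening ports to programs, and reads an inittab to show the default runlevel and which processes init respawns there, which is why stopping a login manager by hand may not close port 6000. The function names and both sample inputs (including the mingetty and prefdm lines) are constructed for illustration; on a real host, pipe in `netstat -lntp` and `/etc/inittab` instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntp` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  412/portmap
tcp        0      0 0.0.0.0:6000     0.0.0.0:*        LISTEN  1093/X
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  633/sshd'

# Constructed sample in /etc/inittab format: id:runlevels:action:process
SAMPLE_INITTAB='# default runlevel
id:5:initdefault:
l2:2:wait:/etc/rc.d/rc 2
l5:5:wait:/etc/rc.d/rc 5
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon'

# listeners: read `netstat -lntp` output on stdin, print "port program".
listeners() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); split($7, p, "/"); print a[n], p[2] }'
}

# default_runlevel: read an inittab on stdin, print the initdefault runlevel.
default_runlevel() {
    awk -F: '!/^#/ && $3 == "initdefault" { print $2; exit }'
}

# respawned_in LEVEL: read an inittab on stdin, print the processes init will
# restart in that runlevel (killing them by hand does not keep them down).
respawned_in() {
    awk -F: -v rl="$1" '!/^#/ && $3 == "respawn" && index($2, rl) {
        p = $4; for (i = 5; i <= NF; i++) p = p ":" $i; print p }'
}

report() {
    echo "Listening TCP ports:"
    printf '%s\n' "$SAMPLE_NETSTAT" | listeners | sort -n
    lvl=$(printf '%s\n' "$SAMPLE_INITTAB" | default_runlevel)
    echo "Default runlevel: $lvl; respawned there:"
    printf '%s\n' "$SAMPLE_INITTAB" | respawned_in "$lvl"
    echo "Respawned in runlevel 2:"
    printf '%s\n' "$SAMPLE_INITTAB" | respawned_in 2
}
report
```

In the sample, the login manager entry is tied to runlevel 5 only, so it is not respawned after switching to runlevel 2.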

