Linode.com Forum Forum Index Linode.com Forum
Linode Community Forums
 


Securing Linux, closing ports


 
       Linode.com Forum Forum Index -> Performance and Tuning
Author Message
pmmenneg



Joined: 09 Mar 2004
Posts: 41

Posted: Mon Dec 03, 2007 12:28 pm    Post subject: Securing Linux, closing ports  

I am building a new install, and trying to be sure that I will not have any ports open that I shouldn't. This linode will be a web server w/ mysql, no access to the mysql from anything other than localhost, no mail, etc.

nmap reveals the following:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1672 closed ports
PORT STATE SERVICE
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
3306/tcp open mysql

I need http and ssh open, and I am debating ftp vs sftp, but I do not need 25 for sure; I'm not sure how to close that up. Anyone have any ideas about discard, daytime, time, and whether or not I need mysql to have a port open if I will have php talking to mysql directly on the same box?

Thanks for any insight,

Paul
pmmenneg



Joined: 09 Mar 2004
Posts: 41

Posted: Mon Dec 03, 2007 12:57 pm    Post subject:  

Not sure if this helps, but I ran an nmap scan on my IP address as well, and a port scan from a web page, and port 25, etc., show up there too, so they appear open to the outside world as well, not just on localhost.

Also note this is a clean Debian 4 install, only vsftpd, apache2 and mysql5 added.

Thanks
zunzun



Joined: 18 Feb 2005
Posts: 178
Location: Birmingham, Alabama USA

Posted: Mon Dec 03, 2007 1:19 pm    Post subject:  

Here are my notes:

nano /etc/ssh/sshd_config, set PermitRootLogin to no and check that root cannot ssh into box

------------------------- iptables.sh with ssh brute force preventer -----------------------------------
#!/bin/sh

# Default policies: never forward; accept input, then drop the unwanted
# connection attempts explicitly below.
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT

# Drop new inbound TCP connections (SYN) arriving on eth0 for every port
# except 22 (ssh), 80 (http) and 443 (https).
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 0:21 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 23:79 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 81:442 -j DROP
iptables -A INPUT -i eth0 -p tcp --syn --destination-port 444: -j DROP

# SSH brute-force limiter. The first rule only records the source address of
# each NEW connection in the "SSH" list; it carries no target, so the packet
# continues to the next rules (and is finally accepted by the INPUT policy).
# The next two rules log and then drop a source that has opened 4 or more new
# connections within 60 seconds. All three rules are restricted to NEW
# connections so packets of an established session are never counted or dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

and start manually as root. (chmod 755 iptables.sh also)

# to ensure this script starts at boot, add links to /etc/rc2-5
ln -s /etc/init.d/iptables.sh /etc/rc2.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc3.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc4.d/S99iptables
ln -s /etc/init.d/iptables.sh /etc/rc5.d/S99iptables
pmmenneg



Joined: 09 Mar 2004
Posts: 41

Posted: Mon Dec 03, 2007 1:43 pm    Post subject:  

So I create this iptables.sh script as you posted and place it in /etc/init.d/?

Thanks.
tofu



Joined: 01 Jul 2006
Posts: 29
Location: Ghent, Belgium

Posted: Mon Dec 03, 2007 4:11 pm    Post subject:  

I use Firehol. Very easy to configure.
SteveG



Joined: 30 Nov 2003
Posts: 224

Posted: Mon Dec 03, 2007 6:08 pm    Post subject:  

First, let me add another vote for Firehol. Much better than dinking around with rules directly - it's really easy to get those wrong.

Second, while a firewall is a good idea, you should disable the service in addition to blocking the port. Thus, reconfigure your mail server to listen only on localhost, rather than just blocking external access to port 25.

Third, in response to the original post, if your only access to mysql is from the same host, it doesn't need to listen on any port - it can listen to a named socket on the file system.
pmmenneg



Joined: 09 Mar 2004
Posts: 41

Posted: Mon Dec 03, 2007 6:10 pm    Post subject:  

This is really my goal: shut down the ports, not just block them.

As I have a clean Debian install with no mail apps per se, any idea how I would figure out what opened port 25 and whether anything is listening on it?
pclissold



Joined: 24 Oct 2003
Posts: 472
Location: Netherlands

Posted: Mon Dec 03, 2007 6:33 pm    Post subject:  

netstat --listening --inet --program

will tell you what PID and program name are listening on what port.
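A way to act on that netstat listing together with SteveG's advice above (shut the service down or bind it to localhost rather than only firewalling it), added here as an example that is not from any poster in this thread: a POSIX shell function that reads netstat's listening-socket table and reports every TCP listener bound to a non-loopback address whose port is not on an allowlist. It assumes the netstat command above is run with --numeric added so ports print as numbers; the sample table is constructed to mirror the original poster's scan, and the PID/program names in it are made up.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allowlist of ports that are meant
# to be reachable from outside. Input (stdin) is the output of
#   netstat --listening --inet --program --numeric
# Arguments are the allowed port numbers. Prints one line per listener that
# is bound to a non-loopback address and is not allowed: "<port> <addr> <pid/prog>".
audit_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # a 127.x.x.x binding is reachable only from the box itself
            if (addr ~ /^127\./) next
            if (index(allowed, " " port " ") > 0) next
            print port, addr, $7
        }'
}

# Constructed sample (not real output from anyone in the thread): the ports
# from the original nmap scan, with made-up PIDs and program names.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN      1001/inetd
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN      1001/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1200/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1100/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1300/exim4
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      1001/inetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/apache2
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1500/mysqld'

# The same box after the fixes discussed above: inetd services switched off,
# the MTA bound to loopback only, mysql reachable only through its unix socket.
FIXED='tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1200/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1100/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/exim4
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/apache2'

# Only ssh and http are meant to face the network; everything else is reported.
printf '%s\n' "$SAMPLE" | audit_listeners 22 80
```

On a live box, replace the sample with `netstat --listening --inet --program --numeric | audit_listeners 22 80`; an empty result means nothing unexpected is exposed.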
IntuititveNipple



Joined: 03 Dec 2007
Posts: 21

Posted: Tue Dec 04, 2007 12:09 am    Post subject:  

I protect the 'management' ports a different way. I do not open SSH or any FTP or HTTP/S web-admin ports (Webmin, Zope, etc.) to the public Internet.

Instead I set up a VPN using openvpn with a CA certificate used to sign the server (Linode) and clients (remote) certificates.

The clients have copies of the CA certificate and their own certificate and private 'key'.

In addition I configure openvpn to use a keyed-Hash Message Authentication Code (HMAC) certificate to prevent denial of service attacks on the openvpn UDP port from preventing legitimate access.

Each client creates a connection using openvpn. Once connected they can SSH or access the other admin services as usual.

I also use sshfs to mount the Linode file-system into the remote PC for easy file manipulation.
gregg



Joined: 29 Mar 2007
Posts: 9
Location: burlington, nc

Posted: Tue Dec 04, 2007 10:45 am    Post subject:  

And of course a really un-sexy way to stop a lot of script-kiddies is to just change the SSH port to something other than 22. When I did this, I went from hundreds of SSH port-22 attempts to 0. Yes, zero; I was surprised.
unixfool



Joined: 08 Apr 2004
Posts: 61
Location: VA

Posted: Tue Dec 04, 2007 10:12 pm    Post subject:  

Quote:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-03 12:23 EST
Interesting ports on localhost (127.0.0.1):

One thing you should do is scan from another machine and not from the same machine...you'd get a better picture of what's actually exposed to the internet.

Just my 2 cents...