Locking Down Ports Under Linux

by Greg Pregovia.

TCP/IP networks assign a port to each service, such as HTTP, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3). This port is given a number, called a port number, used to link incoming data to the correct service. For example, if a client browser is requesting to view a server’s Web page, the request will be directed to port 80 on the server. The Web service receives the request and sends the Web page to the client. Each service is assigned a port number, and each port number has a TCP and UDP port. For example, port 53 is used for the Domain Name System (DNS) and has a TCP port and a UDP port. TCP port 53 is used for zone transfers between DNS servers; UDP port 53 is used for common DNS queries—resolving domain names to IP addresses.

Well-Known and Registered Ports

There are two ranges of ports used for TCP/IP networks: well-known ports and registered ports. The well-known ports are the network services that have been assigned a specific port number (as defined by /etc/services). For example, SMTP is assigned port 25, and HTTP is assigned port 80. Servers listen on the network for requests at the well-known ports. Registered ports are temporary ports, usually used by clients, and will vary each time a service is used. Registered ports are also called ephemeral ports, because they last for only a brief time. The port is then abandoned and can be used by other services.

The port number ranges are classified, as shown in Table 2.1, according to Request for Comments (RFC) 1700. To access RFC 1700, go to ftp://ftp.isi.edu/in-notes/rfc1700.txt.

Port Number Ranges for Various Types:

Well-known: 1 to 1023
Registered: 1024 to 65535

Connections to port numbers 1023 and below are assumed to run with root-level privileges. This means that untrusted services should never be configured with a port number below 1024. You will see how well-known ports work with registered ports shortly.

Commonly Used Well-Known TCP/UDP Port Numbers

FTP (Default data): 20
FTP (Connection dialog, control): 21
Telnet: 23
SMTP: 25
DNS: 53
DHCP BOOTP Server: 67
DHCP BOOTP Client: 68
TFTP: 69
Gopher: 70
HTTP: 80
POP3: 110
NNTP: 119
NetBIOS Session Service: 139
Internet Message Access Protocol (IMAP), version 2: 143

To explain how well-known ports work with registered ports, let’s look at a typical Web site connection from a Web browser to a Web server. The client sends the HTTP request from a registered TCP port, such as port 1025. The request is routed across the network to the well-known TCP port 80 of a Web server. Once a session is established, the server continues to use port 80, and the client uses various registered ports, such as TCP ports 1025 and 1026, to transfer the HTTP data. Figure 2.5 is a packet capture that displays the establishment of a TCP session between a client and server, and the transmission of HTTP data between them. In frame 2 of the packet capture, the source address (24.130.10.35) is the client computer requesting the Web page. The destination address (192.0.34.65) is the Web server, which hosts the Internet Corporation for Assigned Names and Numbers (ICANN) Web site. In the Info field, the 1025 > 80 indicates that the source TCP port is 1025 and the destination TCP port is 80. The first three frames display the TCP handshake, which establishes a TCP connection between the client and server. In the frames that follow, the client requests HTTP data from the server. The request determines the HTTP version that the client and server will use. The client then requests and downloads the contents of the Web page.

Determining Ports to Block

When determining which ports to block on your server, you must first determine which services you require. In most cases, block all ports that are not exclusively required by these services. This is tricky, because you can easily block yourself from services you need, especially services that use ephemeral ports, as explained earlier.

If your server is an exclusive e-mail server running SMTP and IMAP, you can block all TCP ports except ports 25 and 143, respectively. If your server is an exclusive HTTP server, you can block all ports except TCP port 80. In both cases, you can block all UDP ports, since SMTP and IMAP both use TCP exclusively. However, if you want to use your server as an HTTP client (i.e., for accessing operating system updates) or as an e-mail client to a remote mail server, these rules will restrict the system. Clients require registered UDP ports for DNS, as well as registered TCP ports for establishing connections with Web servers. If you open only the corresponding UDP ports 25, 80, and 143, DNS requests are blocked because DNS queries use UDP port 53, and DNS answers use a UDP registered port (e.g., the response stating that www.syngress.com = 205.181.158.215). Even if you open port 53, a different registered port may be assigned each time for the answer. Attempting to allow access to a randomly assigned registered port is almost impossible and a waste of time. The same problem applies to TCP connections that require ephemeral ports. Therefore, you should either open all TCP/UDP registered ports (so you can use your server as a client), or block them (except for the services you require) and access resources, such as operating system updates, another way. Many administrators order the Red Hat Linux Update CDs, which are re-mastered every eight weeks and contain all current updates (www.redhat.com/products/software/linux/updatecd/). You can also simply download the updates from another computer.
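Once you have decided which services the server must keep, the remaining step is to find out what else is listening. The following POSIX shell script is an added example for this article, not code from the original text: it reads the output of iproute2's `ss -H -tuln` (assumed to be installed for the live check), reduces it to protocol/port pairs, and prints every listener that is not on the allowlist you pass in. The `SAMPLE_SS` lines are a constructed sample of what a small mail server might show, so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example: audit listening sockets against the ports you decided to keep.
# Assumes iproute2's `ss` for the live check; the parsing itself is exercised on
# a constructed sample (the lines below are made up, not from a real host).
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:111    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:25     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:143    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
tcp   LISTEN 0 128 [::]:79        [::]:*'

# Read `ss -H -tuln` style lines on stdin; print unique "proto port" pairs.
# The port is whatever follows the last colon of the local address, which
# also handles IPv6 forms such as [::]:79.
listening_ports() {
    awk '$1 == "tcp" || $1 == "udp" {
        p = $5; sub(/.*:/, "", p); print $1, p
    }' | LC_ALL=C sort -u
}

# $1 is the allowlist, e.g. "tcp/25 tcp/143". Prints every listener that is
# not on it, one per line; prints nothing when the host matches the policy.
unexpected_listeners() {
    allow=" $1 "
    listening_ports | while read -r proto port; do
        case "$allow" in
            *" $proto/$port "*) ;;          # required service, keep quiet
            *) echo "$proto/$port" ;;       # candidate for blocking
        esac
    done
}

audit_sample() { printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$1"; }
audit_live()   { ss -H -tuln | unexpected_listeners "$1"; }

# Example run for the mail-server policy from the text (SMTP + IMAP only):
#   audit_sample 'tcp/25 tcp/143'
```

Run `audit_live 'tcp/25 tcp/143'` on the server itself; each line it prints is a service to disable (see the sections below) or to justify. Ephemeral client ports do not appear, because only listening sockets are examined, so the script does not trip over the DNS and client-side problem described above.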

Blocking Ports

To block TCP/UDP services in Linux, you must disable the service that uses the specific port. The following section discusses disabling ports using xinetd, and disabling ports assigned to stand-alone services.

Xinetd Services

Many services are disabled by their respective files in the /etc/xinetd.d directory by commenting out the service that uses the port. For example, to disable port 79 (used for finger services, which gives out user data that can be used by malicious hackers), you would comment out the service finger entry in the /etc/xinetd.d/finger file. Refer to Table 2.2 to view other ports you may wish to block. It lists common ports blocked by firewalls. However, these ports can also be blocked at the server itself. Follow these steps to disable port 79:

1. To disable port 79, you must edit the /etc/xinetd.d/finger file. Open the finger file and locate the service finger line.

2. Comment out the finger service line, and then write and quit the file.

3. Next, you must restart xinetd by entering:

/etc/rc.d/init.d/xinetd restart

4. If you have a finger program installed on your system, or access to a finger gateway, attempt a finger request to your system. You should fail. Note that you can use xinetd to disable many other ports.
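The same procedure can be scripted so it is repeatable across servers. The script below is an added example, not part of the original article: rather than commenting out the entry as the steps above do, it sets xinetd's own `disable = yes` attribute inside the service block (an attribute standard xinetd honours), and then restarts xinetd with the same init script the text uses. The `SAMPLE_FINGER` text is a constructed service file, not copied from any distribution, and `disable_xinetd_service` assumes the /etc/xinetd.d layout and init script path given above.

```shell
#!/bin/sh
# Added example: non-interactive version of the xinetd steps above. Instead of
# commenting out the entry, it sets xinetd's own "disable = yes" attribute in
# the service block, then restarts xinetd the way the text does. The finger
# file below is a constructed sample, not copied from any distribution.
SAMPLE_FINGER='service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = no
}'

make_sample_finger() { printf '%s\n' "$SAMPLE_FINGER" > "$1"; }

# Exit 0 when the file already carries "disable = yes".
xinetd_is_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Rewrite $1 so the service is disabled: flip an existing disable line to
# yes, or insert one before the closing brace if the file has none.
xinetd_disable() {
    f=$1
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        sed -E 's/^([[:space:]]*disable[[:space:]]*=[[:space:]]*).*/\1yes/' "$f" > "$tmp"
    else
        awk '/^}/ && !done { print "\tdisable\t\t= yes"; done = 1 } { print }' "$f" > "$tmp"
    fi
    cat "$tmp" > "$f" && rm -f "$tmp"   # write in place; keeps mode and owner
    xinetd_is_disabled "$f"
}

# Full procedure for a real host (needs root), e.g.: disable_xinetd_service finger
disable_xinetd_service() {
    xinetd_disable "/etc/xinetd.d/$1" || return 1
    /etc/rc.d/init.d/xinetd restart
}
```

After running it, step 4 above still applies: try a finger request against the host to confirm port 79 no longer answers.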

Stand-Alone Services

To disable ports whose corresponding services are not included in the /etc/xinetd.d directory, you must kill the service’s process and make sure that service does not automatically restart upon reboot. These services are called stand-alone services. For example, port 111 is assigned a stand-alone portmapper service not required for most e-mail servers. The portmapper service, which is technically part of the Sun Remote Procedure Call (RPC) service, runs on server machines and assigns port numbers to RPC packets, such as NIS and NFS packets. Because these RPC services are not used by most e-mail services, port 111 is not necessary. To disable port 111, you must disable the portmapper service as follows:

1. To disable the portmapper service, identify the process identifier (PID) for portmap by entering:

ps aux | grep portmap

2. The second column lists the PID number. The last column lists the process using that PID. To stop the portmapper service, identify the PID number and enter:

kill -9 [PID NUMBER]

3. To make sure the service does not restart during reboot, enter:

ntsysv

4. Scroll down to the portmap service and uncheck the check box next to the service. Click OK. The portmap service will no longer restart at bootup.

Some ports, such as port 80, are not activated unless the service is installed. For example, if you have not installed Apache server, then port 80 is not used. There is no need to block the port because it is already disabled.
