port 111

hi

If I do a portscan on my fbsd box, I get one port that I don't want to see open:
that's port 111, sunrpc. How can I close it?
And also my-sql port 1433 and port 1523 (cichild-lm).

tnx for your help!!

Check the man page for services and inetd.conf - (works on SUN)
Hopefully yours are the same - you can then comment out the ones you don't want.

On FreeBSD, you should check your /etc/inetd.conf file to make sure that all the services you don't want have a # at the front of the line.
Then, edit /etc/rc.conf and set (I think) portmap=NO

Actually, I have an OpenBSD box that I don't run any services but sshd - I have disabled both portmap and inetd.

The easiest way to clear this up may be to reboot, unless you want to try to kill everything that's running that you just turned off.

Check again to see what ports are open, and keep adjusting and researching until it's how you want it!

Also, the way to figure out for sure what process is opening port 1433 and 1533 is to use "lsof", a wonderful free tool that may already be installed on your system.
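An added example, not part of the original thread: a small shell script for the inetd.conf step described above. It lists the entries that are still enabled, flags RPC-based entries that rely on the portmapper on port 111, and prints a copy of the file with chosen services commented out. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf-style file.
# Function names and the sample file are constructed for illustration.

# List "service protocol" for every entry that is NOT commented out.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1, $3 }' "$1"
}

# List enabled RPC-based entries; these rely on the portmapper (port 111).
inetd_needs_portmap() {
    awk '!/^[ \t]*#/ && NF >= 6 && $3 ~ /^rpc\// { print $1 }' "$1"
}

# Print FILE with the named services commented out; FILE is not modified.
inetd_disable() {
    file=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in off) { print "#" $0; next }
        { print }
    ' "$file"
}

# Constructed sample in inetd.conf layout (one entry already disabled).
write_sample() {
    cat > "$1" <<'EOF'
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
rstatd/1-3 dgram rpc/udp wait   root    /usr/libexec/rpc.rstatd rpc.rstatd
EOF
}

# Demo run against the constructed sample.
conf=$(mktemp)
write_sample "$conf"
echo "enabled now:";        inetd_enabled "$conf"
echo "need the portmapper:"; inetd_needs_portmap "$conf"
inetd_disable "$conf" ftp rstatd/1-3 > "$conf.new"
echo "enabled after edit:"; inetd_enabled "$conf.new"
rm -f "$conf" "$conf.new"
```

inetd rereads its configuration when it receives SIGHUP, so an edited file only takes effect after that signal or a restart.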

You must create a firewall configuration file. Check the one which FBSD already uses as a sample, /etc/rc.firewall, adjust it to your needs, and enable the firewall at boot time (add two lines, firewall_enable="YES" and firewall_type="SIMPLE", in /etc/rc.conf). Start the firewall at runtime using this line: # sh /etc/rc.firewall, and you're finished. But be careful, you should have the console close, especially if you made a mistake somewhere...

Why do you need a firewall if you close the ports? You can't attack a port that isn't open...

Yes, that's true, but a firewall can drop a packet, while a closed port usually returns "icmp port unreachable", and it is harder to fingerprint the OS on the machine.

A firewall is yet another item that can be not only fingerprinted, but exploited and bypassed, only to hit that much harder on admins lulled into a false sense of security...

For example, look at the recent developments with fragroute vs. snort. It can be used to perform very common attacks right under snort's nose without even a whimper... I realize that snort is probably not what you had in mind, but I am willing to bet this becomes a very widely used attack tool to bypass both IDS and firewalls completely, until a better solution is attained.