[lug] Firewall / Lockdown questions

John Hernandez jph at jph.net
Tue Jul 31 16:26:17 MDT 2007


Comments inline.

On 7/31/07, dio2002 at indra.com <dio2002 at indra.com> wrote:
>
> When i run netstat and or nmap on what is going to be a web server:
>
> PORT     STATE SERVICE
> 25/tcp   open  smtp
> 80/tcp   open  http
> 111/tcp  open  rpcbind
> 443/tcp  open  https
> 930/tcp  open  unknown
> 3306/tcp open  mysql
>
> ports 930 and 111 (rpc.statd & portmap) seem to be open for connection
> from the world.  the following init.d services start these processes:
>
> nfslock -> port 930 rpc.statd
> portmap -> port 111 portmap
>
> if i stop these services, they disappear from netstat / nmap listings which
> i think is what i want.  questions:
>
> 1) is there any reason why nfslock should be running if i don't have nfs
> running? oddly enough the system installed by default to disable nfs yet
> enabled nfslock


I believe nfslock is used for the nfs client functionality.  If you don't
plan to mount any remote NFS filesystems on this box, it should be safe to
disable this.

> 2) Is there any reason why i want portmap running?  I'm not sure but it
> looks like portmap was probably needed to serve the requests to nfs and
> nfslock which is possibly why it's enabled?  What typical services is
> portmap a frontend for and is there a way to discover that on a running
> system:
>
> # rpcinfo -p localhost
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp    927  status
>     100024    1   tcp    930  status


Your assessment is correct - it's there for the nfs client capability.
Again, you should be able to disable it.

> Also, sendmail is enabled in chkconfig.  It shows up in both nmap /
> netstat.  My server will only need the ability to send outbound
> error/status mail FROM the server to an external admin email address.
>
> 3) Do i need to have this sendmail service enabled for simple outgoing
> mail as described?   Basically how do i configure minimal outbound
> sendmail capability while keeping either:
>
> a) the port entirely closed / invisible (not sure if that's even possible)
> or
> b) locked down (visible and open but only sends from local host and
> accepts no inbound - i'm thinking this can be done in a config file
> without the need for iptables rules).


All distros these days default to one of a) (by means of listening on the
loopback interface) or b).   You didn't mention what you're using, but
unless it's really out-of-date, I'd be surprised if you need to do anything
here other than maybe setting the alias for root.

-John
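A small check that ties questions 2 and 3 together, added here as an example and not part of the thread: it parses `netstat -tln` output to list TCP listeners bound to anything other than loopback, and looks each such port up in `rpcinfo -p` output to name the RPC program behind it (111 and 930 above). The sample outputs are constructed; the function expects Linux netstat formatting with the local address in column 4.

```shell
# Constructed sample of `netstat -tln` output (not taken from the post).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:930             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Constructed sample of `rpcinfo -p localhost` output.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    927  status
    100024    1   tcp    930  status'

# Print, space-separated and sorted, every TCP port listening on a
# non-loopback address (0.0.0.0 or :: wildcard, or a real interface).
# Reads netstat -tln output on stdin; a sendmail bound to 127.0.0.1:25
# (option a in the question) does not appear here.
exposed_tcp_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host != "127.0.0.1" && host != "::1") print port
    }' | sort -n | tr "\n" " " | sed 's/ $//'
}

# Print the RPC program name registered on a given TCP port, if any.
# Usage: rpc_service_on_port PORT   (rpcinfo -p output on stdin)
rpc_service_on_port() {
    awk -v p="$1" '$3 == "tcp" && $4 == p { print $5; exit }'
}

# One line per exposed port, annotated when portmap knows the program.
report_exposure() {
    for port in $(printf '%s\n' "$SAMPLE_NETSTAT" | exposed_tcp_ports); do
        rpc=$(printf '%s\n' "$SAMPLE_RPCINFO" | rpc_service_on_port "$port")
        if [ -n "$rpc" ]; then
            echo "$port exposed (rpc: $rpc)"
        else
            echo "$port exposed"
        fi
    done
}
```

On a live box, replace the two samples with `netstat -tln` and `rpcinfo -p localhost`; after stopping nfslock and portmap, 111 and 930 should drop out of the report.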