[lug] Firewall / Lockdown questions
Hugh Brown
hugh at math.byu.edu
Tue Jul 31 16:23:22 MDT 2007
dio2002 at indra.com wrote:
> When i run netstat and or nmap on what is going to be a web server:
>
> PORT STATE SERVICE
> 25/tcp open smtp
> 80/tcp open http
> 111/tcp open rpcbind
> 443/tcp open https
> 930/tcp open unknown
> 3306/tcp open mysql
>
> ports 930 and 111 (rpc.statd & portmap) seem to be open for connection
> from the world. The following init.d services start these processes:
>
> nfslock -> port 930 rpc.statd
> portmap -> port 111 portmap
>
> If I stop these services, they disappear from netstat / nmap listings, which
> I think is what I want. Questions:
>
> 1) Is there any reason why nfslock should be running if I don't have nfs
> running? Oddly enough the system installed by default to disable nfs yet
> enabled nfslock.
>
> 2) Is there any reason why I want portmap running? I'm not sure, but it
> looks like portmap was probably needed to serve the requests to nfs and
> nfslock, which is possibly why it's enabled? What typical services is
> portmap a frontend for, and is there a way to discover that on a running
> system:
>
> # rpcinfo -p localhost
> program vers proto port
> 100000 2 tcp 111 portmapper
> 100000 2 udp 111 portmapper
> 100024 1 udp 927 status
> 100024 1 tcp 930 status
>
>
> Also, sendmail is enabled in chkconfig. It shows up in both nmap /
> netstat. My server will only need the ability to send outbound
> error/status mail FROM the server to an external admin email address.
>
> 3) Do I need to have this sendmail service enabled for simple outgoing
> mail as described? Basically, how do I configure minimal outbound
> sendmail capability while keeping either:
>
> a) the port entirely closed / invisible (not sure if that's even possible), or
> b) locked down (visible and open but only sends from local host and
> accepts no inbound - I'm thinking this can be done in a config file
> without the need for iptables rules).
>
> thanks
nfslock/portmap are needed if you are an nfs client (not just for being
a server). If you aren't mounting nfs shares, you can turn them off.
You can change sendmail to only listen on 127.0.0.1 for local mail in
your sendmail.mc/sendmail.cf.
Unless you need mysql to talk to outside systems, I would lock that down
to lo/127.0.0.1 as well.
If it's a web server, it really should only allow inbound connections to
80 and 443.
You may want to allow in ssh so that you can manage it.
Hugh
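The following is an added example, not part of the thread, that turns Hugh's advice into a runnable check: it parses a `netstat -ltn` style listing, reports every LISTEN socket bound to a wildcard address (0.0.0.0 or ::) that is not one of the ports a web server should expose, and emits the iptables rule set he describes (inbound 80/443 plus ssh, everything else dropped). The listing embedded below is constructed to mirror the original poster's ports and is not real output; the script assumes iptables is the firewall in use and prints the rules rather than applying them.

```sh
#!/bin/sh
# Added example (not from the thread): audit exposed TCP listeners and emit a
# default-deny inbound rule set for a web server.
#
# Assumed input format: `netstat -ltn` (Proto Recv-Q Send-Q Local Address
# Foreign Address State). On systems with iproute2, `ss -ltn` is similar but
# the column layout differs, so adjust the awk field numbers if you use it.

# Constructed sample modelled on the original poster's open ports. Not real
# output from any machine. Feed real data with: netstat -ltn | exposed_ports
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:930                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::443                      :::*                        LISTEN'

# Print one port per line for every LISTEN socket whose local address is a
# wildcard (0.0.0.0, :: or *), i.e. reachable from every interface. Sockets
# bound to 127.0.0.1 or ::1 are skipped because they are already local-only.
exposed_ports() {
    awk '$NF == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::" || host == "*") print port
    }' | sort -n | uniq
}

# Given the space-separated list of ports a web server should expose (e.g.
# "22 80 443"), print the exposed ports that are NOT on that list. Those are
# the services to stop (nfslock, portmap) or to bind to 127.0.0.1 (sendmail,
# mysql) before the box goes live. Reads netstat output on stdin.
unexpected_exposed() {
    allowed="$1"
    exposed_ports | while read -r p; do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Emit (do not apply) the inbound policy Hugh describes: loopback and already
# established traffic are allowed, the listed TCP ports are allowed from
# anywhere, and the INPUT default policy is set to DROP last so an existing
# ssh session is never cut off while the rules are being loaded.
# Apply with: firewall_rules "22 80 443" | sh   (as root, from a console or a
# second session you can afford to lose), then `service iptables save` on a
# Red Hat style system to keep them across reboots.
firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -P FORWARD DROP"
    echo "iptables -P INPUT DROP"
}

# Stand-alone demonstration against the constructed listing.
echo "Exposed ports that a web server should not offer to the world:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_exposed "22 80 443"
echo
echo "Rules to apply once those are closed or bound to 127.0.0.1:"
firewall_rules "22 80 443"
```

Run against the constructed listing the audit reports 25, 111, 930 and 3306, which matches what the poster saw: 111 and 930 go away with `chkconfig nfslock off; chkconfig portmap off` followed by `service nfslock stop; service portmap stop` (after confirming `/etc/fstab` and `mount` show no nfs filesystems), sendmail stays usable for outbound mail while listening only locally with `DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl` in sendmail.mc (rebuild sendmail.cf with `make -C /etc/mail` and restart), and mysql is kept off the network with `bind-address = 127.0.0.1` in the `[mysqld]` section of my.cnf (or `skip-networking` if only local socket access is needed). The firewall is the second layer: even if a daemon is later re-enabled on a wildcard address, nothing but 22, 80 and 443 is reachable from outside.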