Subject: Re: Open ports on default install of FreeBSD
From: Dima Dorfman
Reply-To: dima@unixfreak.org
To: Bennett Hui
Cc: freebsd-questions@freebsd.org
Date: Sat, 14 Oct 2000 00:07:21 -0700 (PDT)
In-Reply-To: "from Bennett Hui at Oct 13, 2000 08:20:43 pm"
Message-Id: <20001014070721.056DB1F22@static.unixfreak.org>

> I've installed FreeBSD 4.1.1 on a new computer which is intended to be a web
> server. I've installed ssh and sendmail as well as apache webserver. I
> chose medium security. After the install, I did a portscan on this box and
> it revealed the following ports were open:
>
> 192.168.1.x :21 ftp
> 192.168.1.x :22 ssh SSH Remote Login Protocol
> 192.168.1.x :23 telnet
> 192.168.1.x :25 smtp mail
> 192.168.1.x :53 domain nameserver
> 192.168.1.x :79 finger

I'd close this (finger). There is a security problem with it in
4.1.1-RELEASE. You weren't clear whether you installed -RELEASE or not,
but unless you need it, you should probably close it. It is started from
inetd, so look for a line which starts with 'finger' in /etc/inetd.conf,
comment it out, and send SIGHUP to inetd.

> 192.168.1.x :80 www-http World Wide Web HTTP
> 192.168.1.x :111 portmap

Portmapper is necessary if you're using RPC. Among others, NFS and NIS use
it. If you're not using any RPC services, you can disable it.
'portmap_enable="NO"' in /etc/rc.conf should do the trick. For a list of
RPC services you are running, try `rpcinfo -p localhost`.

> 192.168.1.x :513 login
> 192.168.1.x :514 shell cmd

These are rlogind and rshd, respectively. Unless you plan on using
them--this is discouraged, you should use ssh--you should disable them.
Look for lines starting with 'rsh' and 'rlogin' in /etc/inetd.conf and
comment them out.

> 192.168.1.x :587 unknown service.

I'm not sure what this is, but it looks like it might be an RPC service.
In some versions of FreeBSD, rpc.statd was on by default--I'm not sure if
it still is. Unless your host is an NFS client, this isn't necessary. I
believe the appropriate rc.conf knob is rpc_statd_enable.

> Can anyone tell me what ports 111, 513, 514 and especially 587 are open for,
> and if they are necessary for a web server. Should I close them?

The general idea is that yes, unless you need them, you should close them.
FreeBSD by itself doesn't need any ports open, and the only port really
necessary for a web server is 80 (httpd). The rest are up to you. See my
comments above for some more information as to what these ports are.

Hope this helps

--
Dima Dorfman
Finger dima@unixfreak.org for my public PGP key.
"To repeat what others have said, requires education; to challenge it,
requires brains." -- Mary Poole
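The inetd.conf edit the reply describes, as an added sh example that is not part of the original thread: it assumes the inetd.conf service-name field for rshd and rlogind is `shell` and `login` (the names the port scan itself shows), and the sample file it edits is constructed, not taken from a real system.

```shell
# Added example, not from the original thread: comments the services the reply
# says to close out of an inetd.conf-style file. For rshd and rlogind the
# service-name field is "shell" and "login", the names the port scan showed.
# After editing the real /etc/inetd.conf, inetd must be sent SIGHUP as the
# reply says (e.g. kill -HUP "$(cat /var/run/inetd.pid)" on FreeBSD).

# disable_inetd_services FILE SERVICE...
# Comments out every active line of FILE whose first field is one of SERVICE.
# Already-commented lines are untouched, so re-running is harmless.
disable_inetd_services() {
    file=$1; shift
    tmp="$file.tmp"
    for svc in "$@"; do
        awk -v svc="$svc" '
            $1 == svc { print "#" $0; next }   # first field matches: disable
            { print }                          # everything else unchanged
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    done
}

# active_inetd_services FILE
# Prints, space-separated, the service names inetd would still start.
active_inetd_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample in inetd.conf format, mirroring the ports the question
# lists (ftp, telnet, shell, login, finger); not a real system's file.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
EOF
}

# Run on the sample: leaves only ftp and telnet active.
demo() {
    f=$(mktemp)
    make_sample_inetd_conf "$f"
    disable_inetd_services "$f" finger shell login
    active_inetd_services "$f"   # prints: ftp telnet
    rm -f "$f"
}
```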