Date:      Sat, 14 Oct 2000 00:07:21 -0700 (PDT)
From:      Dima Dorfman <dima@unixfreak.org>
To:        Bennett Hui <bhui@mail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Open ports on default install of FreeBSD
Message-ID:  <20001014070721.056DB1F22@static.unixfreak.org>
In-Reply-To: <NDBBKCNFGLGFDJGFGEECAEOBCDAA.bhui@mail.com> "from Bennett Hui at Oct 13, 2000 08:20:43 pm"

[ Charset ISO-8859-1 unsupported, converting... ]
> I've installed FreeBSD 4.1.1 on a new computer which is intended to be a web
> server.  I've installed ssh and sendmail as well as apache webserver.  I
> chose medium security.  After the install, I did a portscan on this box and
> it revealed the following ports were open:
> 
> 192.168.1.x  :21    ftp
> 192.168.1.x  :22    ssh                  SSH Remote Login Protocol
> 192.168.1.x  :23    telnet
> 192.168.1.x  :25    smtp                 mail
> 192.168.1.x  :53    domain               nameserver
> 192.168.1.x  :79    finger

I'd close this (finger).  There is a security problem with it in
4.1.1-RELEASE.  You weren't clear whether you installed -RELEASE or
not, but unless you need it, you should probably close it.  It is
started from inetd, so look for a line which starts with 'finger' in
/etc/inetd.conf, comment it out, and send SIGHUP to inetd.

> 192.168.1.x  :80    www-http             World Wide Web HTTP
> 192.168.1.x  :111   portmap

Portmapper is necessary if you're using RPC.  Among others, NFS and
NIS use it.  If you're not using any RPC services, you can disable
it.  'portmap_enable="NO"' in /etc/rc.conf should do the trick.  For a
list of RPC services you are running, try `rpcinfo -p localhost`.

> 192.168.1.x  :513   login
> 192.168.1.x  :514   shell                cmd

These are rlogind and rshd, respectively.  Unless you plan on using
them--this is discouraged, you should use ssh--you should disable
them.  Look for lines starting with 'rsh' and 'rlogin' in
/etc/inetd.conf and comment them out.

> 192.168.1.x  :587   unknown service.

I'm not sure what this is, but it looks like it might be an RPC
service.  In some versions of FreeBSD, rpc.statd was on by
default--I'm not sure if it still is.  Unless your host is an NFS
client, this isn't necessary.  I believe the appropriate rc.conf knob
is rpc_statd_enable.

> 
> Can anyone tell me what ports 111, 513, 514 and especially 587 are open for,
> and if they are necessary for a web server.  Should I close them?

The general idea is that yes, unless you need them, you should close
them.  FreeBSD by itself doesn't need any ports open, and the only
port really necessary for a web server is 80 (httpd).  The rest are up
to you.  See my comments above for some more information as to what
these ports are.

Hope this helps

-- 
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.

"To repeat what others have said, requires education; to challenge it,
requires brains."
        -- Mary Poole


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001014070721.056DB1F22>
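As an added example that is not part of Dima's reply and not FreeBSD's own code: a POSIX shell script that applies the reply's advice to copies of /etc/inetd.conf and /etc/rc.conf. It comments out the finger, rshd and rlogind entries in inetd.conf, sets portmap_enable and rpc_statd_enable to NO in rc.conf, and then reports what is still enabled. The sample file contents are constructed, the function names are this example's own, and rpc_statd_enable is used here only because the reply names it; the files are built in a scratch directory so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): audit and harden copies of
# FreeBSD-style /etc/inetd.conf and /etc/rc.conf for the services the reply
# discusses (finger, rshd, rlogind, portmap, rpc.statd). Everything below
# works on constructed sample files in a scratch directory; point the
# functions at the real files only after reading the result.
set -u

# List services still enabled in an inetd.conf: the first field of every
# line that is neither blank nor a comment.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Comment out every enabled entry for one service, writing the result to
# stdout. Note that inetd.conf names the rshd entry "shell" and the rlogind
# entry "login", matching what the port scan shows for 514 and 513.
disable_inetd_service() {
    awk -v svc="$2" '
        !/^[ \t]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$1"
}

# Set an rc.conf knob to a value, replacing an existing assignment or
# appending a new one. Written through a temp file because sed -i differs
# between BSD and GNU sed.
set_rc_knob() {
    file=$1; knob=$2; value=$3
    if grep -q "^${knob}=" "$file"; then
        sed "s|^${knob}=.*|${knob}=\"${value}\"|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$knob" "$value" >> "$file"
    fi
}

# List rc.conf knobs currently set to "NO".
disabled_rc_knobs() {
    awk -F= '$2 == "\"NO\"" { print $1 }' "$1"
}

# Build constructed sample files, apply the reply's advice, and print two
# lines: the inetd services left enabled, and the rc.conf knobs set to NO.
harden_demo() {
    work=$(mktemp -d)
    cat > "$work/inetd.conf" <<'EOF'
# constructed sample, layout as in FreeBSD 4.x /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
EOF
    cat > "$work/rc.conf" <<'EOF'
# constructed sample /etc/rc.conf
sshd_enable="YES"
portmap_enable="YES"
EOF
    for svc in finger shell login; do
        disable_inetd_service "$work/inetd.conf" "$svc" > "$work/inetd.conf.new" &&
            mv "$work/inetd.conf.new" "$work/inetd.conf"
    done
    set_rc_knob "$work/rc.conf" portmap_enable NO
    # rpc_statd_enable is the knob the reply names; confirm it against
    # /etc/defaults/rc.conf on your release before relying on it.
    set_rc_knob "$work/rc.conf" rpc_statd_enable NO

    remaining=$(active_inetd_services "$work/inetd.conf" | tr '\n' ' ')
    printf '%s\n' "${remaining% }"
    knobs=$(disabled_rc_knobs "$work/rc.conf" | tr '\n' ' ')
    printf '%s\n' "${knobs% }"
    rm -rf "$work"
}

harden_demo
```

Run as-is it prints "ftp telnet" and "portmap_enable rpc_statd_enable". After editing the real /etc/inetd.conf the change only takes effect once inetd re-reads it, which is the SIGHUP step in the reply (on FreeBSD the pid is in /var/run/inetd.pid); the rc.conf knobs take effect at the next boot or when the services are stopped by hand, and rpcinfo -p localhost, as the reply suggests, shows whether anything is still registered with the portmapper. The demo leaves ftp and telnet enabled only because the reply does not discuss them; the same disable_inetd_service call covers them.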