Date: Sat, 14 Oct 2000 00:07:21 -0700 (PDT)
From: Dima Dorfman <dima@unixfreak.org>
To: Bennett Hui <bhui@mail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Open ports on default install of FreeBSD
Message-ID: <20001014070721.056DB1F22@static.unixfreak.org>
In-Reply-To: <NDBBKCNFGLGFDJGFGEECAEOBCDAA.bhui@mail.com> "from Bennett Hui at Oct 13, 2000 08:20:43 pm"
> I've installed FreeBSD 4.1.1 on a new computer which is intended to be a web
> server. I've installed ssh and sendmail as well as apache webserver. I
> chose medium security. After the install, I did a portscan on this box and
> it revealed the following ports were open:
>
> 192.168.1.x :21 ftp
> 192.168.1.x :22 ssh SSH Remote Login Protocol
> 192.168.1.x :23 telnet
> 192.168.1.x :25 smtp mail
> 192.168.1.x :53 domain nameserver
> 192.168.1.x :79 finger

I'd close this (finger). There is a security problem with it in
4.1.1-RELEASE. You weren't clear whether you installed -RELEASE or not, but
unless you need it, you should probably close it. It is started from inetd,
so look for a line which starts with 'finger' in /etc/inetd.conf, comment it
out, and send SIGHUP to inetd.

> 192.168.1.x :80 www-http World Wide Web HTTP
> 192.168.1.x :111 portmap

Portmapper is necessary if you're using RPC. Among others, NFS and NIS use
it. If you're not using any RPC services, you can disable it.
'portmap_enable="NO"' in /etc/rc.conf should do the trick. For a list of RPC
services you are running, try `rpcinfo -p localhost`.

> 192.168.1.x :513 login
> 192.168.1.x :514 shell cmd

These are rlogind and rshd, respectively. Unless you plan on using
them--this is discouraged, you should use ssh--you should disable them. Look
for lines starting with 'rsh' and 'rlogin' in /etc/inetd.conf and comment
them out.

> 192.168.1.x :587 unknown service.

I'm not sure what this is, but it looks like it might be an RPC service. In
some versions of FreeBSD, rpc.statd was on by default--I'm not sure if it
still is. Unless your host is an NFS client, this isn't necessary. I believe
the appropriate rc.conf knob is rpc_statd_enable.

> Can anyone tell me what ports 111, 513, 514 and especially 587 are open for,
> and if they are necessary for a web server. Should I close them?

The general idea is that yes, unless you need them, you should close them.
FreeBSD by itself doesn't need any ports open, and the only port really
necessary for a web server is 80 (httpd). The rest are up to you. See my
comments above for some more information as to what these ports are.

Hope this helps

--
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.
"To repeat what others have said, requires education; to challenge it,
requires brains." -- Mary Poole
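An added example, not part of the original thread, of auditing an inetd.conf for the inetd-started services the reply recommends disabling and writing a copy with those lines commented out. The inetd.conf sample below is constructed; the functions take the file path as a parameter, and the service names used are the ones inetd.conf itself uses ('shell' for rshd, 'login' for rlogind).

```shell
#!/bin/sh
# Added example (not from the original thread): audit a FreeBSD-style
# inetd.conf for services the reply singles out and produce a hardened
# copy. The real file is /etc/inetd.conf; the path is a parameter here
# so the functions can run on a constructed sample.

# finger, rsh/rlogin (inetd names: shell, login), and telnet, which ssh replaces.
RISKY_SERVICES="finger shell login telnet"

# Print the names of services in $RISKY_SERVICES that are enabled
# (line present and not commented out) in the given inetd.conf.
enabled_risky_services() {
    conf="$1"
    for svc in $RISKY_SERVICES; do
        # inetd.conf fields: service socktype proto wait user server args.
        # An enabled entry has the service name in column 1.
        if grep -Eq "^${svc}[[:space:]]" "$conf"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Write a copy of inetd.conf with the risky services commented out.
# After installing the copy as /etc/inetd.conf, inetd re-reads it on
# SIGHUP:  kill -HUP "$(cat /var/run/inetd.pid)"
disable_risky_services() {
    src="$1"; dst="$2"
    expr=""
    for svc in $RISKY_SERVICES; do
        expr="${expr}s/^${svc}[[:space:]]/#&/;"   # prefix matching lines with '#'
    done
    sed "$expr" "$src" > "$dst"
}

# Constructed sample of a 4.x-era inetd.conf (not a real system file).
SAMPLE_INETD_CONF="$(mktemp)"
cat > "$SAMPLE_INETD_CONF" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#comsat dgram   udp     wait    tty     /usr/libexec/comsat     comsat
EOF

# Report what the sample would leave listening.
enabled_risky_services "$SAMPLE_INETD_CONF"
```

Run against the real file, the first function lists what is still enabled and the second produces the edited copy to review before installing it and sending inetd SIGHUP.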