Wanting to block all ports except 22 on Ubuntu Server

I do not have xterm access so I am doing this remotely via shell.

I ran nmap and got the following; the first is internal, the second is against the external IP.
mnelson@oryx:~$ sudo nmap -sT -O localhost

Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-19 12:42 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1712 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
631/tcp  open  ipp
3128/tcp open  squid-http
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.21
Network Distance: 0 hops

External

Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-19 12:43 EST
Interesting ports on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(public ip):
Not shown: 1714 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.187 seconds

This looks like I am blocked, but how would I go about disabling HTTPS and telnet?
I could not find xinetd.

Asked by manelson05

4 Solutions
Fabio Marzocca (Freelancer) commented:
If you need to block all ports but 22, you can use ufw:

sudo ufw allow 22     # add the SSH rule first, so enabling the firewall does not cut off the remote session
sudo ufw enable       # ufw's default policy then denies every other incoming connection
sudo ufw status       # confirm only 22 is allowed
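An added example (not from the thread) showing the same ufw lockdown done in an order that keeps the remote SSH session alive, plus a small check over `ufw status` output; the function names and the sample status table are constructed, not taken from the poster.

```shell
#!/bin/sh
# Added example (not from the thread): lock a remote Ubuntu host down to SSH only
# with ufw, in an order that does not cut off the session that is running it.
set -eu

# Apply the rules. Order matters: the SSH rule must exist before the firewall is
# enabled, because ufw's default policy drops new inbound connections.
ufw_lockdown() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ufw default deny incoming    # anything not explicitly allowed is dropped
    ufw default allow outgoing   # the host can still reach out (browsing works)
    ufw limit 22/tcp             # SSH is TCP only; 'limit' also rate-limits brute force
    ufw --force enable           # --force skips the interactive confirmation
    ufw status
}

# Read the table printed by 'ufw status' on stdin and print each rule that lets
# the whole Internet ("Anywhere", including "Anywhere (v6)") in, so a stray
# ALLOW rule is easy to spot.
allowed_from_anywhere() {
    awk '$2 == "ALLOW" && $3 == "Anywhere" { print $1 }'
}

# Constructed sample in the same layout as the status table posted in the thread.
# Note that 22/udp is harmless but useless: SSH never uses UDP.
SAMPLE_STATUS='To                         Action  From
--                         ------  ----
22/tcp                     ALLOW   Anywhere
22/udp                     ALLOW   Anywhere
80/tcp                     DENY    Anywhere
443/tcp                    DENY    Anywhere'

case "${1:-check}" in
    apply) ufw_lockdown ;;                                        # sudo sh lockdown.sh apply
    check) printf '%s\n' "$SAMPLE_STATUS" | allowed_from_anywhere ;;  # prints 22/tcp and 22/udp
esac
```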
 
manelson05 (Author) commented:
And this will block everything except 22?

What about if I install snort? It opens lots of ports, right?
manelson05 (Author) commented:
Is there a way to simply disable a service instead of blocking the ports?
Can you just # out a service so it is neutered?
fosiul01 commented:
Yes, you can uninstall the service; it's better than blocking the port.

Also the best option is to block all incoming ports and then open them one by one.

As a rule you should not run any service which you don't need.
According to your port map:

22/tcp   open  ssh
631/tcp  open  ipp
3128/tcp open  squid-http

If you stop squid then you would not be able to use the squid server for proxy.

ipp I guess is for the printer server, which is cups, so you can't stop this service because I guess you are using cups;
so if you want, just block this port from outside.

So what else do you need to stop??

I didn't know that Ubuntu has its own firewall, which is ufw!!!
Maciej S (sysadmin) commented:
As far as I remember snort doesn't open any port - it just listens for incoming packets.

Most services can be configured to listen on some specified interfaces. Sshd is a service that should be listening on the external interface (having ssh available just for localhost is in most cases useless ;)), but 631 (probably you have cups installed) should listen on localhost only (unless you want to give some remote users access to your printers). If so, you may reconfigure cups to listen on the localhost interface only. In your cupsd.conf file, add the line "Listen localhost:631" (or change it if you have "Listen *:631") - if you also have "Listen /path/to/file.sock", leave it untouched.
As for squid - you should probably leave this untouched if this proxy is available to users in your network. If you are using this only for your localhost users, then you may add a line to your squid.conf: "http_port localhost:3128" (or change the already existing line starting with http_port, but as this is 3128, which is the default port for squid, you may have such a line commented out in your squid.conf file. If so - add what I wrote above ("http_port localhost:3128")).

From your nmap outputs, it looks like you have only the ssh port opened to the world. The other ports - 631 and 3128 - are available only on localhost (so the appropriate applications are configured in the way I described above).
And I don't see any HTTPS or telnet ports opened - even for localhost.
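An added example (not from any poster) for the point about binding cups and squid to localhost: an audit over `ss -ltn` style output that lists TCP listeners reachable from other hosts and flags any port that is not on the intended public list. The function names and the sample socket table are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find services reachable from outside the host.
# Reads 'ss -ltn' output (local TCP listeners) and reports every socket bound to
# something other than loopback, then compares that against the ports that are
# meant to be public. Real use: ss -ltn | non_loopback_listeners | check_exposure "22"
set -eu

# Print "address:port" for each listener NOT bound to 127.x / [::1].
# Column 4 of 'ss -ltn' is the local address:port; the header line is skipped.
non_loopback_listeners() {
    awk '{
        if ($1 != "LISTEN") next
        addr = $4
        if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
        print addr
    }'
}

# Return 0 if every non-loopback listener is on an allowed port, 1 otherwise;
# unexpected ones are printed so the service can be rebound (e.g. cupsd.conf
# "Listen localhost:631", squid.conf "http_port localhost:3128").
check_exposure() {
    allowed="$1"   # space-separated list of ports meant to be public, e.g. "22"
    rc=0
    while IFS= read -r addr; do
        port=${addr##*:}
        case " $allowed " in
            *" $port "*) ;;
            *) echo "unexpected public listener: $addr"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample modelled on the host in the thread: sshd on all interfaces,
# cupsd and squid bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    127.0.0.1:3128     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners | check_exposure "22"
```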
 
Fabio Marzocca (Freelancer) commented:
man ufw
manelson05 (Author) commented:
I set deny rules with UFW, however I can still get out on Firefox. Do you think this has something to do with the firewall since I set it up 1:1 NAT with a public IP?
manelson05 (Author) commented:
So if I can only see 22 in nmap I have no need to be paranoid then.
fosiul01 commented:
"however I can still get out on firefox": you mean you can browse with Firefox?? That's because your outbound is open, which is normal.

If you see only 22 on the port map, then that means only port 22 is opened, which it should be if you want to access the server from outside.

As I said in my past comments:

Block all incoming ports, and just open them one by one when you need them; it's the best way to prevent hacking.
Fabio Marzocca (Freelancer) commented:
ufw deny proto tcp to any port 80

       This will deny all traffic to tcp port 80 on this host
manelson05 (Author) commented:
Yes, I followed your advice from the earlier post; it was excellent and 100% accurate.
I was curious why I can get out on Firefox and then get packets back via 80; is this due to the 1:1 NAT from the firewall? Should I leave the server public facing and remove it from behind the firewall, or just trust nmap?


To                         Action  From
--                         ------  ----
22/tcp                     ALLOW   Anywhere
22/udp                     ALLOW   Anywhere
80/tcp                     DENY    Anywhere
80/udp                     DENY    Anywhere
21/tcp                     DENY    Anywhere
21/udp                     DENY    Anywhere
25/tcp                     DENY    Anywhere
25/udp                     DENY    Anywhere
23/tcp                     DENY    Anywhere
23/udp                     DENY    Anywhere
143/tcp                    DENY    Anywhere
143/udp                    DENY    Anywhere
443/tcp                    DENY    Anywhere
443/udp                    DENY    Anywhere
1389/tcp                   DENY    Anywhere
1389/udp                   DENY    Anywhere
44395/tcp                  DENY    Anywhere
44395/udp                  DENY    Anywhere


fosiul01 commented:
"Should I leave the server public facing and remove it from behind the firewall or just trust nmap?": NO.
Put the server behind the firewall; the firewall is there to protect your server.

Go to this site: http://www.yougetsignal.com/tools/open-ports/ from any PC on your network.

Just do a scan for open ports; it will show you what ports are open in your network, and you will know definitely.

You don't need to worry about outbound ports, it's just the inbound you need to think about.
manelson05 (Author) commented:
I love learning more from the experts; they are not only helping me to solve problems but to grow and pass along this valuable information.

Thank you all
fosiul01 commented:
I have only 1 year's Linux experience!!

Keep an eye on EE, look at other people's problems and you will learn a lot.

Good luck
manelson05 (Author) commented:
Thank you!