Closing all ports on Linux

Sirs,

is it possible to prohibit linux to open a
especific port? For example, I don't want smtp
to listen to port 25, but I want to keep the
programa running! Is there any file in Linux
system where I say which ports should never be
opened?

I know it may cause the program to stop running or
even don't start at all.

I don't want iptable solutions.

thx for reading.

--
Leonardo Henrique Machado
Universidade Federal de Minas Gerais

Leonardo Henrique Machado wrote:
> Sirs,
>
> is it possible to prohibit linux to open a
> especific port? For example, I don't want smtp
> to listen to port 25, but I want to keep the
> programa running! Is there any file in Linux
> system where I say which ports should never be
> opened?
>
> I know it may cause the program to stop running or
> even don't start at all.
>
> I don't want iptable solutions.

Generally configuration goes application by application. sendmail can
be configured to listen only on lo, for example.

Allen Kistler <(E-Mail Removed)> said:
>Leonardo Henrique Machado wrote:
>> is it possible to prohibit linux to open a
>> especific port? For example, I don't want smtp
>> to listen to port 25, but I want to keep the
>> programa running! Is there any file in Linux
>> system where I say which ports should never be
>> opened?
....
>> I don't want iptable solutions.
>
>Generally configuration goes application by application. sendmail can
>be configured to listen only on lo, for example.

Allen has here the correct solution, but I'm interested to hear the "why"
for not wanting iptables solutions. At times, that may be the only option
there is (no way to configure some programs not to listen on a network
socket), and also iptables is a pretty good safety belt (prohibits access,
even in the case where you inadvertently configure a service to start
listening on a socket). Further, iptables is invisible to the application.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Allen Kistler wrote:
> Leonardo Henrique Machado wrote:
>
>> Sirs,
>>
>> is it possible to prohibit linux to open a
>> especific port? For example, I don't want smtp
>> to listen to port 25, but I want to keep the
>> programa running! Is there any file in Linux
>> system where I say which ports should never be
>> opened?
>>
>> I know it may cause the program to stop running or
>> even don't start at all.
>>
>> I don't want iptable solutions.
>
>
> Generally configuration goes application by application. sendmail can
> be configured to listen only on lo, for example.

I suppose what you want it's to only listen to local connections,
and don't bind the program to a IPort pair. You can do it with
the sendmail configuration, but I think the proposed iptables
solution it's a much better one and more flexible, you can use
it for other programs too.

--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

Try netstat -an

then for each port

lsof -i tcp:25 (Which lists you application)

lsof -i udp:53

now find start up script for application and exit or remove it

stopping the application will stop the port hence not have extra ports
open for no reason



Jose Maria Lopez Hernandez wrote:

> Allen Kistler wrote:
>
>> Leonardo Henrique Machado wrote:
>>
>>> Sirs,
>>>
>>> is it possible to prohibit linux to open a
>>> especific port? For example, I don't want smtp
>>> to listen to port 25, but I want to keep the
>>> programa running! Is there any file in Linux
>>> system where I say which ports should never be
>>> opened?
>>>
>>> I know it may cause the program to stop running or
>>> even don't start at all.
>>>
>>> I don't want iptable solutions.
>>
>>
>>
>> Generally configuration goes application by application. sendmail can
>> be configured to listen only on lo, for example.
>
>
> I suppose what you want it's to only listen to local connections,
> and don't bind the program to a IPort pair. You can do it with
> the sendmail configuration, but I think the proposed iptables
> solution it's a much better one and more flexible, you can use
> it for other programs too.
>

appologies not read the whole of your message

/etc/services is what assigns a port to a specific service - although
that has no control on ports being open etc.

The best thing to do is to change the ports within either the config
file of your service or recompile from source assigning new port values
rather than using standard ports.


BadMan wrote:

> Try netstat -an
>
> then for each port
>
> lsof -i tcp:25 (Which lists you application)
>
> lsof -i udp:53
>
> now find start up script for application and exit or remove it
>
> stopping the application will stop the port hence not have extra ports
> open for no reason
>
>
>
> Jose Maria Lopez Hernandez wrote:
>
>> Allen Kistler wrote:
>>
>>> Leonardo Henrique Machado wrote:
>>>
>>>> Sirs,
>>>>
>>>> is it possible to prohibit linux to open a
>>>> especific port? For example, I don't want smtp
>>>> to listen to port 25, but I want to keep the
>>>> programa running! Is there any file in Linux
>>>> system where I say which ports should never be
>>>> opened?
>>>>
>>>> I know it may cause the program to stop running or
>>>> even don't start at all.
>>>>
>>>> I don't want iptable solutions.
>>>
>>>
>>>
>>>
>>> Generally configuration goes application by application. sendmail
>>> can be configured to listen only on lo, for example.
>>
>>
>>
>> I suppose what you want it's to only listen to local connections,
>> and don't bind the program to a IPort pair. You can do it with
>> the sendmail configuration, but I think the proposed iptables
>> solution it's a much better one and more flexible, you can use
>> it for other programs too.
>>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BadMan wrote:

> appologies not read the whole of your message
>
> /etc/services is what assigns a port to a specific service - although
> that has no control on ports being open etc.

Further to this point, /etc/services is
a) not /required/ for applications to access ports (it's just a
convenience), and
b) essential for both servers and (more importantly) clients.

Ad-hoc changes to /etc/services may not prevent access to particular
ports by particular programs, and may cause other programs (clients and
servers) to break. It is not a good idea to make ad-hoc changes to
/etc/services.

> The best thing to do is to change the ports within either the config
> file of your service or recompile from source assigning new port values
> rather than using standard ports.

Best advice yet.

>
> BadMan wrote:
>
>> Try netstat -an
>>
>> then for each port
>>
>> lsof -i tcp:25 (Which lists you application)
>>
>> lsof -i udp:53
>>
>> now find start up script for application and exit or remove it
>>
>> stopping the application will stop the port hence not have extra ports
>> open for no reason
>>
>>
>>
>> Jose Maria Lopez Hernandez wrote:
>>
>>> Allen Kistler wrote:
>>>
>>>> Leonardo Henrique Machado wrote:
>>>>
>>>>> Sirs,
>>>>>
>>>>> is it possible to prohibit linux to open a
>>>>> especific port?

To prohibit /linux/ from opening a specific port, you're going to have
to make kernel changes.

To block specific ports once they are open, you can implement selective
IPTABLES rules that DROP or otherwise reject access to those ports.

However, the best way to prevent programs from opening the ports is to
prevent the program from opening the port. Either
a) don't run the program to begin with, or
b) instruct the program to not open the port (some programs have options
for this sort of behaviour)

>>>>> For example, I don't want smtp
>>>>> to listen to port 25, but I want to keep the
>>>>> programa running!

Not a good idea, as most applications that feed smtp do so through port
25. If you tell smtp to not listen to port 25, it won't have any work to do.

>>>>> Is there any file in Linux
>>>>> system where I say which ports should never be
>>>>> opened?

No. There is no such global file

>>>>> I know it may cause the program to stop running or
>>>>> even don't start at all.
>>>>>
>>>>> I don't want iptable solutions.

OK, you want one of the better solutions then.

>>>>
>>>>
>>>> Generally configuration goes application by application. sendmail
>>>> can be configured to listen only on lo, for example.

But still on port 25, which the OP doesn't want.

>>>
>>>
>>> I suppose what you want it's to only listen to local connections,
>>> and don't bind the program to a IPort pair. You can do it with
>>> the sendmail configuration, but I think the proposed iptables
>>> solution it's a much better one and more flexible, you can use
>>> it for other programs too.
>>>


- --

Lew Pitcher, IT Consultant, Enterprise Application Architecture
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed here are my own, not my employer's)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFBNgPAagVFX4UWr64RAmcQAJ40M6OTtfbNz40x2CJOdj znX7ovXwCg6NhN
X6gsVv/+rTsx8y/ei35yerc=
=lonN
-----END PGP SIGNATURE-----