On Thu, 16 Jun 2005 00:49:28 -0700, Fritz Bayer wrote:
> Can somebody tell me which programs listen on those ports
Try one of the following commands:
    socklist
    netstat -antup
    lsof -i
> and which ones I can disable/remove?
>
> 111/tcp open rpcbind
Sun RPC portmapper.
Have a look for other RPC services with:
    rpcinfo -p
If you aren't an NFS client and/or part of a NIS domain: disable them.
> 113/tcp open auth
Ident RFC1413 - probably you want (to keep) this running. As some commonly
used servers query it. Most distros ship Pidentd which can be run under a
separate account i.e.:
    groupadd identd
    gpasswd -R identd
    useradd -g identd -c Pidentd -d / -s /bin/false identd
    passwd -l identd
Then change /etc/identd.conf to have the following (rather than "nobody"):
    server:user = identd
And maybe restrict access to some hosts/networks (using iptables you want
to send a TCP RST in return to the SYN rather than ICMP deny packet) like:
    /usr/sbin/iptables -A INPUT ! -i lo -p tcp --syn --dport auth \
        -j REJECT --reject-with tcp-reset
And/or patch it with libwrap then setup hosts.{allow,deny} ACLs:
http://www.usenetlinux.com/archive/i.../t-116375.html
You want to read this page also:
http://www.tldp.org/HOWTO/Security-H...ty.html#AEN917
(But maybe just switch to like: "fakeidentid", "nullidentd", or similar.)
> 867/tcp open unknown
Uuh, idunno. To get a clue about this, try something like:
    fuser -v -n tcp -4 867
> 4444/tcp open krb524
Kerberos v4 support for a v5 KDC. Probably you have port 88/udp open as
well, maybe also the admin stuff. Try scanning your box for UDP services:
    nc -u -v -z localhost 1-1024
    nmap -sU -Tinsane localhost -p1-65535
> Is it dangerous that they can be accessed from the outside?
Maybe, maybe not. (Depends on their configuration and up-to-date status.)
> rpcbind for example looks like some kind of remote procedure call
> broker.
    man rpc.portmap
HTH
--
-Menno.
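
Added example (not part of the post above): a shell function that reads `netstat -antup` output and lists the TCP ports a remote scan would report as open, together with the owning program. The sample output, PIDs and program names are constructed; a `-` in the PID/Program column is reported as "unknown", which is the situation where `fuser` or `rpcinfo -p` is the next step.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `netstat -antup`.
# PIDs and program names are made up for illustration.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      612/portmap
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      845/identd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:867             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      777/krb524d
tcp        0      0 192.168.1.10:22         192.168.1.20:51514      ESTABLISHED 1200/sshd
udp        0      0 0.0.0.0:88              0.0.0.0:*                           770/krb5kdc
EOF
}

# Read netstat output on stdin and print "port program" for every TCP socket
# in LISTEN state that is not bound to loopback only.
exposed_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # handles 0.0.0.0:111 and :::111
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # local only
            prog = $7
            sub(/^[0-9]+\//, "", prog)   # "612/portmap" -> "portmap"
            if (prog == "-" || prog == "") prog = "unknown"
            print port, prog
        }
    ' | sort -n | uniq
}

# Stand-alone run on the constructed sample. On a real host, run as root:
#   netstat -antup | exposed_listeners
sample_netstat | exposed_listeners
```

UDP sockets have no LISTEN state in netstat output, so they are not covered here and still need the separate UDP scan mentioned in the post.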