Hardening Linux

davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."

FP

[Anonymous Coward]

yes but does it run my favorite rootkit?

Re:

[SplatMan_DK]

Not if your favorite rootkit is the Sony music CD rootkit. Sony have wisely decided to only annoy Windows users ... ;-)

Re:

[SplatMan_DK]

Maybe you should try using Parallels. It uses fare more resources but should get the job done for you ...

And hey ... using 290 MB of memory to run a rootkit on a non-MS OS could be pretty cool ;-)

- Jesper

AppArmour

[Shuntros]

I know people seem to find it all trendy to bash Novell these days, but AppArmour is a a pretty damn good tool for containing the behaviour of applications. Use a handy little utility to monitor your application (apache, bind, postfix, anything else..) being used in a controlled environment, then apply that ruleset at kernel level and if access isn't defined in the AppArmour profile, it ain't happening.

Re:

[pembo13]

Not good as SELinux as far as I understand.

In Soviet Russia

[Anonymous Coward]

Linux hardens You

Re:

[aquabat]

beat me to it.

Happens in LUG meetings too

[Almahtar]

... couldn't resist.

Bastille hompage

[in2mind]

http://www.bastille-linux.org/ [bastille-linux.org]

Open Ports?

[CastrTroy]

I know that Mandriva tells you if you have any services installed that have open ports (SSH,Samba) when you do the install. There are some necessary open ports for most users, like samba. Having open ports doesn't have to be a bad thing, although I will agree that having them open without any reason is not a good idea. However, as long as you keep on top of the updates (very easy with Mandriva and most other distros), you shouldn't have too much to worry about.

Per-distro comparisons?

[delire]

In this regard I'm very impressed with the work the Ubuntu developers have done: a netstat -tupa post-install reveals a very small attack-surface where ports are concerned. That said, it would certainly be interesting to see a per-distro comparison at some point.

Anyone know of such a project - even if just comparing a few top-tier distributions?

Re:Per-distro comparisons?

[DrXym]

I think a dist security roundup would be an awesome thing. Do a default install of Mandrive, RedHat, Ubuntu etc. and then run nmap, examine their password policy, see what "dangerous" apps are installed by default and so on. Dists should be named and shamed if they have a single port open.

Hardened Linux From Scratch

[owlman17]

This is mainly for those who roll their own using LFS, but Hardened Linux From Scratch [linuxfromscratch.org] should give some tips, and practical advice, which critical areas need patching, plus proper practices.

Open ports and unpatched vulnerabilities?

[Knuckles]

If your Linux distro is out-of-the-box "insecure with open ports and unpatched vulnerabilities", then change distro. If this is not an option, it's time to approach your vendor menacingly, clue bat in hand.

Re:

[Nasarius]

Seriously. As someone else mentioned, this article has been outdated for about a decade. Good installers will pull in all the latest stable versions (assuming a net connection), but any popular Linux distro is trivial to update immediately after. And I can't recall the last time I've seen a default workstation/desktop install with any open ports. Maybe SSH.

Article not very informative

[Anonymous Coward]

The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.

The article isn't very useful or accurate.

Re:

[jgrahn]

The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

It triggers me on two other points too:

• ps + grep + kill is so 1990s. pkill from Solaris

Box?

[wytcld]

Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities.

That box must have a lot of dust on it, and an early 13-floppy Slackware distro inside.

Before making a claim like that, the writer should come up with at least three examples, from current versions of major distros.

Reminds me of a local woman who said "We must have a town-wide neighborhood watch, because there's a child sexual predator on every block." In the several years since she raised that hysteria, there's been exactly one serious case in town: one of her best friends had his extensive child porn collection found by the police. He hired the state's most expensive lawyers and got off with probation. She's still his best friend.

Back to the topic. The article mentions telnet. Is there a single current distro that comes with telnetd enabled? Let's help the sloppy author. Has anyone here installed any current distro and found "open ports and unpatched vulnerabilities"?

Re:

[nacturation]

... OpenBSD has zero services in the default install. I'm not sure about ubuntu, or debain, but I'm pretty sure they dont even come with SSHd

That's not correct. Of course it has services open in the default install -- otherwise why do you think they claim only 2 remote exploits in 10 years? A remote exploit wouldn't be possible without at least one service running.
 

Re:

[adamofgreyskull]

Only 2 people in those 10 years have worked out how to enable httpd?

Hardened? Hardly.

[slummy]

This article makes no mention of grsecurity [grsecurity.net]. Surely closing off unused services and patching vulnerabilities can certainly prevent a penetration, but what happens if a penetration is successful? grsecurity is the answer.

Re:

[dbIII]

I tried all that - and then some clown didn't update it, enabled shell access for all email users, made it more convenient by accepting ssh connections from any address instead of a case by case basis, put a compiler on there and then some user with a very common name had "coffee" as their password. With only ssh open it still went down to a dictionary attack and some sort of privelage escalation through stuff the attacker compiled on the machine.

You not only have to limit the ports but who you accept conn

So what - we are all NAT'ed anyway?

[SplatMan_DK]

I bet that 99% of Linux users are behind a NAT router (because as IT geeks they have tons of networked gear and a private network). The remaining 1% with a public IP directly on their Linux box probably know what they are doing. And don't give me the "what if there is port forwarding rules on the router" argument. If the user has port forwarding rules then he/she also knowledgeable enough to secure the target Linux box. I know a lot of IT geeks (being one myself) and I seriously don't know ANY IT geek who

Re:

[marcello_dl]

My laptop is the NAT router, you insensitive clod! :)

Re:

[SplatMan_DK]

Fine. I will rephrase myself: "a NAT capable router". There.

My router has a lot of configuration options which are not NAT. In fact there are lots of uses for routers than don't use NAT schemes. There are also many ways to use NAT without the network device actually being a physical box we usually call a "router".

What is your point? If everybody except you is retarded, then why don't you enlighten us?

- Jesper

Since the submitter is also the author...

[kwabbles]

Can you tell us the story about how you came to write this article?

Here's how I'm picturing it:

(editor) Mr. Williams, we need a techie article on Linux.
(mr. williams) Okay... I haven't touched linux since I played around with my RedHat 7.2 box 3 years ago.
(editor) Do you still have it?
(mr. williams) Yes, what would you like me to write about it?
(editor) Write something up on securing its "holes and vulnerabilities", and we'll sensationalize it a bit by making it look like Linux is insecure out of the box.
(mr. williams) I don't know how to do that.
(editor) Find something on google. Try it on your RedHat machine.
(mr. williams) I'm going to look really stupid.
(editor) You're a journalist.

The defaults are no longer what they were in 199x

[bl8n8r]

Seems to me the article is just pimping bastille Linux. Years and years ago, most distros did indeed ship with some pretty crack-worthy options enabled by default. It took a small amount of prodding by the community, but most distros, these days, lean towards a default disable policy:

- [KU]buntu
    All services off by default. netfilter rules are default allow however, but there is
    nothing to connect to.

- Fedora/RHEL/CentOS
    Choose during install what services you want enabled/open/firewalled.
    SELinux enabled by default.

- Knoppix 5.1.1
    Only Port 68 for dhcp client listener. /etc/hosts.deny ALL:PARANOID

- Mandriva 2007 Bootable CD
    Port 6000 is all that's open (X server. Ok this is dumb, why?)

Other distros follow similar suit. You can find out what's running on your linux box with:
  - netstat -tuna (all tcp/udp sockets, dont resolve names, all listening/non-listening sockets)
  - locate iptables; sudo iptables -nvL (show iptables chains for netfilter)

Chances are, if you've not mucked around with the default services things are pretty tight.
TFA is a bit inaccurate for linux systems these days.

Re:

[sootman]

> Mandriva 2007 Bootable CD
> Port 6000 is all that's open (X server. Ok this is dumb, why?)

Well, if it's a bootable CD, maybe the idea is you boot to it, and then do a remote X session to it? With no HD in the box, there would be no risk to your data.

newbie article

[NynexNinja]

The obvious problem with this article is they mention using "Bastille" and forget to mention grsec [grsecurity.net]. I don't really care about Bastille, but I do care about using grsec. Just because you turn off some services doesnt mean someone is not going to pop an xterm off your apache web server from some random cgi vulnerability... At least when someone compromises your web server in this way (which is probably how most linux web servers get compromised these days anyway), the attacker wont be able to do anything besides navigate the directory tree maybe. The attacker wont be able to view processes that are outside their own uid. The attacker wont be able to execute binaries outside of the standard bin directories (so custom scripts/binaries wont execute), and stack overflows do not allow execution of arbitrary code.. Its not a very fun environment to work in, most attackers will just look around and exit when confined to this type of environment...

Redhat 7.0, ipchains?

[joib]

Uh oh..

Secure wget!

[rcs1000]

Almost all script kiddies work off the same theory: find an application that has not been updated, and which has a security vulnerability (un-updated versions of Wordpress or AWStats are always favourites), use this to run wget to pull a script, rootkit, etc. onto the server, then "break" the machine and use it as a spambot.

The simplest way, then, to prevent script kiddies from compromising your system is not only allow access to wget through sudo! Simply chmod it.

Now, this is no excuse not to ensure every

Re:

[Ant P.]

It'd be safer to just have an execute-permission whitelist for the httpd user.

Hardening Linux

[Santana]

1. Insert OpenBSD CD
2. Reboot
3. Follow the instructions on screen

Bind services to localhost.

[argent]

Services run from inetd/xinetd have their port and interface bindings managed externally, and since UNIX systems have run multihomed almost from the start, there are few if any deamons that can't be run bound to localhost, so if you have to run a local webserver for some purpose it can be unconditionally protected from remote exploits simply by running it on localhost... so as far as an attacker is concerned it doesn't exist.

Installing Debian server

[Britz]

I would install a Debian server using the minimum install cds and then apt-getting just the services I need from the mirrors (which should have current patches). I mean, if it is going to be a server it should have a somewhat fast internet connection, right?

Use nmap?

[verbatim_verbose]

Why do "security experts" like these folks always suggest using nmap to determine what services you are running? Have these folks never heard of netstat?

Re:

[garett_spencley]

Because you can't trust the machine you're auditing if it has been compromised.

Re:

[Cheeze]

lsof | grep TCP

That command will tell you much more than netstat. It'll also give you the program that is opening the port.

How To in summary...

[IBBoard]

For those not wanting to read the article, that "basic how to" is:

1) Disable unwanted services (done via the CLI in this day of GUIs)
2) Keep the OS patched
3) Install and run Bastille to do everything else for you.

Re:How To in summary...

[Knuckles]

And yet if someone writes an article like this on how to secure Windows (where lets face it the advice, aside from #3 is exactly the same) it's proof that Windows is insecure.

That's because the article fell through a hole in time, and actually belongs in 1997. They are already yelling to give their article back. No self-respecting consumer distro has shipped with open ports in ages.

Re:How To in summary...

[tomhudson]

The summary is ... strange.

"... many Linux systems are insecure with open ports" ... "...how to secure your server ..."

Remember all those internet ads about "YOUR COMPUTER HAS OPEN PORTS !!!"

Its a computer connected to "Teh Intarweb" - its supposed to have open ports.

Next we'll read another story about how some "1337 hacker hacked into another person's machine" at IP address 127.0.0.1, erased all their files, and somehow, the "other person" was able to hack their machine and do the same thing ...

Followed by a nostalgiac look at "Punch-the-monkey" ads.

Re:

[Knuckles]

Its a computer connected to "Teh Intarweb" - its supposed to have open ports.

Not if it just acts as a client, as most "consumer" machines do.

Re:

[tomhudson]

>>Its a computer connected to "Teh Intarweb" - its supposed to have open ports.

>>Not if it just acts as a client, as most "consumer" machines do.

Nobody with a consumer machine uses a chat program? A file-sharing program? Heck, Window95 shipped with a web server (PWS), and thats about as "ghetto consumer box" as you can get.

Re:

[Knuckles]

Nobody with a consumer machine uses a chat program? A file-sharing program? Heck, Window95 shipped with a web server (PWS), and thats about as "ghetto consumer box" as you can get.

What part of "in the default configuration" do you not understand? OBVIOUSLY if you run a program that opens a port, you will have an open port. It is rather silly to demand that you can run chat clients and file sharing programs without opening ports.

What the fact that Windows 95 was a braindead abomination has to do with the cur

Re:

[tomhudson]

>OBVIOUSLY if you run a program that opens a port, you will have an open port. It is rather silly to demand that you can run chat clients and file sharing programs without opening ports.

Which is why I said that the fact that a port is open is not, of itself, a problem. The summary of the article said "many Linux systems are insecure with open ports"; that a port is open or not is not, in itself, indicative of a security problem, and that it put me in mind of all those "Your computer is at risk because

Re:

[Knuckles]

I agree, but having no daemons running when you don't need them is safer still. And yes, needlessly having something like sendmail running when there is no admin is useless risk.

Re:

[tomhudson]

Most distros nowadays are pretty decent about not installing, never mind running, stuff "out of the box". This "article" is severely dated, back to the time when the only people who installed linux *wanted* all sorts of servers running.

I'm from those "bad old days", and I've had to adapt, by not assuming that tools and utilities that I took for granted are still available in a near-default install. Even when I check "developer tools", I still have to go through the list to include those older, simpler par

Re:

[Knuckles]

I hear you, but of course it's still a sensible decision.

Re the article: yeah, ipchains. And giving tips for securing telnetd. And missing apparmor and SELinux and grsecurity. And does anyone still run servers on a Pentium 1 and needs xinitd? It totally looks like random bits pasted together after googling for "linux, security". BTW, I left a comment at the site, basically summarizing the slashdot discussion (and linking back to it), and he blocked me :)

Re:

[jgrahn]

Even when I check "developer tools", I still have to go through the list to include those older, simpler parts of the toolchain that, for some reason, are too "simple" for todays' developers.

Who ever thought that "tree" would be near-forgotten? What next, fgrep? :-)

Tree is hardly a developer tool, is it? But yes, it's sometimes useful and I install it on all my machines.

Re:

[tomhudson]

"BTW, I left a comment at the site, basically summarizing the slashdot discussion (and linking back to it), and he blocked me :)"

Sounds like he's a real dickhead! [trolltalk.com] (link is NSA - Not Safe Anywhere).

Re:

[tomhudson]

I use tree a fair amount of the time - its really handy for grepping only parts of a source tree, for example, or for when I want to save a quick snapshot of a directory layout to a plain-text file, before making any serious mods that I may live to regret :-)

Its also handy in shell scripts. I just like my older, simpler tools for some jobs.

Re:

[Zonk (troll)]

Most distros nowadays are pretty decent about not installing, never mind running, stuff "out of the box".

One word: Ubuntu. Ubuntu doesn't install much out of the box, but it doesn't install a firewall. If you apt-get, say, apache2, it automatically starts it. That's not cool. The Fedora/RHEL/CentOS way is better. If you install something, it stays disabled until you configure it and enable it. They also default to installing a firewall, and also default to using SELinux.

Re:

[tomhudson]

"If you apt-get, say, apache2, it automatically starts it. That's not cool."

I would assume that if someone goes to the effort to install apache, they want to run it, and that's probably what Ubuntu does. Having said that, the experience of a coworker was different. He didn't want to run the OpenSUSE disk I had handy, so he borrowed an Ubuntu disk. Of course, that meant that the machine absolutely sucked for development. Missing servers, development tools, libraries, files ...

Each distro has its good an

Re:

[Knuckles]

Yeah well, using it on an old single-use laptop, fine. Putting it on the Internet though, or using it as a general-purpose multitasking OS was insanity.

Re:

[Too Much Noise]

Its a computer connected to "Teh Intarweb" - its supposed to have open ports.

Not if it just acts as a client, as most "consumer" machines do.

Well, you need at least incoming udp:68, at least if you want it to receive the initial response from the DHCP server.

Re:

[Knuckles]

Sure, but I indeed forgot it in this thread, I realized soon after a later one. Anyway, it's probably safe to assume that this is commonly (on slashdot) known and accepted.

Re:

[Knuckles]

opening an outbound tcp connection creates an open port on the local machine. It won't accept incoming connections, though.

But ports that are only open in response to the user initiating a connection are not open "by default", are they. Plus, this is just the way things are, technically, and as such not usable as differentiating criteria, wouldn't you agree?

Re:

[DaleGlass]

It doesn't seem to be very widely known, but at least on Linux, all of 127.0.0.0/8 is assigned to the loopback. So 127.85.31.97 would work just as well, in case you happen to find a script kiddie a bit smarter than average.

Re:

[PitaBred]

It's the same on Windows... any script kiddie is vulnerable to this exploit... hope it doesn't get patched ;)

Re:

[SLi]

Remember all those internet ads about "YOUR COMPUTER HAS OPEN PORTS !!!"

No, but I remember "Your computer is broadcasting an IP address!".

Re:How To in summary...

[Jessta]

I've alway found GUI tools to be slow and weird.
gentoo has great service management /etc/init.d/ start /etc/init.d/ restart /etc/init.d/ stop

GUI tools are seriously annoying, since this article is about security and disabling unneeded services having config tools that require the unneeded service X11 is pretty silly.

Re:

[ianare]

You do realize ALL linux distros have this right? Anyway the gui tools are only acting as a frontend to init.d, and while I will agree X11 has no place on a running server, it does make the initial configuration easier for certain things. It's trivial to set the default runlevel to 3 once everything is set up properly.

Re:

[Kjella]

GUI tools are seriously annoying, since this article is about security and disabling unneeded services having config tools that require the unneeded service X11 is pretty silly.

True, it's not necessary but in a sane setup X11 isn't a network service either. If you need to first compromise a running internet-facing service to get local privilidges and then use a local escalation exploit in X11, the bar is fairly high. If you prefer the GUI tools, I wouldn't worry too much over it as long as it's otherwise pa

Re:

[Gazzonyx]

Yes, but GUIs also normally have applications to enable and disable services (which was my point). Their method is to hack in files from the command line or similar, while most distros should have an "easy to use" service management app. I know Redhat and Fedora have for ages.

That has always bothered me (on RHEL, at least - Fedora is more desktop oriented than server oriented). They create these GUIs to do everything for you, which is a front end for their own interface to the flippin' etc files. I guess I just don't want to see RHEL admins become MSCEs, or it could be because my mind is warped since Slackware was my first distro. It could also be because I've lately been fighting with Solaris for control of my services (don't get me started). But I think any admin worth th

What could be simpler???

[DrSkwid]

I type Undo then middle click it (though it's already present by default) (acme)
Middle clicking on any executable command and have it execute is also pretty neat. (acme, send menu item in the wm, rio)
I can also send arbitrary strings for matching against a list and the match executes, that's a boon as well. (plumber which is a system service (though it runs in userland as you, obviously - this is plan9 there are rules)

I write a pallette of commands for my current problem domain which are just txt files so I

Re:

[HoosierPeschke]

Well, not everyone is good at everything. I'm always looking for new references of how to do things, either for myself or people I have been trying to convert to Linux. I typically take guides of this nature and make quick references or sticky notes to remind myself of all the checks to properly secure a box. For instance, I download every new Gentoo handbook and update my quick reference for that, which is only 3 pages long (install through config)!

Slashdot comments (and sometimes articles) contain ton

Re:

[ozmanjusri]

I'm always looking for new references of how to do things, either for myself or people I have been trying to convert to Linux.

Don't read TFA then. The advice it gives is barely relevant to any distro released in the past decade.

Re:

[Torvaun]

I'm right there with you. Between /. and bash.org, I learned sudo, sed, grep, wget, and to never click a link without checking its target first.

Re:

[RMH101]

...and to never click a link without checking its target first.

That was Goatse.cx

Dude, that article sucked.

[khasim]

Did you see where it mentioned nmap? No? Because it didn't. Wouldn't you expect it to tell you to run nmap from a different machine to you can what your outside profile looks like?

It reads more like someone who's just discovered Bastille and now considers himself "informed" on "security issues".

Step #1. Limit the avenues of attack. This is where you'd use nmap.

Step #2. Remove anything you don't absolutely need. Come on, most people out there will be running some distribution now. At least he could have covered dpkg, rpm, etc.

What's this with the "Enter kill -9 xxx where xxx is the PID."? How about just /etc/init.d/service_name stop? Just use the package manager to remove it.

And editing xinetd.conf / inetd.conf? Again, just use the package manager to remove it.

And he doesn't even go into how each distribution handles package updates? What the fuck? Nothing about "apt-get update"? No "apt-get upgrade"?

No, this article is about someone's discovery of Bastille and how it helps an old, stock installation of Red Hat.

That's a good point. Thanks.

[khasim]

It is often useful to run it locally, anyway, so that you can compare the output of `nmap localhost` and `nmap 0.0.0.0`, as often a machine will have services running that are only accessible locally.

Yep. That's why I prefer hitting it from a different machine. Multiple machines if possible. One on the same LAN segment and one from somewhere on the Internet.

That way you'll see what a would-be-attacker will see.

Sure, I might be running SMTP on port 25, but bound to 127.0.0.1 instead of eth0. An attacker would have to FIRST gain access to my machine through some other means to be able to attack my SMTP service.

Sure, that first hurdle might be set very, Very, VERY, VERY high, but if someone can get over it ... that's why patching is still important. But that's also why patching cannot be your only "defense". You will not know what vulnerabilities the bad guys have found that are not patched yet. Defense in depth.

And that's what "security" is all about to me. It's the PROCESS of evaluating threats and reducing their effectiveness.

Maybe.

[khasim]

I think you missed my point -- you can see what an attacker would see from the local machine, by nmapping the network IP. Going to a different machine is superfluous.

I set up a VPN connection for a co-worker last week. She was directly connected to the Internet through her ISP supplied cable modem.

Except that that particular cable modem automatically filtered the inbound connections. Checking her machine showed that everything was okay ... but checking from outside showed that everything was not okay.

Rather

This is the last time I'm explaining it to you.

[khasim]

Running nmap on those two IP addresses yields different results.

Maybe it does. Maybe it does not. But that is immaterial. This is about what an attacker would see. Not what your machine can see from itself.

It is possible to set up a system that allows access to those services from eth0 & localhost, but not from any other addresses.

You are not concerned about what you can see from your machine. You are concerned about what an attacker can see. They are NOT the same.

The latter will show exactly what an attacker would see.

NO it will NOT.

Your statement is only accurate for the condition in which NO ports are open. That is a single scenario and does NOT account for the various possibilities. Therefore the ONLY way to know what an attacker would see is to scan the way the attacker would.

When a service is bound to an IP on a machine, it has a choice of which IP to bind to. Services accessible by the connection on her eth0 network device (or any other device, for that matter) can be viewed by nmapping the network IP associated with that device.

No. Again, the system can be set up so that the ports are visible from localhost and eth0. The only way to know EXACTLY what the attacker can see (other than in the specific scenario of all ports being closed) is to scan the way the attacker would.

If her cable modem filtered traffic or ports, the list given by nmap would still be accurate, as any filtered ports would come back either as filtered or closed.

No, the list given by nmap would not be accurate. Because the list given by nmap would show ports open (and therefore vulnerable) when there would be no way for an attacker to see those ports.

Again, the only time your statement would be accurate is the single case of all ports being closed.

If you run it on the IP of the interface an attacker will access, you will see what the attacker sees.

I've given multiple, specific examples where such would not be the case. I've shown where your statement is correct ONLY FOR A SINGLE SCENARIO where all the ports are closed.

As such, going to a different machine is still superfluous. You're giving misinformation by trying to say it's not.

Again, I've provided specific examples that illustrate where the information gained by scanning from an attacker's position would be different than scanning from the machine itself.

You can claim that such is impossible all you want.

But the facts contradict you.

You are taking a single case and claiming that it is the same for ALL the possible configurations. It is not. The only way to know what an attacker will see is to perform the scan as an attacker would.

Re:

[jotok]

Sorry, you're wrong.

From the local machine, if you nmap the externally-facing IP address, you will get different results than if you scan the loopback IP address. That is, you will only see services and ports that will roger up to a SYN (or whatever nmap is set to send) packet received by that IP.

For this reason, scanning from a distant computer is unnecessary.

Claiming otherwise, when several security professional are telling you are wrong, is asinine.
Telling them that you have specific anecdata that prove

Re:

[Random_Goblin]

jotok (728554) to khasim (1285)

You're talking to people who have probably been doing this since before you knew what the internet was. This is a good time for you to take a seat and learn something, sonny jim.

Irony defintion: when the 6 digit ids are lecturing the 4 digit ids about being new to the internet, and this thing called networking...

all an nmap on your external interface will show you is what an external entity might be able to see.. not what they can see

this is fine for the special case

Re:

[jotok]

all an nmap on your external interface will show you is what an external entity might be able to see.. not what they can see

The reason you keep saying this is, as has been observed by others, that you do not understand networking.
Seriously, you. are. wrong.

Re:

[cbiltcliffe]

The reason you keep saying this is, as has been observed by others, that you do not understand networking.
Seriously, you. are. wrong.

No...he's not wrong. Network daemons of many sorts can be set up to ignore requests from certain IP addresses (eg. 100.1.1.1), and acknowledge them from others (200.1.1.1). If the daemon does not even send an ACK back when connected to from 100.1.1.1, this would make the port appear firewalled when scanned from 100.1.1.1, but open and accepting connections from 200.1.1.1.

Re:

[Master of Transhuman]

Just so I'm clear on this, correct me if I'm wrong:

You're saying that nmapping localhost just shows open ports visible from the local machine. The nmap scan does not get routed out to the ISP (obviously) and back to the external IP address, so it only shows what the local machine can see. This is, obviously, what localhost does.

Nmapping the external IP address gets routed out to the ISP and then back and therefore it shows exactly what an attacker would see (barring some filtering of outbound ports done by

Re:

[deniable]

Try unplugging your network cable. Does an nmap scan still show exactly what an attacker would see?

And to clarify, do you claim that a packet from this machine to this machine is sent out on the wire? That would be inefficient routing.

Re:

[Blkdeath]

I think you missed my point -- you can see what an attacker would see from the local machine, by nmapping the network IP. Going to a different machine is superfluous.

If I scan my network-facing IP address, whether I do so from another machine on my LAN or from my server itself, the scan will not traverse to my ISP and back again through my modem. It will be recognized as a connection to a local address and head to that interface directly but traffic will be understood to come from a safe(r), local sourc

Re:

[TheRaven64]

Running inetd (and xinietd, for those who love breaking backwards compatibility for little gain) is not just about not running services all the time, it's also about:

• Simplifying development of TCP services by allowing them to communicate via stdio.
• Automatically forking instances of the service for each client.

UNIX is all about small programs doing one thing, and doing it well. Something like inetd does a few things that are needed by pretty much all server-type programs, and separating them out makes

Re:

[jotok]

Maybe they don't want to take your challenge because they can't parse your post.

I mean, it just took me about 15 minutes.

Just sayin'.

Re:

[Critical Facilities]

He's weawwy twying to spell cowwectly. Maybe if he were a bwunette instead of a bwond, his post would be mow weadable. It could be that he's tired fwom hunting wabbits though...

Re:

[Knuckles]

Others told you to run nmap, which is always a good idea. But the Ubuntu default is "no open ports".

Re:Huh?

[Zocalo]

As root, run the following command:

netstat -plutn

That will list all the listening services on a Linux box, complete with the program/PID that is associated with it. It's faster than just running something like NMAP, plus it will identify whether a program is binding to a specific external IP, a loopback IP and so on, not all of which an external port scanner is going to be able to report on.

Re:

[drspliff]

and "netstat -putin" secretly terminates all applications and pretends there's no open ports?

A default Ubuntu box has them all closed.

[khasim]

I'm running Ubuntu, and I was under the impression that the default installation doesn't leave any ports open.

That is correct. By default, they are all closed.

But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.

As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.

xxxxxx@xxxxxxx:~$ sudo nmap -p0-65535 10.31.198.130

Starting Nmap 4.20 ( http://insecure.org/ [insecure.org] ) at 2007-08-12 07:54 PDT
All 65536 scanned ports on 10.31.198.130 are closed
MAC Address: 00:11:D8:E1:9F:A9 (Asustek Computer)

Nmap finished: 1 IP address (1 host up) scanned in 16.486 seconds

That's without a firewall.

Re:

[Knuckles]

Note that beside avahi (which I have forgotten in previous post when I said "no open ports") and dhcp (which has be open if casual users shall have a chance to connect to their ISP in the first place), all those services in Ubuntu just listen to localhost.

Re:

[Knuckles]

Um, I see you have a 20-digit UID or something, but how can you be surprised that /. is generally pro-FOSS, pro-Linux???

Re:

[Knuckles]

Well, I think for many (most?) people, it's one of the reasons to be here. The quality of the stories is another matter ...

Re:

[C0vardeAn0nim0]

i wish i had mod point to givo to you, my friend

Re:

[tomhudson]

Well, if you're looking for something that's "not linux", you can always enter this contest [trolltalk.com] - there are already a few entries that cover "open ports" that have nothing to do with linux - and one (# 12) that really nails "hardening" pretty good.

"The purpose of this post is to see the reasoning behind so many linux fluff stories making front page "

Its Sunday, this is slashdot, not PC Magazine, CmdrTaco is stuck reviewing submissions over dialup, and the big news of the MONTH was SCO getting kicked in the [youtube.com]

Re:

[Bombula]

If there's a bigger - and by bigger I mean more populated - Linux fanboy forum than slashdot, I'm not aware of it. All in all, I think it's probably a good thing though.

Re:

[LordSnooty]

Yah, I reckon Slashdot ought to broaden its appeal a bit, let's follow Digg and start an expansion into Adam-Sandler-did-a-funnie-on-Colbert Celebrity Bullshit Non-News.

Re:

[pembo13]

I hope you don't use Windows, with that comment about forcing others to use.

Re:

[SplatMan_DK]

There is more to being an IT Geek than pushing Linux to the world.

There are other kinds of FOSS products than Linux btw - so why is Linux the only one to get 30% of the index page?

Allthough I like and use Linux, I think the point is valid.

- Jesper

Re:

[Knuckles]

Could you please stop to draw conclusions from a data set of one day? Frankly, it's sickening. Draw up a statistic and I suppose you will see that not every day has 30% linux kernel stories.

Re:

[SplatMan_DK]

True.

But I am sure those days don't have comments about "too many Linux stories" either. Right?

So we could say it is only fair to have that particular criticism on a day where there is also fact to back it up? :-)

- Jesper

Re:

[Knuckles]

As long as the complaint is about that particular day, and not general :)

Re:

[Knuckles]

You could educate yourself a bit, maybe by reading the postings that came before yours. (set threshold to +1)