[Techtalk] closing ports in /etc/services

R. Daneel Olivaw linuxchix at r-daneel.com
Thu Sep 18 09:35:11 EST 2003


On Wed 17/09/2003 at 20:31, Carla Schroder wrote:
> OK uber geeks, me again. I've always managed opening/closing ports with boot 
> scripts, firewalls, and individual program configs. Now I see this document 
> http://www.resnet.mtu.edu/support/linux/ports.php3  that says you can simply 
> comment out ports you want to keep closed in /etc/services. Sounds daffy to 
> me- what say ye? I'm running Debian, if that matters. 
> 
> cheerios,
Cheerios is the name of some kind of cornflakes here ;p

Well, what is written on that page is ... untrue.
I don't say it is false, it just is untrue.
A port is open when a program listens on it. Mark that.
/etc/services is, as already pointed out here, a conversion file, from a
service "name" to a service "port number".
A program that wants to listen for http requests will ask the operating
system to open the "http" port, therefore the operating system will look
at /etc/services, grab the port number assigned to http and allow that
program to listen on port "80". This is standard.
1. You can modify /etc/services and set the http port to 81, and at the
next program request, port number 81 will be opened, and the program may
not complain about this. This may even work totally fine.
2. You may remove the http entry from /etc/services. Result? At the
request to open/listen on the http port, the operating system will make
the operation fail. The program will abort. Mark that.

What can be done by commenting out (or removing) entries in
/etc/services is just preventing server programs that RELY on the
operating system's configuration from running.

This result is achieved as well by looking at the startup files of
your operating system and NOT running the services, or even better, by
uninstalling them. This ALSO prevents the programs from running; the
difference is that you don't create a faulty situation at bootup.

As I read here, removing entries from /etc/services IS working. But it
is not the proper way of doing things.

To remove "daytime" service, just ask inetd or xinetd to set it
disabled.

Another detail: a (nasty) program might not ask the operating system
for the port number associated with a service name, and just open a port
number. Therefore it is of no help in security issues to remove entries
from /etc/services.

The article was talking about a ping to a port; this, obviously, is
total nonsense, ping being ICMP packets, a place where nothing like
ports exists, while ports exist at the TCP/UDP level.
This alone shows that the writer is unaware of certain details, or at
least tried to oversimplify things.

As a conclusion I must insist.
1. Using the method described on that page will only confuse honest
programs, crash services unexpectedly and will prevent no program from
opening a numbered port.
2. This method is of no security value. Stick to service control (you
are able to know which service runs and which does not) and firewalling
(you decide which ports can be responded to, which not ...).

If there is need of more explanations, write back here.

bye,

-- 
R. Daneel Olivaw,
The Robot Inside.
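The two points in the message above (a missing /etc/services entry only breaks the name-to-number lookup, and a port is "open" only while something listens on it, whatever the file says) as an added example. This is not code from the original thread; it is a small Python script written for this page. The services text is a constructed sample in /etc/services format with the http line commented out, the parser mimics the lookup a program gets from getservbyname(3) (the real function reads the system file and returns the port in network byte order), and the listener uses port 0 so the kernel picks a free loopback port instead of a privileged one like 80.

```python
"""Added example (not part of the original post): what editing
/etc/services does and does not control.

- parse_services(): parser for the /etc/services file format, run on a
  constructed sample in which the 'http' line is commented out.
- resolve_port(): the name -> number lookup a program performs via
  getservbyname(3); it fails when the entry is missing, and that failure
  is the only effect of editing the file.
- listen_on() / is_open(): a port is open only while a program listens on
  it, and a program can bind a numeric port without consulting the file.
"""
import socket
from typing import Dict, Optional, Tuple

# Constructed sample in /etc/services format (hypothetical, not copied
# from any real system). The 'http' entry is commented out, as the
# article discussed in the thread suggests.
SAMPLE_SERVICES = """\
# Network services, Internet style
echo        7/tcp
echo        7/udp
daytime     13/tcp
daytime     13/udp
#http       80/tcp    www        # WorldWideWeb HTTP
https       443/tcp
"""


def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Parse /etc/services-style text into {(name, proto): port}.

    '#' starts a comment, blank lines are ignored, the second field is
    'port/proto', and any further fields are aliases for the same port.
    """
    table: Dict[Tuple[str, str], int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                           # malformed line, skip it
        name, port_proto = fields[0], fields[1]
        port_s, proto = port_proto.split("/", 1)
        if not port_s.isdigit():
            continue
        port = int(port_s)
        for alias in [name] + fields[2:]:
            table[(alias, proto)] = port
    return table


def resolve_port(table: Dict[Tuple[str, str], int], name: str,
                 proto: str = "tcp") -> Optional[int]:
    """Mimic getservbyname(3): None when the service is not in the file."""
    return table.get((name, proto))


def listen_on(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Open a listening TCP socket on a numeric port (0 = kernel picks)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def is_open(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Probe a TCP port the way a scanner does: a completed connect = open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(timeout)
        try:
            probe.connect((host, port))
            return True
        except OSError:          # refused or timed out: nothing listening
            return False


def demo() -> Dict[str, object]:
    """Run the lookups and the listener test; return the observations."""
    table = parse_services(SAMPLE_SERVICES)
    results: Dict[str, object] = {}
    results["daytime"] = resolve_port(table, "daytime")   # 13, still listed
    results["http"] = resolve_port(table, "http")         # None, commented out
    results["www"] = resolve_port(table, "www")           # None, same line
    # A program that binds a number directly never touches the file.
    srv = listen_on(0)
    port = srv.getsockname()[1]
    results["open_while_listening"] = is_open(port)       # True
    srv.close()
    results["open_after_close"] = is_open(port)           # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The listener half is the check worth keeping: whatever /etc/services says, the authoritative list of open ports is what is actually listening (on a current Linux box, `ss -ltnup` shows that directly), and a firewall rule is what decides whether a listening port is reachable from outside.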


More information about the Techtalk mailing list