[Techtalk] closing ports in /etc/services

Brenda Bell k15a-list-linuxchix at theotherbell.com
Fri Sep 19 22:37:31 EST 2003


Quoting Caitlyn Martin <caitlynmaire at earthlink.net>:

> For example, let's say I have amanda, the open source backup software,
> installed as a client on my machine.  If amanda, amandad, kamanda, and
> kamandad (assuming kerberos authentication is used) are not in
> /etc/services amanda will not run.  The corresponding ports will not
> show up if you do a netstat -a, nor will they show up if you scan the
> system with a tool like nmap.  Nothing is listening on the port since
> the service is not running.
>
> The "no" part comes into play in two areas:  one, there is still
> nothing preventing some script or application from opening the port
> later, and there is nothing blocking communications to that port.
> That's where a firewall comes in.  That is why I said commenting out
> lines in /etc/services is no substitute for a firewall.

I can't help the urge to highlight an important distinction which has been
touched on but I believe should be underlined:  it all boils down to
whether a given service will or will not run if its port is not defined in
/etc/services.  IMO, the web page that started this discussion led the
reader to two conclusions:  that removing an entry from /etc/services would
close the port and that a port not listed in /etc/services is closed.

While the former may be true some of the time, the latter is just plain
unreliable.  As you alluded to, the only way to determine whether a port is
open is by digging through inetd/xinetd, lsof and netstat.  I have an
internal SMTP server running on port 825 frontended by a virus scanning
SMTP server running on port 25.  Port 825 is not in /etc/services but the
port is most definitely open (inside my firewall, of course :)

> First off, the more ways you make sure that things you don't want
> running can, in fact, not run, IMHO, the better.  The idea that this
> won't deter a cracker is correct, but it's one more step that they have
> to be bothered with, more time they have to spend, and more chance for
> detection when something magically changes.  The more steps you take to
> ensure your desired configuration, the tighter the system, and the less
> desirable you are as a target of opportunity.  It also may provide some
> additional security from less than skillful intruders.

All true in theory, but the cracker who has the means to start services
that aren't already running probably has the means to quickly deal with the
fact that the port isn't in /etc/services and would most likely look at it
as an inviting challenge :)

Removing a port from /etc/services may be a means of keeping ***some***
services from starting... but the only surefire way to keep ***any***
service from running is to not install it in the first place.

-- 
Brenda
http://opensource.theotherbell.com
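The distinction drawn in the message above (a port absent from /etc/services can still be listening, and a listed one may have nothing behind it) can be checked directly rather than inferred from the file. The script below is an added example, not code from the thread or from any of its participants; it parses a constructed /etc/services excerpt and constructed `netstat -tln` output (both embedded, not taken from a real host) and reports the mismatches in both directions.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-check listening TCP
# ports against /etc/services in both directions. All inputs are constructed.

# Constructed /etc/services excerpt, in the real file's format.
SERVICES_SAMPLE='# service-name  port/protocol  [aliases ...]
ssh             22/tcp
smtp            25/tcp          mail
amanda          10080/tcp
amanda          10080/udp
kamanda         10081/tcp'

# Constructed "netstat -tln" output: port 825 listens but has no entry,
# while amanda/kamanda have entries but nothing is listening on them.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:825           0.0.0.0:*               LISTEN'

# service_name PORT SERVICES_TEXT -> name registered for PORT/tcp, or "-"
service_name() {
    printf '%s\n' "$2" | awk -v want="$1/tcp" '
        $1 !~ /^#/ && $2 == want { print $1; found = 1; exit }
        END { if (!found) print "-" }'
}

# listening_ports NETSTAT_TEXT -> one port number per LISTEN row
# (splits on the last ":" so IPv6 "::" addresses are handled too)
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); print a[n] }'
}

# unlisted_open NETSTAT_TEXT SERVICES_TEXT -> listening ports with no entry
unlisted_open() {
    listening_ports "$1" | while read -r port; do
        if [ "$(service_name "$port" "$2")" = "-" ]; then printf '%s\n' "$port"; fi
    done
}

# listed_not_listening NETSTAT_TEXT SERVICES_TEXT -> tcp entries with no listener
listed_not_listening() {
    open="$(listening_ports "$1")"
    printf '%s\n' "$2" | awk -v open="$open" '
        BEGIN { n = split(open, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $1 !~ /^#/ && $2 ~ /\/tcp$/ { split($2, p, "/"); if (!(p[1] in seen)) print $1 " " p[1] }'
}

echo "listening, not in /etc/services:"; unlisted_open "$NETSTAT_SAMPLE" "$SERVICES_SAMPLE"
echo "in /etc/services, nothing listening:"; listed_not_listening "$NETSTAT_SAMPLE" "$SERVICES_SAMPLE"
```

On a live system the same functions can be fed `cat /etc/services` and `netstat -tln` (or `ss -tln` with the header adjusted), but the only authoritative source for what is open remains the socket table, not the names file.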
