Re: What are these ports?

From:
Date: 10/30/02


Date: 30 Oct 2002 11:14:52 GMT

On Tue, 29 Oct 2002 22:37:28 -0800, DX wrote:
> When I use the "nmap" program to do a port scan on my own Linux web server I find
> these three entries that I don't recognize:
>
> 111/tcp open sunrpc

Bad.

> 1024/tcp open kdm

Bad.

> 8009/tcp open ajp13

Quite possibly bad.

> I am running Redhat Linux.

http://www.redhat.com/solutions/security/techdocs.html

> 1). Does anyone know what these three ports are? Could you tell me briefly
> what they do?

sunrpc is the RPC portmapper, it is needed when running services such as
NFS, YP and similar. Switch it off, or close the port with iptables.

kdm is a graphical login thingy; KDE Display Manager, which has no business
on a web server. Shut it down and uninstall.

8009 could be lots of exciting things, including a backdoor left behind by
system crackers. Try 'lsof -Pi | grep LIST | grep 8009'.

> 2). Are they enabled by default?

111, yes. 1024 only if you do a 'workstation' install, I guess. 8009
is rather impossible to tell, but probably not enabled by default.

> 3). Is it safe if I close these ports?

First two should have been closed before you connected this machine to
the internet. Close them now! Third is most likely also safe to close.

Actually, build a packet filter, both on your firewall/router and on the
web server itself, that only allows incoming requests to port 80 (443 if
needed), and ssh connections from trusted hosts only. No outgoing
connections at all.

> 4). How can I close them if I am running Redhat?

This is where I'd have to admit I have not used Redhat since 5.2, but
the URLs below might help.

 - http://www.linuxsecurity.com/docs/LDP/Security-Quickstart-Redhat-HOWTO/index.html

 - http://www.linuxworld.com/linuxworld/lw-1999-05/lw-05-ramparts.html

 - http://www.google.com

- Eirik

-- 
New and exciting signature!
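
The packet filter described in the reply above, written out as an added example that is not part of the original post. The function name `emit_ruleset`, the `ALLOW_HTTPS` switch and the trusted addresses are assumptions made for illustration, and the rules use the `conntrack` match of current iptables.

```shell
#!/bin/sh
# Added example. Prints an iptables-restore ruleset; it changes nothing itself.
# Arguments: IPv4 addresses or CIDR ranges allowed to reach ssh (hypothetical
# helper, not a Red Hat tool). Set ALLOW_HTTPS=1 to open 443 as well.
emit_ruleset() {
    # Validate every address before printing anything, so a typo can
    # never yield a half-written ruleset.
    for host in "$@"; do
        case $host in
            ''|*[!0-9./]*) echo "bad address: $host" >&2; return 1 ;;
        esac
    done

    # Default-deny in all directions. Ports 111, 1024 and 8009 need no
    # rule of their own: anything not accepted below is dropped.
    # OUTPUT only passes replies on connections accepted inbound, so the
    # server cannot open new outgoing connections (DNS lookups included).
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "${ALLOW_HTTPS:-0}" = 1 ]; then
        echo '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    # ssh only from the trusted hosts given as arguments.
    for host in "$@"; do
        echo "-A INPUT -p tcp -s $host --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample hosts from the 192.0.2.0/24 documentation range.
# Check the syntax as root with: emit_ruleset ... | iptables-restore --test
emit_ruleset 192.0.2.10 192.0.2.32/28
```

Re-running nmap from an untrusted host after loading the ruleset should show only port 80 (and 443 if enabled); the same rules belong on the firewall/router as well.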


