Close unneeded ports on Unix/Linux systems

Chad Perrin explains some procedures for closing ports and turning off services on Unix and Linux systems for added security.

Earlier this month, I provided some tips on how to use netstat and other tools to list open ports and listening services on a number of different operating systems. As pointed out in the previous article, "10 security tips for all general-purpose OSes," shutting down unnecessary services (and closing their associated network ports) reduces your exposure to malicious security crackers. In this article, I will explain some procedures for closing ports and turning off services on Unix and Linux systems.

inetd

On many Unix and Linux systems, there is a network service daemon called inetd that listens for connections on Internet sockets defined by the port numbers listed in its configuration file at /etc/inetd.conf. When such a connection is made, inetd invokes a server process with the service socket as its standard input, output, and error descriptors -- aka STDIN, STDOUT, and STDERR.

This is all done to allow a single daemon to do all the connection listening for a multitude of other server programs so that they do not all need to be constantly running individually. This can both reduce load on the system and provide a more convenient centralized management for Internet services. Because it manages servers, it is sometimes referred to as the "Internet superserver."

Closing ports whose services are managed by inetd can be accomplished by simply searching for the line in the /etc/inetd.conf file that lists the appropriate service and making sure it is commented out. To comment out a line in /etc/inetd.conf, just add a # at the beginning of the line.

Using the grep utility, you can quickly and easily search for all lines in /etc/inetd.conf that are not commented out. For example, if the only line not commented out is for the CUPS network printing service, the following example shows both a grep command you could use to search for uncommented lines and likely output for the command:

  # grep -v "^\s*#" /etc/inetd.conf

printer stream tcp nowait lp /usr/local/libexec/cups/daemon/cups-lpd cups-lpd -o document-format=application/octet/stream

(Watch the linewrap on that long line of output.)

Use man grep for more information about the grep utility. Many editors commonly used for viewing and editing configuration files, such as vi, also provide regular-expression-based searching capabilities. The man inetd and man inetd.conf commands can be used to access the manpages for the inetd superserver and its configuration file, respectively, on systems where these manpages are installed.

xinetd

Somewhere along the line, someone decided that an Internet superserver should take advantage of its position as the single point of entry for a large number of network services to provide access control and logging functionality. To serve this purpose, xinetd was created as a replacement for inetd. Aside from that added functionality, it is essentially the same sort of program as inetd itself.

Unlike with inetd, you cannot close down a listening port by simply commenting out the appropriate line in a configuration file. The xinetd server maintains a directory full of files that are each related to a different service it manages -- the /etc/xinetd.d directory -- which must each be modified individually to deactivate the appropriate service.

In the /etc/xinetd.d directory, you should find a series of files named after the services they are meant to represent -- with names like echo, imap, and telnet. To disable a service, edit its corresponding file so that the line with the disable option is set to yes rather than no. For these changes to take effect, the xinetd superserver needs to be restarted.
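As an added example (not from the article), two small POSIX shell helpers that automate the checks described above for inetd and xinetd: one prints the service names of the uncommented lines in an inetd.conf, the other prints the xinetd.d entries that are not set to disable = yes. The file paths are arguments and the fixture contents are constructed for illustration.

```shell
#!/bin/sh
# Added audit helpers (not from the article): list the services an
# inetd.conf still enables and the xinetd.d entries that are not disabled.
# Both take a path argument so they can be pointed at a copy or a fixture.

# Print the service name (first field) of every non-blank, non-comment line.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# For each file in an xinetd.d-style directory, print its name unless the
# file contains "disable = yes" (whitespace around '=' is tolerated).
enabled_xinetd_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
}

# Build a throwaway, constructed fixture so the functions run offline.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
# ftp   stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -l
printer stream  tcp  nowait  lp    /usr/local/libexec/cups/daemon/cups-lpd cups-lpd
#telnet stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
EOF
    mkdir "$dir/xinetd.d"
    printf 'service echo\n{\n\tdisable = yes\n}\n' > "$dir/xinetd.d/echo"
    printf 'service telnet\n{\n\tdisable\t= no\n}\n' > "$dir/xinetd.d/telnet"
    printf 'service imap\n{\n\tsocket_type = stream\n}\n' > "$dir/xinetd.d/imap"
    echo "$dir"
}

# Usage: FIX=$(make_fixture); active_inetd_services "$FIX/inetd.conf"
```

Note that an xinetd entry with no disable line at all (imap in the fixture) is reported as enabled, which is exactly the case a quick eyeball of the directory tends to miss.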

rc.d

Some services will not be managed by either inetd or xinetd, in some cases because the system does not use an Internet superserver, and in others simply because the server process in question is meant to be activated at system startup and operate independently of any superservers. On most systems, such processes will be managed through the rc utility, which is used to automate the boot process after being invoked by init (see man rc and man init, respectively, for more information about what these processes do).

You may be able to close a given port and deactivate its associated server process by commenting any lines associated with it out of the /etc/rc.conf file, or by changing its value from "YES" to "NO", as appropriate for the individual service, such as on a FreeBSD system. On some systems, the /etc/rc.d directory contains, or /etc/rc*.d directories contain, symlinks to server startup scripts that are located elsewhere (such as the init.d directory on a Debian GNU/Linux system). On these systems, deleting the symlink will prevent rc from starting the associated server process.

These approaches will stop the server processes from being started when you start up the system or (as in the case of Linux systems) change runlevels, but will not actually turn off already running servers. To do this, you must find the actual startup script and use that to deactivate the process. For instance, if on a Debian system you have this file listing:

  # ls -l /etc/rc3.d

. . .

lrwxrwxrwx 1 root root 13 2006-06-14 13:17 S14ppp -> ../init.d/ppp

. . . you will be able to find the ppp startup script in /etc/init.d. You can delete the S14ppp file to prevent rc from starting ppp when the system boots, then navigate to /etc/init.d and issue this command to stop the ppp server process right away:

  # ./ppp stop
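As an added example (not from the article), shell helpers that enumerate what rc will start at boot: one reads a FreeBSD-style rc.conf for NAME_enable="YES" lines, the other lists the init.d scripts behind the S-prefixed symlinks in a Debian-style rc?.d directory, so you can confirm a disabled service is really gone from both places. Paths are arguments and the fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the article): enumerate services that rc starts at
# boot, from a FreeBSD-style rc.conf and from a Debian-style rc?.d directory
# of S-prefixed symlinks. Paths are arguments so fixtures can be used.

# Print the names whose rc.conf line reads NAME_enable="YES" (quotes optional,
# case of YES tolerated); commented-out lines are skipped.
rc_conf_enabled() {
    grep -Ei '^[[:space:]]*[A-Za-z0-9_]+_enable="?yes"?' "$1" \
        | sed -E 's/^[[:space:]]*([A-Za-z0-9_]+)_enable=.*/\1/'
}

# Print the init.d script name for each S??name symlink in an rc?.d directory;
# K-links (stop scripts) are ignored, as rc does not start those.
rc_d_started() {
    for link in "$1"/S*; do
        [ -L "$link" ] || continue
        basename "$(readlink "$link")"
    done
}

# Constructed fixture mirroring the article's S14ppp -> ../init.d/ppp layout.
make_rc_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/rc.conf" <<'EOF'
sshd_enable="YES"
#ftpd_enable="YES"
sendmail_enable="NO"
ntpd_enable=yes
EOF
    mkdir "$dir/init.d" "$dir/rc3.d"
    for s in ppp ssh cron; do : > "$dir/init.d/$s"; done
    ln -s ../init.d/ppp "$dir/rc3.d/S14ppp"
    ln -s ../init.d/ssh "$dir/rc3.d/S20ssh"
    ln -s ../init.d/cron "$dir/rc3.d/K89cron"
    echo "$dir"
}

# Usage: FIX=$(make_rc_fixture); rc_d_started "$FIX/rc3.d"
```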

Software management system

In many cases, closing an open port and deactivating a listening service may be most appropriately and easily accomplished by simply uninstalling the appropriate server program. The software management system of your operating system, such as APT for Debian and the ports system for FreeBSD, can be used to remove such software cleanly and completely, handling dependencies automatically for you and even giving warnings at times when removing a server program might break functionality you are using.

Refer to the documentation for your OS's particular software management tools.

Double-checking

After configuring your system so that it does not open unwanted ports, and after shutting down any running processes that listen on those ports, you should double-check your work. Use whatever procedure you used to list open ports and listening services again to make sure what you wanted turned off is now off. If it is an option in your working environment, you should reboot your computer to make sure you have configured the system properly so that these services will not be restarted in case of a reboot, too.

Other tools

There are other tools available for easing the process of shutting down servers and closing ports. For instance, Bastille Linux is a guided network security lockdown tool available through the software management systems of many Linux distributions, and some distributions offer default GUI tools for managing such configurations (such as openSUSE's YaST toolset). Other tools -- such as rclean and The Fish -- may also be available in your Unix-like operating system's software management system archives.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

20 comments
Photogenic Memory

Even though you're not removing applications that listen on certain ports to add extra security on a system, you can turn them off with chkconfig. That's a good alternative in case you may want to use that application in the future.

DanLM

And only allow ports you want. ;o) But, to reduce load... I like using both. Dan

apotheon

You turn off unnecessary services and close unneeded ports -- right? What tools, if any, do you use for making the process of managing running server processes easier? Personally, I'm happy with Vim.

Neon Samurai

The program would still exist on the system to be started manually, corrupted or replaced. Someone may be able to use another running network program to reach through a buffer and start your installed but not auto-starting ftp daemon; they upload what they need and you're left with a mess to clean up. The ideal is not to have a program installed if it's not being used rather than install everything with what you're not using dormant. It depends on what degree of security your system warrants though.

apotheon

Of course, with webmin you have to open a new port. Ahem.

Jaqui

Just without the same level of control as using ssh or physical access and editing the files or removing un-needed server software.

apotheon

It has a link to the page you linked, though.

apotheon

It's better to eliminate an attack vector than to put band-aids over it, y'know.

Neon Samurai

I tend to stick with Joe editor or Nano for my text file needs; it's tiny and straightforward. The distro default is xinetd so that works for me. I'm trying to learn vim but the commands are less obvious when you've been raised on dos Edit.com. Xinetd is the distro default and I've had no reason to change it. I'd include nmap too as a related tool for making sure that your hosts.allow is correct (assuming you did an "echo 'ALL : ALL' > /etc/hosts.deny").

Jaqui

The same content as the blog, a news posting, and far more on the one I posted. ;) It's just a time saver, one click, maximum data.

DanLM

I will look again.... Just because... I don't use inetd... meaning, everything is a daemon that I have installed myself... But... I am not that sure of myself that I won't second check myself... Or third even. Dan

Jaqui

They are on a linux or unix server already.

apotheon

If you want a really gentle introduction to Vim, you could try the "Easy" mode for Vim. From the shell, you'd invoke it with either evim or gvim -y. It launches a GUIfied version of Vim with its interface behavior altered to act more like a "normal" GUI text editor (such as Notepad). There's also the Vim tutorial, which you can invoke from the shell with the command vimtutor. This launches a standard console-based tutorial session for Vim that will teach you a lot about how to make use of it.

apotheon

"Is there a vim for dos? A text editor I can use across platforms will quickly become a staple. ncftp is great that way." I know there's a vi for DOS, but I don't think I've heard of a Vim for DOS. You might want to look into gVim (the GUI Vim) for use on MS Windows platforms. I haven't used it much, but as far as I can tell it does almost everything exactly the same as the standard TUI version of Vim. One thing it does differently is pasting with the mouse, though -- whereas with normal ol' Vim (in X Windows) you can highlight something then middle-click in your Vim window to paste what you highlighted wherever the console cursor happens to be (in Insert mode, naturally), with gVim it pastes wherever your mouse cursor is instead. I actually prefer pasting wherever the console cursor is. One reason is that I get greater precision that way -- I don't have to worry about whether I might mis-aim by a millimeter and paste in the wrong place. Another is that I can just middle-click anywhere in the window at all, and don't have to aim at all with the mouse, to get it to paste exactly where I expect it. That's not really a concern on MS Windows, though, where the middle-click paste doesn't work. For that platform, there isn't really much reason to avoid gVim, as far as I'm aware.

Neon Samurai

I found a great introduction to vim website I've been working through slowly and vimtutor helps also. I figure if I'm going to learn something like vi, I'd best learn it as it was meant to be. I can see how the keyboard commands would be more efficient once I get them figured out. Edit mode, non-edit mode, select word, select line; sometimes I just want to open the damn file, change the text after a config variable name and move on. I'll get to the point where I can do that then I'm set since I've yet to see a *nix install without vi (including router distros). Is there a vim for dos? A text editor I can use across platforms will quickly become a staple. ncftp is great that way.