Chad Perrin explains some procedures for closing ports and turning off services on Unix and Linux systems for added security.
Earlier this month, I provided some tips on how to use netstat and other tools to list open ports and listening services on a number of different operating systems. As pointed out in the previous article, "10 security tips for all general-purpose OSes," shutting down unnecessary services (and closing their associated network ports) reduces your exposure to malicious security crackers. In this article, I will explain some procedures for closing ports and turning off services on Unix and Linux systems.
On many Unix and Linux systems, there is a network service daemon called inetd that listens for connections on Internet sockets defined by the port numbers listed in its configuration file at /etc/inetd.conf. When such a connection is made, inetd invokes a server process with the service socket as its standard input, output, and error descriptors — aka STDIN, STDOUT, and STDERR.
This is all done to allow a single daemon to do all the connection listening for a multitude of other server programs so that they do not all need to be constantly running individually. This can both reduce load on the system and provide a more convenient centralized management for Internet services. Because it manages servers, it is sometimes referred to as the "Internet superserver."
Closing ports whose services are managed by inetd can be accomplished by simply searching for the line in the /etc/inetd.conf file that lists the appropriate service and making sure it is commented out. To comment out a line in /etc/inetd.conf, just add a # at the beginning of the line.
Using the grep utility, you can quickly and easily search for all lines in /etc/inetd.conf that are not commented out. For example, if the only line not commented out is for the CUPS network printing service, the following example shows both a grep command you could use to search for uncommented lines and likely output for the command:
# grep -v "^[[:space:]]*#" /etc/inetd.conf
printer stream tcp nowait lp /usr/local/libexec/cups/daemon/cups-lpd cups-lpd -o document-format=application/octet-stream
(Watch the linewrap on that long line of output.)
Use man grep for more information about the grep utility. Many editors commonly used for viewing and editing configuration files, such as vi, also provide regular-expression-based searching capabilities. The man inetd and man inetd.conf commands can be used to access the manpages for the inetd superserver and its configuration file, respectively, on systems where these manpages are installed.
Somewhere along the line, someone decided that an Internet superserver should take advantage of its position as the single point of entry for a large number of network services to provide access control and logging functionality. To serve this purpose, xinetd was created as a replacement for inetd. Aside from that added functionality, it is essentially the same sort of program as inetd itself.
Unlike with inetd, you cannot close down a listening port by simply commenting out the appropriate line in a single configuration file. The xinetd server maintains a directory full of files, each related to a different service it manages — the /etc/xinetd.d directory — and each must be modified individually to deactivate the corresponding service.
In the /etc/xinetd.d directory, you should find a series of files named after the services they are meant to represent — with names like echo, imap, and telnet. To disable a service, edit its corresponding file so that the line with the disable option is set to yes rather than no. For these changes to take effect, the xinetd superserver needs to be restarted.
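The checks described for inetd.conf and /etc/xinetd.d, as an added example that is not part of the original article: two small POSIX shell functions report which superserver-managed services are still active. The file and directory paths are parameters, so the functions can be pointed at the real /etc/inetd.conf and /etc/xinetd.d; the sample files built below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit which superserver-managed
# services are still active. Paths are parameters so the functions can be
# pointed at the real /etc/inetd.conf and /etc/xinetd.d, or at the
# constructed sample files built below.

# Print the service field of every active (uncommented, non-blank) line.
inetd_active() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# For each file in an xinetd.d directory, print the service name unless
# the file contains a "disable = yes" line (absent "disable" means enabled).
xinetd_active() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
}

# Constructed sample configuration, mirroring the article's CUPS line.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/inetd.conf" <<'EOF'
# telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
printer stream tcp nowait lp /usr/local/libexec/cups/daemon/cups-lpd cups-lpd -o document-format=application/octet-stream
   # ftp  stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -l
EOF
mkdir "$SAMPLE/xinetd.d"
printf 'service echo\n{\n\tdisable = yes\n}\n' > "$SAMPLE/xinetd.d/echo"
printf 'service telnet\n{\n\tdisable\t= no\n}\n' > "$SAMPLE/xinetd.d/telnet"
printf 'service imap\n{\n\tsocket_type = stream\n}\n' > "$SAMPLE/xinetd.d/imap"

echo "inetd services still active:";  inetd_active "$SAMPLE/inetd.conf"
echo "xinetd services still active:"; xinetd_active "$SAMPLE/xinetd.d"
```

The xinetd check only inspects the per-service files; a `disabled` list in /etc/xinetd.conf's `defaults` block can also turn services off, so treat the listing as a starting point and confirm with your open-port listing afterwards.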
Some services will not be managed by either inetd or xinetd, in some cases because the system does not use an Internet superserver, and in others simply because the server process in question is meant to be activated at system startup and operate independently of any superservers. On most systems, such processes will be managed through the rc utility, which is used to automate the boot process after being invoked by init (see man rc and man init, respectively, for more information about what these processes do).
You may be able to close a given port and deactivate its associated server process by commenting out any lines associated with it in the /etc/rc.conf file, or by changing its value from "YES" to "NO", as appropriate for the individual service (as on a FreeBSD system). On some systems, the /etc/rc.d directory (or the /etc/rc*.d directories) contains symlinks to server startup scripts located elsewhere (such as the /etc/init.d directory on a Debian GNU/Linux system). On these systems, deleting the symlink will prevent rc from starting the associated server process.
These approaches will stop the server processes from being started when you start up the system or (as in the case of Linux systems) change runlevels, but will not actually turn off already running servers. To do this, you must find the actual startup script and use that to deactivate the process. For instance, if on a Debian system you have this file listing:
# ls -l /etc/rc3.d
. . .
lrwxrwxrwx 1 root root 13 2006-06-14 13:17 S14ppp -> ../init.d/ppp
. . . you will be able to find the ppp startup script in /etc/init.d. You can delete the S14ppp file to prevent rc from starting ppp when the system boots, then navigate to /etc/init.d and issue this command to stop the ppp server process right away:
# ./ppp stop
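The two-step procedure above (remove the S14ppp symlink, then run the init.d script with "stop"), as an added example that is not part of the original article: a POSIX shell function locates the S??name symlink in a runlevel directory, resolves its relative target, removes the link, and hands back the script path so it can be invoked with "stop". The runlevel directory is a parameter; the directory tree built below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): disable a service in an rc
# runlevel directory the way the text describes for Debian's /etc/rc3.d:
# find the S??name symlink, remove it so rc no longer starts the service,
# then invoke the init.d script it pointed at with "stop". The directory
# paths are parameters; the sample tree below is constructed.

# rc_disable RUNLEVEL_DIR SERVICE
# Prints the init.d script path on success; returns 1 if no symlink found.
rc_disable() {
    dir=$1; svc=$2; found=1
    for link in "$dir"/S[0-9][0-9]"$svc"; do
        [ -L "$link" ] || continue
        # Resolve a relative target (e.g. ../init.d/ppp) against the
        # directory holding the symlink.
        target=$(readlink "$link")
        case $target in
            /*) script=$target ;;
            *)  script=$dir/$target ;;
        esac
        rm "$link" && found=0
    done
    [ $found -eq 0 ] || return 1
    printf '%s\n' "$script"
}

# Full procedure from the article: drop the symlink, then stop the server.
rc_stop_now() {
    script=$(rc_disable "$1" "$2") || return 1
    "$script" stop
}

# Constructed sample tree: init.d/ppp records which action it was called with.
ROOT=$(mktemp -d)
mkdir "$ROOT/init.d" "$ROOT/rc3.d"
cat > "$ROOT/init.d/ppp" <<'EOF'
#!/bin/sh
echo "$1" > "$(dirname "$0")/ppp.last-action"
EOF
chmod +x "$ROOT/init.d/ppp"
ln -s ../init.d/ppp "$ROOT/rc3.d/S14ppp"

rc_stop_now "$ROOT/rc3.d" ppp
```

On a real Debian system the distribution's own update-rc.d tool manages both the S (start) and K (kill) links across runlevels; this example only performs the single-symlink removal the article describes.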
Software management system
In many cases, closing an open port and deactivating a listening service may be most appropriately and easily accomplished by simply uninstalling the appropriate server program. The software management system of your operating system, such as APT for Debian and the ports system for FreeBSD, can be used to remove such software cleanly and completely, handling dependencies automatically for you and even giving warnings at times when removing a server program might break functionality you are using.
Refer to the documentation for your OS's particular software management tools.
After configuring your system so that it does not open unwanted ports, and after shutting down any running processes that listen on those ports, you should double-check your work. Use whatever procedure you used to list open ports and listening services again to make sure what you wanted turned off is now off. If it is an option in your working environment, you should reboot your computer to make sure you have configured the system properly so that these services will not be restarted in case of a reboot, too.
There are other tools available for easing the process of shutting down servers and closing ports. For instance, Bastille Linux is a guided network security lockdown tool available through the software management systems of many Linux distributions, and some distributions offer default GUI tools for managing such configurations (such as openSUSE's YaST toolset). Other tools — such as rclean and The Fish — may also be available in your Unix-like operating system's software management system archives.