Mailinglist Archive: opensuse-security (685 mails)
Re: [suse-security] which ports to block ?
- From: Michael Appeldorn <appeldorn@xxxxxxxxx>
- Date: Tue, 19 Feb 2002 09:20:56 +0100
- Message-id: <WTZWHB2XLK3X1WSN63LI52WSPD9YTGE.3c720ae8@pc_100_32>
>hi,
>
>i have written my own firewall script to protect my home LAN using
>iptables. i drop all connections from the outside made to ports 0-1023
>and accept all connections to ports 1024 and above. this protects my
>system from connections via telnet, ssh, ftp and so on, but are there any of
>the upper ports that i should block as well? i left them untouched,
>because data is transferred on the higher ports after the connection has
>been established.
>
>--
>regards, jens
>---------------------------------------------------------------------------
>instant networks - network management & internet full services
If you do not know exactly what you are doing, try a script-based solution.
Get e.g. SuSEfirewall2 here: www.suse.com\~marc
And - to answer your question: only services that are started can
get compromised. Normally services come up in sysV init-scripts
and especially with the inetd (/etc/rc.config to disable).
To check which services are bound to a port, simply type
netstat -an | grep -i listen
Yours, Michael
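As an added example (not from the thread), a small shell check that applies Michael's netstat advice to the original question: it parses netstat -an style output (a constructed sample is embedded, not output from anyone's real machine) and lists the listening TCP sockets that a "drop 0-1023, accept 1024 and up" rule set still leaves reachable, i.e. non-loopback listeners on ports 1024 and above.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (assumption: Linux netstat column layout).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:8080        0.0.0.0:*               LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN
tcp        0      0 192.168.1.5:34567       10.0.0.1:80             ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Read netstat lines on stdin and print "proto addr port" for every TCP socket
# in LISTEN state whose local address is not loopback and whose port is >= 1024.
# These are exactly the listeners that "drop 0-1023, accept 1024+" does not cover.
exposed_high_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, f, ":")                 # "addr:port": last piece is the port
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not reachable
            if (port + 0 >= 1024) print $1, addr, port
        }'
}

# Run against the constructed sample; on a live system use: netstat -an | exposed_high_ports
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_high_ports
```

Each line the check prints is a service that is actually started and that the port-range rule alone does not protect; Michael's point is that those, not the port number, are what to review.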