Mailinglist Archive: opensuse (3506 mails)
Re: [SLE] nmap showing cups/nfs open to outside.
- From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
- Date: Sat, 2 Sep 2006 19:40:23 +0000 (UTC)
- Message-id: <44F9DE23.3040101@xxxxxxxxxxxxx>
On 02/09/06 08:49, pelibali wrote:
>Hi,
>
>I did an nmap scan on my computer itself in three ways and realized
>that both the cups and nfs services are in fact listening on the
>external interfaces (last case as MYCOMP.MYDOMAIN):
>
><snip>
>
>Previously I could successfully stop smtp/ssh/squid from listening on my
>external interface; would you please have some advice on how to stop the
>above two from doing the same?! I'm not afraid too much, because the
>firewall is on, but...
By default, services such as nfs, ipp and samba will listen on every
network device you have, but that should not pose a problem if you have
a good firewall. SuSEfirewall2, for example, will reject any new
connections on ports that you do not explicitly allow, even though
running nmap on your own external interface indicates they are open
(that is probably due to the fact you are connecting to the interface
from localhost).
Go to one of those external sites (google for port.scan and pick one,
you'll want to find one that does both TCP and UDP scans, most only do
TCP) to check which ports really are open on your system. If anything is
open that should be closed, the SuSEfirewall variables you need to check
are FW_SERVICES_EXT_* in /etc/sysconfig/SuSEfirewall2.
You can stop CUPS from listening on the external interface by editing
/etc/cups/cupsd.conf. I have not found a way to do this one in YaST
(which can do most other CUPS configuration operations), so you'll need
to edit it manually. Search for and comment out the line "Port 631", and
add the following lines:
Listen localhost:631
Listen <internal_interface_IP>:631
Save, then run rccups restart. Nmap should now show port 631 is not open
on the external interface. (Note that the first line is essential; see
Note 2. in the config file, immediately above the part you just edited).
One additional comment: if you are using broadcast to update printer
information on the network, you should probably add port 631 to the
firewall variable FW_ALLOW_FW_BROADCAST_INT (by default, CUPS does not
broadcast, but uses polling by remote systems to update printer status
information on the network).
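As an added example (not part of the original post), a small POSIX shell audit of the cupsd.conf change described above: it flags a still-active "Port 631" or a wildcard Listen (both bind every interface), and any Listen address outside an allowlist of loopback plus the internal-interface address. The sample config snippets and the 192.168.1.10 / 203.0.113.5 addresses are constructed.

```shell
#!/bin/sh
# Audit cupsd.conf Listen/Port directives for external exposure.
# Constructed sample: the "before" state, with "Port 631" still active.
SAMPLE_BAD='# Note 2. (see config file)
Port 631
Listen /var/run/cups/cups.sock'

# Constructed sample: the "after" state from the thread (Port commented out,
# Listen on localhost and on the internal-interface address only).
SAMPLE_GOOD='#Port 631
Listen localhost:631
Listen 192.168.1.10:631
Listen /var/run/cups/cups.sock'

# cups_bind_check CONFIG_TEXT ALLOWED_ADDRS
# Prints one line per offending directive; returns 0 if CUPS is bound only
# to allowed addresses (or unix sockets), 1 otherwise.
cups_bind_check() {
    offenders=$(printf '%s\n' "$1" | sed 's/#.*//' |
        awk 'NF>0 && ($1=="Port" || $1=="Listen") {print $1, $2}' |
        while read -r directive value; do
            case "$directive" in
                Port) echo "BIND-ALL: Port $value";;   # Port = all interfaces
                Listen)
                    case "$value" in
                        /*) ;;                          # unix socket: local only
                        '*:'*|0.0.0.0:*|'[::]:'*) echo "BIND-ALL: Listen $value";;
                        *) addr=${value%:*}             # strip trailing :port
                           ok=0
                           for a in $2; do [ "$a" = "$addr" ] && ok=1; done
                           [ $ok -eq 1 ] || echo "EXTERNAL?: Listen $value (address not in allowlist)";;
                    esac;;
            esac
        done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Demo run on the constructed samples (the allowlist is the internal
# interface address plus loopback names; adjust to your own network).
ALLOWED="localhost 127.0.0.1 192.168.1.10"
cups_bind_check "$SAMPLE_BAD" "$ALLOWED" || echo "-> cupsd.conf still binds all interfaces"
cups_bind_check "$SAMPLE_GOOD" "$ALLOWED" && echo "-> cupsd.conf binds only allowed addresses"
```

To audit a live system, pass the file contents, e.g. `cups_bind_check "$(cat /etc/cups/cupsd.conf)" "$ALLOWED"`, then confirm with an external scan as the post recommends, since a local nmap run does not prove firewall behaviour.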