closing ports (canna, squid and sendmail)
Hello,

I am reviewing the security on my home desktop and have a question which I hope is simple to answer. I should say that I am on a 56k dial up PPP connection and offer no services to anyone. I am the only user and root. Simple. In fact, I think my security measures are probably over-the-top, but still it seems like good practice and makes interesting learning.

I have hardened the system using Marc's hardening script and have set up Firewall2. Now, when I scan my ports with nmap, I have 'canna', 'smtp' and 'squid' showing open. Canna is my Japanese language server and I have squid running to cache pages for web browsing. I also opened up the smtp/sendmail service so I can use fetchmail to fetch my mail.

My questions are:

1. Can I close the canna port and still use canna? I see no reason why it should be sitting open to external connections when I am the only person that needs to use it. How do I close it?

2. Is it necessary for squid to be sitting open, when I do not serve any web pages? Can I close the port and still have squid cache pages for my browsing?

3. I fetch mail with fetchmail which requires sendmail to send the mail to my account. Must I have sendmail running as a daemon or can I invoke sendmail when fetchmail needs it? If I shut down sendmail/smtp, I can send mail with sendmail -q but fetchmail fails. Basically, how do I close the smtp port but still use fetchmail?

I'd be grateful for any help. And if I appear to be barking up the wrong tree, then please do let me know! :-)

thanks
Joss
At 09:39 AM 22/05/2001, you wrote:

> Hello,
> I am reviewing the security on my home desktop and have a question which I hope is simple to answer. I should say that I am on a 56k dial up PPP connection and offer no services to anyone. I am the only user and root. Simple. In fact, I think my security measures are probably over-the-top, but still it seems like good practice and makes interesting learning.
> I have hardened the system using Marc's hardening script and have set up Firewall2. Now, when I scan my ports with nmap, I have 'canna', 'smtp' and 'squid' showing open. Canna is my Japanese language server and I have squid running to cache pages for web browsing. I also opened up the smtp/sendmail service so I can use fetchmail to fetch my mail.
> My questions are:
> 1. Can I close the canna port and still use canna?

You should be able to bind it to localhost or some such thing.

> I see no reason why it should be sitting open to external connections when I am the only person that needs to use it. How do I close it?

Unfortunately I have no idea as I have not used canna.

> 2. Is it necessary for squid to be sitting open, when I do not serve any web pages? Can I close the port and still have squid cache pages for my browsing?

No, it is not. http://squid.visolve.com/squid24s1/network.htm#http_port

Change:

http_port 3128

to:

http_port 127.0.0.1:3128

Then make sure you have your proxy set to 127.0.0.1:3128 :-) You may also want to set udp_incoming_address 127.0.0.1 or disable it completely.

> 3. I fetch mail with fetchmail which requires sendmail to send the mail to my account. Must I have sendmail running as a daemon or can I invoke sendmail when fetchmail needs it? If I shut down sendmail/smtp, I can send mail with sendmail -q but fetchmail fails. Basically, how do I close the smtp port but still use fetchmail?

Sendmail will still send local mail without listening on a network socket. I'm not exactly sure what you are trying to do with fetchmail, but you can change in /etc/rc.config.d/sendmail.rc.config:

SENDMAIL_ARGS="-bd -q10m -om"

to

SENDMAIL_ARGS="-q10m -om"

> I'd be grateful for any help. And if I appear to be barking up the wrong tree, then please do let me know! :-)

Hope this helps you.

Have fun,
Nix - nix@susesecurity.com
http://www.susesecurity.com
On Tue, May 22, 2001 at 11:21:14AM +1000, Nix wrote:

> Sendmail will still send local mail without listening on a network socket. I'm not exactly sure what you are trying to do with fetchmail, but you can change in /etc/rc.config.d/sendmail.rc.config:
> SENDMAIL_ARGS="-bd -q10m -om"
> to
> SENDMAIL_ARGS="-q10m -om"

The above is what you would do if you were going to run sendmail off of inetd. But this is not necessary! The above changes are not needed if you add the following to /etc/sendmail.cf:

O DaemonPortOptions=Addr=localhost

This causes sendmail to bind to the localhost even though it continues to run as a daemon. Fetchmail delivers mail by dumping into port 25! This happens locally, that is, on the localhost. So the above will allow fetchmail to work while still not allowing those outside the localhost to see an open port!

--
Paul Elliott 1(512)837-9345 1(512)837-1096 pelliott@io.com
PMB 181, 11900 Metric Blvd Suite J http://www.io.com/~pelliott/pme/
Austin TX 78758-3117
Many thanks to Paul and Nix for their quick replies. smtp and squid are now closed and working for me. In the end, I found out I could receive mail via fetchmail without using sendmail but divert mail to procmail instead. This has simplified things even more than the sendmail fix Paul sent.

I found out how to direct the Japanese canna server to localhost but so far this has not worked for me. I have sent a note to the SUSE Japanese developer asking for information. It's probably something he should consider since SUSE has recently started supporting Japanese and there's probably going to be a lot of people running Japanese on SUSE that are unaware of the open canna port.

thanks again,
Joss

p.s. I see from the list archives that back in January, mail from me to this list was the subject of a possible security issue. Rest assured, this was not anything except for my pure incompetence setting up sendmail. I tried to subscribe to the list before realising my sendmail was not set up properly. If I remember correctly, my application to the list was immediately rejected. I then spent far too long learning how to set up sendmail after that ;-) Sorry to have got this list involved in my incompetence.
On Tue, May 22, 2001 at 08:39:35AM +0900, Joss Winn wrote:

> 3. I fetch mail with fetchmail which requires sendmail to send the mail to my account. Must I have sendmail running as a daemon or can I invoke sendmail when fetchmail needs it? If I shut down sendmail/smtp, I can send mail with sendmail -q but fetchmail fails. Basically, how do I close the smtp port but still use fetchmail?

Add

O DaemonPortOptions=Addr=localhost

to /etc/sendmail.cf; make no other changes. This will cause sendmail to bind to localhost; hosts outside your computer will not see an open port.

--
Paul Elliott 1(512)837-9345 1(512)837-1096 pelliott@io.com
PMB 181, 11900 Metric Blvd Suite J http://www.io.com/~pelliott/pme/
Austin TX 78758-3117
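A verification step to go with the http_port and DaemonPortOptions changes in the replies above, as an added example that is not part of the thread and not code from squid, sendmail or canna: a POSIX sh script that reads the "Local Address" column of netstat -tln and reports which TCP listeners are still bound to a wildcard address (0.0.0.0 or ::) rather than to 127.0.0.1. This is the check to run after editing the config, because an nmap scan of 127.0.0.1 cannot tell the two apart: a daemon bound only to the loopback address still answers a scan that comes from the loopback address, so it shows "open" either way. The two netstat samples are constructed; port 5680 is assumed to be canna (its usual /etc/services entry), 3128 is squid and 25 is sendmail.

```shell
#!/bin/sh
# Added example, not from the thread: classify TCP listeners by bind address.
# Input is the output format of `netstat -tln`; the samples are constructed.
# Port 5680 is assumed to be canna (usual /etc/services entry).

SAMPLE_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5680            0.0.0.0:*               LISTEN'

SAMPLE_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5680          0.0.0.0:*               LISTEN'

# Read netstat -tln output on stdin; print "port scope" for every TCP listener.
# scope is "exposed" for wildcard binds (0.0.0.0, ::, *), "local" for the
# loopback address (127.x, ::1) and "interface" for any other specific address.
classify_listeners() {
    while read -r proto _recvq _sendq laddr _rest; do
        case "$proto" in
            tcp|tcp6) ;;
            *) continue ;;          # header lines and non-TCP rows
        esac
        addr=${laddr%:*}            # everything before the last colon
        port=${laddr##*:}           # everything after the last colon
        case "$addr" in
            0.0.0.0|::|\*) scope=exposed ;;
            127.*|::1)     scope=local ;;
            *)             scope=interface ;;
        esac
        printf '%s %s\n' "$port" "$scope"
    done
}

# Print the space-separated list of ports still bound to a wildcard address
# (empty when every listener is loopback-only or interface-specific).
exposed_ports() {
    result=
    for entry in $(classify_listeners | tr ' ' '='); do
        case "$entry" in
            *=exposed) result="${result}${result:+ }${entry%=*}" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Succeed (exit 0) only if nothing on stdin is bound to a wildcard address.
loopback_only() {
    [ -z "$(exposed_ports)" ]
}

# Demonstration on the constructed samples.
echo "before the config changes:"
printf '%s\n' "$SAMPLE_BEFORE" | classify_listeners
printf 'still exposed: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | exposed_ports)"
echo "after the config changes:"
if printf '%s\n' "$SAMPLE_AFTER" | loopback_only; then
    echo "no wildcard listeners remain"
fi
```

On the real machine, source the script and run `netstat -tln | exposed_ports`; an empty result means each daemon took the 127.0.0.1 bind, and any port printed is one the config change did not reach (the canna case in the thread, where the localhost setting "has not worked", is exactly where this shows the difference between "still listening on 0.0.0.0" and "listening on loopback but visible to a local scan").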