Hi,

I thought I had closed down all interesting services/ports on one of my machines except for the two I really need (and I use tcp wrappers for those), but 'nmap' reports that there are still open ports:

    /home/martijn> nmap localhost

    Starting nmap V. 2.02 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on localhost (127.0.0.1):
    Port    State       Protocol  Service
    1       open        tcp       tcpmux
    11      open        tcp       systat
    15      open        tcp       netstat
    21      open        tcp       ftp
    23      open        tcp       telnet
    79      open        tcp       finger
    80      open        tcp       www
    111     open        tcp       sunrpc
    119     open        tcp       nntp
    143     open        tcp       imap2
    540     open        tcp       uucp
    635     open        tcp       unknown

    Nmap run completed -- 1 IP address (1 host up) scanned

I thought I had commented out all but the required telnet and ftp services, as inetd.conf shows:

    /home/martijn> egrep -v ^# /etc/inetd.conf
    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

How come that all those services like finger, netstat, nntp etc. are still available while they are not listed as such in /etc/inetd.conf? I know about the 'www' (got Apache running), but the rest I don't need and don't want.

How/where can I disable them? The box is running SuSE 6.1 by the way, kernel 2.2.5.

TIA,

--
Martijn van den Burg

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

At 09:11 PM 06/26/00 +0000, Martijn wrote:
> I thought I had closed down all interesting services/ports on one of my machines except for the two I really need (and I use tcp wrappers for those), but 'nmap' reports that there are still open ports:

Did you restart inetd?

Bill Moseley
mailto:moseley@hank.org

Hi,

Bill Moseley wrote:
> At 09:11 PM 06/26/00 +0000, Martijn wrote:
>> I thought I had closed down all interesting services/ports on one of my machines except for the two I really need (and I use tcp wrappers for those), but 'nmap' reports that there are still open ports:
>
> Did you restart inetd?

Yes, I did.

> Bill Moseley
> mailto:moseley@hank.org

Martijn

"What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
    -- Larry Wall

Hi Martijn,

On Tue, Jun 27, 2000 at 07:28:52AM +0200, Martijn van den Burg wrote:
>>> I thought I had closed down all interesting services/ports on one of my machines except for the two I really need (and I use tcp wrappers for those), but 'nmap' reports that there are still open ports:
>>
>> Did you restart inetd?
>
> Yes, I did.

Not all services are started by inetd, normally only those which are not important. It looks as if you did not stop your http-daemon (apache?), your smtp-daemon (sendmail?), news-daemon (inn?), etc.

Use yast to disable these services.

Regards,
Cees.

BTW: Those daemons which are started directly in /sbin/init.d/rc?.d/ may or may not use tcp-wrappers. It depends on how they are compiled. Normally these 'big' daemons have their own security-configuration.

Hi,

I solved the problem. I found out that portsentry leaves a couple of ports deliberately open to quickly detect portscans. Changing portsentry's configuration file and restarting it closed them.

On the other hand: just opening ports does not make the service available because that is controlled by inetd, right? So I might as well leave them open without causing a security hole. Can anyone of the security experts reflect on this?

Martijn wrote:
> Hi,
>
> I thought I had closed down all interesting services/ports on one of my machines except for the two I really need (and I use tcp wrappers for those), but 'nmap' reports that there are still open ports:
>
> /home/martijn> nmap localhost
>
> Starting nmap V. 2.02 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
> Interesting ports on localhost (127.0.0.1):
> Port    State       Protocol  Service
> 1       open        tcp       tcpmux
> 11      open        tcp       systat
> 15      open        tcp       netstat
> 21      open        tcp       ftp
> 23      open        tcp       telnet
> 79      open        tcp       finger
> 80      open        tcp       www
> 111     open        tcp       sunrpc
> 119     open        tcp       nntp
> 143     open        tcp       imap2
> 540     open        tcp       uucp
> 635     open        tcp       unknown
>
> Nmap run completed -- 1 IP address (1 host up) scanned
>
> I thought I had commented out all but the required telnet and ftp services, as inetd.conf shows:
>
> /home/martijn> egrep -v ^# /etc/inetd.conf
> ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
> telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
>
> How come that all those services like finger, netstat, nntp etc. are still available while they are not listed as such in /etc/inetd.conf? I know about the 'www' (got Apache running), but the rest I don't need and don't want.
>
> How/where can I disable them? The box is running SuSE 6.1 by the way, kernel 2.2.5.

Bye,

Martijn

"What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
    -- Larry Wall
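
The question this thread turns on (which process holds a listening port that inetd.conf does not explain) can be answered by reconciling the socket list against the enabled inetd entries. The script below is an added example, not part of the original thread; it assumes `netstat -tlnp`-style output collected as root, and the function name `unexpected_listeners` and all sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that inetd.conf does not account for.
# All input below is constructed sample data, not output from the poster's box.

INETD_CONF='# finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd'

# Excerpt in /etc/services format (name port/proto).
SERVICES='ftp     21/tcp
telnet  23/tcp
finger  79/tcp'

# Shaped like "netstat -tlnp" output; PIDs and owners are made up.
NETSTAT='Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:1      0.0.0.0:*        LISTEN  412/portsentry
tcp   0      0      0.0.0.0:11     0.0.0.0:*        LISTEN  412/portsentry
tcp   0      0      0.0.0.0:21     0.0.0.0:*        LISTEN  150/inetd
tcp   0      0      0.0.0.0:23     0.0.0.0:*        LISTEN  150/inetd
tcp   0      0      0.0.0.0:79     0.0.0.0:*        LISTEN  412/portsentry
tcp   0      0      0.0.0.0:80     0.0.0.0:*        LISTEN  201/httpd'

# unexpected_listeners INETD_TEXT SERVICES_TEXT NETSTAT_TEXT
# Prints "port owner" for every listening TCP port that is not an inetd
# socket for a service left enabled in inetd.conf.
unexpected_listeners() {
    printf '%s\n' '@inetd' "$1" '@services' "$2" '@netstat' "$3" | awk '
        /^@/ { section = $1; next }
        # Uncommented tcp entries in inetd.conf are the services we expect.
        section == "@inetd" && $1 !~ /^#/ && $3 == "tcp" { enabled[$1] = 1 }
        # Map each enabled service name to its port number.
        section == "@services" && ($1 in enabled) && $2 ~ /\/tcp$/ {
            split($2, p, "/"); expected[p[1]] = 1
        }
        section == "@netstat" && $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, addr, ":"); port = addr[n]
            split($7, who, "/"); owner = who[2]
            # A port held by inetd for a disabled service means inetd is
            # still running its old configuration.
            if (!(owner == "inetd" && (port in expected))) print port, owner
        }'
}

unexpected_listeners "$INETD_CONF" "$SERVICES" "$NETSTAT"
```

On a live host the three arguments would be `"$(cat /etc/inetd.conf)"`, `"$(cat /etc/services)"` and `"$(netstat -tlnp)"`; an `inetd` owner in the output points at a daemon that was not restarted, any other owner at a standalone process.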

participants (4)
- cees-list@griend.xs4all.nl
- martijn.van.den.burg@asml.nl
- Martijn.van.den.Burg@asml.nl
- moseley@hank.org