Bodhi Linux - open ports problem

I'm using the latest Bodhi Linux release and i did a "All Service Ports" test here: https://www.grc.com/x/ne.dll?bh0bkyd2

These are the results:

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2011-11-28 at 16:42:20

Results from scan of ports: 0-1055

4 Ports Open
1052 Ports Closed
0 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be STEALTH.

Ports found to be OPEN were: 22, 53, 80, 443

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Is there any way to stealth or close the open ports?
Already posted on Bodhi Linux forums.

 

just use GUFW. it's a frontend for the built-in firewall
(type "gufw" in Synaptic app, right click and "Mark for Installation", then apply. Enable in Preferences/Firewall Preferences)

it should stealth all your ports.
only thing you will then fail is the Ping request but that is similar to the Vista firewall.

 

Link?

 

Here: http://forums.bodhilinux.com/index.php?/topic/3294-open-ports/

 

You don't like the answer? It seemed to make sense to me but I'm not at all expert about firewalls.

 

I'm not totally enlightened

"From https://www.grc.com/x/ne.dll?rh1dkyd2

Port 22 - Secure Shell provides a secure-connection version of the Telnet remote console service with additional features. Unfortunately, the SSH services and their security add-on packages have a long history of many widely exploited buffer overflow vulnerabilities. If your system has this port exposed to the outside world you should be vigilant in keeping your SSH service updated.

Port 53 - If our port analysis reveals that your system's port 53 is open and listening for incoming traffic, you should determine what's going on. Even though only a few Trojan programs are known to open port 53, the exact behavior of malicious software is a constantly moving target . . . which is why periodic security checkups here are always worthwhile.

Port 80 - The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away.

Port 443 - The presence of this secure web port in your system implies that this system is establishing secure connections with web browsers. The number one reason for doing this is the transmission of credit card information. This implies that the successful intruder could access the web server's credit card database and score bigtime. This is a VERY bad port to have open unless you are actually conducting secure web commerce!

Of coarse most exploits would only work in Windows, but maybe is there a way to make Bodhi Linux even more secure?
(I'm right now in a bus, using public Wifi in my notebook). Thanks!"

 

did you try gufw?

 

http://www.dedoimedo.com/computers/gufw.html

http://www.youtube.com/watch?v=WgSYUTKV1g8

http://www.youtube.com/watch?v=8Lwxk5iLn_I

install this in your bodhi and block the open ports

 

lol!

glad i could help.

 

Thanks a lot moontan and mack_guy911
I just got home, i'll try as soon as i can.

 

it's easy as cake.

i'll check here to see if you need help but you should be good to go.

you will pass the GRC test with the default settings.
like i said, only thing you will fail is the ping test but who cares?

 

In my house i'm able to connect to a hotspot or to my router.
Without using GUFW, when connected to the hotspot i get this result:

"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

and when connected to my router i get this:

"Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

I don't know what kind of connection i was using on the bus, but it left the OS totally exposed

I'll install now GUFW.

 

If you run netstat -tulpean as sudo, what does it show?

BTW, some of the answers in the bodhi forum are plain wrong ...
Specifically regarding why ports should or should not be open, etc.

Cheers,
Mrk

 

1st when you connect to grc.com via router (ie your pc behind router....either direct via wifi....or what ever) it give results of router not of your pc so you have close ports open .......dosent make diffrence ........... same happen with you conneted with hotspot thats way on same pc diffrent results

second ping test fail means your router replay to pings

many router default set that way and they does to make sure connectivity occur other wise more problem could occur

https://www.wilderssecurity.com/showthread.php?t=272327

https://www.wilderssecurity.com/showthread.php?t=279343

as far your port concern block makes rules to block these ports "in" 22.53.443.80
you pass your test

even you block these ports both(ie in and out) i guess still they work because of port mapping

or

one rule like mrk did deny all incoming traffic **see above dedoimedo.com link**

also this

https://www.linux.com/learn/tutoria...all-configurations-easily-with-gufw-on-ubuntu


**** also remember to deny instead of reject becoz ...........in reject they will be ping replay that packet has been rejected but in case of deny it dropped siliently without any replay *****

 

I tested my Ubuntu. Passed everything except the ping stuff.

I don't have gufw installed. Ocky gave me a couple of tips re. the terminal mode (ufw) and that seems to have done the job. I'll put the link here if I find it.

Edit: I couldn't find it but from the notes I took ...
Use

Code:

sudo ufw status

to know if the firewall is enabled. If it is, you'll get "active" or "firewall loaded".
If it isn't, enter

Code:

sudo ufw enable
sudo ufw default deny

That's all I did.

 

@ vasa

right you are vasa.

GUFW. is just a front-end GUI, for us Windows refugees.

 

Check https://www.wilderssecurity.com/showthread.php?t=301358&page=3&highlight=iptables
From post #59-#64

 

I now have GUFW enabled and i'm connected to the hotspot. I see this:
http://img4.imageshack.us/img4/7582/shotqz.jpg
Is there anything unusual?

@mack_guy911
Thanks for the link to the tutorial

 

That was it!

 

Not related to your problem, but you could set your terminal to 132 (columns). Less chance of wrapping and you get a prettier presentation.

 

what Ocky wrote is also same but in command mode its pretty easy too you should learn that as well its helpful and easy in case gui dont work


all you need it 3 commands that not difficult

to start with basic default closing all net "in" but let things connect "out" when needed


@ocky thanks for sharing i am learing too

 

If you look at that output, local address, none of those "open" ports is listed there, so that must be your router interface.
You do have some open ports so to speak, but it's DHCP and avahi daemon, again, which is related to DNS discovery.

All in all, not a problem.

Mrk

 

What is FD as in FD 13u or 5w etc.

desktop:~$ sudo netstat --tcp --udp --listening --program
[sudo] password for:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:7634 *:* LISTEN 1546/hddtemp
tcp 0 0 localhost:ipp *:* LISTEN 1576/cupsd
tcp 0 0 localhost:smtp *:* LISTEN 1490/exim4
tcp6 0 0 localhost:ipp [::]:* LISTEN 1576/cupsd
tcp6 0 0 localhost:smtp [::]:* LISTEN 1490/exim4
udp 0 0 *:bootpc *:* 3867/dhclient
udp 0 0 *:49382 *:* 1063/avahi-daemon:
udp 0 0 *:mdns *:* 1063/avahi-daemon:
desktop:~$

desktop:~$ sudo lsof +M -i4
[sudo] password for:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1063 avahi 13u IPv4 5259 0t0 UDP *:mdns
avahi-dae 1063 avahi 14u IPv4 5260 0t0 UDP *:49382
exim4 1490 Debian-exim 3u IPv4 5635 0t0 TCP localhost:smtp (LISTEN)
hddtemp 1546 root 0u IPv4 6040 0t0 TCP localhost:7634 (LISTEN)
cupsd 1576 root 7u IPv4 15023 0t0 TCP localhost:ipp (LISTEN)
dhclient 3867 root 5w IPv4 141331 0t0 UDP *:bootpc
desktop:~$

 

File descriptor. Check my lsof tutorial for details.
3u means you're using fd 3 for read and write. 5r means from fd 5, etc.
You can also check this info under /proc/pid/fd and see exactly what you're holding.
Mrk

 

Thanks!