Bodhi Linux - open ports problem

Discussion in 'all things UNIX' started by AlexC, Nov 28, 2011.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I'm using the latest Bodhi Linux release and I did an "All Service Ports" test here: https://www.grc.com/x/ne.dll?bh0bkyd2

    These are the results:

    ----------------------------------------------------------------------

    GRC Port Authority Report created on UTC: 2011-11-28 at 16:42:20

    Results from scan of ports: 0-1055

    4 Ports Open
    1052 Ports Closed
    0 Ports Stealth
    ---------------------
    1056 Ports Tested

    NO PORTS were found to be STEALTH.

    Ports found to be OPEN were: 22, 53, 80, 443

    Other than what is listed above, all ports are CLOSED.

    TruStealth: FAILED - NOT all tested ports were STEALTH,
    - NO unsolicited packets were received,
    - A PING REPLY (ICMP Echo) WAS RECEIVED.

    ----------------------------------------------------------------------

    Is there any way to stealth or close the open ports?
    Already posted on Bodhi Linux forums.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Just use GUFW. It's a frontend for the built-in firewall
    (type "gufw" in the Synaptic app, right click and "Mark for Installation", then apply. Enable in Preferences/Firewall Preferences).

    It should stealth all your ports.
    The only thing you will then fail is the ping request, but that is similar to the Vista firewall.
     
    Last edited: Nov 28, 2011
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Link?
     
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  6. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I'm not totally enlightened :doubt:

    "From https://www.grc.com/x/ne.dll?rh1dkyd2

    Port 22 - Secure Shell provides a secure-connection version of the Telnet remote console service with additional features. Unfortunately, the SSH services and their security add-on packages have a long history of many widely exploited buffer overflow vulnerabilities. If your system has this port exposed to the outside world you should be vigilant in keeping your SSH service updated.

    Port 53 - If our port analysis reveals that your system's port 53 is open and listening for incoming traffic, you should determine what's going on. Even though only a few Trojan programs are known to open port 53, the exact behavior of malicious software is a constantly moving target . . . which is why periodic security checkups here are always worthwhile.

    Port 80 - The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away.

    Port 443 - The presence of this secure web port in your system implies that this system is establishing secure connections with web browsers. The number one reason for doing this is the transmission of credit card information. This implies that the successful intruder could access the web server's credit card database and score bigtime. This is a VERY bad port to have open unless you are actually conducting secure web commerce!

    Of course most exploits would only work in Windows, but maybe there is a way to make Bodhi Linux even more secure?
    (I'm right now on a bus, using public Wifi on my notebook). Thanks!"
     
    Last edited: Nov 28, 2011
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Did you try gufw?
     
  8. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    lol!

    Glad I could help.
     
  10. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks a lot moontan and mack_guy911 :thumb:
    I just got home, I'll try as soon as I can.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    It's easy as cake.

    I'll check here to see if you need help, but you should be good to go.

    You will pass the GRC test with the default settings.
    Like I said, the only thing you will fail is the ping test, but who cares?
     
  12. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    In my house I'm able to connect to a hotspot or to my router.
    Without using GUFW, when connected to the hotspot I get this result:

    "Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

    and when connected to my router I get this:

    "Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .

    Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

    I don't know what kind of connection I was using on the bus, but it left the OS totally exposed :thumbd:

    I'll install GUFW now.
     
    Last edited: Nov 28, 2011
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    If you run netstat -tulpean as sudo, what does it show?

    BTW, some of the answers in the bodhi forum are plain wrong ...
    Specifically regarding why ports should or should not be open, etc.

    Cheers,
    Mrk
     
  14. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    First, when you connect to grc.com via a router (i.e. your PC behind the router, either directly via wifi or whatever), it gives the results of the router, not of your PC, so whether you have closed or open ports doesn't make a difference. The same happens when you connect to a hotspot; that's why you get different results on the same PC.

    Second, the ping test failing means your router replies to pings.

    Many routers are set that way by default, and they do it to make sure connectivity occurs; otherwise more problems could occur.

    https://www.wilderssecurity.com/showthread.php?t=272327

    https://www.wilderssecurity.com/showthread.php?t=279343

    As far as your ports are concerned, make rules to block these ports "in": 22, 53, 443, 80.
    You pass your test.

    Even if you block these ports both ways (i.e. in and out), I guess they still work because of port mapping.

    or

    one rule like mrk did: deny all incoming traffic **see above dedoimedo.com link**

    Also this:

    https://www.linux.com/learn/tutoria...all-configurations-easily-with-gufw-on-ubuntu


    **** Also remember to deny instead of reject, because with reject there will be a reply that the packet has been rejected, but in the case of deny it is dropped silently without any reply *****
     
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I tested my Ubuntu. Passed everything except the ping stuff.

    I don't have gufw installed. Ocky gave me a couple of tips re. the terminal mode (ufw) and that seems to have done the job. I'll put the link here if I find it.

    Edit: I couldn't find it but from the notes I took ...
    Use
    Code:
    sudo ufw status
    to know if the firewall is enabled. If it is, you'll get "active" or "firewall loaded".
    If it isn't, enter
    Code:
    sudo ufw enable
    sudo ufw default deny
    That's all I did.
     
    Last edited: Nov 29, 2011
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @ vasa

    Right you are vasa.

    GUFW is just a front-end GUI, for us Windows refugees. ;)
     
  17. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Check https://www.wilderssecurity.com/showthread.php?t=301358&page=3&highlight=iptables
    From post #59-#64
     
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I now have GUFW enabled and I'm connected to the hotspot. I see this:
    http://img4.imageshack.us/img4/7582/shotqz.jpg
    Is there anything unusual?

    @mack_guy911
    Thanks for the link to the tutorial :thumb:
     
    Last edited: Nov 29, 2011
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Not related to your problem, but you could set your terminal to 132 (columns). Less chance of wrapping and you get a prettier presentation.
     
  21. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    What Ocky wrote is the same, but in command mode. It's pretty easy too; you should learn that as well, it's helpful and easy in case the GUI doesn't work.


    All you need is 3 commands, that's not difficult :D

    To start with, the basic default closes all net "in" but lets things connect "out" when needed.


    @ocky thanks for sharing, I am learning too ;)

    :thumb:
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    If you look at that output, local address, none of those "open" ports is listed there, so that must be your router interface.
    You do have some open ports so to speak, but it's DHCP and avahi daemon, again, which is related to DNS discovery.

    All in all, not a problem.

    Mrk
     
  23. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    What is FD o_O, as in FD 13u or 5w etc.?

    desktop:~$ sudo netstat --tcp --udp --listening --program
    [sudo] password for:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost:7634 *:* LISTEN 1546/hddtemp
    tcp 0 0 localhost:ipp *:* LISTEN 1576/cupsd
    tcp 0 0 localhost:smtp *:* LISTEN 1490/exim4
    tcp6 0 0 localhost:ipp [::]:* LISTEN 1576/cupsd
    tcp6 0 0 localhost:smtp [::]:* LISTEN 1490/exim4
    udp 0 0 *:bootpc *:* 3867/dhclient
    udp 0 0 *:49382 *:* 1063/avahi-daemon:
    udp 0 0 *:mdns *:* 1063/avahi-daemon:
    desktop:~$

    desktop:~$ sudo lsof +M -i4
    [sudo] password for:
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    avahi-dae 1063 avahi 13u IPv4 5259 0t0 UDP *:mdns
    avahi-dae 1063 avahi 14u IPv4 5260 0t0 UDP *:49382
    exim4 1490 Debian-exim 3u IPv4 5635 0t0 TCP localhost:smtp (LISTEN)
    hddtemp 1546 root 0u IPv4 6040 0t0 TCP localhost:7634 (LISTEN)
    cupsd 1576 root 7u IPv4 15023 0t0 TCP localhost:ipp (LISTEN)
    dhclient 3867 root 5w IPv4 141331 0t0 UDP *:bootpc
    desktop:~$
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    File descriptor. Check my lsof tutorial for details.
    3u means you're using fd 3 for read and write. 5r means from fd 5, etc.
    You can also check this info under /proc/pid/fd and see exactly what you're holding.
    Mrk
     
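    A shell check for the point Mrkvonic makes in posts #13 and #22: read the Local Address column of the netstat output and separate loopback-bound services (not reachable from the network, so not what GRC probed) from those bound to every interface (what the firewall must actually cover). This is an added example, not code from any poster; the sample input is constructed from Ocky's netstat output above, and classify_listeners and exposed_count are names chosen for the example.

    ```shell
    #!/bin/sh
    # Added example: classify listeners from `netstat --tcp --udp --listening --program`
    # output by bind address. Only sockets bound to a wildcard address (*, 0.0.0.0, [::])
    # are reachable from other hosts; loopback-bound ones are not, whatever GRC reports.
    # SAMPLE is constructed from the netstat output posted earlier in this thread.
    SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost:7634 *:* LISTEN 1546/hddtemp
    tcp 0 0 localhost:ipp *:* LISTEN 1576/cupsd
    tcp 0 0 localhost:smtp *:* LISTEN 1490/exim4
    tcp6 0 0 localhost:ipp [::]:* LISTEN 1576/cupsd
    udp 0 0 *:bootpc *:* 3867/dhclient
    udp 0 0 *:49382 *:* 1063/avahi-daemon:
    udp 0 0 *:mdns *:* 1063/avahi-daemon:'

    # classify_listeners INPUT MODE
    #   MODE=exposed -> sockets bound to every interface (reachable from the network)
    #   MODE=local   -> sockets bound to loopback only (not reachable from the network)
    # Prints "proto local-address program" for each matching socket.
    classify_listeners() {
        printf '%s\n' "$1" | awk -v mode="$2" '
            $1 ~ /^(tcp|udp)6?$/ {
                host = $4
                sub(/:[^:]*$/, "", host)      # strip the port, keep the bind address
                wildcard = (host == "*" || host == "0.0.0.0" || host == "[::]")
                # UDP rows have no State column, so the program is always the last field
                if ((mode == "exposed" && wildcard) || (mode == "local" && !wildcard))
                    print $1, $4, $NF
            }'
    }

    # Number of listeners reachable from the network: a quick "is anything exposed?" check.
    exposed_count() {
        classify_listeners "$1" exposed | awk 'END { print NR }'
    }

    echo "Reachable from the network (firewall must cover these):"
    classify_listeners "$SAMPLE" exposed
    echo "Loopback only:"
    classify_listeners "$SAMPLE" local
    ```

    On a live system, replace SAMPLE with the actual output of `sudo netstat --tcp --udp --listening --program`; the same column layout applies.
    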
  25. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks!:thumb:
     