Closing some open ports
BSD Mail
bsdmail at gmail.com
Fri Dec 16 10:13:16 PST 2005
Greetings,
I've finished installing a FreeBSD RELENG_6_0 which carries
DNS/Apache/DHCP/SAMBA/TFTP.
Chrooted Bind9 / chrooted DHCP, and the tftp port is listening on the int_if only
through inetd.
Apache is only serving the intranet site for docs.
I know it's too many services on one machine, but it's not my call.
My problem is with SAMBA and SNMP (for the MRTG graph): I want them to bind to
specific IPs instead of listening on *:port. My sockstat -4l shows:
<snip>
root snmpd 717 6 udp4 *:161 *:*
root smbd 709 21 tcp4 *:445 *:*
root smbd 709 22 tcp4 *:139 *:*
root nmbd 705 6 udp4 *:137 *:*
root nmbd 705 7 udp4 *:138 *:*
root nmbd 705 8 udp4 10.99.99.254:137 *:*
root nmbd 705 9 udp4 10.99.99.254:138 *:*
root nmbd 705 10 udp4 10.98.98.254:137 *:*
root nmbd 705 11 udp4 10.98.98.254:138 *:*
<snip>
My general practice is always to bind each and every service to a specific
IP to contain it, unless it's needed, such as DHCP. I looked on samba's website
first on how to make samba run as non-root; unfortunately it looks like that is
not possible as far as I'm aware of, which is insane.
Although I have "hosts allow" and "interfaces" statements in
smb.conf listening only on the internal LAN,
I can still scan my network with nmap from another network and get this:
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
I can install samba inside a jail(8), but it will still be running as root
and the ports will show up. Or I can put some rules
in pf.conf to restrict access to whatever I want from outside.
But maybe there is another way to do that; I'm all ears.
All I want is to get rid of this:
root smbd 709 21 tcp4 *:445 *:*
root smbd 709 22 tcp4 *:139 *:*
root nmbd 705 6 udp4 *:137 *:*
root nmbd 705 7 udp4 *:138 *:*
I can live with it running as root in my LAN, as long as it doesn't show on the
external interface when port scanning.
Thanks in advance,
--
BSDMail
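An added example, not part of the original post: a small sh script that audits sockstat -4l output and reports every listener bound to the wildcard address, which is exactly the condition the post wants to eliminate. It assumes the FreeBSD sockstat column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN); the sample input is constructed from the listener lines quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): flag services whose local
# socket is bound to the wildcard address in `sockstat -4l` output.
# Assumed column layout of sockstat -4l on FreeBSD:
#   USER COMMAND PID FD PROTO LOCAL FOREIGN

# Constructed sample, copied from the listener lines quoted in the post.
SAMPLE_SOCKSTAT='root snmpd 717 6 udp4 *:161 *:*
root smbd 709 21 tcp4 *:445 *:*
root smbd 709 22 tcp4 *:139 *:*
root nmbd 705 6 udp4 *:137 *:*
root nmbd 705 7 udp4 *:138 *:*
root nmbd 705 8 udp4 10.99.99.254:137 *:*
root nmbd 705 9 udp4 10.99.99.254:138 *:*'

# Read sockstat text on stdin and print "COMMAND PID PROTO PORT" for each
# listener bound to *:port.  $1 is an optional space-separated list of
# commands to ignore, for daemons that legitimately need the wildcard
# (the post mentions DHCP as such a case).
wildcard_listeners() {
    awk -v skip="${1:-}" '
        BEGIN {
            n = split(skip, s, " ")
            for (i = 1; i <= n; i++) ignore[s[i]] = 1
        }
        NF >= 6 && $6 ~ /^\*:[0-9]+$/ && !($2 in ignore) {
            split($6, a, ":")
            print $2, $3, $5, a[2]
        }'
}

# Number of wildcard listeners in the constructed sample (expected: 5).
count_wildcard_in_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# Audit the live system: return 1 if anything (other than the ignored
# commands) is still bound to the wildcard address, so the check can be
# re-run after editing smb.conf / snmpd.conf to confirm the fix took.
audit_live() {
    found=$(sockstat -4l | wildcard_listeners "${1:-}")
    if [ -n "$found" ]; then
        printf 'wildcard listeners found:\n%s\n' "$found"
        return 1
    fi
    return 0
}
```

Run `audit_live dhcpd` after reconfiguring. For Samba, note that an `interfaces` line on its own only tells smbd which addresses to use; the sockets shown above stay on *:139 and *:445 unless `bind interfaces only = yes` is set alongside it in smb.conf. A pf rule blocking 137-139 and 445 inbound on the external interface is still worth keeping as a second layer even once the audit comes back clean.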