Well! I have just lost another customer due to me having to contact support to open a port on a Linux box.
I understand closing ports on an IIS server, but can someone explain to me why you have to have all ports closed on a Linux box?
This is a discussion on Question About Ports in the Open Discussion & Chit-chat forum
For the same reasons as closing them on Windows machines: any open port is basically a welcome mat for attackers. Blocking the ones that aren't necessary lessens the potential for attack. Attacks against Linux are less common than their Windows counterparts, but with the increasing popularity of Linux you can bet that it's only a matter of time...
--Jason
Now how did I know you were going to say that?
If you have a properly patched box, whether it is Linux or Windows, you don't need to block every port.
True in a sense. Open ports aren't exactly "free doors to a server". A firewall blocks communication outright on the rules it sets up; without a firewall the server will at least respond to requests, but it isn't a gateway. Open ports can be exploited if, for example, there was a buffer overflow vulnerability in your OS's TCP/UDP implementation, but on the other hand having a single open port (a webserver, for example) would mean that exploit could be used on any of those existing ones. Also take into account accidental daemons: if, for example, you mistakenly installed a telnet server, it would be a moot point if the telnet port is restricted by the firewall.
For an effective firewall setup, the ports that are open should be bound to an application/daemon so the firewall's rules know when to allow traffic and when not to. Blindly opening port 80/25/etc. is about the same as not running a firewall at all.
If you have a VPS, you can manage the firewall yourself though, which I think would settle your concerns.
Adam Alkins
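The setup Adam describes above (a default-deny firewall that only admits the ports a daemon is actually meant to serve, so that an accidentally installed telnetd is blocked) can be checked with a script like the following. This is an added example, not code from the thread or from JaguarPC; the allowed port list and the `ss -ltn`-style listener sample are constructed for illustration, and the iptables rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host against a default-deny firewall.
# Given the ports the firewall is meant to allow and a listing of listening TCP sockets
# (constructed sample below, in the layout `ss -ltn` prints), print the iptables rules for
# the allowed ports and flag any daemon listening on a port the firewall would block.

# Ports the firewall should allow; assumed for this example: SSH, SMTP, HTTP, POP3.
ALLOWED_PORTS="22 25 80 110"

# Constructed sample of `ss -ltn` output: sshd, an MTA, httpd, a POP3 daemon,
# plus an accidentally installed telnetd on port 23.
SAMPLE_LISTENERS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      100    127.0.0.1:25        0.0.0.0:*
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
LISTEN  0      128    0.0.0.0:110         0.0.0.0:*
LISTEN  0      128    0.0.0.0:23          0.0.0.0:*'

# listening_ports LISTENER_TEXT
# Print each listening TCP port once, numerically sorted; the header line is skipped.
# The port is the text after the last colon of the local address, which also works for [::]:22.
listening_ports() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

# firewall_rules "PORT PORT ..."
# Print a default-deny INPUT chain: drop by default, keep loopback and established
# connections, then accept only the listed TCP ports. Nothing is applied here.
firewall_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# unfirewalled_listeners "PORT PORT ..." LISTENER_TEXT
# Print every listening port that is not in the allowed list. Such a daemon is
# unreachable from outside while the firewall is up, but it is still running and
# should be removed or deliberately allowed, not left to chance.
unfirewalled_listeners() {
    for port in $(listening_ports "$2"); do
        allowed=0
        for p in $1; do
            if [ "$p" = "$port" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then echo "$port"; fi
    done
}

main() {
    echo "# Rules for the allowed ports:"
    firewall_rules "$ALLOWED_PORTS"
    echo "# Listening on ports the firewall would block (check whether you meant to run these):"
    unfirewalled_listeners "$ALLOWED_PORTS" "$SAMPLE_LISTENERS"
}
main
```

On a real host, replace the constructed sample with `ss -ltn` (or `netstat -ltn` on older systems) and run the audit before and after changing the firewall; port 23 showing up in the last section is exactly the "accidental daemon" case from the post.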
Personally, I never trust that any of my systems are secure, even if they are "properly patched," not with the number of zero-day exploits in the wild. In an environment where users can install their own software (such as on a shared hosting server) you can never trust that a system is properly patched unless you constantly check every user-installed script, and no host has the time to do that. Therefore the next best thing is to lock down the server as much as possible with a firewall, and that means closing unused ports.
I'm sorry, call me a paranoid sys admin, but I never trust any computer, at least not 100%.
--Jason
I understand the concerns for IIS. Again, I am on a Linux server; it appears to me that JaguarPC is over-paranoid.
Take a look around Google and see how many exploits there have been for Linux, and how long ago.
DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.
Why would you leave ports open on the off chance that someone legitimate might need them, when you know the chances of something bad coming in are much higher? New exploits are found and tried regularly, even for Linux.
Why can't your customer wait for a port to be opened up for him? I can't imagine anything that pressing. I think every now and then you'll simply lose a customer for no fault of yours or Jag's. That's just the way it is, I'm afraid.
Regards,
Wim Heemskerk
---
Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
And Gwaihir.net - The Middle-earth CCG store
When I log into my CentOS box I am often greeted by a little blinking red exclamation point in my menu bar, telling me that there are patches that I need to look at. Granted, some of them are just functional upgrades to the software I have installed, but quite often there are upgrades that are purely there to improve security of a specific component of my system. True, they may not be exploits against Linux (the kernel), but any vulnerable piece of software running on a system is a weakness for the entire system.
The SANS @RISK newsletter I received on Monday listed four Linux vulnerabilities; that's about the norm:
* 07.6.16 - Gentoo Linux Acme Thttpd File Access Information Disclosure
* 07.6.17 - Linux Kernel Dev_Queue_XMIT Local Denial of Service
* 07.6.18 - Linux Kernel ListXATTR Local Denial of Service
* 07.6.19 - smb4K Multiple Vulnerabilities
There were also a couple dozen web application exploits; they are the Achilles heel of a shared web server.
The last time I needed a port opened on my server (so that a script I'm running could do whois lookups) I opened a ticket and had it resolved in 7 minutes and 26 seconds. If a client can't wait that long to have a port opened then they are probably going to be a problem client for as long as they're with you. It's probably best that they're gone.
--Jason
I'd like to see a host that doesn't keep all ports closed. Too bad that such hosts don't exist, 'cause they've all been hacked into oblivion!
Galen, of course you mean except 80, 25, 110 and a bunch of others, right...
WOW!
[Personal attacks removed.
Keep it civil please.]
Last edited by Ron; 02-07-2007 at 05:29 PM.
Copyright © 2011 JaguarPC.com