Recipe 11.5. Securing Your Server by Closing Unnecessary Ports


Problem

Your server communicates with the surrounding network via services that listen on various open ports. Each open port represents a potential point of entry for an attacker. To minimize your risk of attack, you want to make sure that you close all unnecessary open ports.

Solution

You shouldn't have any services or network daemons listening that you don't need. Use netstat to get a list of all network daemons and the ports they are listening on. The following command produces such a list:

$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7120            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

The output of this command won't tell you what each service is, but you'll see the protocol (e.g., TCP) and the port each one is listening on. For example, there is a service listening on port 22 over TCP. You may recognize this as the sshd (secure shell) server used for logging into the server over the network. If you didn't know this, or if there are other services that you don't recognize, you can look up port numbers in the file /etc/services. This file simply contains a mapping to common services, the ports they commonly listen on, and often a short description of what the service is for. The following shows a portion of this file:

$ less /etc/services
...
ftp-data        20/tcp
ftp             21/tcp
fsp             21/udp          fspd
ssh             22/tcp                  # SSH Remote Login Protocol
ssh             22/udp
...

Once you've taken inventory of all the services on your system, you should shut down any that you don't really need to have running. This is usually as simple as uninstalling the package, but you may want to just disable it instead. On Debian GNU/Linux-based systems, you can disable services by deleting or renaming the startup script for that service in the /etc/init.d directory. (On Red Hat systems, this directory is /etc/rc.d/init.d.) To make sure you have really disabled a service, you should reboot your server to ensure it has not been restarted automatically.
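As an added example that is not part of the recipe, the following POSIX shell script automates the inventory step above: it reads netstat -an style output, names each listening port from a services table in the format of /etc/services, and lists every listener that is not on the administrator's allowlist. The sample netstat output, the services table and the EXPECTED_PORTS list are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit listening sockets against an allowlist of expected ports.

# Constructed stand-in for /etc/services ("name port/proto" per line)
SERVICES_TABLE='ssh 22/tcp
http 80/tcp
domain 53/udp
x11 6000/tcp'

# Ports the administrator has deliberately decided to keep (assumed)
EXPECTED_PORTS="22 80"

# service_name PORT PROTO -> prints the service name from the table, or "unknown"
service_name() {
  name=$(printf '%s\n' "$SERVICES_TABLE" | awk -v key="$1/$2" '$2 == key { print $1; exit }')
  printf '%s\n' "${name:-unknown}"
}

# list_listeners < netstat-output -> prints "proto port" for each TCP socket in
# LISTEN state and for each UDP socket (UDP has no state column in netstat)
list_listeners() {
  awk '$1 ~ /^(tcp|udp)/ && ($6 == "LISTEN" || $1 ~ /^udp/) {
         n = split($4, a, ":"); print substr($1, 1, 3), a[n] }'
}

# unexpected_listeners < netstat-output -> "proto port name" for ports not in EXPECTED_PORTS
unexpected_listeners() {
  list_listeners | while read -r proto port; do
    case " $EXPECTED_PORTS " in
      *" $port "*) ;;   # expected, nothing to report
      *) printf '%s %s %s\n' "$proto" "$port" "$(service_name "$port" "$proto")" ;;
    esac
  done
}

# Constructed netstat -an output, including an ESTABLISHED line that must be ignored
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7120            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# audit_sample -> runs the audit over the constructed output
audit_sample() {
  printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}
```

On a live system, replace the sample with `netstat -an | unexpected_listeners` (or the output of ss -lntu) and maintain EXPECTED_PORTS as the documented list of services you chose to keep.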

For those services that need to be running, such as ssh, you can reduce the risk of certain common attacks by having the service listen on a nonstandard port. The sshd daemon can be configured to listen on a high (nonprivileged) port by starting it with:

$ sudo /usr/sbin/sshd -p 12345

This command tells sshd to listen on port 12345 instead of the default, port 22. You can also specify a new port in the sshd configuration file, such as:

/etc/ssh/sshd_config:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 12345
...

To connect to the service, you'll have to specify this nonstandard port by passing the following option to your ssh client:

$ ssh -p 12345 rob@example.com

(Note that disguising ports is a form of security through obscurity, which is a controversial principle in security engineering. A system relying on security through obscurity may not be secure at all.)

Discussion

Each service that is listening on a server requires the system administrator to spend a certain amount of energy making sure that newly discovered vulnerabilities are quickly patched. The fewer services you have running, the easier it will be to keep the remaining ones secure. Decide whether you really need each service on your system, and if you do, take the time to keep it secure.

The solution demonstrates one technique for minimizing the risk of a successful attack: moving the ssh daemon to a nonstandard port. This makes it harder for an attacker to brute-force his way into your system by guessing many different passwords with a script. With the service moved to a nonstandard port, an attacker has much less chance of knowing what that port is, and you greatly reduce your risk of having user accounts compromised.

Another way of securing a service is to restrict access to certain network addresses. For example, if you access your production server only from work and from home, you can add the following to your server's /etc/hosts.deny file:

sshd: ALL EXCEPT 127.0.0.1,207.201.232.

This tells your server to deny all traffic to this service except from the addresses or networks in the list.

See Also

  • For more on tools for examining listening ports, see Section 13.7

  • Section 11.1


Rails Cookbook (O'Reilly Cookbooks)
ISBN: 0596527314
Year: 2007
Pages: 250
Authors: Rob Orsini