BSD DevCenter
Scanning Your Network

Now, what do I want to do with the results from this nmap scan? A good rule of thumb is to DISABLE all the ports that you don't use. Since you can't disable the ports you do want to use, you'll need to SECURE those ports.



In my example, I don't want to disable ssh, smtp, http, or X11, since I do use these services, so I'll have to keep them in mind when I create my firewall rules so that only appropriate hosts will have access. I'm no longer using NFS, so I should disable sunrpc; this computer does not have access to any printers, so I should disable the printer daemon; finally, my mail client does not use the submission port, so I should get rid of that as well.

I can disable the sunrpc and printer daemons by becoming the superuser and adding the following lines to /etc/rc.conf:

portmap_enable="NO"
lpd_enable="NO"

Before I save my changes, I'll double-check for typos.

Getting rid of the submission port is a bit more complicated. (If you're unsure what the submission port is used for, a good explanation was given in the mailing list archives.)

I don't want to mess up Sendmail on this computer, since I use it to send my e-mail; I'll be extra careful and back up my original Sendmail configuration file before making any changes. Still as the superuser, I can do this by typing:

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig

When I installed FreeBSD, a file called freebsd.mc was used to create that Sendmail configuration file. I'll back up this file as well, as I need to modify it in order to disable the submission port:

cd /usr/src/etc/sendmail
cp freebsd.mc freebsd.mc.orig

If this directory does not exist on your FreeBSD system, you'll have to first add the /src/etc distribution using /stand/sysinstall.

Once you've backed up freebsd.mc, use your favourite editor to add the following line just before the last two MAILER lines at the end of the file:

FEATURE(`no_default_msa')

Again, check for typos and save your change. Now type:

make freebsd.cf
make freebsd.cf install
cp freebsd.cf /etc/mail/sendmail.cf

We now need to tell rc and sendmail to read our configuration changes. Since rc only reads its configuration file at boot time, the easiest way to accomplish both tasks is to type:

killall init

When I receive the prompt back, I'll press Enter and then type:

exit

If all went well, I won't see any error messages, and when I rerun the nmap scan, I should only see ssh, smtp, http, and X11 in the output.

Let's return for a moment to that original nmap scan. This "vanilla tcp connect() scan" read a file called /usr/local/share/misc/nmap-services and then attempted a connect() system call to every port listed in that file. The connect request failed for every port that wasn't listening for TCP connections and succeeded for the ports that were listening. However, this scan does not check for daemons that might be listening for UDP requests.

All of the other scan types require superuser privileges; I'll become the superuser and use the -sU switch to scan for the daemons that are listening for UDP requests:

su
Password:
nmap -sU localhost

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1447 ports scanned but not shown below are in state: closed)

Port       State       Service
68/udp     open        bootpc

Nmap run completed -- 1 IP address (1 host up) scanned in 11 seconds

Remember that UDP does not create a connection, as it is the connectionless transport. UDP port 68 is used by the DHCP client, which I need to keep open so I can renew my DHCP lease with my service provider. This does not mean that I'm running a DHCP server on my computer, as DHCP servers use UDP port 67 instead.

Before we go any further, let's run the sockstat utility and compare the results to the nmap scan:

sockstat -4

                                    LOCAL    FOREIGN
USER    COMMAND   PID    FD  PROTO  ADDRESS  ADDRESS
root    XF86_SVG  15769   0  tcp4   *:6000   *:*
nobody  httpd     14592  16  tcp4   *:80     *:*
root    sendmail  12873   4  tcp4   *:25     *:*
nobody  httpd     12410  16  tcp4   *:80     *:*
nobody  httpd     12409  16  tcp4   *:80     *:*
nobody  httpd     12408  16  tcp4   *:80     *:*
nobody  httpd     12407  16  tcp4   *:80     *:*
nobody  httpd     12406  16  tcp4   *:80     *:*
root    httpd     12382  16  tcp4   *:80     *:*
root    sshd      12336   3  tcp4   *:22     *:*
root    dhclient  12269   3  udp4   *:*      *:*
root    dhclient  12269   6  udp4   *:68     *:*

You'll note that both utilities show the same port information: my machine is willing to accept TCP connections on ports 22, 25, 80, and 6000 and UDP datagrams on port 68. Why would someone use nmap instead of sockstat? If you only need to secure one machine and you are sitting at it, it's easier to use the built-in sockstat utility. However, if you need to test the security of your entire network, you can scan every host at once with nmap; you can even save the results to a file and keep a record of which ports are open on each machine. It also saves you from sitting down at every machine to run sockstat. Finally, once you've built a firewall, you can use the other types of nmap scans to test how your firewall rules behave.
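As an added example (not part of the original article), here is a POSIX shell script that automates the two checks described on this page: confirming that a rescan after disabling the unused daemons shows only the ports you intend to keep, and cross-checking nmap's view of the host against sockstat's. The nmap and sockstat outputs embedded in it are constructed to match the formats shown above (the "before" scan assumes the standard port numbers 111, 515 and 587 for sunrpc, printer and submission, and concatenates the TCP and UDP scan results), and the allowlist is an assumption matching the author's choice of services.

```shell
#!/bin/sh
# Added example, not from the article: audit nmap output against an allowlist
# and cross-check it against `sockstat -4`. All sample data below is constructed.

# Ports the administrator has decided to keep (assumption: ssh, smtp, http,
# X11 over TCP and the DHCP client over UDP), as "proto/port".
ALLOWED="tcp/22 tcp/25 tcp/80 tcp/6000 udp/68"

# Constructed nmap output before the cleanup (TCP and UDP results joined).
NMAP_BEFORE=$(cat <<'EOF'
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
515/tcp    open        printer
587/tcp    open        submission
6000/tcp   open        X11
68/udp     open        bootpc
EOF
)

# Constructed nmap output after portmap, lpd and the MSA were disabled.
NMAP_AFTER=$(cat <<'EOF'
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
6000/tcp   open        X11
68/udp     open        bootpc
EOF
)

# Constructed `sockstat -4` output for the same host after the cleanup.
SOCKSTAT=$(cat <<'EOF'
                                    LOCAL    FOREIGN
USER    COMMAND   PID    FD  PROTO  ADDRESS  ADDRESS
root    XF86_SVG  15769   0  tcp4   *:6000   *:*
nobody  httpd     14592  16  tcp4   *:80     *:*
root    sendmail  12873   4  tcp4   *:25     *:*
root    httpd     12382  16  tcp4   *:80     *:*
root    sshd      12336   3  tcp4   *:22     *:*
root    dhclient  12269   3  udp4   *:*      *:*
root    dhclient  12269   6  udp4   *:68     *:*
EOF
)

# stdin: nmap plain-text output. stdout: sorted unique "proto/port" for
# every line whose state is "open" (e.g. "22/tcp open ssh" -> "tcp/22").
nmap_open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
             split($1, a, "/"); print a[2] "/" a[1]
         }' | sort -u
}

# stdin: `sockstat -4` output. stdout: sorted unique "proto/port" for bound
# listening sockets (PROTO tcp4/udp4, FOREIGN *:*). A LOCAL address of *:*
# is an unbound socket with no port yet, so it is skipped.
sockstat_listen_ports() {
    awk '$5 ~ /^(tcp|udp)4$/ && $6 !~ /:\*$/ && $7 == "*:*" {
             n = split($6, a, ":"); print substr($5, 1, 3) "/" a[n]
         }' | sort -u
}

# stdin: one item per line. stdout: the items missing from the
# space-separated set given as $1.
not_in_set() {
    set_members=" $1 "
    while IFS= read -r item; do
        case "$set_members" in
            *" $item "*) ;;        # member: nothing to report
            *) echo "$item" ;;
        esac
    done
}

# Collapse a newline-separated list onto one space-separated line.
join_line() { tr '\n' ' ' | sed 's/ *$//'; }

# $1 = nmap output. Prints open ports that are not on the allowlist; an
# empty result means the rescan shows only the services you meant to keep.
audit_scan() {
    printf '%s\n' "$1" | nmap_open_ports | not_in_set "$ALLOWED" | join_line
}

# $1 = nmap output, $2 = sockstat output. Ports nmap reports that the host
# itself does not show as listening (a stale scan, or something in between).
nmap_only() {
    sock=$(printf '%s\n' "$2" | sockstat_listen_ports | join_line)
    printf '%s\n' "$1" | nmap_open_ports | not_in_set "$sock" | join_line
}

# Same arguments, opposite direction: listeners the scan failed to see.
sockstat_only() {
    scan=$(printf '%s\n' "$1" | nmap_open_ports | join_line)
    printf '%s\n' "$2" | sockstat_listen_ports | not_in_set "$scan" | join_line
}

printf 'Unexpected before cleanup: %s\n' "$(audit_scan "$NMAP_BEFORE")"
printf 'Unexpected after cleanup:  %s\n' "$(audit_scan "$NMAP_AFTER")"
printf 'Seen by nmap only:         %s\n' "$(nmap_only "$NMAP_AFTER" "$SOCKSTAT")"
printf 'Seen by sockstat only:     %s\n' "$(sockstat_only "$NMAP_AFTER" "$SOCKSTAT")"
```

Run it against real output by replacing the constructed variables with `nmap localhost`, `nmap -sU localhost` and `sockstat -4` captures; comparing the stale "before" scan against the current sockstat listing is what reveals ports that were closed by the restart, while a non-empty "sockstat only" line after a remote scan points at a filter between the scanner and the host.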
