All these open ports 

Newsgroups:  gmane.linux.debian.user
Date:        Fri, 13 Aug 2004 21:56:17 -0400
> I've just noticed that my debian testing opens many ports by default:
>
> tcp        0      0 *:dict                  *:*                     LISTEN
> tcp        0      0 *:time                  *:*                     LISTEN
> tcp        0      0 *:discard               *:*                     LISTEN
> tcp        0      0 *:682                   *:*                     LISTEN
> tcp        0      0 *:daytime               *:*                     LISTEN
> tcp        0      0 *:sunrpc                *:*                     LISTEN
> tcp        0      0 *:www                   *:*                     LISTEN
> tcp        0      0 *:x11-1                 *:*                     LISTEN
> tcp        0      0 *:auth                  *:*                     LISTEN
> tcp        0      0 *:ssh                   *:*                     LISTEN
> tcp        0      0 cxmr.dyndns.org:8118    *:*                     LISTEN
> tcp        0      0 cxmr.dyndns.org:822     *:*                     LISTEN
> tcp        0      0 *:ipp                   *:*                     LISTEN
> tcp        0      0 *:3128                  *:*                     LISTEN
>
> udp        0      0 *:discard               *:*
> udp        0      0 *:676                   *:*
> udp        0      0 *:679                   *:*
> udp        0      0 *:icpv2                 *:*
> udp        0      0 *:bootpc                *:*
> udp        0      0 *:sunrpc                *:*
> udp        0      0 *:ipp                   *:*
>
> How can I close them?

Uninstall the respective services. Or, use a firewalling system (dedicated firewall, iptables, etc…)

To find out what service uses what port:

stefan:~$ sudo lsof -i tcp:www         # substitute your port name/number
Password:
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
apache  221 root   16u  IPv4    173       TCP *:www (LISTEN)
apache  629 root   16u  IPv4    173       TCP *:www (LISTEN)
apache  630 root   16u  IPv4    173       TCP *:www (LISTEN)
apache  631 root   16u  IPv4    173       TCP *:www (LISTEN)
apache  632 root   16u  IPv4    173       TCP *:www (LISTEN)
apache  633 root   16u  IPv4    173       TCP *:www (LISTEN)

Note that some services have options to use UNIX-domain sockets exclusively, such as the X-server (look for -nolisten tcp, etc).

You probably don't use all of these:

Webserver? If no, no apache.
Dict Server? Disable. The client uses dict.org, not localhost.
XServer? If you don't use the windowing system, get rid of it (note: _not_ using it is rare, GNOME/KDE require it)
SSH?
CUPS? (network printing)

As for discard/time/daytime, you need to comment out lines in your /etc/inetd.conf (but how can you exploit a service whose purpose is to discard everything you throw at it?)
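One way to work through a listing like the one in the question mechanically, as an added example that is not part of the original post or the thread: the functions below read `netstat -tul`/`netstat -tuln` (or `ss -tuln`, whose column order differs) and `lsof -i` output on stdin and report which listeners are reachable from other hosts and which process owns each port. The sample input is the question's own netstat listing and a few of the lsof lines posted later in the thread, embedded inline so the script runs offline; the column positions assumed for `ss` are the `Netid State Recv-Q Send-Q Local:Port Peer:Port` layout of `ss -tuln`.

```shell
#!/bin/sh
# Added example, not from the original thread: audit listening sockets.
# classify_listeners reads netstat -tul / netstat -tuln lines (or ss -tuln
# lines) on stdin and prints "proto port exposure", where exposure is:
#   all-interfaces  bound to the wildcard address (*, 0.0.0.0, ::, [::])
#   loopback        bound to 127.0.0.1 / localhost / ::1 only
#   specific        bound to one named interface address (e.g. cxmr.dyndns.org)
classify_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        # ss puts the state in $2 and the local address in $5;
        # netstat puts the local address in $4
        addr = ($2 == "LISTEN" || $2 == "UNCONN") ? $5 : $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]")
            exposure = "all-interfaces"
        else if (host == "127.0.0.1" || host == "localhost" || host == "::1" || host == "[::1]")
            exposure = "loopback"
        else
            exposure = "specific"
        print $1, port, exposure
    }'
}

# count_exposed: how many of the listeners on stdin other hosts can reach
count_exposed() {
    classify_listeners | awk '$3 != "loopback" { n++ } END { print n + 0 }'
}

# owners_from_lsof reads `lsof -i` output on stdin and prints
# "port command user pid" once per listening socket, so a preforking
# server such as apache appears once rather than once per child.
owners_from_lsof() {
    awk '$1 != "COMMAND" && /\(LISTEN\)/ {
        n = split($(NF - 1), parts, ":")   # NAME column, e.g. *:www or host:822
        key = parts[n] " " $1 " " $3
        if (!(key in seen)) { seen[key] = 1; print key, $2 }
    }'
}

# Constructed sample input: the netstat listing from the question, quote marks removed.
SAMPLE_NETSTAT='tcp        0      0 *:dict                  *:*                     LISTEN
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 *:discard               *:*                     LISTEN
tcp        0      0 *:682                   *:*                     LISTEN
tcp        0      0 *:daytime               *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:x11-1                 *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 cxmr.dyndns.org:8118    *:*                     LISTEN
tcp        0      0 cxmr.dyndns.org:822     *:*                     LISTEN
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 *:3128                  *:*                     LISTEN
udp        0      0 *:discard               *:*
udp        0      0 *:676                   *:*
udp        0      0 *:679                   *:*
udp        0      0 *:icpv2                 *:*
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 *:ipp                   *:*'

# Constructed sample: a few lsof lines in the format posted in this thread.
SAMPLE_LSOF='COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
apache  221 root   16u  IPv4    173       TCP *:www (LISTEN)
apache  629 root   16u  IPv4    173       TCP *:www (LISTEN)
dictd   21560 dictd   12u  IPv4 348620       TCP *:dict (LISTEN)
famd    646 root    3u  IPv4   1044       TCP cxmr.dyndns.org:822 (LISTEN)'

# On a live system: netstat -tuln | classify_listeners ; lsof -nP -i | owners_from_lsof
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_exposed)"
printf '%s\n' "$SAMPLE_LSOF" | owners_from_lsof
```

Anything reported as all-interfaces or specific is what a port scan from the LAN or the Internet will see; the loopback entries are the target state for services such as CUPS or a local proxy that only the machine itself should use.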

All these open ports 

> I've just noticed that my debian testing opens many ports by default:

Some of them are opened by inetd. You can use "dpkg-reconfigure inetd", or edit /etc/inetd.conf and comment out the protocols you don't need. After that, restart inetd.

> tcp        0      0 *:www                   *:*   LISTEN

This is a web server, maybe apache. It probably runs in standalone mode. If you don't need it, deinstall it. You can also bind it to some or several IPs like Cups or ssh.

> tcp        0      0 *:x11-1                 *:*   LISTEN

Check your login manager. Maybe it opens a port. Look for Xservers files on your system. If you use kdm, open /etc/kde3/kdm/Xservers, and change all the lines like this:

original: :0 local@tty1 /usr/X11R6/bin/X vt7

changed: :0 local@tty1 /usr/X11R6/bin/X -nolisten tcp vt7

> tcp        0      0 *:auth                  *:*    LISTEN

Some identd, like oidentd or pidentd. Probably run from inetd, and pretty harmless. You may need this one for some IRC networks. If you don't need it, deinstall it.

> tcp        0      0 *:ssh                   *:*    LISTEN

Well, you should know what this is. You can configure ssh to listen only to selected IPs, e.g. those of your LAN interface, if you want. Check the sshd_config man page.

> tcp        0      0 *:ipp                   *:*    LISTEN

Probably Cups printing. If you only use the printer on the computer Cups runs on, open /etc/cups/cupsd.conf, replace "Port 631" by "Listen 127.0.0.1:631" and restart Cups.

> udp        0      0 *:ipp                   *:*

Again Cups, this time browsing for network printers. If you don't need this, change "Browsing On" to "Browsing Off" in /etc/cups/cupsd.conf.

Andreas Janssen
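The three file edits described in the reply above, scripted as an added example that is not part of the thread: commenting out inetd.conf entries, binding cupsd to loopback with browsing off, and adding -nolisten tcp to an Xservers display line. The inetd.conf, cupsd.conf and Xservers fragments are constructed for the demo and are not real system files; the `#<off># ` prefix is the convention Debian's update-inetd uses for disabled entries, so `update-inetd --enable` can find them again. Two caveats a practitioner should know: inetd must be restarted (or sent SIGHUP) after the edit, and X.Org servers from 1.17 onwards no longer listen on TCP by default, so the Xservers change only matters on older installs like the one in this thread.

```shell
#!/bin/sh
# Added example, not from the original thread: the config edits from the reply
# above, done with awk on a temporary copy (sed -i is not POSIX).

# disable_inetd_service FILE SERVICE: comment out every active line whose
# first field is SERVICE, using Debian's update-inetd "#<off># " prefix.
disable_inetd_service() {
    file=$1 svc=$2
    tmp=$(mktemp) || return 1
    awk -v svc="$svc" '$1 == svc { print "#<off># " $0; next } { print }' "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    rm -f "$tmp"
}

# active_inetd_services FILE: names of the entries inetd would still start
active_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1" | sort -u | paste -s -d ' ' -
}

# cups_loopback_only FILE: "Port 631" -> "Listen 127.0.0.1:631", browsing off
cups_loopback_only() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '$1 == "Port" && $2 == "631"             { print "Listen 127.0.0.1:631"; next }
         $1 == "Browsing" && tolower($2) == "on" { print "Browsing Off"; next }
         { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# xservers_nolisten_tcp FILE: add -nolisten tcp to each display line (":0 ...")
# of a kdm/xdm Xservers file that does not already carry it (idempotent)
xservers_nolisten_tcp() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '$1 ~ /^:[0-9]+$/ && !/-nolisten tcp/ {
             sub(/\/X /, "/X -nolisten tcp ")
             sub(/\/X$/, "/X -nolisten tcp")
         }
         { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample files (not copied from any real system).
write_sample_inetd() {
    cat > "$1" <<'EOF'
#:INTERNAL: Internal services
discard   stream  tcp  nowait  root  internal
discard   dgram   udp  wait    root  internal
daytime   stream  tcp  nowait  root  internal
time      stream  tcp  nowait  root  internal
#:INFO: Info services
auth      stream  tcp  wait    identd  /usr/sbin/identd  identd
EOF
}
write_sample_cups() {
    cat > "$1" <<'EOF'
# constructed cupsd.conf fragment
Port 631
Browsing On
EOF
}
write_sample_xservers() {
    printf ':0 local@tty1 /usr/X11R6/bin/X vt7\n' > "$1"
}

# Demo run on the constructed samples; on a real host point the functions at
# /etc/inetd.conf, /etc/cups/cupsd.conf and /etc/kde3/kdm/Xservers, then
# restart inetd, cupsd and the display manager.
f=$(mktemp); write_sample_inetd "$f"
for s in discard daytime time; do disable_inetd_service "$f" "$s"; done
printf 'inetd still starts: %s\n' "$(active_inetd_services "$f")"
c=$(mktemp); write_sample_cups "$c"; cups_loopback_only "$c"; cat "$c"
x=$(mktemp); write_sample_xservers "$x"; xservers_nolisten_tcp "$x"; cat "$x"
rm -f "$f" "$c" "$x"
```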

All these open ports 

% lsof -i tcp:time
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd   651 root    7u  IPv4   1059       TCP *:time (LISTEN)
% lsof -i tcp:daytime
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd   651 root    6u  IPv4   1058       TCP *:daytime (LISTEN)
% lsof -i tcp:dict
COMMAND   PID  USER   FD   TYPE DEVICE SIZE NODE NAME
dictd   21560 dictd   12u  IPv4 348620       TCP *:dict (LISTEN)
% lsof -i tcp:682
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.statd 924 root    6u  IPv4   1528       TCP *:682 (LISTEN)
% lsof -i tcp:sunrpc
COMMAND PID   USER   FD   TYPE DEVICE SIZE NODE NAME
portmap 480 daemon    4u  IPv4    570       TCP *:sunrpc (LISTEN)
% lsof -i tcp:auth
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd   651 root    8u  IPv4   1060       TCP *:auth (LISTEN)
% lsof -i tcp:822
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
famd    646 root    3u  IPv4   1044       TCP cxmr.dyndns.org:822 (LISTEN)
% lsof -i tcp:ipp
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
cupsd   9266 root    0u  IPv4 426221       TCP *:ipp (LISTEN)
% lsof -i tcp:8118
COMMAND PID    USER   FD   TYPE DEVICE SIZE NODE NAME
privoxy 768 privoxy    3u  IPv4   1195       TCP cxmr.dyndns.org:8118 (LISTEN)
% lsof -i tcp:3128
COMMAND PID  USER   FD   TYPE DEVICE SIZE NODE NAME
squid   996 proxy   11u  IPv4   1648       TCP *:3128 (LISTEN)

All these open ports 

% lsof -i tcp:dict
COMMAND   PID  USER   FD   TYPE DEVICE SIZE NODE NAME
dictd   21560 dictd   12u  IPv4 348620       TCP *:dict (LISTEN)
% /etc/init.d/dictd stop
% update-rc.d -f dictd remove
update-rc.d: /etc/init.d/dictd exists during rc.d purge (continuing)
 Removing any system startup links for /etc/init.d/dictd ...
   /etc/rc0.d/K20dictd
   /etc/rc1.d/K20dictd
   /etc/rc2.d/S20dictd
   /etc/rc3.d/S20dictd
   /etc/rc4.d/S20dictd
   /etc/rc5.d/S20dictd
   /etc/rc6.d/K20dictd

Ref:

% update-rc.d dictd remove
update-rc.d: /etc/init.d/dictd exists during rc.d purge (use -f to force)
% update-rc.d dictd defaults 20
 Adding system startup for /etc/init.d/dictd ...
   /etc/rc0.d/K20dictd -> ../init.d/dictd
   /etc/rc1.d/K20dictd -> ../init.d/dictd
   /etc/rc6.d/K20dictd -> ../init.d/dictd
   /etc/rc2.d/S20dictd -> ../init.d/dictd
   /etc/rc3.d/S20dictd -> ../init.d/dictd
   /etc/rc4.d/S20dictd -> ../init.d/dictd
   /etc/rc5.d/S20dictd -> ../init.d/dictd

All these open ports 

>>Buy a firewall or set up iptables.
>
>
> You can just load the Firestarter package; it will allow you to block
> ports (via a generated iptables script).

There are other available packages: I use FireHOL
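For readers who would rather see the rules than a front-end, here is the kind of host policy Firestarter or FireHOL generate, written directly in iptables-restore format as an added example that is not from the thread or from either project. Default-deny on INPUT, loopback and established traffic allowed, and only the listed TCP ports reachable from the LAN subnet; the subnet and port numbers are parameters and the values in the demo are assumptions. The function prints the ruleset so it can be reviewed before loading; IPv6 needs a parallel ruleset loaded with ip6tables-restore, which this example does not generate.

```shell
#!/bin/sh
# Added example, not from the original thread: emit a default-deny INPUT
# policy in iptables-restore format. Review with
#   gen_rules 192.168.1.0/24 22 631
# and load with
#   gen_rules 192.168.1.0/24 22 631 | iptables-restore
# Arguments: LAN CIDR allowed to reach the host, then the TCP ports to open to it.
# Everything else that arrives on INPUT is dropped by the chain policy.
gen_rules() {
    lan=$1
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'     # drop by default, accept by exception
    printf '%s\n' ':FORWARD DROP [0:0]'   # this host is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $lan --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_count: number of -A INPUT rules in a ruleset read from stdin,
# a quick sanity check before loading (policy lines are not counted)
rule_count() {
    grep -c '^-A INPUT'
}

# Demo with assumed values: ssh and CUPS reachable from 192.168.1.0/24 only
gen_rules 192.168.1.0/24 22 631
printf 'rules: %s\n' "$(gen_rules 192.168.1.0/24 22 631 | rule_count)"
```

With the DROP policy in place, services that still bind to the wildcard address (the sunrpc, dict and squid listeners in the question, for instance) stay invisible from outside the LAN, but the cleaner fix remains to stop or loopback-bind them as the earlier replies describe; the firewall is the second layer, not a substitute.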