What is the point in closing ports with a firewall?

If you have nothing running on a port, why does it matter if it's open or closed?

Comments

  • because people make mistakes

  • Why leave it to chance? Closing a port does not cost you any resources.

  • @hostnoob said:
    If you have nothing running on a port, why does it matter if it's open or closed?

    It prevents people from using said open ports to get around more secure setups to possibly attack you.

  • @Mun said:

    but how can someone attack a port if nothing is running on it?

  • socials Member
    edited September 2014

    @Mun said:
    It prevents people from using said open ports to get around more secure setups to possibly attack you.

    Your post makes absolutely no sense to me. Mind elaborating a bit? Maybe you can give an example.

  • @hostnoob
    You are obviously clueless. Of course nobody can use said port, if nothing is running on it. But think of a scenario where someone gets access to your system via exploit and can use whatever port he wants because you didn't lock them.

  • Kupol said: @hostnoob You are obviously clueless.

    He does not know so he asks the question. No need to be rude.

  • Kupol said: You are obviously clueless. Of course nobody can use said port, if nothing is running on it. But think of a scenario where someone gets access to your system via exploit and can use whatever port he wants because you didn't lock them.

    If that said person has access to your system via exploit, why couldn't that said person also disable the firewall?

  • @Kupol If someone gets access to the system via exploit, they can also do an iptables -F and have free reign.

  • matthewvz Member, Host Rep

    @Silvenga said:
    If that said person has access to your system via exploit, why couldn't that said person also disable the firewall?

    Some (with the right equipment) like to block ports at the switch.

  • Kupol Member
    edited September 2014

    Nah, most of the time people won't get full root access to the system.

    EDIT: I think you people are clueless as fuck.

  • @Kupol said:
    hostnoob
    You are obviously clueless. Of course nobody can use said port, if nothing is running on it. But think of a scenario where someone gets access to your system via exploit and can use whatever port he wants because you didn't lock them.

    Well I wouldn't have asked if I knew the answer.

    @Kupol said:
    Nah, most of the time people won't get full root access to the system.

    EDIT: I think you people are clueless as fuck.

    Why are you so mad? Are you a firewall salesman?

  • Anyway thanks everyone.

  • Silvenga Member
    edited September 2014

    matthewvz said: Some (with the right equipment) like to block ports at the switch.

    Not sure if we are still in the domain of the question. Not many of us have access to the switch - we are a LowEnd community.

    I feel this is similar to the SSH port knocking discussion. We can easily secure our SSH servers via public keys. However, some like to move the SSH port for "security", others like to close the port and open it via knocking.

    • Does this increase security? Maybe.
    • Is it safe to just use public keys? Definitely.

    How many times in your life has a separate exploit (a unique exploit and not some social engineering hack) allowed a hacker to compromise your system (an up-to-date system) and attempted to open a port? @Kupol

  • Kupol Member
    edited September 2014

    @Silvenga
    I see this crap all the time on the websites of my customers: the system itself is never hacked, but the attacker gains access to their webspace/user account, tries to log in via SSH and run applications/gain access to root. But since everything is locked down properly at the system level nothing beyond the client's data gets hacked.

  • @hostnoob said:
    Why are you so mad? Are you a firewall salesman?

    Lol'd.

  • Kupol said: I see this crap all the time on the websites of my customers, the system itself is never hacked, but the attacker gains access to their webspace/user account, tries to log in via SSH and run applications/gain access to root.

    You never answered my question. I just see red herring fallacies in your responses.

  • hostnoob said: Why are you so mad? Are you a firewall salesman?

    Sounds like he is hormonal to be honest.

  • I drop all incoming traffic by default (via iptables) and then open (whitelist) all needed ports. Some programs do (not) allow you to bind their sockets to a specific interface (e.g. lo/eth0). Additionally, I can restrict the access to only some specific systems (IPs) if needed.

    It's just another layer of making sure that a program is not publicly available by accident.

    It's true that if the firewall has no "open" ports, an attacker can't bind his remote shell to a port. However, a "reverse-connect" shell is usually used in that case. That means that the exploit spawns a shell which retrieves commands from the attacker's server. Thus, you'd need to block (whitelist) all outgoing traffic, too.

    An attacker should not be able to get root-access using a "simple" exploit (hopefully you do not run your daemons as root!) and so he can't "just turn off" the firewall.

    Hope that helps,
    gehaxelt

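The default-deny layout gehaxelt describes above (drop everything, whitelist inbound ports, and whitelist outbound traffic as well so a reverse-connect shell has nowhere to call home), as an added example that is not code from the thread or any poster: a POSIX shell script that emits a ruleset in iptables-restore format from an inbound port allowlist. It prints the rules rather than applying them, so it can be reviewed first and runs anywhere. The function names (is_port, gen_ruleset), the choice of permitted egress (DNS plus TCP 80/443 for package updates) and the log prefixes are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-deny iptables ruleset
# for the inbound TCP ports given on the command line. Nothing is applied.
# Assumptions: services are TCP; egress limited to DNS and HTTP/HTTPS;
# rules are not tied to an interface name.

# is_port PORT -> exit 0 if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset PORT... -> iptables-restore text on stdout; exit 1 on a bad port
gen_ruleset() {
    for p in "$@"; do
        is_port "$p" || { echo "gen_ruleset: bad port '$p'" >&2; return 1; }
    done
    echo '*filter'
    # Default policies: everything not explicitly allowed below is dropped.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback and replies to connections we already accepted.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT'
    # Inbound allowlist: one NEW-connection rule per whitelisted port.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Egress allowlist: replies, DNS, and HTTP/HTTPS for updates. A reverse
    # shell calling back on any other port is dropped and logged.
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
    # Rate-limited logging of what hits the DROP policy, so surprises show up.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "'
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "'
    echo 'COMMIT'
}

# Example: SSH and HTTPS only. Review the output, then apply with
#   gen_ruleset 22 443 | iptables-restore
gen_ruleset 22 443
```

Apply only from a session you can afford to lose: save the current table first (`iptables-save > /root/fw.bak`), start a background rollback (`(sleep 120 && iptables-restore < /root/fw.bak) &`), load the new rules, and kill the rollback once you have confirmed a fresh SSH login still works. IPv6 needs the same ruleset loaded through ip6tables-restore, or the IPv4 allowlist is bypassed over v6. Ports bound only to 127.0.0.1 need no INPUT rule, since the loopback rule already covers them.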
  • mikho Member, Host Rep

    Some applications install other applications that listens to other ports automagically when installing from repos.

    These systems can be abused in one way or another. If the "attacker" doesn't get root access it could be used in DDoS attacks.

    I have a simple rule of thumb when it comes to my customers equipment, block everything and only open what is needed.

  • @hostnoob said:
    but how can someone attack a port if nothing is running on it?

    You can't have an open port unless there is a process behind it.

    Just because you only think you are running an HTTP server doesn't mean that nothing else is being broadcast to the world to use.

    I.e. if you do not need that port open to the world then firewall it, or firewall it so only servers that need access can.

    It is basic security essentials.

  • @Mun said:
    Just because you only think you are running a HTTP server doesn't mean that nothing else is being broadcasted the world to use.

    What is netstat?
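
The check behind "What is netstat?" and Mun's point that more may be listening than the HTTP server you think you run, as an added example that is not code from the thread or any poster: a shell function that filters the output of `ss -Hltnu` (the modern replacement for `netstat -tulpn`) down to sockets bound to a non-loopback address that are not on an explicit allowlist. The sample socket listing is constructed for this example, and the function names and the `proto/port` allowlist format are its own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report listening sockets that are
# reachable from the network and not on an allowlist.
# Input format assumed: `ss -Hltnu` (no header; listening TCP and UDP;
# numeric), where column 1 is the protocol and column 5 is local addr:port.
# Loopback is taken to mean 127.0.0.0/8 or [::1].

# audit_listeners PROTO/PORT... < ss-output
#   Prints "proto/port address" for each exposed, non-allowlisted listener.
#   Exit 0 when nothing unexpected is bound, 1 otherwise.
audit_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
        NF >= 5 {
            n = split($5, parts, ":")
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            # Bound only to loopback: not reachable from outside, skip it.
            if (addr ~ /^127\./ || addr == "[::1]") next
            key = $1 "/" port
            if (index(allow, " " key " ") > 0) next
            print key, addr
            found = 1
        }
        END { exit(found ? 1 : 0) }'
}

# Constructed sample of `ss -Hltnu` output for this example. A real run is:
#   ss -Hltnu | audit_listeners tcp/22 tcp/80
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:11211     0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      100            [::1]:25           [::]:*'

# audit_sample PROTO/PORT... -> runs the audit over the constructed sample
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "$@"
}

# With only SSH and HTTP expected, the memcached and rpcbind sockets stand out;
# MySQL on 127.0.0.1 and Postfix on [::1] are ignored as loopback-only.
if audit_sample tcp/22 tcp/80; then
    echo "no unexpected listeners"
else
    echo "unexpected listeners above: stop them, bind them to loopback, or firewall them" >&2
fi
```

Run it from cron or a config-management check with the allowlist you intended to expose; a non-zero exit is exactly the "installed from the repo and started listening by default" case mikho describes. Pairing the sockets with the firewall allowlist (the same ports in both) is what makes exposure a deliberate two-step act rather than an accident.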

  • Blocking ports in the firewall is for protecting an insecure system and for protecting the world from insecure systems.

    Windows systems can be assumed to be insecure by default for multiple reasons. One is that they run daemons and have services running on ports by default, with no option to easily turn them off. Therefore, in order to protect yourself, you must run a firewall to only allow access to those services in deliberate ways. GNU/Linux has this problem, too, but to a much lesser extent; most services can be turned off.

    When you run an insecure system and allow access to other people, you also block outgoing connections except those you expect. Otherwise, anyone can run a simple binary or even a shell script which will make connections to other machines on the Internet to port 25 to deliver spam. This is why many networks completely block outgoing connections to port 25 for all client machines.

    If you only run what you need, and if you only have trusted users on your system (ones who know they'll be severely punished if they do something bad), you don't need a firewall.

  • johnklos said: Windows systems can be assumed to be insecure by default for multiple reasons

    Windows server defaults with all incoming ports blocked. This was annoying when I needed remote desktop - I had to open the correct ports myself (this is the equivalent of blocking SSH:22 by default on Linux). Try doing that when you're running a headless server.

    johnklos said: One is that they run daemons and have services running on ports by default ; most services can be turned off.

    I don't know where you are getting your information from. Have you heard of Windows Server Core? There are no services you can't disable on Windows.

    johnklos said: This is why many networks completely block outgoing connections to port 25 for all client machines.

    The OP asked about incoming ports.

  • On a single server for personal use don't worry about blocking ports too much, but on a shared environment such as cpanel or game hosting it's best to block anything incoming and outgoing that you won't use.

  • mikho Member, Host Rep

    @johnklos said: Windows systems can be assumed to be insecure by default for multiple reasons

    All systems are insecure in the hands of lazy sysadmins or people who know nothing about administrating a server.
    That is also one of the reasons why (legit) providers don't offer desktop OSes, only server OSes.

  • The main reason is so that making a service accessible takes two steps instead of one. The service has to be installed/started AND specific firewall rules added to allow it to pass traffic. That makes it less likely for a service to be accessible on a public interface inadvertently, where it might be attacked or abused.

  • MikHo said: Some applications install other applications that listens to other ports automagically when installing from repos.

    This is the reason I don't like Debian/Ubuntu on servers. I know it may not be specific to Debian-based distributions, but out of the big names, they are the only ones to do this by default. Anyway...

  • Just block incoming and outgoing by default, then you will learn a lot about what your system is doing / trying to do. Then start opening everything you really need. If all services run as unprivileged users, it is a lot harder for an attacker to open any doors into / out of the system.
