Closing open ports

Hi,

$ uname -a

SunOS kite 5.10 s10_72 i86pc i386 i86pc

I installed Solaris 10 on a spare Dell box recently. I'm not well versed in Solaris and I wanted a little more exposure to it. Over the past couple of days I've managed to shut down just about every service I don't use/need, but I'm left with a few nagging open ports that I can't seem to close. The only port I want to have open is 22 for ssh.

Here's a list of currently open ports (as reported by nmap):

PORT      STATE  SERVICE  VERSION
22/tcp    open   ssh      SunSSH 1.1 (protocol 2.0)
111/tcp   open   rpcbind  2-4 (rpc #100000)
898/tcp   open   http     Solaris management console server (SunOS 5.10 x86; Java 1.4.2_06; Tomcat 2.1)
6000/tcp  open   X11      (access denied)

Port 111: Stopping bind (hence closing port 111) prevents X from starting upon reboot. The boot process won't start the dtlogin screen, and I end up having to use console mode. Is there a way around this?

Port 898: This port is opened by the wbem service. If I disable wbem, the Solaris Management Console won't work anymore. Is there a configuration option for the SMC that allows me to shut down the listening port but still allows me to use the SMC from the localhost?

Port 6000: I have no idea how to close this port. I did manage to close port 177 (XDMCP) from the Xconfig file, but I don't know how to close 6000. I don't need any remote X connectivity at all. Any ideas?

Thanks.

[1471 byte] By [jcliburn] at [2007-11-26 0:43:35]
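Added example (not part of the original posts): a small shell check for the goal stated above, that only 22/tcp should be open. It reads nmap's port table and lists every open port missing from an allowlist; the function names and the allowlist format are this example's own, and the sample input is the table from the post with column spacing restored.

```shell
#!/bin/sh
# Added example: compare nmap's port table against an allowlist.

# unexpected_ports ALLOWLIST  (nmap output on stdin)
# ALLOWLIST is a space-separated list such as "22/tcp".
# Prints "port service" for every open port that is not allowed.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Port lines look like: 111/tcp open rpcbind 2-4 (rpc #100000)
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            if (!($1 in ok)) print $1, $3
        }
    '
}

# audit ALLOWLIST  (nmap output on stdin)
# Returns 0 when only allowed ports are open, 1 otherwise,
# so it can gate a cron job or a post-install check.
audit() {
    extra=$(unexpected_ports "$1")
    if [ -z "$extra" ]; then
        return 0
    fi
    printf 'unexpected open ports:\n%s\n' "$extra" >&2
    return 1
}

# Port table from the first post, column spacing restored.
sample_scan() {
    cat <<'EOF'
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     SunSSH 1.1 (protocol 2.0)
111/tcp  open  rpcbind 2-4 (rpc #100000)
898/tcp  open  http    Solaris management console server (SunOS 5.10 x86; Java 1.4.2_06; Tomcat 2.1)
6000/tcp open  X11     (access denied)
EOF
}

# Stand-alone run: list what still has to be closed.
sample_scan | unexpected_ports "22/tcp"
```

Re-running the scan through `audit "22/tcp"` after each service change shows which listeners remain, and the exit status turns to 0 once only ssh is left.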
# 1
Figured out how to close port 6000. I added "-nolisten tcp" to the X startup command. I'd still like to button down tcp 111 and 898. Any ideas?
jcliburn at 2007-7-5 19:39:17
# 2

I'm going through some of the same problems you are with Solaris 10 beta 72. Sun has changed the way they start these services.

But you can control wbem (port 898) by changing the file /etc/rc2.d/S90wbem to /etc/rc2.d/s90wbem. So on reboot it won't start. To turn it off now just enter from the root prompt "/etc/rc2.d/S90wbem stop" (w/o the quotes). I'm not sure about rpcbind.

I am looking around at how Solaris 10 handles these services. If you enter the command "svccfg" you'll be dropped to a "svc:>" prompt. From here you can enter "list" to get a listing of the services you can manage through this tool. Of course you will want to look at the man pages, svccfg(1M). Two other tools to look at are svcadm(1M) and smf(5).

Bob

leicaguy at 2007-7-5 19:39:17
# 3

Thanks for the reply, Bob.

> But you can control wbem (port 898) by changing the
> file /etc/rc2.d/S90wbem to /etc/rc2.d/s90wbem. So on
> reboot it won't start. To turn it off now just enter
> from the root prompt "/etc/rc2.d/S90wbem stop" (w/o
> the quotes). I'm not sure about rpcbind.

Yeah, I was able to stop the wbem service permanently by toying inside rc2.d, but without wbem, the Solaris Mgt Console doesn't work anymore. I kinda like the Console, but in my opinion it shouldn't be listening for remote connections; there should be an option to allow its use only on the localhost.

> I am looking around at how Solaris 10 handles these
> services. If you enter the command "svccfg" you'll
> be dropped to a "svc:>" prompt. From here you can enter
> "list" to get a listing of the services you can
> manage through this tool. Of course you will want to
> look at the man pages, svccfg(1M). Two other tools
> to look at are svcadm(1M) and smf(5).

Let me know if you figure out how to use the svc tools to point to a new daemon. For example, I installed OpenSSH 3.9.p1 at /usr/local/sbin/sshd but couldn't find a way to coax svcadm into starting the new daemon instead of the Sun SSH daemon. I ended up adding an rc2.d script to start OpenSSH, and executing svcadm disable ssh to permanently stop the Sun version. There's gotta be another way...

jcliburn at 2007-7-5 19:39:17
# 4

Sorry, I forgot to mention that closing wbem shuts down the management console. I don't use that much so I always shut it down. It listens for remote connections because you can access another machine's SMC from the one you bring up locally.

There might be a way to tunnel the SMC connections between two machines using IPSEC, but that could take a while to do.

I was looking at the man pages about svc, smf, svccfg and there is a way to do what you want, but I'm still early on in my learning too. If you look in /lib/svc/method this is where the start up scripts go, but you have to add them to svc.

Now it gets more complicated. They are using XML files to define various services. Look in /var/svc/manifest. Go further and look under network; they have one for the Sun version of ssh called ssh.xml. I suppose you could edit that file, point it to your version and use that to start OpenSSH.

Bob

leicaguy at 2007-7-5 19:39:17