Sun Alert and Security Discussion - What are the ports that are absolutely needed to be kept ope
Hello
In a desktop, standalone, not networked in a LAN, that does not even have a peer-to-peer computer in the local environment, but connected to the Internet for browsing (the desktop is not a web server), e-mail and chat, what are the ports that absolutely need to be kept open?
How are ports opened and closed in Solaris 10? What is the file to be modified, and what is the file path? Can it be modified in Terminal in the desktop environment? Or should it be done only at the shell prompt before desktop log in? What is the syntax for the instructions?
# 1
for browsing (the desktop is not a web server), e-mail and chat, what are the ports that absolutely need to be kept open?
Most browsers hit port 80 for Internet web hosts.
Outbound e-mail is port 25 for sending, and if you are using webmail then it's port 80. If you're using IMAP or POP mail, use 143 or 110 respectively.
I'm not sure about chat but the docs should list out what ports are needed.
http://www.iana.org/assignments/port-numbers contains the well-known port numbers.
How are ports opened and closed in Solaris 10 ? What
Solaris 10 uses ipf by default. You can read the documentation on ipf's home page, or there should be something on docs.sun.com under Solaris 10; I imagine it would be a security handbook that you are looking for.
alan
# 2
Dear Alan,
First, thank you for your response to this question and for the link to the webpage for port numbers.
I am somewhat familiar with common port numbers, but am unsure of the necessity to keep even http port 80 open and listening all the time, particularly when I don't have a webserver running on my machine. Should the http port 80 in a standalone be kept always open and listening? Similarly, when the ports for SMTP or IMAP out are kept open and listening all the time, an infected program in an email client could find this a hole to send out messages to recipients in the address book, automatically.
These ports - http, inbound email, outbound email and in some cases telnet and a few other ports - are usually kept open on a webserver, but what are necessary in a standalone, not part of a LAN, that connects to the Internet only for browsing?
I came across an opinion that even the http port 80 need not be kept open in a standalone ....
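Before deciding which ports need a firewall rule, it helps to see what the desktop is actually listening on: a port is only reachable from the network if some program holds a listening socket bound to a non-loopback address. The following is an added example written for this page, not something posted in the thread: a POSIX sh audit that parses the output of Solaris 10 `netstat -an -P tcp` (which prints sockets as `address.port`), lists the LISTEN sockets, and reports those that are exposed to the network and not on an allowlist. The netstat sample is constructed for the example, not captured from a real host, and the allowlist of only port 22 is an assumption.

```shell
#!/bin/sh
# Added example: audit which TCP ports a Solaris 10 desktop is actually listening on,
# using the "addr.port" format of `netstat -an -P tcp`. The sample below is constructed
# for this example, not captured from a real host. On Solaris 10 use nawk or
# /usr/xpg4/bin/awk if the default /usr/bin/awk complains about the script.

SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.32771              *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
127.0.0.1.6000             *.*                0      0 49152      0 LISTEN
192.168.1.10.41582   203.0.113.5.80       49640      0 49640      0 ESTABLISHED'

# listening_ports: read netstat output on stdin, print "address port" for each LISTEN socket.
# Solaris separates address and port with a dot, so the port is the text after the last dot.
listening_ports() {
    awk '$NF == "LISTEN" {
        n = split($1, f, ".")
        port = f[n]
        addr = substr($1, 1, length($1) - length(port) - 1)
        print addr, port
    }'
}

# exposed_ports ALLOWED: print listening ports that are reachable from the network
# (not bound to loopback) and not in the space-separated ALLOWED list.
# Loopback-only listeners (the local mail daemon on 25, X on 6000 in the sample) can
# only be reached by processes already on the box, so they are not a network exposure.
exposed_ports() {
    allow=" $1 "
    listening_ports | while read -r addr port; do
        case "$addr" in 127.0.0.1|::1) continue ;; esac
        case "$allow" in *" $port "*) continue ;; esac
        echo "$port"
    done
}

# Demo against the constructed sample, allowing only ssh (22) inbound.
# Prints 111 and 32771: listeners a pure client has no reason to expose.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports "22"

# On the Solaris 10 host itself you would run:  netstat -an -P tcp | exposed_ports "22"
```

Anything `exposed_ports` prints is a service reachable from the Internet side that either the firewall should block or that should not be running at all; in Solaris 10 the SMF tools (`svcs -a` to list, `svcadm disable` to stop) and `inetadm` for inetd-managed services are the way to turn such listeners off rather than merely hiding them.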
# 3
It's my understanding that Microsoft's firewall just blocks all inbound and allows anything outbound.
You could use a similar strategy but I think it's better to use the old adage:
That which is not explicitly allowed is denied.
So your firewall rules would allow only outbound HTTP, SMTP, Chat etc...
Then the last firewall rule becomes: deny all
You have no idea how easy this is to configure using Checkpoint Firewall-1, but you have to pay for the software. You should be able to do something similar with ipf, for free.
If you have no reason to do inbound telnet, then kill it at the firewall and then hopefully there is nothing to worry about, unless there is a bug in your firewall rules or the software itself. To test it, plug another computer into the hub and telnet machine_name and see if you can connect, or if you get bounced, as you desire.
alan
# 4
For a desktop machine that you log into physically and that is only used for accessing other servers, there is no need to accept any incoming TCP connections.
Obviously if you want to ssh into the box you need to allow port 22.
Obviously you need outgoing TCP connections for your web browser.
And UDP is necessary for things like DNS.
But you can firewall off all incoming TCP connections.
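The strategy in post #3 (allow only the outbound services you use, then deny all) and the refinements in post #4 (no inbound TCP, outbound TCP for the browser, UDP for DNS, port 22 only if you ssh in) translate directly into an IP Filter ruleset. The following is an added example written for this page, not code from the thread or from Sun's documentation: a POSIX sh script that generates the /etc/ipf/ipf.conf rules from port lists and shows how they would be loaded on Solaris 10. The interface name bge0, the addition of HTTPS (443) to the browser ports, and the exact port lists are assumptions; chat ports come from the chat client's documentation, as post #1 says.

```shell
#!/bin/sh
# Added example: generate a default-deny IP Filter ruleset for a standalone Solaris 10 desktop.
# Assumptions (not from the thread): the external interface is bge0, HTTPS (443) is added to
# the outbound list, and chat ports are whatever the chat client's documentation lists.

# gen_ipf_rules IFACE "OUTBOUND_TCP_PORTS" "INBOUND_TCP_PORTS"
#   Prints ipf.conf rules on stdout. ipf is last-match by default, so every pass rule
#   carries "quick" to make it final, and the two trailing "block ... all" lines are the
#   "deny all" catch-all from post #3. "keep state" lets the replies to connections the
#   desktop opens back in, so no inbound pass rule is needed for browsing or mail.
gen_ipf_rules() {
    iface=$1
    tcp_out=$2
    tcp_in=$3
    echo "# ipf.conf generated for $iface: nothing is allowed unless listed below"
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    echo "# DNS lookups (UDP) for the resolver"
    echo "pass out quick on $iface proto udp from any to any port = 53 keep state"
    echo "# outbound TCP services the desktop is allowed to reach"
    for p in $tcp_out; do
        echo "pass out quick on $iface proto tcp from any to any port = $p flags S keep state"
    done
    echo "# inbound TCP services this desktop serves (empty for a pure client)"
    for p in $tcp_in; do
        echo "pass in quick on $iface proto tcp from any to any port = $p flags S keep state"
    done
    echo "# everything else is denied and logged"
    echo "block in log all"
    echo "block out log all"
}

# install_ipf_rules IFACE "OUTBOUND_TCP_PORTS" "INBOUND_TCP_PORTS"
#   Writes the ruleset into place and loads it. Must run as root on the Solaris 10 host;
#   it is defined here but not called, so this file can be run anywhere to preview the rules.
#   On Solaris 10 releases before 8/07 the interface must also be listed in /etc/ipf/pfil.ap
#   and svc:/network/pfil restarted before ipf sees the interface's traffic.
install_ipf_rules() {
    gen_ipf_rules "$1" "$2" "$3" > /etc/ipf/ipf.conf
    svcadm enable network/ipfilter
    ipf -Fa -f /etc/ipf/ipf.conf    # flush the active rule set and load the new one
    ipfstat -io                     # show the loaded outbound and inbound rules
}

# Preview: web (80/443), SMTP (25), POP (110), IMAP (143) out; no inbound at all.
# To allow ssh in as post #4 describes, pass "22" as the third argument instead of "".
gen_ipf_rules bge0 "80 443 25 110 143" ""
```

After loading, the check post #3 describes still applies: from a second machine on the same hub, `telnet desktop 22` should connect only if 22 was passed in, and `telnet desktop 80` should be refused or hang, with the blocked attempts visible in `ipmon` output because the catch-all rules carry `log`. Replies to the desktop's own web and mail connections keep working because they match the state table created by `keep state`, not any inbound rule.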