
Closing Unwanted Ports On Solaris


Alpha

May 11, 2002, 7:12:37 AM
Hi there gurus,

I have a few Sparc machines running Solaris 8, 7 and 2.6.
I am having problems closing some unwanted ports on it.
I have done the /etc/inetd.conf part and when I ran nmap I saw a few more
ports that are still open. How can I close all these ports on them? (pasted
below)

Let's say I just want ssh and smtp and nothing else.

Could anyone tell me the steps so I can secure my machines?

Thank you in advance.

--Nmap result--
Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
Host bernamaweb3 (192.168.1.43) appears to be up ... good.
Initiating Connect() Scan against domain (192.168.5.1)
Adding open port 32774/tcp
Adding open port 587/tcp
Adding open port 25/tcp
Adding open port 32773/tcp
Adding open port 32771/tcp
Adding open port 898/tcp
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 21/tcp
Adding open port 6000/tcp
The Connect() Scan took 1 second to scan 1554 ports.
Interesting ports on domain (192.168.5.1):
(The 1542 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
587/tcp open submission
898/tcp open unknown
6000/tcp open X11
32771/tcp open sometimes-rpc5
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11

--End--

Alpha


Stuart Lamble

May 11, 2002, 7:27:21 AM
In article <3cdcf...@news.tm.net.my>, Alpha wrote:
>Hi there gurus,
>
>I have a few Sparc machines running Solaris 8, 7 and 2.6.
>I am having problems closing some unwanted ports on it.
>I have done the /etc/inetd.conf part and when I ran nmap I saw a few more
>ports that are still open. How can I close all these ports on them? (pasted
>below)
>
>Let's say I just want ssh and smtp and nothing else.

The simplest approach is to download and install lsof (available from
SunFreeware mirrors the world over in pre-compiled form), and issue
the command "lsof -i". This will tell you both which ports are open, and
which process has them open.

Typical candidates are rpcbind, and services that use rpc; a few
processes needed by CDE; and other assorted programs.

Note that if you're running X, there is no way to avoid it listening
on port 6000.

--
I'm waiting for tech support to call me back. I'm also waiting for the
second coming of Jesus. Wanna take bets on which happens first?

Alan Coopersmith

May 11, 2002, 12:53:14 PM
"Alpha" <alpha69de...@hotmail.com> writes in comp.unix.solaris:

|I am having problems closing some unwanted ports on it.
|I have done the /etc/inetd.conf part and when I ran nmap I saw a few more
|ports that are still open. How can I close all these ports on them? (pasted
|below)
|Port State Service
|21/tcp open ftp

This should be in inetd.conf unless you've replaced Sun's ftp server
with something unusual.

|6000/tcp open X11

This is the X server. On Solaris 2.6 - 8, this is normally disabled by
running /usr/dt/bin/dtconfig -d, but then you're stuck with a text-only
console. (If this machine only is used on console occasionally, this
may be what you want, and use the openwin or xinit commands to start X
temporarily only when needed.)

--
________________________________________________________________________
Alan Coopersmith al...@alum.calberkeley.org
http://soar.Berkeley.EDU/~alanc/ aka: Alan.Coo...@Sun.COM
Working for, but definitely not speaking for, Sun Microsystems, Inc.

Alan Coopersmith

May 22, 2002, 1:45:09 PM
al...@CSUA.Berkeley.EDU (Alan Coopersmith) writes in comp.unix.solaris:

||6000/tcp open X11
|
|This is the X server. On Solaris 2.6 - 8, this is normally disabled by
|running /usr/dt/bin/dtconfig -d, but then you're stuck with a text-only
|console. (If this machine only is used on console occasionally, this
|may be what you want, and use the openwin or xinit commands to start X
|temporarily only when needed.)

Oh, and on Solaris 9, you can add "-nolisten tcp" to the Xsun command
line to run X without listening on a tcp port.

Philip Brown

May 29, 2002, 7:11:28 PM
On Wed, 22 May 2002 17:45:09 +0000 (UTC), al...@CSUA.Berkeley.EDU wrote:
>...

>Oh, and on Solaris 9, you can add "-nolisten tcp" to the Xsun command
>line to run X without listening on a tcp port.

Can we expect/hope for that to be added in the next Xsun jumbo patches?


--
[Trim the no-bots from my address to reply to me by email!]
[ Do NOT email-CC me on posts. Pick one or the other.]
S.1618 http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:@@@D
http://www.spamlaws.com/state/ca1.html

Alan Coopersmith

May 29, 2002, 9:36:59 PM
phi...@bolthole.no-bots.com writes in comp.unix.solaris:

|On Wed, 22 May 2002 17:45:09 +0000 (UTC), al...@CSUA.Berkeley.EDU wrote:
|>Oh, and on Solaris 9, you can add "-nolisten tcp" to the Xsun command
|>line to run X without listening on a tcp port.
|
|Can we expect/hope for that to be added in the next Xsun jumbo patches?

Sorry, but I don't know of any plans to backport it at this time.
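
Added example, not part of the original thread: a POSIX shell script that reads an nmap report like the one in the first post, lists every open TCP port outside the poster's ssh/smtp allowlist, and attaches the remedy the replies above give for it. The function names and the ALLOWED variable are assumptions of this example; the sample input is constructed from the posted port table.

```sh
#!/bin/sh
# Added example: audit an nmap report against an allowlist (default: ssh 22, smtp 25).
ALLOWED="${ALLOWED:-22 25}"
# Read nmap text output on stdin; print "port service" for every open TCP port
# not in $ALLOWED. Only table rows such as "21/tcp open ftp" are matched.
# On Solaris use nawk or /usr/xpg4/bin/awk.
unwanted_ports() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) print p[1], ($3 == "" ? "unknown" : $3)
        }
    ' | sort -n
}

# Where the replies in this thread say each kind of listener is controlled.
hint_for() {
    case "$1" in
        ftp) echo "inetd.conf entry" ;;
        X11) echo "X server: dtconfig -d (2.6-8) or Xsun -nolisten tcp (9)" ;;
        sunrpc|sometimes-rpc*) echo "likely rpcbind or an RPC service; confirm with lsof -i" ;;
        *) echo "find the owning process with lsof -i" ;;
    esac
}

# Combine both: one tab-separated line per port that should not be open.
audit() {
    unwanted_ports | while read -r port svc; do
        printf '%s\t%s\t%s\n' "$port" "$svc" "$(hint_for "$svc")"
    done
}

# Constructed sample input: the port table from the scan in the first post.
sample_report() {
    cat <<'EOF'
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
587/tcp open submission
898/tcp open unknown
6000/tcp open X11
32771/tcp open sometimes-rpc5
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
EOF
}
sample_report | audit
```

Re-run the scan after each change and feed the new report to `audit`; an empty result means only the allowlisted ports remain open.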
