Topic: Iptables firewal l issue

[hamishau]

Hi all,

I have been doing some nmap scans against my SME 6.01-01 server. It is locked down so that no external access is available, except for HTTPS. That is, I have turned off VPN (GRE47, 1723), FTP (21) and Putty (22) completely in the server-manager.

The nmap scans have revealed that the FTP port and the POP3 port report as being open (but filtered). Other ports are also open (and filtered), but I am not worried about them - 25 smtp, 53 domain, 80 http, 113 auth, 443 https. I have websites and email server open to the internet, so all of them are fine as I believe that I need them to be open.  

I want to lock down the FTP and POP3 ports so that they don't appear to be open at all in a scan. They shouldn't be there as they are not accessible from the internet anyway!

How can this be achieved?

Hamish
Melbourne, AU

[Reinhold]

hamishau,

pop3 - Just a question as reply <eg> Are you sure you need/want SME at all if you intend to do this ? I personally regard Mail as one of the main features...

ftp - Just go to ServerManager/Security RemoteAccess and turn FTP completely off.

Answering both topics a broader advice would be to:
Grab the service control Server Manager panel contrib called e-smith-service-control from:

http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/dmay/mitel/contrib/e-smith-service-control/

Install with:

rpm -Uvh e-smith-service-control-1.1.0-06.noarch.rpm

And you are able to turn on/off services (and their port usage) ad lib ...

Regards
Reinhold

[hamishau]

Hi Reinhold,

I have the mail component through IMAP (accessible only from the LAN) and webmail (accessible via HTTPS from the internet). Everything covered, so I don't need or intend to use POP3 at all.

I have FTP completely disabled in the server-manager, Remote Access panel. But it still shows up in the port scan as open/filtered. I regard this as a potential security problem. I don't want people being able to tell I have an FTP server, even if it is firewalled.

Thanks for the link. The readme says >5.6. Do you happen to know if it works or is tested for for 6.01?

Thanks,

Hamish
Melbourne, AU

[Reinhold]

hamish,

ftp- STRANGE! Which port-scan did you use ?
(proftpd definitely is switched off via server-manager!)
(even grc does show this one correctly !)
Recommended reading: Nmap:The Art of Port Scanning
http://www.insecure.org/nmap/nmap_doc.html
+ nmap manpage

services - Service-control-1.1.0-06 does work in 6.0x.
(other versions might not, at least one person on contribs complained that he had problems after reboot ... afaik)

Regards
Reinhold