Koozali.org: home of the SME Server

Changed port settings SME 7 - 7.2 ?

Offline JoshuaR

Changed port settings SME 7 - 7.2 ?
« on: September 14, 2007, 02:08:12 AM »
Hi guys,
    I've set up two SME servers (both work great), but there is one thing I'm having trouble with.  I've configured both servers with the same settings (almost exactly the same, minus the names, DHCP range etc.) and they are running two separate networks just fine.  The problem is, one server has all its ports closed, and the other has quite a few open.  I upgraded from SME 7.0 pre4 to 7.2 on one of the machines (the one with the closed ports), and on the other (the one with open ports) I just did a clean install of 7.2--that's the only difference I can see.  It wouldn't concern me, except they are set up as private servers and gateways, and I wouldn't think that one should have ports open by default.

I read the documentation, and apparently the port settings are changed automatically in conjunction with the server-manager settings; however, both machines have the same server-manager settings  :sad:.

I know closing ports has been posted many many many times (I've looked through a lot :-|) but I thought this was a little different since both servers are configured the same...

Sorry about the length of the post...

So, any ideas?
Life's tragedy is that we get old too soon, and wise too late...

Offline mmccarn

Re: Changed port settings SME 7 - 7.2 ?
« Reply #1 on: September 14, 2007, 05:50:56 AM »
You might try config show and db networks show on both machines to see if something is different even though it shouldn't be.

Also, if one has been upgraded from any version before 7.2 you need to correct the yum configuration as described here: http://wiki.contribs.org/Updating_to_SME_7.2#Ensuring_the_correct_yum_repository_configuration, which may get yum to download a bunch of CentOS updates.

Also, /sbin/e-smith/audittools/newrpms might show if one system or the other has different RPMs installed.

I can't think of any valid reason for identically configured SME 7.2 servers to exhibit different 'open port' behavior.

Offline JoshuaR

Re: Changed port settings SME 7 - 7.2 ?
« Reply #2 on: September 14, 2007, 06:01:03 AM »
Quote
Also, if one has been upgraded from any version before 7.2 you need to correct the yum configuration as described here: http://wiki.contribs.org/Updating_to_SME_7.2#Ensuring_the_correct_yum_repository_configuration, which may get yum to download a bunch of CentOS updates.

When I updated the one server to 7.2, I followed the updating guide exactly as it was set out...but come to think of it, I didn't bother running yum on the machine that I did the clean install on...I wonder...

Quote
You might try config show and db networks show on both machines to see if something is different even though it shouldn't be.
Also, /sbin/e-smith/audittools/newrpms might show if one system or the other has different RPMs installed.

I'll try those as soon as I get a chance.

Quick question, in any case, should common ports such as 80, 25, etc., be open by default on a private server configuration?  I wouldn't think so, as the server is not providing external services...but I might be wrong.  Anyone with more experience than me know?
Life's tragedy is that we get old too soon, and wise too late...

Offline mmccarn

Re: Changed port settings SME 7 - 7.2 ?
« Reply #3 on: September 14, 2007, 06:44:52 AM »
My understanding (based on scanning the forums and not on extensive personal testing) is that 'private server' mode leaves more ports open than server-gateway mode, under the assumption that the server is 'private' and therefore less exposed...

It isn't 'serving' to the internet, but is still assumed to be 'serving' to the local network.

I would definitely expect a sme server in 'private server' mode to respond on ports 80, 21, 53, 139, 389, 443, 980.

25, 22, 110, 143, 465, 995, 993 can be disabled in server-manager (smtp, ssh, pop3, imap, smtps, pop3s, imaps)

Mine looks like it's also listening on 515, 548, 783, 26 and 4700...

Offline JoshuaR

Re: Changed port settings SME 7 - 7.2 ?
« Reply #4 on: September 14, 2007, 06:53:51 AM »
this is what I got out of the documentation...
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter5#Operation_Mode

Quote
Option 1: Server and gateway mode
In server and gateway mode, your server provides services (such as e-mail, web services, file and print sharing) to your network and also acts as a gateway between your internal network and the outside world. The fact that it serves as a "gateway" means it has separate interfaces with each network, and provides security and routing.

Option 2: Private server and gateway
This mode is a variation of option 1 and provides the same functionality with the following differences:

Your web server is not visible to anyone outside of the local network.
Your mail server is not accessible from outside of the local network.
Additional firewall rules have been configured to drop packets for various services (such as 'ping' requests).
All services are available on the internal network. The differences are entirely in how your server is seen by the external world.

You would select this mode only if you wish to use the server as a gateway, but do not wish to publish any services to the external Internet.

In my thinking, option 2: private server and gateway should not provide open ports since it isn't providing any services to an external network...???   :sad:  Help  :sad:
Life's tragedy is that we get old too soon, and wise too late...

Offline raem

Re: Changed port settings SME 7 - 7.2 ?
« Reply #5 on: September 14, 2007, 08:00:46 AM »
JoshuaR

Quote
The problem is, one server has all its ports closed, and the other has quite a few open.

Please give exact details of what ports you are referring to and how you determined this.
...

Offline JoshuaR

Re: Changed port settings SME 7 - 7.2 ?
« Reply #6 on: September 14, 2007, 08:08:22 AM »
Quote
JoshuaR

Please give exact details of what ports you are referring to and how you determined this.

Tested common ports via Shields Up (what else  :P)  on server with SME 7.2 clean install...

ports
443 (https)         --open
25 (smtp)           --open
80 (http)            --open
113 (auth / ident)--closed (not stealthed--I only mentioned it because it's stealthed on the other server)

Also tested via Shields Up (SME server that was upgraded from 7.0 pre4 to 7.2)

All the ports in the common ports test were stealthed except one which was closed...
443 (https) --closed
Life's tragedy is that we get old too soon, and wise too late...

Offline JoshuaR

Re: Changed port settings SME 7 - 7.2 ?
« Reply #7 on: September 14, 2007, 08:15:04 AM »
and just to add, I updated the server with the open ports...still opened...  :sad:
Life's tragedy is that we get old too soon, and wise too late...

Offline mmccarn

Re: Changed port settings SME 7 - 7.2 ?
« Reply #8 on: September 14, 2007, 02:10:05 PM »
I can't find anything in /etc/e-smith/templates or in 'config show' that shows what the difference is between 'server-gateway' mode and 'private server-gateway mode'.

This makes me think that possibly the only difference is that if you select one or the other during the initial system setup you get different default 'access' values for the various services.

Try config show http-e-smith and config show smtpd on both systems and see if there's something different between them.

I'm hoping you'll find something obvious like 'access=private' on one system and 'access=public' on the other, or 'access=something' on one but no 'access=...' line on the other.

Offline mmccarn

Re: Changed port settings SME 7 - 7.2 ?
« Reply #9 on: September 14, 2007, 02:22:30 PM »
Also, according to this bug http://bugs.contribs.org/show_bug.cgi?id=2202 dated 12/22/2006 the 'servergateway-private' mode may be headed out.

Which would explain why a SME7RCx server upgraded through to 7.2 might behave differently from one configured using 7.2 from scratch...

The 'fix' at this point would be to identify the differences in the settings on the two systems and duplicate the ones you want on the system that isn't behaving as you feel it should.

A plus would be if you built a script to set all those settings and uploaded it to the bug referenced above.

Offline raem

Re: Changed port settings SME 7 - 7.2 ?
« Reply #10 on: September 14, 2007, 03:49:39 PM »
JoshuaR

As has been suggested earlier, use
config show |more
to review the status of the services associated with those ports eg
access=private
or
access=public
Also check
config show SystemMode
to verify the system is really set to private server&gateway mode.

If you find your configuration mode is correct but ports are open, and it is truly a clean install of sme7.2 without any contribs that may have modified port status, then report your findings as a bug.

The manual is reasonably clear on what to expect.

Option 2: Private server and gateway

This mode is a variation of option 1 and provides the same functionality with the following differences:

    * Your web server is not visible to anyone outside of the local network.
    * Your mail server is not accessible from outside of the local network.
    * Additional firewall rules have been configured to drop packets for various services (such as 'ping' requests).

All services are available on the internal network. The differences are entirely in how your server is seen by the external world.

You would select this mode only if you wish to use the server as a gateway, but do not wish to publish any services to the external Internet.
...
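
Added example, not part of the thread and not SME Server's own tooling: the comparison suggested in Replies #1, #8 and #10, run over two saved 'config show' dumps to list every property (such as access=) that differs or is missing on one side. The dump contents are constructed, and the layout (an unindented key=type line followed by indented prop=value lines) is an assumption about that output.

```python
# Constructed sample dumps (not taken from the thread). Assumed layout:
# an unindented "key=type" line, then indented "prop=value" lines.
UPGRADED = """\
SystemMode=servergateway-private
httpd-e-smith=service
    access=private
    status=enabled
smtpd=service
    access=private
    status=enabled
"""
CLEAN = """\
SystemMode=servergateway-private
httpd-e-smith=service
    access=public
    status=enabled
smtpd=service
    status=enabled
"""

def parse_dump(text):
    """Return {key: {"type": value, prop: value, ...}} for one dump."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip() or "=" not in line:
            continue  # skip blank or unparseable lines
        name, value = line.strip().split("=", 1)
        if line[0].isspace():
            if current is not None:  # property of the last key seen
                records[current][name] = value
        else:
            current = name
            records[current] = {"type": value}
    return records

def diff_dumps(a, b):
    """List (key, prop, value_in_a, value_in_b) where dumps differ; None means absent."""
    ra, rb = parse_dump(a), parse_dump(b)
    out = []
    for key in sorted(set(ra) | set(rb)):
        pa, pb = ra.get(key, {}), rb.get(key, {})
        for prop in sorted(set(pa) | set(pb)):
            if pa.get(prop) != pb.get(prop):
                out.append((key, prop, pa.get(prop), pb.get(prop)))
    return out

if __name__ == "__main__":
    for key, prop, left, right in diff_dumps(UPGRADED, CLEAN):
        print(f"{key}.{prop}: upgraded={left!r} clean={right!r}")
```

To use it on real systems, save the output of config show to a file on each server and pass the two files' contents to diff_dumps in place of the sample strings.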