Koozali.org: home of the SME Server

Closing Ports on SME 5.6

Mike

Closing Ports on SME 5.6
« on: June 18, 2003, 05:36:01 PM »
How do I close the ports for PING and TELNET on SME 5.6? All other ports indicate Stealth except HTTP, which is seen as Open.

Klaus Eckert

Re: Closing Ports on SME 5.6
« Reply #1 on: June 18, 2003, 07:27:34 PM »
there is a contrib that does that job.
search in the forum for "port opening".

cheers
klaus

Charlie Brady

Re: Closing Ports on SME 5.6
« Reply #2 on: June 18, 2003, 10:50:37 PM »
Klaus Eckert wrote:

> there is a contrib that does that job.
> search in the forum for "port opening".

No, the "port opening" contrib does not do this. It isn't very useful. Don't use it. If you need a port open for an application, use a simple custom template instead, or better yet, make and distribute an interface RPM which supports the application.

http://www.e-smith.org/docs/howto/howto_modify_e-smith_interface_rpm.php3

Charlie

Nathan Fowler

Re: Closing Ports on SME 5.6
« Reply #3 on: June 19, 2003, 09:43:10 PM »
Use ipchains to close the ports. If you want the rules to be persistent on reboot, append them to the end of /etc/rc.d/rc.local.

To deny ICMP:
/sbin/ipchains -A input -p icmp --icmp-type echo-request -d [IP address] -i [extern interface] -j DENY

To deny TELNET:
I would recommend you set it to Private from the E-smith manager.  Then add:
/sbin/ipchains -A input -p tcp --dport 23 -d [IP address]/32 -j DENY
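
Added example, not part of the original post: a small Python model of what the two rules above match on, showing that the ping rule keys on the ICMP type field (ICMP has no ports) while the telnet rule keys on the TCP destination port. The packets and addresses are constructed samples, the function names are hypothetical, and the model ignores the rules' -d and -i matches.

```python
import struct

ICMP, TCP = 1, 6            # IPv4 protocol numbers
ECHO_REQUEST = 8            # ICMP type sent by ping; ICMP carries no port field

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (used by the IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(proto: int, payload: bytes) -> bytes:
    """Wrap payload in a 20-byte IPv4 header (constructed documentation addresses)."""
    src, dst = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp(icmp_type: int) -> bytes:
    """ICMP header: type, code, checksum, identifier, sequence, then data."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"ping"
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def tcp_syn(dport: int) -> bytes:
    """TCP header with SYN set; checksum left zero in this constructed sample."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)

def verdict(packet: bytes) -> str:
    """Model of the two DENY rules: ICMP echo-request and TCP destination port 23."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, l4 = packet[9], packet[ihl:]
    if proto == ICMP and l4[0] == ECHO_REQUEST:
        return "DENY"                     # matched on ICMP type, not on a port
    if proto == TCP and struct.unpack("!H", l4[2:4])[0] == 23:
        return "DENY"                     # matched on TCP destination port
    return "ACCEPT"                       # in a real chain: falls through to later rules

# Constructed sample packets
SAMPLES = {
    "ping request": ipv4(ICMP, icmp(ECHO_REQUEST)),
    "ping reply": ipv4(ICMP, icmp(0)),
    "telnet SYN": ipv4(TCP, tcp_syn(23)),
    "http SYN": ipv4(TCP, tcp_syn(80)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {verdict(pkt)}")
```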

Mike

Re: Closing Ports on SME 5.6
« Reply #4 on: June 21, 2003, 08:18:21 PM »
Have managed to close Telnet Port 23 on SME 5.6 but "PING" does not appear to use a port? Have I missed something here? How does one stop the server from responding to PING?

phillip ramirez

Re: Closing Ports on SME 5.6
« Reply #5 on: June 23, 2003, 12:13:35 AM »
look up icmp port.

Charlie Brady

Re: Closing Ports on SME 5.6
« Reply #6 on: June 23, 2003, 01:28:16 AM »
Mike wrote:

> Have managed to close Telnet Port 23 on SME 5.6

Telnet is denied by default. If you have enabled telnet, disable it or set it to private (if you must), and the port will be closed.

Charlie

Mike

Re: Closing Ports on SME 5.6
« Reply #7 on: June 23, 2003, 12:01:06 PM »
Interesting comment about Telnet being closed by default. An external port scan from Symantec on a fresh install of SME 5.6 showed it as Open?

Thank you all for your comments, much appreciated.

Charlie Brady

Re: Closing Ports on SME 5.6
« Reply #8 on: June 23, 2003, 06:32:43 PM »
Mike wrote:

> Interesting comment about Telnet being closed by default. An
> external port scan from Symantec on a fresh install of SME
> 5.6 showed it as Open?

Any security concerns should be communicated directly (in detail) to smesecurity@mitel.com and any suspected bugs to smebugs@mitel.com.

Charlie

Joseph B

Re: Closing Ports on SME 5.6
« Reply #9 on: June 27, 2003, 09:06:53 PM »
Hi, Nathan,

I appended ipchains rules to rc.local, as you suggest, to disable web access for some computers in the network (see http://forums.contribs.org/index.php?topic=17827.msg69746#msg69746), but the rules disappear after some time (during dialup?)... Seems that the system re-initiates its own rules from time to time...

A solution?

Thanks.

Joseph.

Joseph B

Re: Closing Ports on SME 5.6
« Reply #10 on: June 28, 2003, 02:49:39 PM »
Many thanks to Nathan Fowler who gave me the solution to my problem.

(see http://www.e-smith.org/bboard//read.php?f=3&i=33358&t=33338)

Joseph.