Koozali.org: home of the SME Server

SME 6.0 private gateway has open ports to internet

Peter T.

SME 6.0 private gateway has open ports to internet
« on: January 09, 2004, 07:53:34 PM »
Hi,

I have SME 6.0 box set to private gateway/server mode.
But nmap shows open ports 25, 80, 113 and 443.
How do I disable the smtp and apache access from internet?

Thank you,
Peter T.


Marco Garza

Re: SME 6.0 private gateway has open ports to internet
« Reply #1 on: January 10, 2004, 07:13:21 AM »
Peter,

You need to modify the masq rules.
If you view the file /etc/rc.d/init.d/masq, you will see some lines like this:

    adjust_tcp_in 113 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 21 denylog $NEW_InboundTCP
    adjust_tcp_in 80 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 443 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 143 denylog $NEW_InboundTCP
    adjust_tcp_in 389 denylog $NEW_InboundTCP
    adjust_tcp_in 110 denylog $NEW_InboundTCP
    adjust_tcp_in 1723 denylog $NEW_InboundTCP
    adjust_tcp_in 25 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 22 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 23 denylog $NEW_InboundTCP

Any line that has ACCEPT in it is an open port.  We need to change this to denylog like the others.  Here are the steps:

Create the appropriate directories using the command:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Copy the masq fragments you want to modify, SMTP and HTTP:
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/45AllowSMTP /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

cp /etc/e-smith/templates/etc/rc.d/init.d/masq/45AllowHTTP /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

Edit the line in each fragment from:
BEFORE

    $OUT = allow_tcp_in(80,
            ($status eq "enabled") && ($access eq "public"));

TO:
AFTER

    $OUT = allow_tcp_in(80,
            ($status eq "disabled") && ($access eq "private"));

Expand the template:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

View the file /etc/rc.d/init.d/masq and make sure that the changes are reflected in the file.
If not, check your files.

Restart the IP masquerading daemon:
service masq restart

Test again...a good site is www.grc.com

That should be it.


HTH

Robert

Re: SME 6.0 private gateway has open ports to internet
« Reply #2 on: January 10, 2004, 01:19:19 PM »
Ports should be open if services are enabled and public. Rather than randomly change the rules for that in the masq init fragments, you should check that the services are correctly set to private in /home/e-smith/configuration. Check auth, httpd-e-smith and smtpfront-qmail.

Robert

Re: SME 6.0 private gateway has open ports to internet
« Reply #3 on: January 10, 2004, 01:37:59 PM »
P.S. I _assume_ that allow_tcp_in(port, condition) opens port if condition is met, but I don't have SME 6 so I can't say for sure. Please ignore my post if my assumption is incorrect.

Marco Garza

Re: SME 6.0 private gateway has open ports to internet
« Reply #4 on: January 10, 2004, 03:42:42 PM »
I don't know,
I tried everything I knew to close all incoming ports, but this was all that seemed to work.  If there is another way, someone please enlighten me.

PS.

This was the easiest way for me to open ports also...

just the way I did it

Robert

Re: SME 6.0 private gateway has open ports to internet
« Reply #5 on: January 10, 2004, 05:16:02 PM »
Marco, on the assumption that allow_tcp_in does what I think it does, you changed a rule that said "open port for service if service is enabled and access set to public" to "open port for service if service is disabled and access set to private". Your rule will close a port for a service that is _incorrectly_ set to enabled with public access, but a better solution would be to set access to private for the service and then let the original rule close the port for the service. Even better would be to find out why services that should be set to private are set to public and fix that.

Graeme Fleming

Re: SME 6.0 private gateway has open ports to internet
« Reply #6 on: January 11, 2004, 02:53:04 AM »
Reconfigure server as public gateway then reboot; then reconfigure back to private and reboot - this will force SME to rewrite the conf files and may help resolve the problem.

HTH

Marco Garza

Re: SME 6.0 private gateway has open ports to internet
« Reply #7 on: January 11, 2004, 06:32:44 AM »
I tested the server on a fresh install with private server and gateway as the installation choice.  I have reconfigured and rebooted, but no change.  SME 5.6 with all the updates was exactly like this.  It also had the same ports open in private mode.  I am not sure why, nor have I been able to see where the bug is.  This was the only way I was able to open ports that I needed and close ones that I did not want open.  I understand that this may not be the best way, but it was the only solution that I could come up with.

Marco Garza

Re: SME 6.0 private gateway has open ports to internet
« Reply #8 on: January 11, 2004, 08:41:53 AM »
OK,
I have been able to close port 113 by stopping the Ident service:
service oidentd stop
/sbin/e-smith/signal-event console-save

(only a temp. fix)

now port 113 is closed.

Tried to close port 80 by the same method, this didn't work, tried httpd-e-smith, still didn't work.  I would think that since it is a private server/gateway, this should be turned off (unless this also runs the server-manager) or port 80 is closed.

Don't know what daemon is running for port 25.
Don't know what daemon is running for port 443.

Any other ideas?

Robert

Re: SME 6.0 private gateway has open ports to internet
« Reply #9 on: January 11, 2004, 10:50:28 AM »
The script that sets access defaults was broken in SME 5.5 and SME 5.6. Looks like it's still broken in 6.0. Symptom of the breakage is that some services are not set to private access as they should be. If the services _are_ set to private access, doing a conf-masq will correctly close the ports for the services. So, there's nothing wrong with the template for /etc/rc.d/init.d/masq (at least on SME 5.5); the problem is in the configuration database /home/e-smith/configuration. After a clean install of SME 5.5 in private s&g mode, services auth, httpd-e-smith, and smtpfront-qmail are not set to private access in /home/e-smith/configuration. You can fix this for individual services with a command like
# /sbin/e-smith/db configuration setprop auth access private
Repeat for all incorrectly set services, then reconfigure.
Now for the actual problem: the script that sets access defaults in SME 5.5 and 5.6 is /etc/e-smith/events/actions/set-access-defaults. It exits 0 if there is no PreviousConfiguration or if the SystemMode hasn't changed from the PreviousConfiguration. That's why Graeme's workaround should fix the problem. This workaround may not work on SME 6 (don't know; haven't looked at it).
Another possible fix would be to buy an Alpha and install SME/Alpha V5.5 ;-)
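The check Robert describes in Reply #2 and Reply #9 (look at the configuration database rather than patching the masq template) can be scripted. The following is an added example, not code from the thread or from SME Server. It assumes the /home/e-smith/configuration record layout key=type|prop|value|prop|value... and the SystemMode value servergateway-private; the sample database it reads is constructed here, and the reconfigure step emitted at the end is the console-save event Marco used earlier in the thread. The script only prints the db commands it would run, so it is safe to try before applying them by hand.

```shell
#!/bin/sh
# Audit an e-smith configuration database for services left at public
# access while the box is in a private mode, and print the db(1) commands
# that set them to private. Added example; record layout and the SystemMode
# value are assumptions, not taken from the thread.

# Constructed sample of /home/e-smith/configuration (not a real dump).
# $1: destination path.
write_sample_config() {
    cat > "$1" <<'EOF'
SystemMode=servergateway-private
auth=service|access|public|status|enabled
httpd-e-smith=service|access|public|status|enabled
smtpfront-qmail=service|access|public|status|enabled
sshd=service|access|private|status|enabled
oidentd=service|status|enabled
EOF
}

# Print "service access" for every record of type service that carries an
# access property. The key is everything before the first "=", the value
# is a "|"-separated list: type, then prop/value pairs. $1: config file.
list_service_access() {
    awk '
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (index(val, "service|") != 1) next
            n = split(val, f, "|")
            for (i = 2; i < n; i += 2)
                if (f[i] == "access") print key, f[i + 1]
        }' "$1"
}

# Print only the services whose access property is "public". $1: config file.
public_services() {
    list_service_access "$1" | awk '$2 == "public" { print $1 }'
}

# Emit the corrective commands. In a public mode an open port is expected,
# so nothing is printed; in a private mode each public service gets a
# setprop, followed by the event that re-expands templates (assumed to be
# sufficient, as used elsewhere in this thread). $1: config file.
fix_commands() {
    mode=$(awk -F'=' '$1 == "SystemMode" { print $2 }' "$1")
    case "$mode" in
        *private*) ;;
        *) echo "# SystemMode=$mode: public access is expected, nothing to change"; return 0 ;;
    esac
    svcs=$(public_services "$1")
    [ -n "$svcs" ] || { echo "# no public services found, nothing to change"; return 0; }
    for svc in $svcs; do
        echo "/sbin/e-smith/db configuration setprop $svc access private"
    done
    echo "/sbin/e-smith/signal-event console-save"
}

# Demo on the constructed sample: prints three setprop lines and the event.
cfg=$(mktemp)
write_sample_config "$cfg"
fix_commands "$cfg"
rm -f "$cfg"
```

On a real box, point the functions at /home/e-smith/configuration instead of the sample, review the printed commands, and run them only for services that genuinely should not be reachable from the internet; the private/public decision still belongs to the service's access property, not to the masq fragments.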

Peter T.

Thanks everyone
« Reply #10 on: January 22, 2004, 08:00:20 PM »
Thanks everyone, I tried Graeme's suggestion, worked out well.