Re: Listening Ports

On Mon, Sep 10, 2001 at 01:02:20AM -0700, Jeff Coppock wrote:
> I already use iptables, and can accomplish the blocking that way,
> I just wanted to see if there was a way to keep the port from
> binding to an interface to start with.  
> So, I'll continue with iptables for now.

	Well you don't really need to (it's a security add-on). But,
summarising a bit:

- for inetd processes use inetd's service@ip (didn't know about this, BTW,
thanks Alexander!) or use xinetd
- for non-inetd process check out the manpages/documentation of the
package since most will be able to bind only on a given port.  Some
examples are given on the "Securing Debian Manual", for example, for exim.
Bind is easy, also just use the listen-on option in named.conf, and so is
Apache (BindAddress option in httpd.conf)

	When hardening a system I usually start by taking a look at
netstat -an output (lsof -i, see the "Securing Debian Manual") and go,
process by process (package by package) checking whether it can be
configured to listen only on a given IP address (not and limit it
	In any case, add ipchains filtering as needed (just in case
someone changed your configuration, but do not depend only on the firewall
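Added example, not part of the original mail or of any of the packages it mentions: a small shell helper for the "look at netstat -an output, then go package by package" step above. It reads netstat -an style lines and prints only the listening sockets bound to the wildcard address (0.0.0.0, or :: for IPv6, which goes a little beyond the mail's IPv4-era output), i.e. the services that still have to be given a listen-on / BindAddress / service@ip style setting. The netstat output embedded below is constructed for the example; on a real box you would pipe the live output in instead.

```sh
#!/bin/sh
# Added example (not from the original mail): list sockets that still listen
# on every interface, so each one can be tracked back to its package and
# pointed at a single address in that package's configuration.
#
# Input format is that of "netstat -an":
#   Proto Recv-Q Send-Q Local Address   Foreign Address   State
#
# Constructed sample output (assumption: the host's own address is 192.0.2.10).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:41022      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Print "proto local-address" for every listening socket whose local address
# is the wildcard (0.0.0.0 or ::).  TCP listeners carry the LISTEN state in
# field 6; UDP has no state column, so an unconnected UDP socket (foreign
# address ending in ":*") is treated as listening.
wildcard_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|::):/ { print $1, $4 }
        $1 ~ /^udp/ && $5 ~ /:\*$/   && $4 ~ /^(0\.0\.0\.0|::):/ { print $1, $4 }
    '
}

# Number of wildcard listeners; a hardening checklist item that should reach 0
# once every daemon has been bound to the address it is meant to serve.
count_wildcard_listeners() {
    wildcard_listeners | wc -l | tr -d ' '
}

# Run against the constructed sample.  On a live system use:
#   netstat -an | wildcard_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

The output for the sample is the sendmail/exim-style port 25, sshd on 22 and the UDP 123 socket; port 53 and port 80 are already bound to one address and are not reported. Each remaining line is then a package whose documentation needs checking for its bind option, with ipchains/iptables rules added on top as the mail says, not instead.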



