
Re: Can a daemon listen only on some interfaces?



On Sat, Dec 08, 2001 at 01:25:16PM +0200, Michael Wood wrote:
> Hi
> 
> On Sat, Dec 08, 2001 at 07:40:06PM +1000, mdevin@ozemail.com.au wrote:
> [snip]
> > So, what I can figure out is that it seems that I have only
> > the following daemons listening: postfix, sshd, cupsd,
> > XF86_SVGA, portmap.
> > 
> > I have only deliberately decided to run postfix, sshd and
> > cupsd.  Everything in /etc/inetd.conf is hashed out.  In fact
> > I renamed the file so that it is not accessed at all.
> 
> Commenting everything out should be sufficient.

Yep, did that too.  Do you think I should move the completely commented
file back to /etc/inetd.conf?
> 
> > The only ones I didn't know about in this list are portmap and
> > XF86_SVGA.  Firstly, I can't seem to find the config file for
> > X where you set the --nolisten parameter - but I have not
> > unset this at any stage and I thought Debian did this by
> 
> Make sure your /etc/X11/xinit/xserverrc contains something like
> this:
> 
> #!/bin/sh
> exec /usr/bin/X11/X -dpi 100 -nolisten tcp

Hmmm.  This file did not exist on my computer.  I don't know why.  I
just assumed that it would have the nolisten parameter as default.  I
remember reading somewhere that Debian did this - but I guess I did not
check.

In any case, I created the file with just the 2 lines you have above and
then stopped and restarted X.  It seems to have fixed that (see below).

> > default.  Secondly, I guess everyone needs portmap it seems,
> > so I can't turn this off or some things won't work.  Someone
> > please educate me here.
> 
> No.  You do not need portmap unless you're using NFS or
> something like that.  (i.e. SUN RPC services.)  portmap is
> started by /etc/init.d/portmap when your machine boots.  Disable
> it.  (Why was portmap part of net-base to begin with?)
> 
> If you're using testing/unstable, portmap is in its own package
> (called portmap) and you should be able to uninstall it.

I couldn't find the portmap package.  I am running potato with 2.4
kernel stuff from Adrian Bunk's site.  I did apt-cache search portmap,
but only found "scotty", which is not installed on my system.  Then I
did some google searches to see if I could remove the package it is in,
but couldn't find anything.

In the end I just did:
update-rc.d -f portmap remove
And that fixed it (see below).  But I would prefer to remove the whole
program from my system if that can be done with a simple apt-get remove
--purge command.
> 
> > So my question is:
> > Is there some way to make certain daemons, (say postfix)
> > listen only on some interfaces?  For example, I have
> > everything firewalled from outside, so I really only need
> > postfix to listen on the loopback interface for local
> > connections.  Is this possible?
> 
> It's technically possible, but this depends on if the particular
> daemon has support for this.  Postfix does.
> 
> Just put a line like this in main.conf:
> 
> inet_interfaces = localhost
> 
> > Then netstat -ln might show something like:
> > tcp        0      0 0.0.0.0:25   127.0.0.1:* LISTEN
> [snip]
> 
> Well, not quite :)  Here's what it looks like:
> 
> Proto Recv-Q Send-Q Local Address  Foreign Address State      
> tcp        0      0 127.0.0.1:25   0.0.0.0:*       LISTEN

Ahhh.  Thanks for that.  I put that line in my main.cf for postfix and
did a reload.
> 
> I have no idea if cups supports binding to a particular
> interface, but the documentation should tell you.  If you can't
> figure out how to do it or it's not possible without modifying
> the source, you should use ipchains/iptables to restrict access
> to the port it uses.

I just did a bit more looking into this and found that indeed CUPS does
allow you to specify which interfaces it listens on.  I put the
following line in /etc/cups/cupsd.conf
Listen 127.0.0.1:631
and that seems to have fixed that.
> 
> I hope this helps.

Thanks a lot - it was very helpful and educational.

Now here is the output of netstat -ln (looking much better):

# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State      
tcp        0      0 0.0.0.0:22    0.0.0.0:*       LISTEN      
tcp        0      0 127.0.0.1:631 0.0.0.0:*       LISTEN      
tcp        0      0 127.0.0.1:25  0.0.0.0:*       LISTEN      
Active UNIX domain sockets (only servers)
Proto RefCnt Flags   Type   State     I-Node Path
unix  2      [ ACC ] STREAM LISTENING 69748  private/cleanup
unix  2      [ ACC ] STREAM LISTENING 69755  private/rewrite
unix  2      [ ACC ] STREAM LISTENING 69759  private/bounce
unix  2      [ ACC ] STREAM LISTENING 69763  private/defer
unix  2      [ ACC ] STREAM LISTENING 69771  public/showq
unix  2      [ ACC ] STREAM LISTENING 69767  private/smtp
unix  2      [ ACC ] STREAM LISTENING 69775  private/error
unix  2      [ ACC ] STREAM LISTENING 69779  private/local
unix  2      [ ACC ] STREAM LISTENING 69783  private/cyrus
unix  2      [ ACC ] STREAM LISTENING 69787  private/uucp
unix  2      [ ACC ] STREAM LISTENING 69791  private/ifmail
unix  2      [ ACC ] STREAM LISTENING 69795  private/bsmtp
unix  2      [ ACC ] STREAM LISTENING 1010   /dev/log
unix  2      [ ACC ] STREAM LISTENING 1226   /dev/gpmctl
unix  2      [ ACC ] STREAM LISTENING 64908  /tmp/.X11-unix/X0
unix  2      [ ACC ] STREAM LISTENING 64934  /tmp/ssh-JywB5237/agent.5237

Ahhh.  That looks much better.  Now it seems that the only daemon
listening on the internet side of my computer is ssh.

I do want sshd to listen on all (0.0.0.0) but I would like to find a way
to make it only accept connection attempts for a certain user from the
internet but still allow several other users to connect from the LAN.  I
do know how to make it accept connections for only certain users - by
using the AllowUsers config item in /etc/ssh/sshd_config.  But this
allows all the users specified to connect on all interfaces ssh listens
on, which is not what I want ideally.  What would be better is to allow
several from the LAN to connect but only one (me) from the internet.
This doesn't seem possible from my reading so far.  Oh well.

Thanks for the educational points.

Cheers.
Mark.
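The check the thread performs by eye on the netstat -ln listing above (which daemons are still bound to something other than 127.0.0.1) can be scripted. The following is an added example, not code from the thread or from any of the packages it mentions. The netstat listing it parses is constructed: it combines the "before" state described in the thread (sshd, the X server and portmap on all interfaces) with the "after" state (postfix and cupsd on the loopback address only). The allow-list format "proto:port" is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread): audit `netstat -ln` output for
# daemons that are reachable from outside the host, i.e. bound to
# something other than the loopback address.

# Constructed sample, not captured from a real host.  It mixes the
# thread's "before" state (sshd, X and portmap on all interfaces) with
# its "after" state (postfix and cupsd on 127.0.0.1 only).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp        0      0 0.0.0.0:22    0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:6000  0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:631 0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:25  0.0.0.0:*       LISTEN
udp        0      0 0.0.0.0:111   0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags   Type   State     I-Node Path
unix  2      [ ACC ] STREAM LISTENING 1010   /dev/log
EOF
}

# Read netstat -ln output on stdin; print "proto local-address" for each
# TCP/UDP listener not bound to 127.0.0.1 or ::1.  0.0.0.0 and :: mean
# "all interfaces", so they count as exposed.
external_listeners() {
    awk '
        # the UNIX socket section follows the inet one; stop there so
        # its Path column is never mistaken for an address
        /^Active UNIX domain sockets/ { exit }
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            sub(/:[^:]*$/, "", addr)        # drop ":port" (last colon)
            if (addr != "127.0.0.1" && addr != "::1")
                print $1, $4
        }
    '
}

# Read "proto local-address" lines on stdin and compare them with the
# listeners you intend to expose, given as space-separated proto:port
# entries (e.g. "tcp:22").  Returns 1 if anything else is listening.
check_exposure() {
    allowed=" $1 "
    status=0
    while read -r proto addr; do
        port=${addr##*:}
        case "$allowed" in
            *" $proto:$port "*) ;;
            *) echo "unexpected listener: $proto $addr"; status=1 ;;
        esac
    done
    return $status
}

# Demonstration on the constructed sample.  On a real host, source this
# file and run:  netstat -ln | external_listeners | check_exposure "tcp:22"
sample_netstat | external_listeners | check_exposure "tcp:22" \
    || echo "more than sshd is reachable from outside; see the lines above"
```

Run against the sample, the script reports the X server on tcp 6000 and portmap on udp 111 as unexpected and exits non-zero, which is what the thread fixed with `-nolisten tcp` and `update-rc.d -f portmap remove`; the loopback-only postfix and cupsd sockets are not reported. Note that a daemon bound to 0.0.0.0 is still reachable from the LAN even when a packet filter blocks it from the internet, so both checks (binding and firewall rules) are worth keeping.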

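The split asked for in the last paragraph (several users from the LAN, one user from the internet) can be expressed in /etc/ssh/sshd_config. This is an added example, not from the thread: `AllowUsers` accepts `USER@HOST` patterns, where the host part is checked separately against the connecting client's address or hostname, and OpenSSH 4.4 and later also have `Match Address` blocks. The user names and the 192.168.0.0/24 LAN prefix are assumptions; only one of the three variants belongs in a real file, since repeated `AllowUsers` lines accumulate.

```sshd_config
# Added example, not from the thread.  "mark" is the only account meant
# to be reachable from the internet; alice and bob are LAN-only.

# Variant 1, as the message describes it: every listed user may log in
# from any interface sshd listens on.
AllowUsers mark alice bob

# Variant 2, USER@HOST form: the host part is matched against the
# client's address (wildcards) or hostname, so alice and bob are
# accepted only from 192.168.0.x while mark is accepted from anywhere.
AllowUsers mark alice@192.168.0.* bob@192.168.0.*

# Variant 3, same policy with a Match block (OpenSSH 4.4 or later;
# CIDR notation needs the same version).  AllowUsers inside a Match
# block replaces the global list for connections it matches, so mark
# has to be repeated, and Match blocks must come last in the file.
AllowUsers mark
Match Address 192.168.0.0/24
    AllowUsers mark alice bob
```

Prefer address patterns over hostnames in the HOST part: a hostname match depends on the client's reverse DNS, which the client's network controls. The restriction is also only as strong as the address, so it complements rather than replaces the ipchains/iptables rules suggested earlier in the thread.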