
Re: is it rational to close the 139 port



On Sun, 22 Jul 2012, lina wrote:
> strangely my netstat showed my 139 and 445 ports are open.
> 
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
> 
> Do I need specify
> 
> -A INPUT -p tcp --dport 139 -j REJECT
> 
> in iptables?

It is good practice to not let ports 135, 137, 138, 139 and 445 get through
the interface to *EXTERNAL* networks/Internet.  They're used for services
that ought to stay restricted to your internal network and VPNs.  And
they're required only if you use Windows-style network shares in your
internal network.

The same goes for port 631 (CUPS/IPP printing) and a few other ports that are
used by services that nobody in an external network has any business messing
with in the general case.

If you don't need Windows-style networking at all, it is best to
disable/remove/purge package "samba", which provides these services.  This
ought to close the 445 and 139 ports.

> BTW, why need allow ping? from outside?

It is useful for diagnostics initiated from the outside, and that's it. If
you don't need it (i.e. you never ping your box from an outside network),
you can safely drop incoming ICMP ECHO REQUESTs on the external interface
(that type 8 in the iptables rule means ECHO REQUEST).  Do not mess with the
other ICMP types unless you know what you're doing; some of them must not be
dropped at all, while some others are required only in specific network
topologies.  The kernel already does a very good job at ignoring rogue
ICMPs by default.

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
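Added example, not part of the thread above and not Henrique's or lina's own
rules: a small POSIX sh script that first checks netstat-style output for the
"internal only" ports the reply lists (135, 137, 138, 139, 445, 631) bound to
the wildcard address, then emits an iptables-restore ruleset that rejects those
ports only on the external interface and, optionally, drops ICMP echo-request
(type 8) there while leaving every other ICMP type alone. The interface name
eth0 and the netstat sample are assumptions/constructed input; adjust the
interface to your box.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumptions: the external interface is called eth0 (change it), and
# iptables-restore(8) loads the output of build_rules. Every rule matches
# "-i <ext_if>", so shares and printing keep working on the LAN and on lo.

# Print an iptables-restore ruleset for the given external interface.
# Pass "noping" as the second argument to also drop incoming ICMP
# echo-request (type 8) there; no other ICMP type is touched.
build_rules() {
    ext_if=$1
    noping=${2:-}
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Windows-style networking: TCP 135 (RPC endpoint mapper), 139 (NetBIOS
    # session), 445 (SMB); UDP 137/138 (NetBIOS name and datagram service).
    for port in 135 139 445; do
        echo "-A INPUT -i $ext_if -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
    for port in 137 138; do
        echo "-A INPUT -i $ext_if -p udp --dport $port -j REJECT"
    done
    # CUPS/IPP printing has no business being reachable from outside either.
    echo "-A INPUT -i $ext_if -p tcp --dport 631 -j REJECT --reject-with tcp-reset"
    if [ "$noping" = noping ]; then
        echo "-A INPUT -i $ext_if -p icmp --icmp-type 8 -j DROP"
    fi
    echo 'COMMIT'
}

# Read netstat -an / ss -an style lines on stdin and print the ports from the
# internal-only set that are bound to 0.0.0.0 (i.e. reachable on every
# interface). Sockets bound to 127.0.0.1 or a LAN address are not reported.
exposed_internal_ports() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); port = a[2]
            if (port ~ /^(135|137|138|139|445|631)$/) print port
        }' | sort -n | uniq
}

# Constructed sample: the two lines quoted in the thread, plus a CUPS socket
# bound to localhost only and an sshd listener, neither of which should show up.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Stand-alone run (./smbfence.sh --demo): list the exposed ports, then print
# the ruleset that fences them off on eth0; pipe it into iptables-restore
# as root once you have checked it.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_internal_ports
    build_rules eth0 noping
fi
```

Two points a practitioner would check before loading this: run
`netstat -anp` (or `ss -lnp`) for real and feed it to exposed_internal_ports
to see which daemon owns 139/445, since purging samba removes the listener
altogether and is cleaner than firewalling it; and keep the ICMP rule limited
to type 8, as the reply says, because dropping all of ICMP breaks path MTU
discovery and error reporting.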