How to close ports in Linux?

I have a question about closing a port; I think I have found something strange.

When I execute

nmap --top-ports 10 192.168.1.1

it shows that 23/TCP port is open.

But when I execute

nmap --top-ports 10 localhost

it shows that 23/tcp port is closed.

Which of them is true? I want to close this port on my whole system; how can I do it?

Answers:


Method 1

Nmap is a great port scanner, but sometimes you want something more authoritative. You can ask the kernel what processes have which ports open by using the netstat utility:

user@host:~$ sudo netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 127.0.0.1:53    0.0.0.0:*         LISTEN   1004/dnsmasq    
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   380/sshd        
tcp        0      0 127.0.0.1:631   0.0.0.0:*         LISTEN   822/cupsd       
tcp6       0      0 :::22           :::*              LISTEN   380/sshd        
tcp6       0      0 ::1:631         :::*              LISTEN   822/cupsd       

The options I have given are:

  • -t TCP only
  • -l Listening ports only
  • -n Don’t look up service and host names, just display numbers
  • -p Show process information (requires root privilege)

In this case, we can see that sshd is listening on any interface (0.0.0.0) port 22, and cupsd is listening on loopback (127.0.0.1) port 631. Your output may show that telnetd has a local address of 192.168.1.1:23, meaning it will not answer to connections on the loopback adapter (e.g. you can’t telnet 127.0.0.1).

There are other tools that will show similar information (e.g. lsof or /proc), but netstat is the most widely available. It even works on Windows (netstat -anb). BSD netstat is a little different: you’ll have to use sockstat(1) to get the process information instead.

Once you have the process ID and program name, you can go about finding the process and killing it if you wish to close the port. For finer-grained control, you can use a firewall (iptables on Linux) to limit access to only certain addresses. You may need to disable a service startup. If the PID is “-” on Linux, it’s probably a kernel process (this is common with NFS for instance), so good luck finding out what it is.

Note: I said “authoritative” because you’re not being hindered by network conditions and firewalls. If you trust your computer, that’s great. However, if you suspect that you’ve been hacked, you may not be able to trust the tools on your computer. Replacing standard utilities (and sometimes even system calls) with ones that hide certain processes or ports (a.k.a. rootkits) is a standard practice among attackers. Your best bet at this point is to make a forensic copy of your disk and restore from backup; then use the copy to determine the way they got in and close it off.
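The answer above points at /proc as the source netstat reads from. The following is an added example (not code from the answer) that decodes the kernel's TCP socket table itself, so the result does not depend on network reachability, firewalls or a possibly replaced netstat binary. The table embedded in it is a constructed /proc/net/tcp dump (IPv4 only) modelling the situation in the question: sshd bound to every address, dnsmasq bound to loopback only, telnetd bound to 192.168.1.1 only. The helpers pid_for_inode() and proc_name() are assumptions about the /proc layout on a live Linux host (socket inodes appear as "socket:[N]" links under /proc/<pid>/fd); they return None elsewhere or without the needed privilege.

```python
#!/usr/bin/env python3
"""Read the kernel's TCP socket table directly, the way netstat -tlnp does.

Added example, not code from the original answers. SAMPLE_PROC_NET_TCP is a
constructed dump; pid_for_inode()/proc_name() are assumed helpers for Linux.
"""
import os
import socket
import struct

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket

# Constructed sample. Addresses are little-endian hex IPv4:port, so
# 0100007F = 127.0.0.1, 0101A8C0 = 192.168.1.1, 6401A8C0 = 192.168.1.100.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15002 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19877 1 0000000000000000 100 0 0 10 0
   3: 0101A8C0:0016 6401A8C0:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field: str):
    """'0100007F:0035' -> ('127.0.0.1', 53)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text: str):
    """Return every LISTEN socket in a /proc/net/tcp dump as ip/port/inode."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # header line, or an established/closing socket
        ip, port = decode_addr(fields[1])
        listeners.append({"ip": ip, "port": port, "inode": int(fields[9])})
    return listeners


def answers_on(listeners, dst_ip: str, port: int) -> bool:
    """Would a SYN arriving for dst_ip:port find a listener?
    A socket bound to 0.0.0.0 accepts on every local address; one bound to a
    specific address answers only there, which is the nmap discrepancy in
    the question (telnetd on 192.168.1.1:23 is invisible from 127.0.0.1)."""
    return any(l["port"] == port and l["ip"] in ("0.0.0.0", dst_ip) for l in listeners)


def pid_for_inode(inode: int):
    """Assumed helper: map a socket inode to its PID by walking /proc/<pid>/fd.
    Needs root to see other users' processes; None if not found."""
    if not os.path.isdir("/proc"):
        return None
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue  # process exited, or not ours and we are not root
    return None


def proc_name(pid):
    """Assumed helper: the process name from /proc/<pid>/comm, or None."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except (OSError, TypeError):
        return None


def report(text: str):
    """One line per listener, in the spirit of netstat -tlnp."""
    lines = []
    for l in parse_listeners(text):
        pid = pid_for_inode(l["inode"])
        who = f"{pid}/{proc_name(pid)}" if pid else "-"
        lines.append(f"tcp {l['ip']}:{l['port']:<5} LISTEN {who}")
    return lines


if __name__ == "__main__":
    # Use the live table when this runs on Linux, otherwise the sample.
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    print("\n".join(report(table)))
    ls = parse_listeners(SAMPLE_PROC_NET_TCP)
    print("port 23 reachable via 127.0.0.1  :", answers_on(ls, "127.0.0.1", 23))
    print("port 23 reachable via 192.168.1.1:", answers_on(ls, "192.168.1.1", 23))
```

Run it as root on the real host to get PIDs for every listener; as an ordinary user the PID column shows "-" for other users' sockets, exactly like netstat without sudo. IPv6 listeners live in /proc/net/tcp6 with 32-hex-digit addresses and are not decoded here.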

Method 2

To “close” the port you can use iptables:

sudo iptables -A INPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j DROP

Method 3

A Linux system has a so called loopback interface, which is for internal communication. Its hostname is localhost and its IP address is 127.0.0.1.

When you run nmap on localhost, you actually run the portscan on the virtual loopback interface. 192.168.1.1 is the IP address of your physical (most likely eth0) interface.

So you’ve run nmap on two different network interfaces; this is why there’s a difference in the open ports. They are both true.

If you have TCP port 23 open, it is likely that you have a telnet server running (which is not a good thing due to its lack of encryption) or you have some kind of trojan horse on your machine.

Method 4

If you do nmap localhost, it tells you about a different situation: some programs on Linux work as servers although they are used only locally. This is because other programs use them like a server they connect to. So both answers are true, since you asked something different.

Port 23 is used for telnet, which is normally not used anymore. Try nmap -sV 192.168.1.1 to find out which program opens the port.

(192… is a local network IP, so the result of nmap <your outside world IP> will also give a different result, because of possible firewall settings etc)

Method 5

If you have a service running and listening on port 23, it is arguably cleaner to stop the process that listens to port 23 (probably telnet) than to keep it running and close or block port 23 using iptables.

When there’s no process listening on a port, even in the absence of a firewall block, any attempt to connect to it should result in an immediate “connection refused” (ECONNREFUSED to connect(2)).

One way to find the process (and its pid) that listens on port 23, if there’s such process, is:

sudo lsof -i -P | grep ':23 '

In the above -i lists open internet ports (both UDP and TCP), and -P inhibits translation of ports to service names (via /etc/services)

After you found the running process listening on port 23, you can figure out how it got started by looking at the process tree (with say, pstree). If its parent is init (very likely), you may recursively search for the name of the process under /etc. e.g.:

sudo grep -r telnet /etc

This should lead you to the best way to disable it from running in the first place.
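Methods 3, 4 and 5 all rest on the same two kernel behaviours: a listener bound to one address is not reachable through another, and a port with no listener answers with an immediate RST (ECONNREFUSED) rather than silence. The following is an added example, not code from those answers, that shows both with real sockets. It assumes Linux, where every 127.0.0.0/8 address belongs to the loopback interface, so 127.0.0.2 stands in for the “other interface” of the question; the listener is bound to 127.0.0.1 on an ephemeral port chosen by the kernel.

```python
#!/usr/bin/env python3
"""What connect(2) sees for a bound-elsewhere listener, a closed port and
(described only) a DROP firewall rule. Added example, not from the answers.
Assumes Linux loopback semantics for 127.0.0.2."""
import errno
import socket


def probe(ip: str, port: int, timeout: float = 1.0) -> str:
    """'open' if the handshake completes, 'refused' on ECONNREFUSED (the
    kernel answered with RST: no listener on that address/port),
    'timed out' if nothing came back (what an iptables -j DROP rule looks
    like), otherwise the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timed out"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e))
    finally:
        s.close()


def demo() -> dict:
    """Bind a listener to 127.0.0.1 only and probe it three ways."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # specific address, kernel-chosen port
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {}
    # Same situation as nmap 192.168.1.1 vs nmap localhost in the question:
    results["same address"] = probe("127.0.0.1", port)    # open
    results["other address"] = probe("127.0.0.2", port)   # refused
    # Method 5: stop the service and the port is closed without any firewall.
    srv.close()
    results["after stopping the service"] = probe("127.0.0.1", port)  # refused
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>28}: {outcome}")
```

The contrast with Method 2 is the third outcome probe() can return: with a listener still running behind an iptables DROP rule, a scanner sees a timeout (nmap reports “filtered”), whereas stopping the service yields an immediate RST (“closed”). A REJECT rule with --reject-with tcp-reset produces the same RST as an absent listener; DROP additionally slows the scanner down but also hides nothing from a local process, which is why stopping the daemon is the cleaner fix.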


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
