Minimizing open ports

L

Lido

I've got a new installation of 8.2 RELEASE and I want to keep it as secure as possible since I'm using it as a web server. In another thread I got the advice to run:
Code: 
# sockstat -46
and
Code: 
# netstat -an | grep LISTEN

When I run those commands it looks like things are ok, except that there seems to be an open port for MySQL:
Code: 
# netstat -an | grep LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp46      0      0 *.80                   *.*                    LISTEN
tcp46      0      0 *.3306                 *.*                    LISTEN
I did some searching for how to set up MySQL for local only and found some old posts on FreeBSD Diary. What is the current recommended way to make MySQL local only? There seems to be a way to add some parameters to rc.conf, but then there's also a file here that looks like some sort of config file:
Code: 
/usr/local/etc/rc.d/mysql-server

when I run sockstat, I get a lot more output. SSH and port 80 are on the list but there's also sendmail (which should also be send-only) and ntpd that I don't see a reason to leave open to the outside world:

Code: 
root     sendmail   1480  4  tcp4   127.0.0.1:25          *:*
www      httpd      1479  3  tcp4 6 *:80                  *:*
www      httpd      1479  4  tcp4   *:*                   *:*
www      httpd      1478  3  tcp4 6 *:80                  *:*
www      httpd      1478  4  tcp4   *:*                   *:*
www      httpd      1477  3  tcp4 6 *:80                  *:*
www      httpd      1477  4  tcp4   *:*                   *:*
www      httpd      1476  3  tcp4 6 *:80                  *:*
www      httpd      1476  4  tcp4   *:*                   *:*
www      httpd      1475  3  tcp4 6 *:80                  *:*
www      httpd      1475  4  tcp4   *:*                   *:*
root     sshd       1467  3  tcp6   *:22                  *:*
root     sshd       1467  4  tcp4   *:22                  *:*
root     httpd      1438  3  tcp4 6 *:80                  *:*
root     httpd      1438  4  tcp4   *:*                   *:*
mysql    mysqld     1417  10 tcp4 6 *:3306                *:*
root     ntpd       1259  20 udp4   *:123                 *:*
root     ntpd       1259  21 udp6   *:123                 *:*
root     ntpd       1259  22 udp6   fe80:6::1:123         *:*
root     ntpd       1259  23 udp6   ::1:123               *:*
root     ntpd       1259  24 udp4   127.0.0.1:123         *:*
root     ntpd       1259  26 udp4   192.168.1.6:123       *:*
root     syslogd    1035  6  udp6   *:514                 *:*
root     syslogd    1035  7  udp4   *:514                 *:*

Thanks.
 
Use
Code: 
syslogd_flags="-s -s"
in /etc/rc.conf to make syslogd stop listening at 514 port (requires syslogd restart).

Configure ntpd to listen only on interfaces you need.

Configure MySQL to listen on localhost or only on 'internal network'.
 
vermaden said:
Configure ntpd to listen only on interfaces You need.
Click to expand...

Not possible, mate. The ntpd(8) daemon (obnoxiously) gloms onto every interface and IPv4 / IPv6 address it can get its greedy hands on. :)

(I agree with your MySQL and syslogd(8) advice, BTW.)
 
Been using openntpd for a couple of years for this reason (binding to specific interface). Entirely trouble-free, as server and as client.
 
Ok, thanks. I couldn't find a way to remove ntp, but I installed openntp and put this into /usr/local/etc/ntpd.conf:
Code: 
listen on 127.0.0.1
Then I added the following to rc.conf:
Code: 
openntpd_enable="YES"
syslogd_flags="-s -s"
mysql_args="--bind-address=127.0.0.1"

Now, sockstat -46 gives:
Code: 
www      httpd      1593  3  tcp4 6 *:80                  *:*
www      httpd      1593  4  tcp4   *:*                   *:*
www      httpd      1592  3  tcp4 6 *:80                  *:*
www      httpd      1592  4  tcp4   *:*                   *:*
www      httpd      1591  3  tcp4 6 *:80                  *:*
www      httpd      1591  4  tcp4   *:*                   *:*
www      httpd      1590  3  tcp4 6 *:80                  *:*
www      httpd      1590  4  tcp4   *:*                   *:*
www      httpd      1589  3  tcp4 6 *:80                  *:*
www      httpd      1589  4  tcp4   *:*                   *:*
root     sendmail   1498  4  tcp4   127.0.0.1:25          *:*
root     sshd       1490  3  tcp6   *:22                  *:*
root     sshd       1490  4  tcp4   *:22                  *:*
root     httpd      1461  3  tcp4 6 *:80                  *:*
root     httpd      1461  4  tcp4   *:*                   *:*
mysql    mysqld     1440  10 tcp4   127.0.0.1:3306        *:*
_ntp     ntpd       1299  4  udp4   192.168.1.6:30819     184.105.182.7:123
_ntp     ntpd       1299  6  udp4   127.0.0.1:123         *:*
_ntp     ntpd       1299  8  udp4   192.168.1.6:52016     174.36.71.205:123
_ntp     ntpd       1299  9  udp4   192.168.1.6:12323     169.229.70.95:123

Does that look ok? The only thing that seems potentially problematic are the _ntp lines with external addresses.

Code: 
netstat -an | grep LISTEN
gives:
Code: 
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp46      0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.3306         *.*                    LISTEN
 
For mysql you can also use this:

Code: 
mysql_args="--skip-networking"

It'll only create a UNIX domain socket in /tmp with the above.
 
The _ntp lines are your ntpd server checking external ntpd servers to synchronize the time. You probably have some default NTP pool in ntpd.conf.
 
You must log in or register to reply here.
Back
Top