Updated 27 July 2021
When deploying a server that faces the Internet with a public IP address, one needs to verify that only those services that are intended to be accessible by the world at large are indeed accessible. Two tools give you visibility into what is exposed to the outside world: netstat(8) and nmap(1).
When you find a port that is open to the world that shouldn't be, you will need to look at the service that is opening the port, and pay particular attention to what interfaces that service binds the port to. (Ending with a preposition — Ed) The first place to look is in the configuration file for that service. Many common services, like BIND9, Dovecot, and SSH, use "Listen" directives, or something like them. Postfix uses a different scheme: the IP address of the interface to which you want to bind the port is prefixed to the service name, separated by a colon.
For some services, though, you will need to look into the systemd unit files (the .service and/or .socket files). The systemd.unit(5) and systemd.socket(5) man pages describe how to bind a service to a single interface.
netstat(8): Run this command as root on the server to be examined. The command lists the ports available to the outside world. Run it twice, once for TCP ports and once for UDP ports.
```
# netstat -tap | grep LISTEN | egrep '(smtp\.example\.com)|(0:[^*])'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 787/sshd: /usr/sbin
tcp 0 0 0.0.0.0:smtp 0.0.0.0:* LISTEN 1154/master
tcp 0 0 smtp.example.com:https 0.0.0.0:* LISTEN 739/openvpn
```

(The title line is not output, since grep LISTEN drops it, but is shown here to describe the fields in this discussion. Also, unnecessary spaces have been removed so the text fits a cell phone screen.)
0.0.0.0 in the Local Address field indicates that the service is using a "wild card" binding; that is, binding on all interfaces. Stop the firewall with `systemctl stop ufw` and rerun the command. Identical output says that the configuration of the services is correct. (Don't forget to turn the firewall back on with `systemctl start ufw`.)
```
# netstat -uap | egrep '(smtp\.example\.com)|(0:[^*])'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
```

When there is no output, as in this example, it means that the server is not exposing any UDP services. With very few exceptions, UDP services should never be exposed on the public-facing interface: these services can easily be abused to effect a distributed denial of service attack against others, using the server's upstream bandwidth.
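The two netstat runs above can be read mechanically. The following added example (my own, not from the article) classifies every listening socket in netstat -tap / -uap output as WILDCARD, LOCAL, or BOUND, handles the empty State column on UDP lines that shifts the program field, and also catches the IPv6 wildcard "::" that the article's egrep pattern does not. The sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit netstat output for wildcard binds (IPv4 0.0.0.0 and IPv6 ::).

# Constructed sample of `netstat -tap` output, spacing collapsed as in the article.
SAMPLE_TCP='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 787/sshd: /usr/sbin
tcp 0 0 0.0.0.0:smtp 0.0.0.0:* LISTEN 1154/master
tcp 0 0 smtp.example.com:https 0.0.0.0:* LISTEN 739/openvpn
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN 612/named
tcp 0 0 smtp.example.com:imap 10.0.0.5:52110 ESTABLISHED 980/dovecot
tcp6 0 0 :::http :::* LISTEN 901/apache2'

# Constructed `netstat -uap` sample: UDP lines have an empty State column,
# so the PID/Program name is one field further left than on TCP lines.
SAMPLE_UDP='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:bootpc 0.0.0.0:* 845/dhclient
udp 0 0 localhost:domain 0.0.0.0:* 612/named'

# audit_listeners: stdin = netstat output; stdout = "<verdict> <proto> <local> <program>"
# verdict: WILDCARD (all interfaces), LOCAL (loopback only), BOUND (one explicit address)
audit_listeners() {
  awk '
    $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }        # header line or junk
    $1 ~ /^tcp/ && $6 != "LISTEN"  { next }        # established/closing sockets
    {
      local = $4
      pstart = ($1 ~ /^tcp/) ? 7 : 6               # no State field on udp lines
      prog = $pstart
      for (i = pstart + 1; i <= NF; i++) prog = prog " " $i
      addr = local
      sub(/:[^:]*$/, "", addr)                     # strip ":port"; ":::http" -> "::"
      if (addr == "0.0.0.0" || addr == "::")
        verdict = "WILDCARD"
      else if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost" || addr == "ip6-localhost")
        verdict = "LOCAL"
      else
        verdict = "BOUND"
      print verdict, $1, local, prog
    }'
}

# count_verdict VERDICT: how many sockets in both samples got that verdict
count_verdict() {
  printf '%s\n' "$SAMPLE_TCP" "$SAMPLE_UDP" | audit_listeners | grep -c "^$1 "
}

printf '%s\n' "$SAMPLE_TCP" "$SAMPLE_UDP" | audit_listeners
```

On a live host, replace the samples with `netstat -tap` and `netstat -uap` piped straight into audit_listeners; every WILDCARD line is a service whose configuration deserves the "Listen" check described above.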
nmap(1): Run this command as root on another computer. The command lists the ports available to the outside world. Run it twice, once for TCP ports and once for UDP ports.
```
# nmap -sS smtp.example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-15 14:45 PDT
Nmap scan report for smtp.example.com (93.184.216.34)
Host is up (0.0015s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds
```

The server being examined is running OpenVPN (see above) on port 443/tcp. The nmap program doesn't know that, and so it declares it as https, the service name its table associates with that port number.
```
# nmap -sU smtp.example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-15 15:04 PDT
Nmap scan report for smtp.example.com (76.209.1.165)
Host is up (0.0012s latency).
All 1000 scanned ports on smtp.example.com (93.184.216.34) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.35 seconds
```

The result above shows that there are no UDP ports open. (A state of open|filtered means nmap received no reply at all, so on its own it cannot tell an open port from a filtered one; here it is the netstat -uap run above, which listed no UDP listeners, that settles the question.)
That's how a server builder can run an initial pen test on a new or updated server. This is a low-cost alternative to having a pen tester service try to break in using unexpected public ports. Using a pen tester service is still recommended just before a server is put into production, in case there are other flaws (like zero-day exploits) that would provide an entry point to ne'er-do-wells.
Comments, suggestions, and error reports are welcome. Send them to: spamfilter (at) satchell (dot) net
© 2021 Stephen Satchell, Reno NV