Ubuntu 20.04 LTS Server Edition
Checking the Server For Unwanted Inbound Paths

Updated 27 July 2021

When deploying a server that faces the Internet with a public IP address, one needs to verify that only those services that are intended to be accessible by the world at large are indeed accessible. Two tools give you visibility to what is exposed to the outside world: netstat(8) and nmap(1) .

When you find a port that is open to the world that shouldn't be, you will need to look at the service that is opening the port, and pay particular attention to what interfaces that service binds the port to. (Ending with a preposition — Ed) The first place to look is in the configuration file for that service. Many common services, like BIND9, DOVECOT, and SSH use "Listen" directives, or something like them. Postfix uses a different scheme: the IP address of the interface you to which you want to bind the port is prefixed to the service name, separated by a colon.

For some services, though, you will need to look into the systemd files: suffix unit and/or socket. The man files describe how to bind a service to a single interface.

netstat(8): Run this command as root on the server to be examined. The command lists the ports available to the outside world. Run it twice, once for TCP ports and once for UDP ports.

• netstat -tap | grep LISTEN | egrep '(smtp\.)|(0:[^*])'
  The output from this command shows all TCP-based services that are accessible from the Internet via the interface with the public IP address.

  # netstat -tap | grep LISTEN | egrep '(smtp\.example\.com)|(0:[^*])'
  Proto Recv-Q Send-Q Local Address           Foreign Address State  PID/Program name    
  tcp        0      0 0.0.0.0:ssh             0.0.0.0:*       LISTEN 787/sshd: /usr/sbin 
  tcp        0      0 0.0.0.0:smtp            0.0.0.0:*       LISTEN 1154/master         
  tcp        0      0 smtp.example.com:https  0.0.0.0:*       LISTEN 739/openvpn
  #        
    

  (The title line is not output, but is shown here to describe the fields in this discussion. Also, unnecessary spaces have been removed so the text fits a cell phone screen.)
  
  This example output comes from a mail server, properly set up with a firewall to block other ports on the public interface. You can run this command with UFW disabled to see if you have configured all the services properly — that is, only those services that need to bind to the public ports are actually binding to the public port.
  
  NOTE: 0.0.0.0 in the Local Address field indicates that the service is using a "wild card" binding; that is, binding on all interfaces.
  
  Turn off the firewall — systemctl stop ufw — and rerun the command. Identical output says that the configuration of the services is correct. (Don't forget to turn the firewall systemctl start ufw back on.)
• netstat -uap | egrep '(smtp\.example\.com)|(0:[^*])'
  The output from this command shows all UDP-based services that are accessible from the Internet via the interface with the public IP address.

  # netstat -uap | egrep '(smtp\.example\.com)|(0:[^*])'
  Proto Recv-Q Send-Q Local Address           Foreign Address State  PID/Program name    
  #  
    

  When there is no output, as in this example, it means that the server is not exposing any UDP services. With a very few exceptions, UDP services should never be exposed to the public-facing interface — these service can easily be abused to effect a distributed denial of service attack against others, using the server upstream's bandwidth.

nmap(8): Run this command as root on another computer. The command lists the ports available to the outside world. Run it twice, once for TCP ports and once for UDP ports.

• nmap -sS smtp.example.com
  Run this command to verify that there are no "surprise" open TCP ports.

  Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-15 14:45 PDT
  Nmap scan report for smtp.example.com (93.184.216.34)
  Host is up (0.0015s latency).
  Not shown: 997 filtered ports
  PORT    STATE SERVICE
  22/tcp  open  ssh
  25/tcp  open  smtp
  443/tcp open  https
  
  Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds
    

  The server being examed is running OpenVPN (see above) on port 443/tcp. The nmap program doesn't know that, and so it declares it as https.
• nmap -sS smtp.example.com
  Run this command to verify that there are no "surprise" open UTP ports.

  root@game:/home/satch# nmap -sU smtp.example.com
  Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-15 15:04 PDT
  Nmap scan report for smtp.example.com (76.209.1.165)
  Host is up (0.0012s latency).
  All 1000 scanned ports on smtp.example.com (93.184.216.34) are open|filtered
  
  Nmap done: 1 IP address (1 host up) scanned in 21.35 seconds
    

  The result above shows that there are no UDP ports open.

That's how a server builder can run an initial pen test on a new or updated server. This is a low-cost alternative to having a pen tester service try to break in using unexpected public ports. Using a pen tester service is still recommended just before a server is put into production, in case there are other flaws (like zero-day exploits) that would provide an entry point to ne'er-do-wells.

Comments, suggestions, and error reports are welcome.
Send them to: spamfilter (at) satchell (dot) net)
© 2021 Stephen Satchell, Reno NV