Web Hosting Forums

This is a discussion on Question About Ports in the Hosting Talk & Chit-chat forum

  1. #1
    Loyal Client
    Join Date
    Feb 2007
    Posts
    5

    Question About Ports

    Well! I have just lost another customer due to me having to contact support to open a port on a linux box.

    I understand closing ports on an IIS server, but can someone explain to me why you have to have all ports closed on a Linux box?

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    5,884
    For the same reasons as closing them on Windows machines: any open port is basically a welcome mat for attackers. Blocking the ones that aren't necessary lessens the potential for attack. Attacks against Linux are less common than their Windows counterparts, but with the increasing popularity of Linux you can bet that it's only a matter of time...

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  3. #3
    Loyal Client
    Join Date
    Feb 2007
    Posts
    5
    Now how did I know you were going to say that?

    If you have a properly patched box, I don't care if it is Linux or Windows, you don't need to block every port.

  4. #4
    R45
    Loyal Client R45's Avatar
    Join Date
    Mar 2002
    Location
    Trinidad and Tobago
    Posts
    72
    Quote Originally Posted by Lighty:
    If you have a properly patched box, I don't care if it is Linux or Windows, you don't need to block every port.
    True in a sense. Open ports aren't exactly "free doors to a server". A firewall blocks communication outright on the rules it sets up; without a firewall the server will at least respond to requests, but it isn't a gateway. Open ports can be exploited if, for example, there was a buffer overflow vulnerability in your OS's TCP/UDP implementation, but on the other hand having a single open port (webserver for example) would mean that exploit could be used on any of those existing ones. Also take into account accidental daemons: if, for example, you mistakenly installed a telnet server, it would be a moot point if the telnet port is restricted by the firewall.

    For an effective firewall setup, the ports that are open should be bound to an application/daemon so the firewall's rules know when to allow traffic and when not to. Blindly opening port 80/25/etc. is about the same as not running a firewall at all.

    If you have a VPS, you can manage the firewall yourself though, which I think would settle your concerns.
    Adam Alkins
    [website]
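An added example, not code from R45's post or from anyone in this thread: the point above is that every ACCEPT rule should correspond to a daemon you meant to expose, and that an accidental daemon (the telnet server) should have no rule at all. The Python below checks exactly that drift. It parses a constructed `ss -tlnp` listing (sample data, not captured from a real host) and compares it against a hypothetical allowlist `ALLOWED` of port-to-daemon bindings, reporting daemons listening with no rule, rules whose port is now owned by a different process, and rules with nothing behind them.

```python
"""Audit listening daemons against a firewall allowlist.

Added example (not code from this thread): compares the sockets a box is
actually listening on with the ports the firewall ACCEPTs, so that every
open port stays tied to the daemon it was opened for.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=1301,fd=4))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("exim",pid=1420,fd=6))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=2210,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1500,fd=10))
LISTEN  0       128     0.0.0.0:110          0.0.0.0:*          users:(("nc",pid=3301,fd=3))
"""

# Hypothetical firewall allowlist: port -> daemon the ACCEPT rule exists for.
ALLOWED = {22: "sshd", 25: "exim", 80: "httpd", 110: "dovecot", 443: "httpd"}

LOOPBACK = {"127.0.0.1", "::1"}

# One LISTEN line: state, queues, local addr:port, peer, then the process name.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


def parse_ss(output):
    """Extract (address, port, process) from each LISTEN line of `ss -tlnp`."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return listeners


def audit(listeners, allowed):
    """Return the three kinds of drift between listeners and firewall rules."""
    # Loopback-only sockets never cross the firewall; ignore them.
    exposed = {l.port: l for l in listeners if l.addr not in LOOPBACK}
    return {
        # Daemon listening with no ACCEPT rule: harmless only under default-deny.
        "unexpected": sorted((p, l.proc) for p, l in exposed.items()
                             if p not in allowed),
        # ACCEPT rule exists, but a different process owns the port now.
        "mismatched": sorted((p, allowed[p], l.proc) for p, l in exposed.items()
                             if p in allowed and l.proc != allowed[p]),
        # ACCEPT rule with nothing behind it: a hole that serves no daemon.
        "idle_rules": sorted(p for p in allowed if p not in exposed),
    }


if __name__ == "__main__":
    report = audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED)
    for port, proc in report["unexpected"]:
        print(f"port {port}: {proc} listening with no firewall rule")
    for port, expected, actual in report["mismatched"]:
        print(f"port {port}: rule is for {expected}, but {actual} is bound to it")
    for port in report["idle_rules"]:
        print(f"port {port}: firewall rule open but nothing listening")
```

On the sample data the audit flags the telnet daemon on 23 (no rule, so it is only blocked if the policy is default-deny), port 110 where the rule was written for dovecot but something else is now bound, and the idle rule for 443. Run against a live host by piping `ss -tlnp` into `parse_ss` and replacing `ALLOWED` with the ports your firewall actually accepts.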

  5. #5
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    5,884
    Personally, I never trust that any of my systems are secure, even if they are "properly patched," not with the number of zero-day exploits in the wild. In an environment where users can install their own software (such as on a shared hosting server) you can never trust that a system is properly patched unless you constantly check every user-installed script, and no host has the time to do that. Therefore the next best thing is to lock down the server as much as possible with a firewall, and that means closing unused ports.

    I'm sorry, call me a paranoid sys admin, but I never trust any computer, at least not 100%.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  6. #6
    Loyal Client
    Join Date
    Feb 2007
    Posts
    5
    I understand the concerns for IIS; again, I am on a Linux server. It appears to me that jaguarpc is over-paranoid.

    Take a look around Google and see how many exploits there were for Linux, and how long ago.

  7. #7
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,661
    Quote Originally Posted by Lighty:
    Well! I have just lost another customer due to me having to contact support to open a port on a linux box...
    I'm calling B.S. on this...

    Proof?!?!?!
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL 2010

  8. #8
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,661
    Here's my proof...

    Quote Originally Posted by Lighty:
    Take a look around Google and see how many exploits there were for Linux, and how long ago.

  9. #9
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,570
    Why would you leave ports open on the off chance that someone legitimate might need them, when you know the chances of something bad coming in are much higher? New exploits are found and tried regularly, even for Linux.

    Why can't your customer wait for a port to be opened up for him? I can't imagine anything that pressing. I think every now and then you'll simply lose a customer through no fault of yours or Jag's. That's just the way it is, I'm afraid.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  10. #10
    Loyal Client the_ancient's Avatar
    Join Date
    Feb 2004
    Posts
    3,474
    Quote Originally Posted by Gwaihir:
    Why would you leave ports open on the off chance that someone legitimate might need them, when you know the chances of something bad coming in are much higher? New exploits are found and tried regularly, even for Linux.

    Why can't your customer wait for a port to be opened up for him? I can't imagine anything that pressing. I think every now and then you'll simply lose a customer through no fault of yours or Jag's. That's just the way it is, I'm afraid.
    You can please all people some of the time, some people all of the time, but never all people all the time
    -------------------------
    the_ancient
    MP Technology Group

  11. #11
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    5,884
    Quote Originally Posted by Lighty:
    Take a look around Google and see how many exploits there were for Linux, and how long ago.
    When I log into my CentOS box I am often greeted by a little blinking red exclamation point in my menu bar, telling me that there are patches that I need to look at. Granted, some of them are just functional upgrades to the software I have installed, but quite often there are upgrades that are purely there to improve security of a specific component of my system. True, they may not be exploits against Linux (the kernel), but any vulnerable piece of software running on a system is a weakness for the entire system.

    The SANS @RISK newsletter I received on Monday listed four Linux vulnerabilities; that's about the norm:

    * 07.6.16 - Gentoo Linux Acme Thttpd File Access Information Disclosure
    * 07.6.17 - Linux Kernel Dev_Queue_XMIT Local Denial of Service
    * 07.6.18 - Linux Kernel ListXATTR Local Denial of Service
    * 07.6.19 - smb4K Multiple Vulnerabilities

    There were also a couple dozen web application exploits; they are the Achilles' heel of a shared web server.

    The last time I needed a port opened on my server (so that a script I'm running could do whois lookups) I opened a ticket and had it resolved in 7 minutes and 26 seconds. If a client can't wait that long to have a port opened then they are probably going to be a problem client for as long as they're with you. It's probably best that they're gone.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  12. #12
    Loyal Client
    Join Date
    Jan 2004
    Location
    I'm right behind you....
    Posts
    387
    I'd like to see a host that doesn't keep all ports closed. Too bad that such hosts don't exist, because they've all been hacked into oblivion.

  13. #13
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,237
    Galen, of course you mean except 80, 25, 110 and a bunch of others, right....

  14. #14
    Loyal Client
    Join Date
    Feb 2007
    Posts
    5
    WOW!

    [Personal attacks removed.
    Keep it civil please.]
    Last edited by Ron; 02-07-2007 at 06:29 PM.

  15. #15
    Loyal Client
    Join Date
    Feb 2007
    Posts
    5
    Did you actually look at the risk, please know what you are talking about!


    Quote Originally Posted by jason:
    In the SANS @RISK newsletter I received on Monday listed four Linux vulnerabilities, that's about the norm:

    * 07.6.16 - Gentoo Linux Acme Thttpd File Access Information Disclosure
    * 07.6.17 - Linux Kernel Dev_Queue_XMIT Local Denial of Service
    * 07.6.18 - Linux Kernel ListXATTR Local Denial of Service
    * 07.6.19 - smb4K Multiple Vulnerabilities
