Linode Forum
Linode Community Forums
PostPosted: Sun Jul 21, 2013 1:19 am 
Offline
Senior Newbie

Joined: Sun Jul 21, 2013 12:53 am
Posts: 5
Hello,

I'm a new Linode customer. I just created a new Debian 7.0 node a few days ago, configured basic security, and installed some packages afterwards.

I'm just wondering about the open port list that I got from nmapping my Linode host from my own computer.
Code:
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
1720/tcp filtered H.323/Q.931
1900/tcp filtered upnp
3128/tcp filtered squid-http
4444/tcp filtered krb524
4899/tcp filtered radmin
9898/tcp filtered monkeycom


I have basic Linux skills, but nothing advanced.
How do I close these ports?
Are there any ports above that Linode might use internally, so that I should just leave them open?


PostPosted: Sun Jul 21, 2013 1:57 am 
Offline
Senior Member

Joined: Sun Apr 26, 2009 3:37 am
Posts: 72
Website: http://wiggenhorn.org/
It is possible that most of the ports you listed are filtered either by your ISP, Linode's ISP, or some network in between. For those, you would need to do nothing to close them. If you are, indeed, running a service that listens on one of the ports you've listed (and you're now bothered that you've chosen to do this), you could stop running that service or have it bind to a different port or interface.
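
What the reply above describes, as an added example that is not part of the original post: a shell function that sets an external nmap result beside the server's own listening sockets. The 135, 445 and 3128 scan lines come from this thread; the 22 and 25 lines, the `ss -ltn` output and the verdict names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: relate nmap port states seen from outside to what is
# actually listening on the server (output of `ss -ltn` run on the server).
# explain_ports NMAP_TEXT SS_TEXT  ->  "<port> <nmap state> <verdict>" per port
explain_ports() {
  printf '%s\n' "$1" | SS_TEXT="$2" awk '
    BEGIN {
      n = split(ENVIRON["SS_TEXT"], line, "\n")
      for (i = 1; i <= n; i++) {
        if (split(line[i], f, " ") < 4 || f[1] != "LISTEN") continue
        k = split(f[4], part, ":"); port = part[k]   # text after last colon
        addr = substr(f[4], 1, length(f[4]) - length(port) - 1)
        # Loopback-only listeners cannot be reached from the internet.
        if (addr !~ /^127\./ && addr != "::1" && addr != "[::1]") public[port] = 1
      }
    }
    $1 ~ /^[0-9]+\/tcp$/ {
      split($1, p, "/")
      if ($2 == "open")          v = "service-reachable"      # a service answered
      else if ($2 == "closed")   v = "nothing-reachable"      # host answered with a reset
      else if (p[1] in public)   v = "listener-behind-filter" # a filter drops the probe
      else                       v = "filtered-no-listener"   # nothing on the host to close
      print p[1], $2, v
    }'
}

# Scan as seen from outside (22 and 25 are constructed lines).
nmap_sample='PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   closed   smtp
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
3128/tcp filtered squid-http'

# Constructed `ss -ltn` output from the server itself.
ss_sample='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    *:22               *:*
LISTEN  0      100    127.0.0.1:25       *:*
LISTEN  0      128    *:3128             *:*'

explain_ports "$nmap_sample" "$ss_sample"
```

A `filtered-no-listener` port needs no action on the server; only `service-reachable` and `listener-behind-filter` rows correspond to something running that you could stop or rebind.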


PostPosted: Sun Jul 21, 2013 2:08 am 
Offline
Senior Member

Joined: Sun Apr 26, 2009 3:37 am
Posts: 72
Website: http://wiggenhorn.org/
I forgot to answer your last question. You do not need to leave any ports accessible. You can block them all or disable networking entirely (people do this by accident occasionally).


PostPosted: Sun Jul 21, 2013 9:10 am 
Offline
Senior Member
User avatar

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
I think by default the Linux firewall (called iptables) has everything open on new installs. If you knew how to use iptables, that would be how you close them.

Better yet, log in via Lish, set iptables to block everything by default, and allow what you know you need.

If you need help with this, let us know. iptables isn't very complicated, it just seems complicated to new users.

_________________
Kris the Piki Geeker
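
The "block everything by default, and allow what you know you need" approach from the post above, as an added example that is not part of the original post: a function that prints a default-deny ruleset in `iptables-restore` format. The function name and the choice of ports 22, 80 and 443 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: print a default-deny IPv4 ruleset for iptables-restore.
# Usage: build_ruleset SSH_PORT [OTHER_TCP_PORT ...]
# At least one port is required so that the SSH port is always allowed and
# loading the ruleset does not cut off your own session.
# IPv6 is not covered: ip6tables needs its own ruleset.
build_ruleset() {
  [ "$#" -ge 1 ] || { echo "usage: build_ruleset SSH_PORT [PORT ...]" >&2; return 2; }
  for port in "$@"; do
    case "$port" in
      ''|*[!0-9]*) echo "not a port number: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
      { echo "port out of range: $port" >&2; return 2; }
  done
  # Policy DROP on INPUT and FORWARD: anything not accepted below is dropped.
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
  # One accept rule per service you know you need.
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo COMMIT
}

# Constructed choice of ports: SSH on 22 plus a web server on 80 and 443.
build_ruleset 22 80 443
```

Pipe the output to `iptables-restore --test` to have it parsed without being committed, then load it from a Lish session so that a mistake in the SSH rule does not lock you out.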


PostPosted: Sun Jul 21, 2013 9:22 am 
Offline
Senior Newbie

Joined: Sun Jul 14, 2013 4:39 am
Posts: 18
Is Lish more secure than ssh? I was wondering because I'm interested in closing all possible ports. I have a new node and it seems that I'm already getting scanned.


PostPosted: Sun Jul 21, 2013 9:44 am 
Offline
Senior Member
User avatar

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
IceClimber wrote:
Is Lish more secure than ssh? I was wondering because I'm interested in closing all possible ports. I have a new node and it seems that I'm already getting scanned.


Would be better in a new topic. It is generally considered rude to hijack someone else's thread.

I can't speak for the browser client, but Lish itself can be accessed directly via ssh. Since ssh is just as secure as ssh, Lish via ssh should be just as secure as ssh'ing directly to your Linode.

The only real advantage to using Lish is that you save bandwidth on your Linode. Otherwise, you'd be better ssh'ing directly to your Linode. Lish provides a small viewing area for, e.g. command output or text editors (e.g. nano/vim/etc.) where ssh directly to your Linode lets you use your entire screen.

If you're concerned about leaving ssh open, change the port it's running on, disable root logins, and require the use of ssh keys.

_________________
Kris the Piki Geeker


Last edited by Piki on Sun Aug 04, 2013 1:42 pm, edited 1 time in total.

PostPosted: Sun Jul 21, 2013 9:49 am 
Offline
Senior Member

Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
IceClimber wrote:
Is Lish more secure than ssh? I was wondering because I'm interested in closing all possible ports.

There's no reason you can't keep both open. If there's ever a problem (such as you can't log into Linode) then you'd want an alternate form of access. You can always change the SSH port, limit who can log into SSH, restrict it to specific IPs, use public key authentication, etc, etc. I'm sure there are many on this forum who are more versed in this stuff than I am and who could point you to tutorials.
IceClimber wrote:
I have a new node and it seems that I'm already getting scanned.

Every IP address on the internet gets scanned. They scan blocks of IP addresses - sometimes randomly, other times it's because the IPs belong to a hosting company or a services company, etc.

Make sure you use a very strong password for any account that can access SSH. You can prevent root from logging into SSH, and even limit it to one user name (which can be as random or crazy as you'd like). Tight security is essential, but limiting your options to the point of potentially locking yourself out of your own server is not usually a good idea.
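
The SSH settings recommended in the two posts above (no root logins, keys instead of passwords, a restricted user list), as an added example that is not part of the original posts: a function that checks an `sshd_config` for them. Both sample configurations, the user names and the `ok`/`weak` output format are constructed for the illustration.

```shell
#!/bin/sh
# Added example. sshd takes the first value it reads for a keyword, keywords
# are case-insensitive, and lines after a "Match" line are conditional, so
# only the global section before the first Match is examined.
# audit_sshd_config CONFIG_TEXT  ->  one "ok ..." or "weak ..." line per check
audit_sshd_config() {
  printf '%s\n' "$1" | awk '
    function check(k, want) {
      if (val[k] == want) print "ok " k "=" want
      else print "weak " k "=" ((k in seen) ? val[k] : "unset")
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }              # stop at the first conditional block
    !(key in seen) { seen[key] = 1; val[key] = tolower($2) }
    END {
      check("permitrootlogin", "no")         # no direct root logins
      check("passwordauthentication", "no")  # public keys only
      if ("allowusers" in seen) print "ok allowusers=set"
      else print "weak allowusers=unset"     # any account may try to log in
    }'
}

# Constructed sample: root allowed, the password setting is only a comment,
# and the one inside the Match block applies to a single user.
weak_cfg='Port 22
PermitRootLogin yes
#PasswordAuthentication no
Match User deploy
    PasswordAuthentication no'

# Constructed sample: the second PasswordAuthentication line is ignored
# because the first value wins.
hard_cfg='Port 2222
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes
AllowUsers kx9admin'

audit_sshd_config "$weak_cfg"
audit_sshd_config "$hard_cfg"
```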


PostPosted: Tue Jul 23, 2013 12:34 am 
Offline
Senior Newbie

Joined: Sun Jul 21, 2013 12:53 am
Posts: 5
OK, thanks for the replies. I use iptables to close all the unneeded ports. If you search 'quick and dirty iptables', there's an iptables guide from another VPS provider that could be useful for a quick initial set of iptables rules.


PostPosted: Tue Jul 23, 2013 6:20 am 
Offline
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
deleted


Last edited by zunzun on Sun Aug 04, 2013 8:28 pm, edited 1 time in total.

PostPosted: Tue Jul 23, 2013 7:00 am 
Offline
Senior Member
User avatar

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
zunzun wrote:
Piki wrote:
It's rude to hijack someone else's thread.


You imply that he engaged in rude forum behavior without directly stating so - the mark of a forum coward.

Note that I implied that you are a coward without stating so directly - ha, ha, ha.

James


Except I didn't imply anything, therefore you didn't imply anything. It is obvious that the thread was hijacked, both by you and a newcomer, and I was simply stating politely something a newcomer may not know about the forum community.

It is only a coward that insults someone from behind the safety of his computer. It is also the mark of a coward to hijack an already hijacked forum thread to send his insults.

Note that I implied that you are a coward without directly saying so. And in this case, while I did send an insult your way, I also spoke truth -- something which, in today's society, is more courage than cowardice.

_________________
Kris the Piki Geeker


PostPosted: Tue Jul 23, 2013 7:26 am 
Offline
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
deleted

