OpenBSD has open ports in default installation

I have been considering replacing Ubuntu with OpenBSD to improve the security on my local server. I need to have ssh access to it, and I also need it to serve static web content - so the only ports I need open are 22 and 80.

However, when I scan my server for open ports after installing OpenBSD 4.8 and enabling ssh and http in /etc/rc.conf

httpd_flags=""
sshd_flags=""

I discovered that it had several other open ports:

Port Scan has started…

Port Scanning host: 192.168.56.102

     Open TCP Port:     13          daytime
     Open TCP Port:     22          ssh
     Open TCP Port:     37          time
     Open TCP Port:     80          http
     Open TCP Port:     113         ident

ssh (22) and http (80) should be open as I enabled httpd and sshd, but why are the other ports open, and should I worry about them creating additional security vulnerabilities? Should they be open in a default installation?


Solution 1:

Daytime and Time are what I would consider "legacy" protocols. My guess is they are included in the default configuration for traditional UNIX-style completeness. They are started by inetd, and unless you need these services (you probably don't if you have to ask) you can disable them by commenting out the relevant lines in your /etc/inetd.conf (see man page).

#ident           stream  tcp     nowait  _identd /usr/libexec/identd     identd -el
#ident           stream  tcp6    nowait  _identd /usr/libexec/identd     identd -el
#daytime        stream  tcp     nowait  root    internal
#daytime        stream  tcp6    nowait  root    internal
#time           stream  tcp     nowait  root    internal
#time           stream  tcp6    nowait  root    internal

kill -HUP `cat /var/run/inetd.pid`
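As an added example (not part of the question or either answer), two small POSIX sh helpers for the audit described above: one lists which inetd.conf entries are still enabled, the other compares a port-scan listing against the ports you intend to expose. Both inputs are constructed sample data embedded in the script so it runs offline; on a real host you would feed it /etc/inetd.conf and your own scan output instead.

```shell
#!/bin/sh
# Constructed inetd.conf excerpt: ident already commented out, daytime/time still on.
# Field layout: service socket-type proto wait/nowait user program [args]
SAMPLE_INETD_CONF='#ident           stream  tcp     nowait  _identd /usr/libexec/identd     identd -el
daytime        stream  tcp     nowait  root    internal
daytime        stream  tcp6    nowait  root    internal
time           stream  tcp     nowait  root    internal
#time           stream  tcp6    nowait  root    internal'

# Constructed scan output in the same shape as the listing in the question.
SAMPLE_SCAN='     Open TCP Port:     13          daytime
     Open TCP Port:     22          ssh
     Open TCP Port:     37          time
     Open TCP Port:     80          http
     Open TCP Port:     113         ident'

# Print "service/proto" for every inetd.conf line that is neither a comment nor blank.
# Anything printed here is a service inetd will still start after a HUP.
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 5 { print $1 "/" $3 }'
}

# Print every open TCP port from the scan that is not in the space-separated allowlist.
# $4 is the port number in lines of the form "Open TCP Port:     13          daytime".
unexpected_open_ports() {
    scan=$1
    allow=$2
    printf '%s\n' "$scan" | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Open TCP Port:/ { if (!($4 in ok)) print $4 }'
}

echo "inetd services still enabled:"
enabled_inetd_services "$SAMPLE_INETD_CONF"
echo "open ports not in allowlist (22 80):"
unexpected_open_ports "$SAMPLE_SCAN" "22 80"
```

With the sample data the first helper reports daytime/tcp, daytime/tcp6 and time/tcp, and the second reports 13, 37 and 113, which is exactly the set the answer above tells you to comment out.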

Solution 2:

Given that pf is enabled by default, you can make your pf.conf use the default deny method. Assuming your interface is fxp0, this is a good starting rule set.

# no filtering on the loopback interface
set skip on lo0

# default deny: drop everything in and out on fxp0 unless a later rule passes it
block in  on fxp0
block out on fxp0

# allow outbound traffic from the host, with state so replies come back in
pass out on fxp0 proto { tcp, udp, icmp } from any to any modulate state

# only ssh and http are reachable from outside; (fxp0) expands to the interface's address
pass in on fxp0 proto tcp from any to (fxp0) port { 22, 80 }