OpenBSD has open ports in default installation
I have been considering replacing Ubuntu with OpenBSD to improve the security on my local server. I need to have ssh access to it, and I also need it to serve static web content - so the only ports I need open are 22 and 80.
However, when I scan my server for open ports after installing OpenBSD 4.8, and enabling ssh and http at /etc/rc.conf
httpd_flags=""
sshd_flags=""
I discovered that it had several other open ports:
Port Scan has started…
Port Scanning host: 192.168.56.102
Open TCP Port: 13 daytime
Open TCP Port: 22 ssh
Open TCP Port: 37 time
Open TCP Port: 80 http
Open TCP Port: 113 ident
ssh (22) and http (80) should be open as I enabled httpd and sshd, but why are the other ports open, and should I worry about them creating additional security vulnerabilities? Should they be open in a default installation?
Solution 1:
Daytime and Time and what I would consider "legacy" protocols. My guess is they are included in the default configuration for traditional UNIX-style completeness. They are started by inetd, and unless you need these services (you probably don't if you have to ask) you can disable them by commenting out the relevant lines in your /etc/inetd.conf (see man page).
#ident stream tcp nowait _identd /usr/libexec/identd identd -el
#ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
#daytime stream tcp nowait root internal
#daytime stream tcp6 nowait root internal
#time stream tcp nowait root internal
#time stream tcp6 nowait root internal
kill -HUP `cat /var/run/inetd.pid`
Solution 2:
Given that pf is enabled by default you can make your pf.conf use the default deny method. Assume your interface is fxp0, this is a good starting rule set.
set skip on lo0
block in fxp0
block out fxp0
pass out on fxp0 proto { tcp, udp, icmp } from any to any modulate state
pass in on fxp0 proto tcp from any to (fxp0) {22 80}