# Minimizing open ports



## Lido (Dec 16, 2011)

I've got a new installation of 8.2 RELEASE and I want to keep it as secure as possible since I'm using it as a web server. In another thread I got the advice to run: 
	
	



```
# sockstat -46
```
 and 
	
	



```
# netstat -an | grep LISTEN
```

When I run those commands it looks like things are ok, except that there seems to be an open port for MySQL:

```
# netstat -an | grep LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp46      0      0 *.80                   *.*                    LISTEN
tcp46      0      0 *.3306                 *.*                    LISTEN
```
I did some searching for how to set up MySQL for local only and found some old posts on FreeBSD Diary. What is the current recommended way to make MySQL local only? There seems to be a way to add some parameters to rc.conf, but then there's also a file here that looks like some sort of config file:

```
/usr/local/etc/rc.d/mysql-server
```

when I run sockstat, I get a lot more output. SSH and port 80 are on the list but there's also sendmail (which should also be send-only) and ntpd that I don't see a reason to leave open to the outside world:


```
root     sendmail   1480  4  tcp4   127.0.0.1:25          *:*
www      httpd      1479  3  tcp4 6 *:80                  *:*
www      httpd      1479  4  tcp4   *:*                   *:*
www      httpd      1478  3  tcp4 6 *:80                  *:*
www      httpd      1478  4  tcp4   *:*                   *:*
www      httpd      1477  3  tcp4 6 *:80                  *:*
www      httpd      1477  4  tcp4   *:*                   *:*
www      httpd      1476  3  tcp4 6 *:80                  *:*
www      httpd      1476  4  tcp4   *:*                   *:*
www      httpd      1475  3  tcp4 6 *:80                  *:*
www      httpd      1475  4  tcp4   *:*                   *:*
root     sshd       1467  3  tcp6   *:22                  *:*
root     sshd       1467  4  tcp4   *:22                  *:*
root     httpd      1438  3  tcp4 6 *:80                  *:*
root     httpd      1438  4  tcp4   *:*                   *:*
mysql    mysqld     1417  10 tcp4 6 *:3306                *:*
root     ntpd       1259  20 udp4   *:123                 *:*
root     ntpd       1259  21 udp6   *:123                 *:*
root     ntpd       1259  22 udp6   fe80:6::1:123         *:*
root     ntpd       1259  23 udp6   ::1:123               *:*
root     ntpd       1259  24 udp4   127.0.0.1:123         *:*
root     ntpd       1259  26 udp4   192.168.1.6:123       *:*
root     syslogd    1035  6  udp6   *:514                 *:*
root     syslogd    1035  7  udp4   *:514                 *:*
```

Thanks.


----------



## vermaden (Dec 16, 2011)

Use 
	
	



```
syslogd_flags="-s -s"
```
 in /etc/rc.conf to make syslogd stop listening at *514* port (requires syslogd restart).

Configure ntpd to listen only on interfaces you need.

Configure MySQL to listen on localhost or only on 'internal network'.


----------



## anomie (Dec 16, 2011)

vermaden said:
			
		

> Configure ntpd to listen only on interfaces You need.



Not possible, mate. The ntpd(8) daemon (obnoxiously) gloms onto every interface and IPv4 / IPv6 address it can get its greedy hands on. 

(I agree with your MySQL and syslogd(8) advice, BTW.)


----------



## SirDice (Dec 16, 2011)

anomie said:
			
		

> Not possible, mate. The ntpd(8) daemon (obnoxiously) gloms onto every interface and IPv4 / IPv6 address it can get its greedy hands on.


Correct. net/openntpd however does allow it.


----------



## anomie (Dec 16, 2011)

So I hear. I really need to get around to deploying and testing that one.


----------



## DutchDaemon (Dec 17, 2011)

Been using openntpd for a couple of years for this reason (binding to specific interface). Entirely trouble-free, as server and as client.


----------



## gkontos (Dec 17, 2011)

For mysql-server you will have to edit my.cnf and add:


```
bind-address = 127.0.0.1
```

Regards


----------



## Lido (Dec 17, 2011)

Ok, thanks. I couldn't find a way to remove ntp, but I installed openntp and put this into /usr/local/etc/ntpd.conf:
	
	



```
listen on 127.0.0.1
```
Then I added the following to rc.conf:
	
	



```
openntpd_enable="YES"
syslogd_flags="-s -s"
mysql_args="--bind-address=127.0.0.1"
```

Now, sockstat -46 gives:
	
	



```
www      httpd      1593  3  tcp4 6 *:80                  *:*
www      httpd      1593  4  tcp4   *:*                   *:*
www      httpd      1592  3  tcp4 6 *:80                  *:*
www      httpd      1592  4  tcp4   *:*                   *:*
www      httpd      1591  3  tcp4 6 *:80                  *:*
www      httpd      1591  4  tcp4   *:*                   *:*
www      httpd      1590  3  tcp4 6 *:80                  *:*
www      httpd      1590  4  tcp4   *:*                   *:*
www      httpd      1589  3  tcp4 6 *:80                  *:*
www      httpd      1589  4  tcp4   *:*                   *:*
root     sendmail   1498  4  tcp4   127.0.0.1:25          *:*
root     sshd       1490  3  tcp6   *:22                  *:*
root     sshd       1490  4  tcp4   *:22                  *:*
root     httpd      1461  3  tcp4 6 *:80                  *:*
root     httpd      1461  4  tcp4   *:*                   *:*
mysql    mysqld     1440  10 tcp4   127.0.0.1:3306        *:*
_ntp     ntpd       1299  4  udp4   192.168.1.6:30819     184.105.182.7:123
_ntp     ntpd       1299  6  udp4   127.0.0.1:123         *:*
_ntp     ntpd       1299  8  udp4   192.168.1.6:52016     174.36.71.205:123
_ntp     ntpd       1299  9  udp4   192.168.1.6:12323     169.229.70.95:123
```

Does that look ok? The only thing that seems potentially problematic are the _ntp lines with external addresses.


```
netstat -an | grep LISTEN
```
 gives:
	
	



```
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp46      0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.3306         *.*                    LISTEN
```


----------



## aragon (Dec 17, 2011)

For mysql you can also use this:


```
mysql_args="--skip-networking"
```

It'll only create a UNIX domain socket in /tmp with the above.


----------



## DutchDaemon (Dec 17, 2011)

The _ntp lines are your ntpd server checking external ntpd servers to synchronize the time. You probably have some default NTP pool in ntpd.conf.


----------

