- This topic has 17 replies, 6 voices, and was last updated Apr 3-1:25 pm by xm4n.
-
Posts
-
xm4n
Hi,
I was running a port scan check on a fresh install of Antix 19.2 and noticed that port 22 seems to be open and listening. The box Antix 19.2 is installed on is not a server and I am using this as a regular desktop. Isn’t dangerous to keep port 22 open on a fresh install of Antix 19.2?e.g.:
$ netstat -tulpn results in:
(trunc)…
…
2158/connmand
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTENand
$ ss -tulwn | grep LISTEN results in:
(trunc)…
….
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*I did this:
$ sudo ufw deny 22
Rule added
Rule added (v6)
$
and also went to the gufw and setup deny rule for tcp port 22.
However I then ran the above cli commands and still see that port 22 is open.
Is there something I am missing? & Is it me, or is it not a good idea to have port 22 open listening when using this OS as a regular desktop only?
anticapitalista
Not here.
According to https://portchecker.co/
antiX-19.2 running live has port 22 closed.
antiX-19.2 installed and ufw enabled has port 22 closed.Can anyone else confirm if port 22 is open on antiX-19.2 by default.
Thanks.
- This reply was modified 3 years, 1 month ago by anticapitalista. Reason: more checks made
Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
Ok, I did a fresh install once again of Antix 19.2
and I see that port again open using cli. Although https://portchecker.co indicates it is closed, the cli is giving me a diff story:$ netstat -tulpn
(truc)..
….
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:39157 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN –
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN&
$ ss -tulwn | grep LISTEN
(truc)..
….
tcp LISTEN 0 10 127.0.0.1%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:39157 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22As you can see from the above 2 commands, netstat & ss, they both show port 22 open and listening. I usually go by what the command line provides me.
Just for giggles, I went to https://www.canyouseeme.org/ and entered in port 22 and it did say that it can’t see my service on port 22, which is fine, but
from an Admin perspective, this is giving me the nerves, especially if I do a majority of my work on command line. Thoughts?Oh and btw, this is from a freshest install with no configuring of ufw or any other firewall utility.
I mean straight from the bat, fresh install.anticapitalista
I cannot reproduce it.
Let’s see if anyone can.
Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
Dave
On live default cheat codes the ssh service is not started. Therefore the netstat output does not show as ssh server listening. However it is indeed the case that the ssh server is started with a fresh installed system. Thus the netstat output shows ssh as listening on all address on port 22.
Iirc you have the option to choose this when installing through the installers. However I do agree that the service likely should default to off or listen to the local ip 127.0.0.1 only. This can be changed in /etc/ssh/sshd.conf. Or the package openssh-server could be removed though I think that the remote assistance programs needs it?
Computers are like air conditioners. They work fine until you start opening Windows. ~Author Unknown
SamK
…the package openssh-server could be removed though I think that the remote assistance programs needs it?
That would completely disable SSH-Conduit. It would also disable a major part of x11vnc which is installed as a dependency of 1-to-1-Assistance and as a standalone app in the antiX menu. Additionally ssvnc (the standalone partner app of x11vnc) also a dep of 1-to-1 will break.
@SamK,
Ok then how do you suppose for default fresh installations, would port 22 be blocked or turned off by default since it may present a security risk for desktop users as best practices?
dolphin_oracle
I haven’t check the port status, but on default MX installations we don’t install openssh-server, which probably keeps the port closed.
not having openssh-server does not prevent a user from using ssh to “ssh” to another system. It only disables server side function, not client side.
ssh-conduit-antix will bring in openssh-server if its not installed. since ssh-conduit-antix isn’t installed by default, I don’t see a big issue there.
Hi @Dolphin_Oracle,
(loved your antix linux video btw…:) )Checked on fresh install the following:
$ find / -iname openssh-server
/usr/share/doc/openssh-server
/etc/ufw/applications.d/openssh-server
$hmmmm,
Ok, so I did the following:
$ssh localhost
The authenticity of host ‘localhost (::1)’ can’t be established.
ECDSA key fingerprint is SHA256:–deleted for sec purposes—-
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
stealth@localhost’s password:
$Seems openssh server is installed on this fresh install.
Used nmap to be sure:
$ nmap -sV localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-02 15:14 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Other addresses for localhost (not scanned): ::1 127.0.0.1 127.0.0.1 127.0.0.1
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
$🙁
BTW, I do not have any SSH Conduit, 1-to-1 Asst, x11VNC, etc. installed at all.
Thoughts?
anticapitalista
apt purge openssh-serverPhilosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
Cool,
Thanks @anticapitalistaWell, I suppose for every fresh install, I’ll just have to manually remove open ssh-server.
But, I was just, you know, as far as Best security practices is concerned, wanted to show awareness to make sure that port 22 is not open.
Thanks for the input guys.I think I’m good now.
ModdIt
@xm4n
Thanks for bringing this up, ssh server was installed on both my own and kids machines including some very recent standard installations.
tcp port 22 open. Did not expect that, anyway it is fixed now.
Purged open-ssh server as suggested and message to users to do same.
SSH Conduit, 1-to-1 Asst, x11VNC never installed so not pulled in by those.- This reply was modified 3 years, 1 month ago by ModdIt. Reason: Clarify addition
anticapitalista
The installer also gives users the option to disable ssh and this keeps port 22 closed.
nmap -sV localhost Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-03 16:19 EEST Nmap scan report for localhost (127.0.0.1) Host is up (0.00019s latency). Other addresses for localhost (not scanned): 127.0.0.1 127.0.0.1 127.0.0.1 ::1 All 1000 scanned ports on localhost (127.0.0.1) are closed Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 0.61 secondsI have ssh disabled (I always do this during installation and I also have openssh-server installed.
apt install openssh-server Reading package lists... Done Building dependency tree Reading state information... Done openssh-server is already the newest version (1:7.9p1-10+deb10u2). 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
@moddit & @anticapitalista,
Thank you guys, much appreciated.
Oh btw, where in the installation of the Full antix 19.2 installer where would I see the option to disable port 22/openssh server?
- You must be logged in to reply to this topic.
