I realized something strange, or something I just do not understand. I noticed in my journal that someone was trying to auth to mysql. I did an nmap -T4 scan of my server and can see that mysql is open. A Firewalld read says these things are not open by default, and I didn't open it myself.
```
PORT      STATE    SERVICE
17/tcp    filtered qotd
19/tcp    filtered chargen
22/tcp    open     ssh
25/tcp    filtered smtp
70/tcp    filtered gopher
80/tcp    open     http
82/tcp    filtered xfer
139/tcp   filtered netbios-ssn
143/tcp   open     imap
366/tcp   filtered odmr
389/tcp   filtered ldap
407/tcp   filtered timbuktu
416/tcp   filtered silverplatter
427/tcp   filtered svrloc
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
512/tcp   filtered exec
543/tcp   filtered klogin
587/tcp   open     submission
631/tcp   filtered ipp
648/tcp   filtered rrp
668/tcp   filtered mecomm
726/tcp   filtered unknown
749/tcp   filtered kerberos-adm
912/tcp   filtered apex-mesh
3000/tcp  open     ppp
3306/tcp  open     mysql
5000/tcp  open     upnp
5222/tcp  open     xmpp-client
5280/tcp  open     xmpp-bosh
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp
```
When I do:

```
[[email protected] ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 587/tcp 53/tcp 20/tcp 2222/tcp 10000-10100/tcp 20000/tcp 1025-65535/tcp 53/udp 5222/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="22.214.171.124" drop
        rule family="ipv4" source address="126.96.36.199/22" drop
        rule family="ipv4" source address="188.8.131.52/22" reject
        rule family="ipv4" source address="184.108.40.206/23" reject
        rule family="ipv4" source address="220.127.116.11/25" reject
        rule family="ipv4" source address="18.104.22.168/22" reject
        rule family="ipv4" source address="22.214.171.124/11" reject
[[email protected] ~]#
```
```
firewall-cmd --get-active-zones
public
  interfaces: eth0
```

(I assume I didn't really have to do this, since `firewall-cmd --list-all` should show me all that's active, right?)
Does anyone have any idea why mysql would be completely open like this? Could a package or app I installed have turned this on? How is it not listed in my active public zone?
I am a little nervous about the proper command to use to close this in public. I use localhost on all my apps, but I do not want to share it publicly. Usually I would have done:

```
firewall-cmd --zone=public --remove-service=mysql --permanent
```

but since it's not in public, this does not work.
should I do:
This should pick up the default zone and close down the port, but I'm afraid it'll close it for localhost too.
Anything else anyone sees wrong here please feel free to comment.
CentOS 7 with Virtualmin
Your firewall is "open" because someone decided to allow virtually every port. Notice the allowed ports contain:

```
1025-65535/tcp
```
You should remove this and replace it with any ports in that range that you actually need to have opened to the world. (It looks like some are already specified, but you should double check what you actually need.)
```
firewall-cmd --add-port=<number>/<protocol>   # repeat as necessary
firewall-cmd --remove-port=1025-65535/tcp     # add first, then remove this, to
                                              # prevent service interruption
firewall-cmd --runtime-to-permanent           # after verifying everything works
```
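To see concretely why 3306 was reachable even though `mysql` is in neither the `services:` nor the `ports:` list by name (the question above), and to find the over-broad entry the answer points at, the following shell script can be run offline against the `ports:` line pasted from `firewall-cmd --list-all`. It is an added example, not code from the thread or from Virtualmin or firewalld; the only input is the constructed `SAMPLE_PORTS` string copied from the question's output, and `MAX_WIDTH` is an arbitrary threshold chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or the answerer's code):
# given the "ports:" entries from `firewall-cmd --list-all`, report which
# entry lets a given port/protocol through, and flag any range that opens
# more than MAX_WIDTH ports.

# Constructed sample: the "ports:" line from the question's public zone.
SAMPLE_PORTS='587/tcp 53/tcp 20/tcp 2222/tcp 10000-10100/tcp 20000/tcp 1025-65535/tcp 53/udp 5222/tcp'
# Arbitrary threshold: any range spanning more than this many ports is reported.
MAX_WIDTH=1000

# port_allowed_by PORT PROTO "ENTRIES"
# Prints every entry (e.g. "1025-65535/tcp") covering PORT/PROTO, one per line.
# Returns 0 if at least one entry covers it, 1 if none does.
port_allowed_by() {
    port=$1; proto=$2; entries=$3; found=1
    for e in $entries; do
        spec=${e%/*}; ep=${e#*/}
        [ "$ep" = "$proto" ] || continue
        case $spec in
            *-*) lo=${spec%-*}; hi=${spec#*-} ;;   # "lo-hi" range entry
            *)   lo=$spec; hi=$spec ;;             # single port entry
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            printf '%s\n' "$e"
            found=0
        fi
    done
    return $found
}

# wide_ranges "ENTRIES"
# Prints every range entry that opens more than MAX_WIDTH ports, one per line.
wide_ranges() {
    for e in $1; do
        spec=${e%/*}
        case $spec in
            *-*)
                lo=${spec%-*}; hi=${spec#*-}
                if [ $((hi - lo + 1)) -gt "$MAX_WIDTH" ]; then
                    printf '%s\n' "$e"
                fi
                ;;
        esac
    done
    return 0
}

# Demo: the high ports nmap reported open, and which entry admits each one.
for p in 3000 3306 5000 5222 5280 10000 20000; do
    printf '%s/tcp admitted by: %s\n' "$p" "$(port_allowed_by "$p" tcp "$SAMPLE_PORTS" | tr '\n' ' ')"
done
printf 'ranges wider than %s ports: %s\n' "$MAX_WIDTH" "$(wide_ranges "$SAMPLE_PORTS" | tr '\n' ' ')"
```

On the sample line every one of the high ports from the scan, 3306 included, is admitted by `1025-65535/tcp`, which is also the only entry `wide_ranges` flags; the named entries such as `5222/tcp` and `10000-10100/tcp` are redundant while that range exists, which is why removing the range after adding the specific ports you need, as the answer suggests, does not drop anything you explicitly allowed.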
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.