This won’t add anything to the knowledge that already exists online but hopefully it’s more searchable for the next poor sap that is confused by this.

Locking Down my Server

This site runs on a tiny Rackspace server. I’m no expert but one of the easiest things you can do to lock down your server is to shut down as many ports as possible. That means that you don’t have potentially vulnerable software listening in on ports.

You’ll probably do some nmap.

demian@raven ~>nmap localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2014-07-11 09:51 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

And maybe some netstat.

demian@raven ~>netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:https                 *:*                     LISTEN     
tcp        0      0 *:www                   *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     83108    /var/run/acpid.socket

I checked it locally and noticed that exim4 was running and had a port open. So I made sure that service was no longer in the startup scripts and removed the daemon.

Now Try from Laptop

Just to be sure I ran it from nmap from my laptop. This is what I saw.

demian  ~  nmap neidetcher.com

Starting Nmap 6.40 ( http://nmap.org ) at 2014-07-11 09:30 CDT
Nmap scan report for neidetcher.com (184.106.150.226)
Host is up (0.057s latency).
rDNS record for 184.106.150.226: foo.com
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
3128/tcp open  squid-http
7070/tcp open  realserver
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

Whoah, that’s a lot of ports. Obviously some hacker syndicate from Eastern Europe has replaced my version of nmap such that it doesn’t show the ports they have used to turn my server into a slave for their botnet.

Apple Airport

I ran across this blog post. The deal is that Apple Airport will try to proxy protocols for you. Apparently it doesn’t bother to check with the far-end servers to see if the port is even available. So, to you on your computer behind an Apple router, nmap will think the port is hot.