0

I realized something strange, or something I just do not understand. I noticed in my journal someone was trying to auth to mysql. I did nmap T4 to my server and can see that mysql is open. A Firewalld read says these things are not open by default and I didn't open it myself.

nmap T4

PORT      STATE    SERVICE
17/tcp    filtered qotd
19/tcp    filtered chargen
22/tcp    open     ssh
25/tcp    filtered smtp
70/tcp    filtered gopher
80/tcp    open     http
82/tcp    filtered xfer
139/tcp   filtered netbios-ssn
143/tcp   open     imap
366/tcp   filtered odmr
389/tcp   filtered ldap
407/tcp   filtered timbuktu
416/tcp   filtered silverplatter
427/tcp   filtered svrloc
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
512/tcp   filtered exec
543/tcp   filtered klogin
587/tcp   open     submission
631/tcp   filtered ipp
648/tcp   filtered rrp
668/tcp   filtered mecomm
726/tcp   filtered unknown
749/tcp   filtered kerberos-adm
912/tcp   filtered apex-mesh
3000/tcp  open     ppp
**3306/tcp  open     mysql**
5000/tcp  open     upnp
5222/tcp  open     xmpp-client
5280/tcp  open     xmpp-bosh
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp

When I do firewall-cmd --list-all

[root@virtual ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 587/tcp 53/tcp 20/tcp 2222/tcp 10000-10100/tcp 20000/tcp 1025-65535/tcp 53/udp 5222/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="54.36.148.123" drop
    rule family="ipv4" source address="54.36.148.0/22" drop
    rule family="ipv4" source address="5.188.84.0/22" reject
    rule family="ipv4" source address="217.171.146.0/23" reject
    rule family="ipv4" source address="198.12.120.0/25" reject
    rule family="ipv4" source address="185.143.172.0/22" reject
    rule family="ipv4" source address="176.128.0.0/11" reject
[root@virtual ~]#

firewall-cmd --get-active-zones (I assume I didn't really have to do this since firewall-cmd --list-all should show me all that's active right?)

public
  interfaces: eth0

Does anyone have any idea why mysql be completely open like this? Could a package or APP I install have turned this on? How is it not listed in my active public?

I am a little nervous about the proper command to use to close this as public. localhost I use on all my apps but I do not want to share public. Usually I would have done: firewall-cmd --zone=public --remove-service=mysql --permanent but since its not in public this does not work should I do: firewall-cmd --remove-port=3306/tcp This should pickup the default zone and close down the port, but I'm afraid it'll close for localhost

Anything else anyone sees wrong here please feel free to comment.

Thank you

My env Centos7 with Virtualmin

gstlouis
  • 109
  • 3
  • 10

1 Answers1

0

Your firewall is "open" because someone decided to allow virtually every port. Notice the allowed ports contains:

1025-65535/tcp

You should remove this and replace it with any ports in that range that you actually need to have opened to the world. (It looks like some are already specified, but you should double check what you actually need.)

firewall-cmd --add-port=<number>/<protocol> # repeat as necessary

firewall-cmd --remove-port=1025-65535/tcp   # add first, then remove this, to 
                                            # prevent service interruption

firewall-cmd --runtime-to-permanent         # after verifying everything works
Michael Hampton
  • 237,123
  • 42
  • 477
  • 940