I use an OmniSwitch 6360 in an isolated environment, connecting different computers with 3 VLans. Using commands “show udp ports” and “show tcp ports”, I found many services : RPCBIND, slNI, RadCli, alusubagent, SSHFS. Some ports for these services are static, other are dynamics (they change after a reboot). Do I need all these services ? I want to reduce the switch surface attack, as some computers are not managed by my organization, how can I do with services with dynamic ports ?
You can write ACLs (QoS) to restrict access to the switch all the IP address (or VLANs) except the IP addresses which are allowed to access the switch.
Default services like NTP which will use udp port 123 or for SSH port 22 should allowed for specific IP addresses to use NTP clock to sync and to manage the switch resply.
you can disable unnecessary services show ip service → example:- Ip Service ftp admin-state disable