LinuxQuestions.org
Old 10-22-2008, 05:34 PM   #16
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376

Quote:
Originally Posted by jonwondering
what is nic?

Network interface card.
 
Old 10-23-2008, 12:14 AM   #17
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
well thanks but that doesn't help. i still have no idea what that hosting company has...
and i also have no idea why this has been moved to a newbie section. it is a question about security and iptables after all.
 
Old 10-23-2008, 12:59 AM   #18
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Sorry, but my question was coming from the angle that I see some funny nmap results from machines with multiple NICs. Not sure why.

Can I suggest - and this is totally up to you - that you email me your external IP and I'll run nmap from here. I don't see how I can do any damage that way. You can send me a message by clicking on my name to the left and select send email to...

I'll post the results back here (without IP)
 
Old 10-23-2008, 07:31 PM   #19
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
billymayday, I appreciate your effort to help and all your suggestions, but I think I am just gonna carefully revise my iptables rules, because it's obvious I don't have all those hundreds of processes listening on those ports, and it's probably just something wrong with the rules...

Plus I can't just trust a stranger with my expensive playbox (Even though you've probably helped tons of ppl with 4K+ posts)

Thank you for all the troubles of helping me once again...
 
Old 10-23-2008, 07:41 PM   #20
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
That's fine.

Rgds
 
Old 10-23-2008, 09:38 PM   #21
plpl303
Member
 
Registered: Oct 2008
Posts: 31

Rep: Reputation: 15
NIC = network interface card

If this is a virtual host, it might be the case that you are in fact port-scanning the *real* host that your virtual host is running on. (I don't know if that is so, but it's a thought.)

But regardless of what iptables is configured for, a port shouldn't be accessible if there's nothing listening there. So it's kind of puzzling... it seems to be an issue besides iptables itself. It's also odd that netstat doesn't think anything's listening.

Maybe I'm being kind of paranoid, but are you sure that the box hasn't been compromised?

Last edited by plpl303; 10-23-2008 at 09:46 PM.
 
Old 10-24-2008, 12:02 PM   #22
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
nope, not sure. with all this weird crap happening there's a good chance it has and i have no idea about it. but i don't even know how to check really, does anybody? lol. there's not much of a website there, and i've looked in different folders, and checked running processes, and looked at iptables rules for backdoors, and cron jobs and stuff like that. didn't see anything out of the ordinary.

scanning the host itself is probably impossible (at least i hope) because they gave me a unique ip. really don't know what's going on. the crappy part is they refuse to help because they say it's not their problem, and keep sending me stupid links on how to configure my webserver...
 
Old 10-24-2008, 09:31 PM   #23
plpl303
Member
 
Registered: Oct 2008
Posts: 31

Rep: Reputation: 15
Hey, wait a minute... looking back over your nmap output:

Quote:
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx

It looks like some sort of adaptive firewall is in place: Notice that nmap's probes are being dropped: First about 40% of them and then 100%. So I'm guessing that nmap is not reporting the correct output due to firewall rules. It's probably not your virtual box's iptables rules but rather something either on the real host or on another intermediate firewall that's making the results inaccurate. At least that's my guess... seems that nmap's output indicates that *every* port is open -- and even if the box was cracked, that is a little difficult to believe... not impossible, but it seems a little surprising.
 
Old 10-24-2008, 10:24 PM   #24
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
hmmm, but how can this be? shouldn't i be able to manipulate my rules on the server the way i want them to? lol. i just don't know where this "magical" thing might come from... the thing is, i scanned this server from three different ip's from two different networks, and it all shows the same thing: tons of ports open - waaaay too many of them. so i am guessing it's nothing on my end (nmap computers), and rather something either with mediahost, or with my own misconfiguration of the server. the problem is i don't even understand how these rules show up in nmap. telnet seems to connect to a few of them, but not all (and i don't even know if that means much anyway)...
 
Old 10-24-2008, 10:40 PM   #25
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
okay this is the weirdest thing. i finally managed to get a guy on the line that actually helped and explained what was happening, or at least what he thinks is happening. he says mediatemple has a firewall that covers all the servers it has, including the hosted websites and their own individual firewalls. so if i understood him correctly, he's saying nmap gets through some firewall rules, but not through mine (if i set them up correctly).

he recommended checking listening ports, and my own iptables rules. he said if somebody would have tried an attack through a port, they would know about it because of their firewall that blankets everybody else's.

it's just still a little puzzling to me why i am seeing hundreds and hundreds of these ports open. what's the purpose? plus it feels uncomfortable when you work on your iptables rules, and can't really check them thoroughly anyway to see if they work the way you want them to. and to make sure that you do have at least some level of security. but this way it looks like anything and everything is possible...
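
Added example, not part of any post in this thread: a small Python check that puts the two views discussed above side by side, the dropped-probe ratios from the quoted nmap output and the ports nmap reported open that have no non-loopback listener in `netstat -tln` on the server. The netstat sample, the function names and the 0.3 `drop_threshold` are assumptions made for illustration.

```python
import re

# Constructed sample: the nmap lines quoted in the thread (address masked as posted).
NMAP_LOG = """\
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
"""

# Constructed sample of `netstat -tln` output from the server itself (assumed values).
NETSTAT_TLN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

DROP_RE = re.compile(r"due to (\d+) out of (\d+) dropped probes")
OPEN_RE = re.compile(r"Discovered open port (\d+)/tcp")
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)

def drop_ratios(nmap_log):
    """Fraction of probes dropped at each send-delay increase nmap logged."""
    return [int(d) / int(t) for d, t in DROP_RE.findall(nmap_log)]

def reachable_listeners(netstat_out):
    """TCP ports with a listener bound to a non-loopback address."""
    return {int(port) for addr, port in LISTEN_RE.findall(netstat_out)
            if not (addr.startswith("127.") or addr == "::1")}

def audit(nmap_log, netstat_out, drop_threshold=0.3):
    """Compare what the scan reported with what the server is listening on."""
    ratios = drop_ratios(nmap_log)
    scanned_open = {int(p) for p in OPEN_RE.findall(nmap_log)}
    return {
        "drop_ratios": ratios,
        "scan_unreliable": any(r >= drop_threshold for r in ratios),
        "open_without_listener": sorted(scanned_open - reachable_listeners(netstat_out)),
    }

if __name__ == "__main__":
    print(audit(NMAP_LOG, NETSTAT_TLN))
```

A port listed under `open_without_listener` is being answered by something other than a socket netstat can see on that port, so it needs an explanation (a device in front of the server, a redirect rule, or a hidden listener) before the scan result is taken at face value.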
 
All times are GMT -5.