LinuxQuestions.org

Darwish 11-07-2005 07:12 PM

Closing port 1723 "pptp service" in linux
 
Can anyone help me to close that port 1723? I don't understand any security issues. Here's the result of nmapping my IP .. (I use a one-port router with NAT settings, I don't use a firewall)

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 03:08 EET
Interesting ports on SpeedTouch.lan (MY IP):
(The 1655 ports scanned but not shown below are in state: closed)

21/tcp open ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
113/tcp filtered auth
1723/tcp open pptp
5631/tcp filtered pcanywheredata
5632/tcp filtered pcanywherestat

The only port which is not covered by NAT is 1723, how to close it ?!!

Capt_Caveman 11-08-2005 08:45 PM

Do you want to keep whatever service is listening on port 1723 running and simply firewall it so that it isn't accessible remotely, or do you want to turn off whatever service is running? Either way, run netstat -pant and post the output.

Darwish 11-09-2005 08:09 PM

Thanks for replying..
Here's the output of netstat -pant

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:966             0.0.0.0:*               LISTEN      3752/rpc.statd
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      3839/sendmail: MTA:
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      3202/portmap
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3712/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3839/sendmail: MTA:
tcp        0      0 10.0.0.1:57550          72.14.207.104:80        ESTABLISHED 19510/firefox-bin
tcp        0      0 10.0.0.1:57551          72.14.207.104:80        ESTABLISHED 19510/firefox-bin
tcp        0      0 10.0.0.1:57555          216.73.86.187:80        TIME_WAIT   -
tcp        0      0 10.0.0.1:57548          64.179.4.149:80         TIME_WAIT   -
tcp        0      0 10.0.0.1:47432          207.46.2.100:1863       ESTABLISHED 20486/gaim
tcp6       0      0 :::22                   :::*                    LISTEN      3744/sshd

I dunno what this service is, and I want to close this service or at least close/filter the port

Capt_Caveman 11-09-2005 11:47 PM

I don't see anything listening on port 1723 in the netstat output. Which IP are you scanning, your remote external IP, the internal IP of your router, or something else?

The PPTP protocol functions by having clients establish a control channel on tcp port 1723 and then setting up a GRE-over-IP tunneled PPP session. So I think somehow you're scanning the router and seeing the daemon listening for the incoming control channel connections. You might want to check into your router/modem and make sure any GRE/VPN passthrough functions are disabled. But it might help if you clarify what IP (you don't need to give the specific IP, but an answer like my external IP or my router's internal IP might make things a little more clear).

Darwish 11-10-2005 07:35 PM

Sorry cuz I dunno which IP you mentioned, here is the result of scanning all of the IPs I know:

Here are the results of scanning my internal (10.0.0.1) IP (only one PC connected with the router):
Code:

Interesting ports on 10.0.0.1:
(The 1659 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
113/tcp open  auth
648/tcp open  unknown

And here is the result of the IP that I use to connect to the router software (10.0.0.138):
Code:

Interesting ports on SpeedTouch.lan (10.0.0.138):
(The 1659 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp  open  ftp
23/tcp  open  telnet
80/tcp  open  http
1723/tcp open  pptp
MAC Address: 00:0E:50:89:EC:27 (Thomson Multi Media)

And here is the result of my IP (82.201.**.**):
Code:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-11 03:36 EET
Interesting ports on SpeedTouch.lan (82.201.**.**):
(The 1654 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    filtered ftp
23/tcp    filtered telnet
80/tcp    filtered http
113/tcp  filtered auth
1723/tcp  open    pptp
5631/tcp  filtered pcanywheredata
5632/tcp  filtered pcanywherestat
10082/tcp filtered amandaidx
10083/tcp filtered amidxtape

Maybe I understood wrong, is there a problem in my security? Sorry cuz I don't understand networking anymore, I am going to read some security tutorials and how-tos but I am too busy in exams now.
Thx for care

Capt_Caveman 11-10-2005 08:02 PM

Ok, it's definitely your router and not the linux box. You should try scanning your external IP from outside the network to make sure that this isn't an artifact caused by scanning from the LAN side (often LAN side traffic is firewalled differently than WAN). If you don't have any other systems outside the LAN, then try using one of the free online scans available through www.grc.com or http://scan.sygatetech.com/ . If you still see port 1723 open, then check your router settings and make sure that the VPN settings are turned off.
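
Added example, not part of any post in this thread: the check Capt_Caveman does by eye, comparing the ports a scan reports open against the sockets `netstat -pant` shows in LISTEN state, so that an open port with no local listener is attributed to another device such as the router. The sample inputs are constructed by trimming the outputs posted above, and the function names are this example's own.

```python
import re

# Constructed sample input, trimmed from the outputs posted in this thread.
NMAP_SCAN = """\
PORT      STATE    SERVICE
21/tcp    filtered ftp
113/tcp   filtered auth
1723/tcp  open     pptp
"""

NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:111     0.0.0.0:*         LISTEN      3202/portmap
tcp        0      0 0.0.0.0:113     0.0.0.0:*         LISTEN      3712/inetd
tcp        0      0 127.0.0.1:25    0.0.0.0:*         LISTEN      3839/sendmail: MTA:
tcp        0      0 10.0.0.1:57550  72.14.207.104:80  ESTABLISHED 19510/firefox-bin
tcp6       0      0 :::22           :::*              LISTEN      3744/sshd
"""

def scanned_ports(nmap_text):
    """Return {port: state} for the TCP rows of an nmap port table."""
    rows = re.findall(r"^(\d+)/tcp\s+(\S+)", nmap_text, re.MULTILINE)
    return {int(port): state for port, state in rows}

def local_listeners(netstat_text):
    """Return {port: (bind_address, program)} for sockets in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # rpartition copes with ":::22"
        listeners[int(port)] = (addr, fields[6])
    return listeners

def attribute_open_ports(nmap_text, netstat_text):
    """Map each port the scan reports open to its local listener, or to None
    when no local process owns it (so another device answered the scan)."""
    listeners = local_listeners(netstat_text)
    return {port: listeners.get(port)
            for port, state in scanned_ports(nmap_text).items() if state == "open"}

if __name__ == "__main__":
    for port, owner in attribute_open_ports(NMAP_SCAN, NETSTAT).items():
        print(port, owner or "no local listener: check the router or modem")
```
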

Darwish 11-11-2005 07:19 PM

Thanks a lot for your suggestions, I'll do it now...

Darwish 11-12-2005 04:17 AM

Yeah sir, after doing the stealth scan from http://scan.segatech.com this port "1723" is not found in the open ports...

The only open port found was "113", the website says it's for irc ... so I don't think a problem exists here..


All times are GMT -5.