LinuxQuestions.org
Old 11-07-2005, 08:12 PM   #1
Darwish
Member
 
Registered: Jun 2005
Location: Egypt (North Africa)
Distribution: Debian Sarge
Posts: 35

Rep: Reputation: 15
Closing port 1723 "pptp service" in linux


Can anyone help me to close that port 1723? I don't understand any security issues. Here's the result of nmapping my IP... (I use a one-port router with NAT settings, I don't use a firewall)

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 03:08 EET
Interesting ports on SpeedTouch.lan (MY IP):
(The 1655 ports scanned but not shown below are in state: closed)

21/tcp open ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
113/tcp filtered auth
1723/tcp open pptp
5631/tcp filtered pcanywheredata
5632/tcp filtered pcanywherestat

The only port which is not covered by NAT is 1723, how to close it?!!
 
Old 11-08-2005, 09:45 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Do you want to keep whatever service is listening on port 1723 running and simply firewall it so that it isn't accessible remotely, or do you want to turn off whatever service is running? Either way, run netstat -pant and post the output.
 
Old 11-09-2005, 09:09 PM   #3
Darwish
Member
 
Registered: Jun 2005
Location: Egypt (North Africa)
Distribution: Debian Sarge
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks for replying..
Here's the output of netstat -pant

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:966             0.0.0.0:*               LISTEN     3752/rpc.statd
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN     3839/sendmail: MTA:
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     3202/portmap
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN     3712/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     3839/sendmail: MTA:
tcp        0      0 10.0.0.1:57550          72.14.207.104:80        ESTABLISHED19510/firefox-bin
tcp        0      0 10.0.0.1:57551          72.14.207.104:80        ESTABLISHED19510/firefox-bin
tcp        0      0 10.0.0.1:57555          216.73.86.187:80        TIME_WAIT  -
tcp        0      0 10.0.0.1:57548          64.179.4.149:80         TIME_WAIT  -
tcp        0      0 10.0.0.1:47432          207.46.2.100:1863       ESTABLISHED20486/gaim
tcp6       0      0 :::22                   :::*                    LISTEN     3744/sshd
I dunno what this service is, and I want to close this service or at least close/filter the port.
 
Old 11-10-2005, 12:47 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I don't see anything listening on port 1723 in the netstat output. Which IP are you scanning, your remote external IP, the internal IP of your router, or something else?

The PPTP protocol functions by having clients establish a control channel on TCP port 1723 and then setting up a GRE-over-IP tunneled PPP session. So I think somehow you're scanning the router and seeing the daemon listening for the incoming control channel connections. You might want to check into your router/modem and make sure any GRE/VPN passthrough functions are disabled. But it might help if you clarify what IP (you don't need to give the specific IP, but an answer like "my external IP" or "my router's internal IP" might make things a little more clear).
 
Old 11-10-2005, 08:35 PM   #5
Darwish
Member
 
Registered: Jun 2005
Location: Egypt (North Africa)
Distribution: Debian Sarge
Posts: 35

Original Poster
Rep: Reputation: 15
Sorry cuz I dunno which IP you mentioned, here is the result of scanning all of the IPs I know:

Here are the results of scanning my internal (10.0.0.1) IP (only one PC connected to the router):
Code:
Interesting ports on 10.0.0.1:
(The 1659 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
113/tcp open  auth
648/tcp open  unknown
and here is the result of the IP that I use to connect to the router software (10.0.0.138):
Code:
Interesting ports on SpeedTouch.lan (10.0.0.138):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
1723/tcp open  pptp
MAC Address: 00:0E:50:89:EC:27 (Thomson Multi Media)
and here is the result of my IP (82.201.**.**):
Code:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-11 03:36 EET
Interesting ports on SpeedTouch.lan (82.201.**.**):
(The 1654 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    filtered ftp
23/tcp    filtered telnet
80/tcp    filtered http
113/tcp   filtered auth
1723/tcp  open     pptp
5631/tcp  filtered pcanywheredata
5632/tcp  filtered pcanywherestat
10082/tcp filtered amandaidx
10083/tcp filtered amidxtape
Maybe I understood wrong, is there a problem in my security? Sorry cuz I don't understand networking anymore, I am going to read some security tutorials and how-tos, but I am too busy with exams now.
Thanks for the care.

Last edited by Darwish; 11-10-2005 at 08:43 PM.
 
Old 11-10-2005, 09:02 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Ok, it's definitely your router and not the Linux box. You should try scanning your external IP from outside the network to make sure that this isn't an artifact caused by scanning from the LAN side (often LAN-side traffic is firewalled differently than WAN). If you don't have any other systems outside the LAN, then try using one of the free online scans available through www.grc.com or http://scan.sygatetech.com/ . If you still see port 1723 open, then check your router settings and make sure that the VPN settings are turned off.
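
The cross-check done by eye in the replies above (ports a scan reports open versus the `netstat -pant` listener list), as an added example that is not part of the original thread. The sample data is excerpted from the outputs posted above; the function names are this example's own.

```python
import re

# Sample inputs: excerpts of the netstat and nmap outputs posted in this thread.
NETSTAT = """\
tcp        0      0 0.0.0.0:966             0.0.0.0:*               LISTEN     3752/rpc.statd
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN     3839/sendmail: MTA:
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     3202/portmap
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN     3712/inetd
tcp        0      0 10.0.0.1:47432          207.46.2.100:1863       ESTABLISHED20486/gaim
tcp6       0      0 :::22                   :::*                    LISTEN     3744/sshd
"""
NMAP_EXTERNAL = """\
21/tcp open ftp
22/tcp filtered ssh
113/tcp filtered auth
1723/tcp open pptp
"""

def listeners(netstat_text):
    """Map port -> (bind address, PID/program) for TCP sockets in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)", line)
        if m:
            addr, port, prog = m.groups()
            found[int(port)] = (addr, prog)
    return found

def open_ports(nmap_text):
    """Ports nmap reported as 'open'; filtered and closed ports are ignored."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)}

def attribute(nmap_text, netstat_text):
    """Split scanned-open ports into locally served vs. answered by another device."""
    local = listeners(netstat_text)
    result = {"local": {}, "elsewhere": []}
    for port in sorted(open_ports(nmap_text)):
        addr, prog = local.get(port, (None, None))
        # A loopback-only listener cannot be what a scan of another address reached.
        if addr and addr != "::1" and not addr.startswith("127."):
            result["local"][port] = prog
        else:
            result["elsewhere"].append(port)
    return result

if __name__ == "__main__":
    print(attribute(NMAP_EXTERNAL, NETSTAT))
```

Ports that land in `elsewhere` are answered by some other device on the path (here the router), so they have to be closed in that device's configuration rather than on the Linux host.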
 
Old 11-11-2005, 08:19 PM   #7
Darwish
Member
 
Registered: Jun 2005
Location: Egypt (North Africa)
Distribution: Debian Sarge
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks a lot for your suggestions, I'll do it now...
 
Old 11-12-2005, 05:17 AM   #8
Darwish
Member
 
Registered: Jun 2005
Location: Egypt (North Africa)
Distribution: Debian Sarge
Posts: 35

Original Poster
Rep: Reputation: 15
Yeah sir, after doing the stealth scan from http://scan.segatech.com this port "1723" is not found in the open ports...

The only open port found was "113", the website says it's for irc... so I don't think a problem exists here.
 
  

