LinuxQuestions.org


fax8 09-06-2005 04:24 AM

New installation of a VPS with Slackware: Strange filtered ports
 
Hi

Some days ago I activated a virtual private server with Slackware 9.1 to use
as a webserver for some of my websites.

After installation I ran nmap against the server and this was the output:
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
113/tcp open auth
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
4444/tcp filtered krb524
10000/tcp open snet-sensor-mgmt

I don't know what the filtered ports are because I don't
think I have programs that are using them and I still haven't
configured my iptables firewall.

I'm afraid this could be a sort of backdoor opened by someone
malicious..

What do you guys think about this?

note: If I set up a firewall with iptables which blocks the filtered ports,
nmap doesn't report them.

sin 09-06-2005 09:36 AM

is your machine directly connected to the net or are you sitting behind some kind of router?

i get something similar when scanning my external system from work

22/tcp open ssh
80/tcp open http
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds

i am not using samba on this system, however i believe it has something to do with my broadband router and its nasty built-in fw :)

fax8 09-07-2005 04:13 PM

The VPS is behind a router at my ISP.

I was also thinking about a firewall/router doing something
between me and my VPS.

The strange thing is that now I set up iptables and
the strange ports aren't reported:

Code:

(The 1655 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp  closed pop3
113/tcp  closed auth
10000/tcp open  snet-sensor-mgmt

Nmap finished: 1 IP address (1 host up) scanned in 176.875 seconds

This line got me thinking:
(The 1655 ports scanned but not shown below are in state: filtered)
maybe ports
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap

are not reported in nmap reports because now that iptables is up
all the ports are filtered, so they are no longer interesting

What do you think about it???

Thanks
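
The reasoning in the post above can be checked mechanically. As an added example (not part of the original thread), this Python sketch parses the two scan listings quoted in the thread and reports, for each port that disappeared from the second listing, whether nmap's collapsed "not shown" state accounts for it; the function names are hypothetical.

```python
import re

# Listing from the first post (before iptables was configured).
BEFORE = """\
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
113/tcp open auth
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
4444/tcp filtered krb524
10000/tcp open snet-sensor-mgmt
"""
# Listing from the post above (after iptables was enabled).
AFTER = """\
(The 1655 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp  closed pop3
113/tcp  closed auth
10000/tcp open  snet-sensor-mgmt
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
DEFAULT_RE = re.compile(r"ports scanned but not shown below are in state: (\w+)")

def parse(report):
    """Return ({port: state}, collapsed_default_state or None)."""
    ports = {int(m[1]): m[3] for m in PORT_RE.finditer(report)}
    default = DEFAULT_RE.search(report)
    return ports, default.group(1) if default else None

def explain_missing(before, after):
    """Map each port listed before but not after to
    (old_state, collapsed_state, True if the collapse explains the absence)."""
    b_ports, _ = parse(before)
    a_ports, a_default = parse(after)
    return {p: (s, a_default, s == a_default)
            for p, s in b_ports.items() if p not in a_ports}

if __name__ == "__main__":
    for port, verdict in sorted(explain_missing(BEFORE, AFTER).items()):
        print(port, verdict)
```

A match only shows that the port is still in the filtered state; it does not tell whether the local iptables rules or the upstream router is doing the filtering.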

sin 09-08-2005 02:56 AM

could be, are you using DROP or REJECT?

fax8 09-08-2005 04:28 PM

both of them.

I'm using kiss, a firewall script

http://www.geocities.com/steve93138/
http://www.geocities.com/steve93138/kiss.txt

fax8 09-10-2005 09:13 AM

what do you think about it?


All times are GMT -5.