LinuxQuestions.org


muddywaters 05-14-2006 10:25 AM

nmap shows open kdm
 
I have 2 machines connected through a d-link router. After setting up nfs I decided to run nmap from the client to check the ports on the nfs server (Mepis). Everything was as expected except for
1024/tcp open kdm
Is this open to allow remote x login? If so I don't need it.

Reading previous posts on this hinted that the /etc/kde3/kdm/Xservers file can be edited. Mine looks like this

:0 local@tty1 /usr/X11R6/bin/X -dpi 100 -nolisten tcp
:1 local@tty2 reserve /usr/X11R6/bin/X -dpi 100 -nolisten tcp :1
#:2 local@tty3 reserve /usr/X11R6/bin/X -nolisten tcp :2
#:3 local@tty4 reserve /usr/X11R6/bin/X -nolisten tcp :3
#:4 local@tty5 reserve /usr/X11R6/bin/X -nolisten tcp :4

It looks like the nolisten option is already there. Is there anything else that should be changed? Should I be concerned? Feel free to call me paranoid.

Capt_Caveman 05-14-2006 02:50 PM

Run netstat -pantu on the server that you scanned and post the output. Port 1024 is often one of the first ports that is dynamically assigned so it could be any application. The -nolisten tcp settings should keep the Xserver from setting up a socket. Also what was the exact command that you used with nmap to scan the box?

muddywaters 05-14-2006 09:04 PM

Capt_Caveman

Thanks for the response. Maybe I should point out this computer has nothing of value other than the connection itself. Just trying to learn a few things.
The output of netstat:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:1024     0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:2049     0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:515      0.0.0.0:*        LISTEN  3956/inetd
tcp        0      0 0.0.0.0:68       0.0.0.0:*        LISTEN  3232/pump
tcp        0      0 0.0.0.0:905      0.0.0.0:*        LISTEN  4115/rpc.statd
tcp        0      0 0.0.0.0:20012    0.0.0.0:*        LISTEN  3956/inetd
tcp        0      0 127.0.0.1:783    0.0.0.0:*        LISTEN  3909/spamd.pid
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  3270/portmap
tcp        0      0 0.0.0.0:33333    0.0.0.0:*        LISTEN  4035/rpc.mountd
tcp        0      0 0.0.0.0:631      0.0.0.0:*        LISTEN  3947/cupsd
tcp        0      0 127.0.0.1:895    0.0.0.0:*        LISTEN  4111/famd
udp        0      0 0.0.0.0:2049     0.0.0.0:*                -
udp        0      0 0.0.0.0:1026     0.0.0.0:*                -
udp        0      0 0.0.0.0:899      0.0.0.0:*                4115/rpc.statd
udp        0      0 0.0.0.0:902      0.0.0.0:*                4115/rpc.statd
udp        0      0 0.0.0.0:33333    0.0.0.0:*                4035/rpc.mountd
udp        0      0 0.0.0.0:111      0.0.0.0:*                3270/portmap
udp        0      0 0.0.0.0:631      0.0.0.0:*                3947/cupsd

The command I was running from the client:
nmap -P0 192.1680.101

2049 is nfs afaik. Still don't know what 1024 is. Also tried 'lsof -i :1024'. Possibly doesn't matter with the router firewall running(?)

edit/sorry for sloppy paste job.

Capt_Caveman 05-14-2006 10:08 PM

Try stopping the NFS and Portmapper services then re-run the netstat command and see if it still shows up.

If you aren't using NFS and RPC then I'd recommend turning those services off permanently.
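
The check suggested above (stop NFS and the portmapper, then re-run netstat) amounts to comparing two listener snapshots. The script below is an added example, not part of the thread: it reads saved `netstat -pantu` text, lists the sockets netstat could not attribute to a PID, and reports which listeners disappeared between two snapshots. The function names and the "after" snapshot are constructed for illustration.

```shell
# Added example (not from the thread). Works on saved `netstat -pantu` text.
# listeners: stdin = netstat output; stdout = "proto/port owner" for every
# TCP socket in LISTEN and every unconnected UDP socket.
listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { owner = $7 }
        $1 ~ /^udp/ && $5 ~ /:\*$/    { owner = $6 }
        owner != "" {
            n = split($4, a, ":")      # port is the last ":"-separated piece
            print $1 "/" a[n], owner
            owner = ""
        }' | LC_ALL=C sort -u
}
# unowned: listeners where netstat printed "-" instead of PID/name
# (socket not owned by a process, or netstat run without root).
unowned() { listeners | awk '$2 == "-" { print $1 }'; }
# closed_between BEFORE AFTER: proto/port pairs listening in file BEFORE
# that are no longer listening in file AFTER.
closed_between() {
    b=$(mktemp) && a=$(mktemp) || return 1
    listeners < "$1" | cut -d' ' -f1 | LC_ALL=C sort -u > "$b"
    listeners < "$2" | cut -d' ' -f1 | LC_ALL=C sort -u > "$a"
    LC_ALL=C comm -23 "$b" "$a"
    rm -f "$b" "$a"
}
# Lines copied from the netstat output posted in the thread.
sample_before() { cat <<'EOF'
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3270/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 3947/cupsd
udp 0 0 0.0.0.0:1026 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* 3270/portmap
EOF
}
# CONSTRUCTED "after" snapshot for illustration only; the thread does not
# report what the poster actually saw after stopping the services.
sample_after() { cat <<'EOF'
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 3947/cupsd
EOF
}
# Demo on the embedded samples.
tmp=$(mktemp -d)
sample_before > "$tmp/before"; sample_after > "$tmp/after"
echo "no owning PID:"; sample_before | unowned
echo "gone after stopping services:"; closed_between "$tmp/before" "$tmp/after"
rm -rf "$tmp"
```

On a live system, save `netstat -pantu` (run as root) to a file before and after stopping the services and pass the two files to `closed_between`.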


All times are GMT -5.