LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-24-2003, 08:45 PM   #1
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Rep: Reputation: 15
Open UDP ports


Hi there,

I recently decided to port scan my penguin and I saw lots of open ports. This lead to a small port closing spree, I edited inetd.conf and one or two startup scripts. The TCP ports were relatively easy to close, but I have no clue how to close the open UDP ports ! Where are the services that open these ports, are they started by the kernel

Examples are:

bootpc UDP Port68
Kerberos 5 UDP Port88
SUN-RPC UDP Port111
imap UDP Port143
ms-sql-m UDP Port1434

thanks for any info
 
Old 06-24-2003, 09:05 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
As root on the box, "netstat -anp", trace PID for opened port to running binary of process. Shut down using init scripts and remove package from system if not used *now*. If no running process for given port, check firewall for policy and port blockings, also see ICMP (error messages in case of UDP port).
 
Old 06-25-2003, 06:52 AM   #3
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Original Poster
Rep: Reputation: 15
questioning whether the ports are really open

thanks unSpawn I did what you said and it helped me see where the rpc-portmap service was coming from, but I better add that I used Network Security Scanner from a win based platform to scan the ports, now the linux port scanner that I just recently tried does not respond in the same way at all, in fact it only reports two open udp ports, sun-rpc and time, which corresponds much better to what I left open.
This has lead me to think that the port scanner I was using is completely buggy.
 
Old 06-25-2003, 07:59 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
No, that ain't completely true. Port scanners like Nmap and NSS rely on return traffic to determine which ports are open. They look up the port in a static list (like /etc/services) to determine the service running. If you need to verify an app/daemon running on a port, use a protocol-specific scanner that does banner grabbing or Nessus or netcat to the port yourself.
 
Old 06-25-2003, 08:55 AM   #5
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Original Poster
Rep: Reputation: 15
Is there anyway that I could change that static list ? nmap and nss don't report the same open ports in my case. nss finds about twice the amount of open ones.
 
Old 06-25-2003, 09:25 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
Haven't got a clue wrt NSS as it's Wintendo and I don't (want to have to) handle that. It's only the protocol/port/common name triplet that the list is searched for. The list itself doesn't affect the amount of ports shown or their state. Basically what affects state is the commandline switches you use to scan and the "intelligence" of the scanner to interprete the return traffic.
 
Old 06-25-2003, 10:43 AM   #7
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Original Poster
Rep: Reputation: 15
alrighty, so then, that the best way to make these ports not come up in a 'stupid' port scan would be to firewall them

Last edited by ArnaudVR; 06-25-2003 at 01:48 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to open udp ports on suse enterprise server 9 swbxp Linux - Security 2 11-07-2005 02:31 PM
How to open UDP ports on suse 9.0 Pro firewall? TheTweaker Linux - Networking 0 08-12-2004 12:59 AM
how to open TCP/UDP ports RH9 franky Linux - Networking 3 07-18-2003 10:03 PM
Whole bunch of UDP ports open on firewall machine AllenWood Linux - Networking 1 03-07-2001 10:46 AM
Whole bunch of UDP ports open on firewall machine AllenWood Linux - Security 1 03-06-2001 06:45 PM


All times are GMT -5. The time now is 11:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration