Hey guys,

I am looking at a scan from nmap and I would like some guidance on the ports that are open?

# nmap -sT -O localhost

-------------------------
PORT STATE SERVICE
-------------------------
21/tcp open ftp <--- ProFTP
22/tcp open ssh <--- SSH
25/tcp open smtp <--- Postfix (Do I need open if only sending out?)
80/tcp open http <--- Apache
111/tcp open rpcbind <--- Portmapper (LISTEN 1729 tcp/udp)
113/tcp open auth <--- Inetd (Listen 2326 tcp)
139/tcp open netbios-ssn <--- Smbd (Listen 2396 tcp)
445/tcp open microsoft-ds <--- ***
548/tcp open afpovertcp <--- Afpd (Listen 2277 tcp) Appletalk?
901/tcp open samba-swat <--- Inetd (Listen 2326 tcp)
2049/tcp open nfs <--- ***
3306/tcp open mysql <--- Mysqld (Listen 2091 tcp)
10000/tcp open snet-sensor-mgmt <--- ***

*** 445 ***
tcp 0 0 0.0.0.0:44558 0.0.0.0:* Listen 2445/rpc.statd
tcp 0 0 0.0.0.0:445 0.0.0.0:* Listen 2396/smbd
tcp 0 0 0.0.0.0:32771 0.0.0.0:* 2445/rpc.statd
tcp 0 0.0.0.0:925 0.0.0.0:* 2445 /rpc.statd

*** 2049 ***
tcp 0 0 0.0.0.0:2049 0.0.0.0:* Listen -
udp 0 0 0.0.0.0:2049 0.0.0.0:* Listen -

*** 10000 *** (Webmin https local only)
tcp 0 0 0.0.0.0:10000 0.0.0.0:* Listen 2532/perl
udp 0 0 0.0.0.0:10000 0.0.0.0:* Listen 2532/perl

Ok first some background. This is Debian Testing and I use this as my webserver. Aparently I haave samba installed and it setup for nfs which I am going to remove. Any suggestions on this?

nomb

Setup a firewall and use it to filter any ports you don't need?

Turn off any services you don't need- else one day you forget to set the firewall or it fails then ...

Instead of a local scan, how about scanning from the internet? I'm sure you just scanned locally to get an idea of what services were running on your box, but if you scanned from outside your LAN, you could compare the two scan results to determine what was available from the outside, then build a firewall policy that would cater to both internal and external.

If your web server is at your home and you're using some set-top gateway router/firewall, you most likely have to have some port forwarding going on (especially on port 80 or whatever port you're serving your web pages on) for the ports to be exposed to the internet. You don't always want to rely on NAT, though. Also, if your router allows this host to be a DMZ host and that's how you have it configured, that's a whole different ballgame...if this is the case, you definitely need a firewall on that box.

I stay away from DMZs and just setup port forwarding on my router.
This was an internal scan through my phone. Do you know of a web-based
scanning which can scan an ip address that you enter? I know you can do this with ShieldsUp! but you have to use firefox's web development plugin and show the hidden fields and yadda yadda yadda. I'm at work so I don't wanna do that. I'm just amazed that I have smb running, what was I thinking...

What is '548/tcp open afpovertcp'? Is that appletalk? I couldn't find appletalk in my services but I'll look again.

Thanks,

nombd

548/TCP is "Apple Filesharing Protocol over TCP"...dunno if this is related to Appletalk or not, but I don't think it is.

Check http://home.planet.nl/~houwe135/wbnt1/#port-scan for some browser-based scanners that you could use. I did a quick google search and found it, but you may want to either check more extensively or get a friend to scan for you.

You won't need tcp/25 inbound if your not planning on recieving email.
You can also do a netstat -an|grep -i listen and get a good idea of all listening ports (tcp/udp).
From a security standpoint, definetly put a firewall on the box and have it start at startup. There are way too many robots out there doing SSH/Telnet scans on servers. With the firewall (using ipchains/tables or whatever you like) you can limit access to management interfaces et.all.

I'm pretty sure that once he scans from external, he'll find that port 25 won't be open. It may not even be open for inbound on his LAN. He scanned on the host itself, so it will show open, but I don't think that means that the host will actually receive inbound traffic from any other machine on his LAN (or outside). I may be wrong but I've the feeling that tcp/25 may be OK as long as only localhost is listening on that port.

I would make sure that tcp/25 is not open from the network at all. If it's only listening on 127.0.0.1 that's one thing, but it's certainly not the default IIRK. From a pure security perspective, assuming that your internet router/firewall will take care of it for you is a bad idea. If you *configure* your internet router/firewall to block it, that's a lot better idea. It will still be a security hole, just at a different level.
I'd suggest a local running firewall on the machine configured to start at boot, and disable the mail system from receiving email all together if you're not going to use it. You'll be a lot happier (and safer) in the long run.

+1

Running nmap against localhost is a bit pointless, since you're (supposed to be) looking for externally accessible tcp ports.

Review the output of
netstat -lntu
to see listening tcp/udp ports.

Once you put your packet filtering rules in place (assuming you're going to do so) you can test their effectiveness using nmap from a box on the same network, and another box on the other side of your port-forwarding router...

Uhm...scanning localhost will usually show open ports, while scanning that host from the same network but different host will show an entirely different picture. A port that is open on the localhost isn't considered a hole, IMO, as you won't be able to communicate to that port from a different host...spoofed packets, maybe, but if an internal host received spoofed traffic on the loopback, there are other issues that need to be dealt with.

Also, with most of the distros and OSs I've installed (several Linux distros and several BSDs) lately, there is no default services...it is usually upon the admin that is installing to determine what services they wish to be installed and started when the install is finished.

Below is what I've done on my machines to test. 10.150.1.103 is a FreeBSD 6.2 workstation and slackbox is a Slackware v12.0 system. FreeBSD installed SMTP by defaut but note that it assigned the service to localhost. My Slackware box doesn't run SMTP, as I opted to deactivate it, especially since it doesn't send internal system e-mails like FreeBSD does:

From a different box:


Now, scanning the IP from 'slackbox':

Port 25 doesn't show.

Secondly, I never implied that one should depend solely on a firewall/router for security, but again, a service running on localhost is definitely not a security issue, from my perspective.

From my understanding, mail services listening on the loopback interface do serve a function. Most *nix distributions send system notifications to themselves via a local mail server (the BSDs usually do this, and I've seen some Linux distros configured out-of-the-box to do this). Turning off that service may break some internal processes unless someone knows what they're doing...I don't think this is something that someone new to *nix should be doing, unless they thrive on fixing things they don't understand.

A deny-all firewall policy will help, but I think the OP needs to understand the difference between scanning on the loopback vs. scanning from another machine (and also scanning from outside the network).

So, I don't think that his issue with port 25 on the loopback constitutes a hole. If the service were bound to some interface other than loopback, that would be another issue altogether.

nomb, please run 'netstat -an | grep -l listen' so we can see if port 25 is listening on loopback or an interface.

Darn,

I can't get to those pages because I'm at work and they are blocked.
Do I need 25 open to send out mail? Or just recieve it?

Can anyone do a scan against www.nombyte.com for me?
Thats my server.

nomb

***EDIT***

Here is that command. This was run as root from the box...

localhost:~# netstat -an | grep -l listen
localhost:~#

Nomb- that should be a netstat -an |grep -i listen. And I'm just lazy- netstat -an |grep LISTEN will work as well.

here is your scan from the world (I removed the actual IP):
nmap www.nombyte.com

Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-13 08:54 MDT
Interesting ports on xxxx.hsd1.va.comcast.net ():
Not shown: 1692 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp closed auth
10000/tcp open snet-sensor-mgmt



If his mail really is only listening on 127.0.0.1, then I agree, no problem at all. I double checked a Centos 5 install (with mail selected) and it doesn't seem to bind it to any interface(except localhost). That's a change to me- seems like they all use to bind to the machine name IP address (Solaris still does by default- actually binds to all machine IPs, including localhost).

I still believe that a local firewall should be run on any host with an internet connection. Security is performed in levels, and that is a very good level to start with.

And yeah, nmap'ing localhost isn't a good idea. Netstat will give a much clearer picture of what's going on. nmap is for remote surveliance on a machine.

****

Nomb- no need for tcp/25 open to send mail. Just to receive it.

My bad...yeah, "grep -i listen" is desirable.

As root:
The column "local address" is particularly important. the ones where it stands "localhost:xxx" like "localhost:smtp" means the service is only accessible from this computer.
IMO, it's better to correct the cause (remove the unneeded services) rather than hidding them behind a firewall.