Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Just installed SuSE 9.2 on a machine that is going to be my web server/email server system. In locking the box down, I noticed that TCP:21 is responding to a port scan. I don't have any FTP service active in inet or any type of FTP server running period!!! I'm trying to track down where it's coming from, but SuSE is just a little bit different from your standard Red Hat system.
What does the lsof -i command show? Is there anything between the SuSE box and the system you're scanning from (router, switch, other hosts, internet)? Also, when you say port 21 "responds", do you mean it's shown as "open" or as "closed" while most other ports are in the "filtered" state?
Hmm... looking back over what you pasted I do not see where port 21 is set to Listen.
Maybe I'm overlooking it, but I'll have to look again... I bet Capt is on the right track, you're bouncing filtered or closed.
C:\telnet 184.108.40.206 21
Connecting To 220.127.116.11...Could not open connection to the host, on port 21: Connection failed
Even with that, a port scan still shows 21 as responding!
When I see "Connection failed", that would either tell me that SuSEfirewall2 is blocking the port, and/or that the server isn't listening on that port. I know that I'm using the default firewall, so I went ahead and added a tunnel through for FTP (tcp: 21 - in the SuSEfirewall2 config). Then got this....
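Capt's question (is anything on the box actually listening, or is the scanner seeing a reply from a firewall or a device in the path?) can be settled from the host itself. The script below is an added example, not from any poster in this thread: it reads the kernel's socket table in /proc/net/tcp format, which is the same data lsof -i and netstat consult, and reports whether a local socket is in LISTEN state on the port. The sample table embedded in it is constructed for the example (sshd on 22, nothing on 21); the function names are assumptions.

```shell
#!/bin/sh
# Added example: confirm from the kernel socket table whether a TCP port has a
# local listener, independent of what a remote port scan reports.
# /proc/net/tcp columns: sl local_address rem_address st ...; addresses and
# ports are hexadecimal, and state 0A means LISTEN.

# Print "LISTENING <local-addr:port>" for the given port, reading a
# /proc/net/tcp style table from stdin.
listeners_for_port() {
    hexport=$(printf '%04X' "$1")
    awk -v want="$hexport" 'NR > 1 {
        split($2, a, ":")                  # local_address is addr:port
        if (a[2] == want && $4 == "0A") print "LISTENING", $2
    }'
}

# True (exit 0) if the table on stdin contains a listener on the port.
port_has_listener() {
    [ -n "$(listeners_for_port "$1")" ]
}

# Check the IPv4 and IPv6 tables of the running host (tcp6 addresses are
# 32 hex digits with no colons, so the same split works).
check_local_port() {
    port=$1
    if cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | port_has_listener "$port"; then
        echo "port $port: a local process is listening (run 'lsof -i :$port' to see which)"
    else
        echo "port $port: nothing is listening locally; whatever answers a scan on it is a firewall rule or a device in the path"
    fi
}

# Constructed sample in /proc/net/tcp format: one LISTEN socket on 0.0.0.0:22
# (0016 hex) and one ESTABLISHED connection (state 01) on 127.0.0.1:22.
SAMPLE_TCP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1'

# Run the check against the constructed sample; prints "open" or "none".
sample_port_state() {
    if printf '%s\n' "$SAMPLE_TCP_TABLE" | port_has_listener "$1"; then
        echo open
    else
        echo none
    fi
}

sample_port_state 21    # none: no listener in the sample
sample_port_state 22    # open
check_local_port 21     # the same test against this host's live table
```

If the host shows no listener on 21 but the scan reports the port as "closed" rather than "filtered", something is sending a TCP RST back: a REJECT rule in SuSEfirewall2 or a device between the scanner and the box. A "filtered" result means no answer came back at all, which is what a DROP rule produces.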
echo "Setting time from Atomic Clock Server"
first thing it will flush any existing config.... then I tell it to only accept incoming connections on the following ports.... 21 22 25 53 80 110 143. You can change those to meet your needs.... if there are too many lines just delete some.....
I also threw in there to update the system time to time.windows.com every time the system boots..... which isn't often......
Save this to a file, you'll have to chmod +x it, call it rc.firewall or whatever, save it to /user/sbin
Then open up /etc/init.d/boot.localnet and paste it in there... Here is a snippet of my boot.localnet
### BEGIN INIT INFO
# Provides: boot.localnet
# Required-Start: boot.ldconfig
# X-UnitedLinux-Should-Start: boot.quota
# Default-Start: B
# Description: setup hostname and yp and do cleanup
### END INIT INFO
Last edited by monroetech; 11-30-2004 at 03:59 PM.
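Only one line of monroetech's rc.firewall survives in the thread, so here is an added example of the policy his post describes (flush what is loaded, default-deny inbound, then accept new connections only on an explicit port list), written with iptables. It is not his script: the port list is the one quoted above, and ALLOWED_TCP_PORTS and the function names are assumptions. The rules are emitted to stdout so they can be reviewed before being applied; "--apply" pipes them into sh, which needs root.

```shell
#!/bin/sh
# Added example, not the poster's script: default-deny inbound firewall that
# accepts new TCP connections only on a listed set of ports.
ALLOWED_TCP_PORTS="21 22 25 53 80 110 143"   # list quoted in the thread

# Print the iptables commands instead of running them, so the policy can be
# read (or diffed against the previous version) before it touches the box.
build_firewall_rules() {
    ports=$1
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened, plus related traffic (FTP data).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        # Skip anything that is not a number in 1..65535 instead of emitting a broken rule.
        case $p in
            ''|*[!0-9]*) echo "skipping invalid port '$p'" >&2; continue ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "skipping out-of-range port '$p'" >&2
            continue
        fi
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        # DNS queries are mostly UDP; a name server needs 53/udp as well as 53/tcp.
        if [ "$p" -eq 53 ]; then
            echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
        fi
    done
    # Rate-limited log of what the DROP policy is about to discard, so a scan
    # like the one in this thread shows up in /var/log/messages.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

# Number of port-accept rules the policy would install (tcp and udp).
count_accept_rules() {
    build_firewall_rules "$1" | grep -c -- '--dport'
}

# Actually load the policy; must run as root.
apply_firewall_rules() {
    build_firewall_rules "$1" | sh
}

if [ "${1:-}" = "--apply" ]; then
    apply_firewall_rules "$ALLOWED_TCP_PORTS"
else
    build_firewall_rules "$ALLOWED_TCP_PORTS"   # dry run: print the rules only
fi
```

On a SuSE 9.2 box this script and SuSEfirewall2 would both be rewriting the same iptables tables at boot, so use one or the other: either disable SuSEfirewall2 before installing a hand-written rc.firewall, or keep SuSEfirewall2 and open ports through its configuration file as the original poster did for FTP.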
Are you sure that your DSL modem isn't causing this? I had a Cisco 678 DSL modem that would do something similar; it had management ports that would mess up port scans. If your server isn't listening on port 21, who cares anyway.