LinuxQuestions.org
Old 11-28-2004, 08:30 PM   #1
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Rep: Reputation: 15
SuSE 9.2 - FTP Port open with no FTP service?!?!


Hey All,

Just installed SuSE 9.2 on a machine that is going to be my web server/email server system. In locking the box down, I noticed that TCP:21 is responding to a port scan. I don't have any FTP service active in inet or any type of FTP server running period!!! I'm trying to track down where it's coming from, but SuSE is just a little bit different from your standard Red Hat system.

TIA,
 
Old 11-28-2004, 08:49 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Welcome to Linuxquestions.

As root try running: netstat -pantu

Also run (if installed): lsof -i
 
Old 11-29-2004, 08:34 PM   #3
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
Just got back to the server. After running a "netstat -pantu", I got the following results:

hyrule:/etc/sysconfig/network # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3912/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 4103/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4341/master
tcp 0 0 66.231.105.161:1198 131.159.72.23:21 ESTABLISHED 9097/y2base
tcp 0 0 :::80 :::* LISTEN 8783/httpd2-prefork
tcp 0 0 :::22 :::* LISTEN 4028/sshd
tcp 0 0 ::1:25 :::* LISTEN 4341/master
udp 0 0 0.0.0.0:68 0.0.0.0:* 6113/dhcpcd
udp 0 0 0.0.0.0:111 0.0.0.0:* 3912/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 4103/cupsd

That shows me the y2base app is the only one baring port 21. After killing "watcher" (the SuSE update utility), I got the following:

hyrule:/etc/sysconfig/network # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3912/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 13084/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4341/master
tcp 0 0 :::80 :::* LISTEN 8783/httpd2-prefork
tcp 0 0 :::22 :::* LISTEN 4028/sshd
tcp 0 0 ::1:25 :::* LISTEN 4341/master
udp 0 0 0.0.0.0:68 0.0.0.0:* 6113/dhcpcd
udp 0 0 0.0.0.0:111 0.0.0.0:* 3912/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 13084/cupsd


This is all fine and dandy. But I'm still showing port 21 as listening. Grrrrrrrrrr!!!!!!!
 
Old 11-29-2004, 09:23 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
What does the lsof -i command show? Is there anything between the SuSE box and the system you're scanning from (router, switch, other hosts, internet)? Also when you say port 21 "responds", do you mean it's shown as "open" or as "closed" while most other ports are in the "filtered" state?
 
Old 11-30-2004, 01:19 AM   #5
monroetech
Member
 
Registered: Nov 2004
Location: Toledo, OH
Distribution: SuSE 9.2 Pro
Posts: 53

Rep: Reputation: 15
try this

telnet 127.0.0.1 21

Here is a snippet of mine...

[ftp not running]
jbutler@www:~> telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
jbutler@www:~>

[ftp running]
jbutler@www:/etc> telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.2.10 Server (FTP Server) [127.0.0.1]


See what kind of response you get back from telnetting to that port and report back
 
Old 11-30-2004, 01:23 AM   #6
monroetech
Member
 
Registered: Nov 2004
Location: Toledo, OH
Distribution: SuSE 9.2 Pro
Posts: 53

Rep: Reputation: 15
Hmm... looking back over what you pasted I do not see where port 21 is set to Listen
Maybe I'm overlooking it, but I'll have to look again... I bet Capt is on the right track, you're bouncing filtered or closed
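
Added example (not part of any post in this thread): the y2base line in post #3 is an outbound connection to a remote FTP server, not a local listener. The function below separates the two cases in `netstat -pantu` output; `port_role` and `sample_netstat` are hypothetical names, and the sample rows are copied from the first listing in post #3.

```shell
#!/bin/sh
# Added example, not from the thread: show how a port appears in netstat output.

# Constructed sample: rows copied from the first netstat listing in post #3.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3912/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4341/master
tcp 0 0 66.231.105.161:1198 131.159.72.23:21 ESTABLISHED 9097/y2base
tcp 0 0 :::80 :::* LISTEN 8783/httpd2-prefork
tcp 0 0 :::22 :::* LISTEN 4028/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 6113/dhcpcd
EOF
}

# port_role PORT  (hypothetical helper; reads `netstat -pantu` text on stdin)
# Prints one line per socket that involves PORT:
#   LISTEN  <proto> <local> <program>               this host serves PORT
#   SESSION <proto> <local> <- <foreign> <program>  a peer is connected to local PORT
#   CLIENT  <proto> <local> -> <foreign> <program>  this host connected out to PORT
port_role() {
  awk -v port="$1" '
    $1 !~ /^(tcp|udp)/ { next }              # skip header lines
    {
      n = split($4, l, ":"); lport = l[n]    # last ":" field, so IPv6 rows work too
      m = split($5, f, ":"); fport = f[m]
      prog = $NF                             # PID/Program is the last column
      # TCP servers are in LISTEN state; unconnected UDP sockets show foreign port "*"
      if ($1 ~ /^udp/) serving = (fport == "*")
      else             serving = ($6 == "LISTEN")
      if (lport == port && serving) print "LISTEN", $1, $4, prog
      else if (lport == port)       print "SESSION", $1, $4, "<-", $5, prog
      else if (fport == port)       print "CLIENT", $1, $4, "->", $5, prog
    }'
}

# Demo on the embedded sample; on a live host use: netstat -pantu | port_role 21
sample_netstat | port_role 21
```

An empty result for a port means no local socket involves it, which matches the later listings in this thread.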
 
Old 11-30-2004, 11:37 AM   #7
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
Yeah, I completely agree with you guys. Nothing on my box seems to be listening on port 21.

In an extreme act of frustration, I reinstalled SuSE 9.2 as the server wasn't in any super configuration anyhow. After just a basic install, here is the same information:

linux:/etc/sysconfig/network # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4218/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 4381/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4511/master
tcp 0 0 66.231.105.161:1090 64.233.167.99:80 TIME_WAIT -
tcp 0 0 66.231.105.161:1078 64.233.167.99:80 TIME_WAIT -
tcp 0 0 66.231.105.161:1079 64.233.167.99:80 TIME_WAIT -
tcp 0 0 66.231.105.161:1080 64.179.4.149:80 TIME_WAIT -
tcp 0 0 :::22 :::* LISTEN 4288/sshd
tcp 0 0 ::1:25 :::* LISTEN 4511/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 4218/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 4381/cupsd
linux:/etc/sysconfig/network # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 4218 nobody 3u IPv4 7192 UDP *:sunrpc
portmap 4218 nobody 4u IPv4 7193 TCP *:sunrpc (LISTEN)
sshd 4288 root 3u IPv6 7327 TCP *:ssh (LISTEN)
cupsd 4381 lp 0u IPv4 8660 TCP *:ipp (LISTEN)
cupsd 4381 lp 2u IPv4 8661 UDP *:ipp
master 4511 root 12u IPv4 8558 TCP localhost:smtp (LISTEN)
master 4511 root 13u IPv6 8559 TCP localhost:smtp (LISTEN)
linux:/etc/sysconfig/network # telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Here is what I get from an outside IP:

C:\telent 66.231.105.161 21
Connecting To 66.231.105.161...Could not open connection to the host, on port 21: Connection failed

Even with that, a port scan still shows 21 as responding!

When I see "Connection failed", that would either tell me that SuSEfirewall2 is blocking the port, and/or that the server isn't listening on that port. I know that I'm using the default firewall, so I went ahead and added a tunnel through for FTP (tcp: 21 - in the SuSEfirewall2 config). Then got this....

linux:/etc/sysconfig/network # telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
linux:/etc/sysconfig/network #

C:\telent 66.231.105.161 21
Connecting To 66.231.105.161...Could not open connection to the host, on port 21: Connection failed

EVERY INDICATION on the server tells me that there isn't anything listening to port 21. But a port scan tells me otherwise. Did this from 3 separate IP systems with the same results.
 
Old 11-30-2004, 11:46 AM   #8
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
just trying something different.....

When I went to http://probe.hackerwatch.org/probe/probe.asp, it gave me this:

Closed but Unsecure
21 (FTP)

This port is not being blocked, but there is no program currently accepting connections on this port.

So how in SuSEFirewall2 do I block incoming ports on my "internet" interface? If this keeps up, I might give up and go to Mandrake or Fedora! SuSE can be nice, but also a pain!!!
 
Old 11-30-2004, 03:55 PM   #9
monroetech
Member
 
Registered: Nov 2004
Location: Toledo, OH
Distribution: SuSE 9.2 Pro
Posts: 53

Rep: Reputation: 15
First off, I don't care for SuSE Firewall... I use my own script using iptables.... here I'll post it for you and give a little explanation....


#!/bin/bash

echo "Start Firewall"

# Default policies: drop inbound and forwarded traffic, allow outbound.
# Flush any existing rules in each chain and in the nat table.
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -t nat -F

# Always allow loopback, and replies to connections this host started
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inbound services allowed on eth0: FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP.
# Delete the line for any port that should stay closed.
/usr/sbin/iptables -A INPUT -p tcp --dport 21 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 110 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 143 -i eth0 -j ACCEPT

# ICMP types allowed in
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 0 -i eth0 -j ACCEPT # echo reply
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 3 -i eth0 -j ACCEPT # destination unreachable
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 11 -i eth0 -j ACCEPT # time exceeded

echo "Firewall Started"

# Sync the system clock once at boot
echo "Setting time from Atomic Clock Server"
/usr/sbin/ntpdate time.windows.com

First thing, it will flush any existing config.... then I tell it to only accept incoming connections on the following ports.... 21 22 25 53 80 110 143. You can change those to meet your needs.... if there are too many lines just delete some.....

I also threw in there to update the system time to time.windows.com every time the system boots..... which isn't often......

Save this to a file, you'll have to chmod +x, call it rc.firewall or whatever, save it to /usr/sbin

Then open up /etc/init.d/boot.localnet and paste it in there... Here is a snippet of my boot.localnet

### BEGIN INIT INFO
# Provides: boot.localnet
# Required-Start: boot.ldconfig
# X-UnitedLinux-Should-Start: boot.quota
# Required-Stop:
# Default-Start: B
# Default-Stop:
# Description: setup hostname and yp and do cleanup
### END INIT INFO
. /usr/sbin/rc.firewall
. /etc/rc.status
. /etc/sysconfig/cron




cheers

Last edited by monroetech; 11-30-2004 at 03:59 PM.
 
Old 11-30-2004, 10:05 PM   #10
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
Ok, I'm going to have a long talk with my ISP......

I turned the server completely OFF!! And I still have port 21 responding!

I think I can stop chasing my tail now.

Thanks a bunch for the advice guys!!
 
Old 12-01-2004, 06:58 AM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by don_wombat
Ok, I'm going to have a long talk with my ISP......

I turned the server completely OFF!! And I still have port 21 responding!
 
Old 12-01-2004, 11:02 AM   #12
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
Are you sure that your DSL modem isn't causing this? I had a Cisco 678 DSL modem that would do something similar; it had management ports that would mess up port scans. If your server isn't listening on port 21, who cares anyway?
 
Old 12-01-2004, 03:14 PM   #13
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
nope.

Modem is an Efficient Networks 5100 bridged modem. There isn't any type of IP activity that can occur there.
 
  

