Old 12-14-2003, 03:07 PM   #1
richlawson
LQ Newbie
 
Registered: Jun 2003
Posts: 22

Rep: Reputation: 15
nmap results


Hi,

Wonder if anyone can help with this. I've just run a port scan of my Mandrake 9.1 box using nmap and am unsure what a lot of the following stuff is. I am running squid, proftpd, ssh, samba and webmin, so I can account for those ports. The Linux box is behind a router running a NAT firewall.

What I want to know is: what's all this stuff from port 10005 upwards? And why are the netbios ports filtered when I don't have port forwarding enabled for these ports? Surely they should be in state closed.

(The 1626 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
3128/tcp open squid-http
10000/tcp filtered snet-sensor-mgmt
10005/tcp filtered stel
10082/tcp filtered amandaidx
10083/tcp filtered amidxtape
12000/tcp filtered cce4x
12346/tcp filtered NetBus
13701/tcp filtered VeritasNetbackup
13702/tcp filtered VeritasNetbackup
13705/tcp filtered VeritasNetbackup
13706/tcp filtered VeritasNetbackup
13708/tcp filtered VeritasNetbackup
13709/tcp filtered VeritasNetbackup
13710/tcp filtered VeritasNetbackup
13711/tcp filtered VeritasNetbackup
13712/tcp filtered VeritasNetbackup
13713/tcp filtered VeritasNetbackup
13714/tcp filtered VeritasNetbackup
13715/tcp filtered VeritasNetbackup
13716/tcp filtered VeritasNetbackup
13717/tcp filtered VeritasNetbackup
13718/tcp filtered VeritasNetbackup
13720/tcp filtered VeritasNetbackup
13721/tcp filtered VeritasNetbackup
13722/tcp filtered VeritasNetbackup
13782/tcp filtered VeritasNetbackup
13783/tcp filtered VeritasNetbackup

Interestingly, if I nmap localhost I get this:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
3128/tcp open squid-http
6000/tcp open X11
6667/tcp open irc
10000/tcp open snet-sensor-mgmt

which is correct; the IRC server is only for use on the local network. Any ideas on this? When the port scan was performed the only active machine on the network was the Linux box.

Thanks in advance
 
Old 12-14-2003, 06:32 PM   #2
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
Try
lsof | egrep "ESTABLISHED|LISTEN" | more

This should show you all of the established connections as well as the ports that are listening for new connections.

I'd guess from the list you showed that you must be using Amanda backup software too. That might account for some of these.
 
Old 12-15-2003, 09:38 AM   #3
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
I wouldn't worry too much about those ports 10000 and above. As you can see they are being filtered which means that iptables is simply dropping any packets destined for those ports. Which is a good thing. Nothing will get through there.
All other scanned ports are being reported as closed which means that incoming packets on these ports are not only being dropped but your box responds with a packet that tells the sender that this port is closed.

Practically there is not much difference between 'closed' and 'filtered'. But some people prefer having all their ports in a 'filtered' state. You may want to ask Unspawn about this.
 
Old 12-15-2003, 10:24 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Right, nmap is quite intelligent and can often tell when a port is being filtered. In this case, filtered means that the packets are being dropped by the firewall and there's no response from the system. This makes your box harder to find by most scans. It also means that if any legitimate users try to connect to a filtered service they will have to sit and wait for a few minutes before their connection times out. Usually that's not a big deal, assuming you have everything set up correctly. The other thing you can do is set your firewall to reject instead of drop. That will make all ports show as "closed" and it will respond immediately. That lets the attacker know there's a box there (can't get a "closed" response without one) and it also vastly speeds up their scanning. Other than that, there's no real harm.

As an important side note, triple check your squid configuration to make absolutely certain that it won't accept outside connections. Open proxies are one of the main ways spammers and crackers do their dirty deeds.
 
Old 12-16-2003, 02:21 PM   #5
richlawson
LQ Newbie
 
Registered: Jun 2003
Posts: 22

Original Poster
Rep: Reputation: 15
Hi, thanks for the responses.

I ran the command 'lsof | egrep "ESTABLISHED|LISTEN" | more', which confirmed the only services I have listening are the ones I want.

I know that when nmap reports a port as state filtered the port is behind a firewall; only thing is, I don't have my iptables firewall running at the mo? So shouldn't the port be closed, as the port is closed on the router?

The netbios + SMB ports 135 + 445 no longer appear on port scan results, this is good.

Still don't know where all the high ports are coming from though; I'm not using Amanda backup so that rules that out. I've checked with my ISP and they state they are not blocking or filtering these ports. Don't know where to go next? I've tried shutting all services down but the high ports still show up. Any more ideas?

Thanks for suggestions so far.
 
Old 12-16-2003, 02:33 PM   #6
richlawson
LQ Newbie
 
Registered: Jun 2003
Posts: 22

Original Poster
Rep: Reputation: 15
Oh yeah, the access control lists will only allow connections from localhost, my internal network and my static IP address as assigned by the ISP (this is because I use an SSH tunnel into my box from work to use the proxy), so I think all that side of things is OK.
 
Old 12-16-2003, 03:26 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Most firewalls and routers that do packet filtering will simply drop packets instead of "bouncing" them. That's why the ports don't show as closed. You'll only get the "closed" if the port responds with a TCP RST or an ICMP unreachable.
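The reconciliation the thread works through by hand (external nmap states versus the local lsof LISTEN list, with "filtered" read as "probe dropped, no RST or ICMP unreachable") can be scripted. This is an added example, not code from the thread or from nmap; the scan text is taken from the thread's own output and the lsof-style listener list is a constructed sample in the shape of `lsof -nP -i` output.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's plain nmap format ("PORT STATE SERVICE").
NMAP_EXTERNAL = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
3128/tcp open squid-http
10000/tcp filtered snet-sensor-mgmt
13782/tcp filtered VeritasNetbackup
"""

# Constructed sample shaped like `lsof -nP -i | egrep LISTEN` output.
LSOF_LISTEN = """\
proftpd   812  root  0u IPv4 1234 TCP *:21 (LISTEN)
sshd      845  root  3u IPv4 1301 TCP *:22 (LISTEN)
smbd      901  root  5u IPv4 1402 TCP *:139 (LISTEN)
squid    1020 squid  9u IPv4 1555 TCP *:3128 (LISTEN)
X        1100  root  1u IPv4 1602 TCP *:6000 (LISTEN)
ircd     1300   irc  6u IPv4 1800 TCP 127.0.0.1:6667 (LISTEN)
miniserv 1200  root  4u IPv4 1700 TCP *:10000 (LISTEN)
"""
NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")
LSOF_LINE = re.compile(r"TCP\s+\S*:(\d+)\s+\(LISTEN\)")

def parse_nmap(text):
    """Map port -> (state, service) from the TCP lines of plain nmap output."""
    return {int(m.group(1)): (m.group(2), m.group(3))
            for m in map(NMAP_LINE.match, text.splitlines()) if m}

def parse_lsof(text):
    """Set of TCP ports that have a local LISTEN socket."""
    return {int(m.group(1)) for m in map(LSOF_LINE.search, text.splitlines()) if m}

def reconcile(scan, listening):
    """Bucket each port by whether a local listener explains what nmap saw."""
    report = defaultdict(list)
    for port, (state, _service) in sorted(scan.items()):
        if state == "open":            # host (or something in front of it) accepted
            key = "exposed_as_expected" if port in listening else "open_without_local_listener"
        elif state == "filtered":      # probe dropped silently, no RST or ICMP unreachable
            key = "listener_hidden_by_filter" if port in listening else "filtered_upstream"
        else:
            key = state                # "closed": RST came back, nothing listening
        report[key].append(port)
    report["local_only"] = sorted(listening - set(scan))   # listening but never seen from outside
    return dict(report)
```

"open_without_local_listener" is the bucket worth investigating first, since it means something other than this host is answering; "filtered_upstream" is the thread's high-port case, where a device in front of the host is dropping the probe.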