LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-14-2003, 03:07 PM   #1
richlawson
LQ Newbie
 
Registered: Jun 2003
Posts: 22

Rep: Reputation: 15
nmap results


Hi,

Wonder if anyone can help with this. I've just ran a portscan of my mandrake 9.1 box using nmap and am unsure what a lot of the following stuff is. I am running squid, proftpd, ssh, samba and webmin is running so i can account for those ports. The linux box is behind a router running a NAT firewall.

What I want to know is whats all this stuff from port 10005 upwards??? And why are the netbios ports filtered when I don't have port forwarding enabled for these ports, surely they should be in state closed

The 1626 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
3128/tcp open squid-http
10000/tcp filtered snet-sensor-mgmt
10005/tcp filtered stel
10082/tcp filtered amandaidx
10083/tcp filtered amidxtape
12000/tcp filtered cce4x
12346/tcp filtered NetBus
13701/tcp filtered VeritasNetbackup
13702/tcp filtered VeritasNetbackup
13705/tcp filtered VeritasNetbackup
13706/tcp filtered VeritasNetbackup
13708/tcp filtered VeritasNetbackup
13709/tcp filtered VeritasNetbackup
13710/tcp filtered VeritasNetbackup
13711/tcp filtered VeritasNetbackup
13712/tcp filtered VeritasNetbackup
13713/tcp filtered VeritasNetbackup
13714/tcp filtered VeritasNetbackup
13715/tcp filtered VeritasNetbackup
13716/tcp filtered VeritasNetbackup
13717/tcp filtered VeritasNetbackup
13718/tcp filtered VeritasNetbackup
13720/tcp filtered VeritasNetbackup
13721/tcp filtered VeritasNetbackup
13722/tcp filtered VeritasNetbackup
13782/tcp filtered VeritasNetbackup
13783/tcp filtered VeritasNetbackup

interestingly if i nmap localhost i get this

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
3128/tcp open squid-http
6000/tcp open X11
6667/tcp open irc
10000/tcp open snet-sensor-mgmt

which is correct, the irc server is only for use on local network. Any ideas on this. When the port scan was performed the only active machine on the network was the linux box.

thanks in advance
 
Old 12-14-2003, 06:32 PM   #2
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
Try
lsof | egrep "ESTABLISHED|LISTEN" | more

This should show you all of the established connections as well as the ports that are listening for new connections.

I'd guess from the list you showed that you must be using Amanda backup software too. That might account for some of these.
 
Old 12-15-2003, 09:38 AM   #3
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
I wouldn't worry too much about those ports 10000 and above. As you can see they are being filtered which means that iptables is simply dropping any packets destined for those ports. Which is a good thing. Nothing will get through there.
All other scanned ports are being reported as closed which means that incoming packets on these ports are not only being dropped but your box responds with a packet that tells the sender that this port is closed.

Practically there is not much difference between 'closed' and 'filtered'. But some ppl prefer having all their ports in a 'filtered' state. You may want to ask Unspawn about this.
 
Old 12-15-2003, 10:24 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Right, nmap is quite intelligent and can often tell when a port is being filtered. In this case, filtered means that the packets are being dropped by the firewall and there's no response from the system. This makes your box harder to find by most scans. It also means that if any legitimate users try to connect to a filtered service they will have to sit and wait for a few minutes before their connection times out. Usually that's not a big deal, assuming you have everything setup correctly. The other thing you can do is set your firewall to reject instead of drop. That will make all ports show as "closed" and it will respond immediately. That lets the attacker know there's a box there (can't get a "closed" response without one) and it also vastly speeds up their scanning. Other than that, there's no real harm.

As an important side note, triple check your squid configuration to make absolutely certain that it won't accept outside connections. Open proxies are one of the main ways spammers and crackers do their dirty deeds.
 
Old 12-16-2003, 02:21 PM   #5
richlawson
LQ Newbie
 
Registered: Jun 2003
Posts: 22

Original Poster
Rep: Reputation: 15
Hi Thanks for the responses

I ran the command 'lsof | egrep "ESTABLISHED|LISTEN" | more' which confirmed the only services I have listening are the ones i want

I know that when nmap reports a port as state filtered the port is behind a firewall, only thing is I don't have my IPtable firewall running at the mo?? So shouldn't the port be closed as the port is closed on the router?

The netbios + smb ports 135 + 445 no longer appear on portsacn results, this is good

Still don't know where all the high ports are coming from though, i'm not using amanda backup so that rules that out. I've checked with my ISP and they state they are not blocking or filtering these ports. Don't know where to go next?? I've tried shutting all services down but the high ports still show up. Any more ideas?

Thanks for suggestions so far
 
Old 12-16-2003, 02:33 PM   #6
richlawson
LQ Newbie
 
Registered: Jun 2003
Posts: 22

Original Poster
Rep: Reputation: 15
Oh yeah, the access control lists will only allow connections from localhost, my internal network and my IP static IP address as assigned by ISP. (this is because I use an SSH tunnel into my box from work to use the proxy) so i think all that side of things is ok
 
Old 12-16-2003, 03:26 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Most firewalls and routers that do packet filtering will simply drop packets instead of "bouncing" them. That's why the ports don't show as closed. You'll only get the "closed" if the port responds with a tcp rst or an icmp unreachable.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
nmap results not correct? bobwall Linux - Networking 1 05-27-2005 03:31 AM
please help me,i m desperate.nmap results el3ctronic Linux - Security 4 03-01-2005 10:24 AM
nmap scan results ! dimgr Linux - Security 3 01-21-2005 12:39 PM
nmap scan results juanb Linux - Security 5 11-16-2004 02:31 AM
nmap results djcomplex Linux - Software 3 03-20-2004 01:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:47 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration