RE: [cobalt-security] Ports safe to close?
- Subject: RE: [cobalt-security] Ports safe to close?
- From: Graeme Fowler <graeme.fowler@xxxxxxxxxxxxxx>
- Date: Wed, 29 Aug 2001 10:02:20 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Carrie wrote:
> When running an nmap scan on one of my servers with IPChains
> installed and running, I get these open ports:
> 1080/tcp open socks
> 2000/tcp open callbook
> 2001/tcp open dc (this is digichat)
> 6667/tcp open irc
> 32771/tcp open sometimes-rpc5
> 32772/tcp open sometimes-rpc7
> 32773/tcp open sometimes-rpc9
> 32774/tcp open sometimes-rpc11

<shiver> that doesn't look very nice... </shiver>

And then several other people wrote stuff about 'closing' ports...

Folks: You don't close a port; you stop a service running on it. If there's
something holding a port open and you don't know what it is, then it's time
to go a-digging. Personally I think IPChaining these ports out of existence
is only gonna mask the fact that there are things running on your box which
you didn't expect.

Step 1: telnet to the port. In this case Carrie might see something like:
[carrie@server carrie]# telnet server 6667
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** No Ident response
NOTICE AUTH :*** Found your hostname

or something else equally bizarre looking. That means your machine is most
likely running ircd without you knowing, or if some other message comes up
it may be running an IRC bouncer such as ezBounce or psyBNC.

A suggestion: if your RaQ has the more up-to-date version of netstat
installed, try running netstat -lnp. That shows you listening ports, the
programs and their PID.

Even more useful (but sadly ISTR not installed on the RaQ by default) is
'lsof' - LiSt Open Files. It's tremendously verbose and can take some time
to dig through, but is in my experience one of the more useful
debugging/analysis tools for a running system.

HTH
Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
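
Added example, not part of the original message or the list archive: on a Linux box where netstat lacks -p and lsof is not installed, the same port-to-program mapping can be read from /proc/net/tcp and the /proc/<pid>/fd symlinks. The sample table, the expected-port list {25, 80} and the function names are constructed for illustration; the parser assumes a little-endian host and covers IPv4 TCP only.

```python
import os, socket, struct

# Constructed sample in /proc/net/tcp layout (not taken from the original post).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000   501        0 4410
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305
   3: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000    48        0 5120
"""

def listening_sockets(table):
    """Return (ip, port, uid, inode) per LISTEN row (st == 0A); little-endian host assumed."""
    rows = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue  # short line, or an established/other-state socket
        addr, port = f[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))
        rows.append((ip, int(port, 16), int(f[7]), int(f[9])))
    return rows

def owners(inodes, proc="/proc"):
    """Map socket inode -> (pid, exe path) via the /proc/<pid>/fd symlinks."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fd_dir = os.path.join(proc, pid, "fd")
            for fd in os.listdir(fd_dir):
                link = os.readlink(os.path.join(fd_dir, fd))
                if link.startswith("socket:[") and int(link[8:-1]) in inodes:
                    exe = os.readlink(os.path.join(proc, pid, "exe"))
                    found[int(link[8:-1])] = (int(pid), exe)
        except OSError:
            continue  # process exited, or not running as root
    return found

def unexpected(listeners, expected_ports):
    """Listeners whose port is not on the admin's list of intended services."""
    return [s for s in listeners if s[1] not in expected_ports]

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    table = open("/proc/net/tcp").read() if live else SAMPLE
    odd = unexpected(listening_sockets(table), expected_ports={25, 80})
    who = owners({s[3] for s in odd}) if live else {}
    for ip, port, uid, inode in odd:
        print(ip, port, "uid", uid, who.get(inode, "owner unknown"))
```

Run it as root so the fd links of other users' processes are readable. A listener that still shows "owner unknown" as root has no visible owning process, which is itself worth investigating.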