RE: [cobalt-security] Ports safe to close?



Carrie wrote:
> When running an nmap scan on one of my servers with IPChains 
> installed and running, I get these open ports:
> 1080/tcp   open        socks
> 2000/tcp   open        callbook                
> 2001/tcp   open        dc (this is digichat)
> 6667/tcp   open        irc                     
> 32771/tcp  open        sometimes-rpc5          
> 32772/tcp  open        sometimes-rpc7          
> 32773/tcp  open        sometimes-rpc9          
> 32774/tcp  open        sometimes-rpc11

<shiver> that doesn't look very nice... </shiver>

And then several other people wrote stuff about 'closing' ports...

Folks: You don't close a port; you stop a service running on it. If there's
something holding a port open and you don't know what it is, then it's time
to go a-digging. Personally I think IPChaining these ports out of existence
is only gonna mask the fact that there are things running on your box which
you didn't expect.

Step 1: telnet to the port. In this case Carrie might see something like:
[carrie@server carrie]# telnet server 6667
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** No Ident response
NOTICE AUTH :*** Found your hostname

or something else equally bizarre looking. That means your machine is most
likely running ircd without you knowing, or if some other message comes up
it may be running an IRC bouncer such as ezBounce or psyBNC.

A suggestion: if your RaQ has the more up-to-date version of netstat
installed, try running netstat -lnp. That shows you listening ports, the
programs and their PID.
Even more useful (but sadly ISTR not installed on the RaQ by default) is
'lsof' - LiSt Open Files. It's tremendously verbose and can take some time
to dig through, but is in my experience one of the more useful
debugging/analysis tools for a running system.

HTH

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
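
An added example (not part of the original message): a small shell filter over `netstat -lnp` output that lists TCP listeners whose port is not on an expected list, together with the owning PID and program. The allowlist `22 80` and the sample output, including its PIDs and program names, are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not on an expected-port list.
# Reads `netstat -lnp` output on stdin; $1 is a space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            k = split($4, addr, ":")      # port is the last ":" field (works for :::22 too)
            port = addr[k]
            if (port in ok) next
            pid = "?"; prog = "unknown"   # netstat prints "-" when it cannot see the owner
            if ($7 != "-" && $7 != "") {
                slash = index($7, "/")
                pid = substr($7, 1, slash - 1)
                prog = substr($7, slash + 1)
            }
            printf "%s %s %s\n", port, pid, prog
        }'
}

# Constructed sample output (PIDs and program names are made up for illustration).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      530/httpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2931/psybnc
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:32771           0.0.0.0:*                           611/rpc.statd
EOF
}

# Live use (as root, so the PID column is populated):
#   netstat -lnp | unexpected_listeners "22 80"
sample_netstat | unexpected_listeners "22 80"
```

A listener reported with `?` as its PID is one netstat could not attribute to a process; rerun as root or follow up with lsof before deciding what it is.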