RE: [cobalt-security] Ports safe to close?
- Subject: RE: [cobalt-security] Ports safe to close?
- From: "Drage, Nicholas" <nickd@xxxxxxxxx>
- Date: Wed, 29 Aug 2001 13:08:36 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Carrie wrote:
> > When running an nmap scan on one of my servers with IPChains
> > installed and running, I get these open ports:
> > 1080/tcp open socks
> > 2000/tcp open callbook
> > 2001/tcp open dc (this is digichat)
> > 6667/tcp open irc
> > 32771/tcp open sometimes-rpc5
> > 32772/tcp open sometimes-rpc7
> > 32773/tcp open sometimes-rpc9
> > 32774/tcp open sometimes-rpc11
>
> <shiver> that doesn't look very nice... </shiver>
Seconded.
Is this another case of Portsentry generating false alarms for remote scanning software? (I mean socks, irc *and* rpc services.)
BTW - Carrie, IIRC the default flag for nmap is -sT not -sS.
> And then several other people wrote stuff about 'closing' ports...
Yay, clue!
> Folks: You don't close a port; you stop a service running on
> it. If there's something holding a port open and you don't know what it is,
> then it's time to go a-digging. Personally I think IPChaining these ports
> out of existence is only gonna mask the fact that there are things running on
> your box which you didn't expect.
Seconded. And if Portsentry is generating the positives, and you're using IPChains to protect against them, you're really making work for yourself :)
<snip>
> A suggestion: if your RaQ has the more up-to-date version of netstat
> installed, try running netstat -lnp. That shows you listening
> ports, the programs and their PID.
netstat -tupan will avoid all the socket details at the bottom.
> Even more useful (but sadly ISTR not installed on the RaQ by
> default) is 'lsof' - LiSt Open Files. It's tremendously verbose and can
> take some time to dig through, but is in my experience one of the more useful
> debugging/analysis tools for a running system.
Yes, shame not to see this on the RaQ, I don't *think* it even comes with most Linux distributions. "lsof -i" will list all connections and is a useful complement to netstat.
--
Nick Drage - Packet Pooh-Bah - Security Architecture - Demon Internet
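
An added example (not part of the original message) of the approach discussed in the thread: pipe `netstat -lnp` output through a small filter that reports which process owns each port a scan flagged. The sample output, the PIDs and the program names in it are constructed, and the net-tools column layout is assumed.

```shell
#!/bin/sh
# Added example: map scan-reported ports to their owning process.
# Real use (as root, so the PID column is filled in):
#   netstat -lnp | port_owners 1080 2000 2001 6667

# port_owners PORT... : reads `netstat -lnp` output on stdin and prints
# "<port> <proto> <pid/program>" for each listener on a requested port,
# then "<port> - no-listener" for requested ports nothing is bound to.
port_owners() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ask[w[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            # Port is the last colon-separated piece (also works for :::22).
            m = split($4, a, ":"); port = a[m]
            if (!(port in ask)) next
            # TCP rows carry a State column; listening UDP rows do not.
            owner = ($1 ~ /^tcp/) ? $7 : $6
            # netstat prints "-" when it may not see the owning process.
            if (owner == "-" || owner == "") owner = "unknown(need-root)"
            print port, $1, owner
            seen[port] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) print w[i], "-", "no-listener"
        }
    '
}

# Constructed sample output; PIDs and program names are made up.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      412/portsentry
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN      733/digichat
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      412/portsentry
udp        0      0 0.0.0.0:32771           0.0.0.0:*                           -
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1080   /tmp/.sample
EOF
}

sample_netstat | port_owners 1080 2001 6667 32771 32772
```

A port that a scan shows open but that comes back as `no-listener` here is worth a second look, since the listener may be in another protocol family or hidden from the tool.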