Funny thing is.... I ran the same scan before I upgraded and it came back with no services running.... Very Strange.

So something must have changed during the upgrade. One of the other services it claims: AppleTalk; now I know for a fact this isn't enabled on this router.... Or at least it shouldn't be! My config would say otherwise; as would DNS and DHCP. I'm very very curious.

-----Original Message-----
From: Moffett, Ryan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 3:06 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: IOS upgrade/Strange services [7:53492]

...an inbound ACL on the interfaces you want to protect would effectively kill access to these ports, but some of the ports you have mentioned are difficult to explain and lack command-line parameters to control, like biff for instance. Biff happens to run on UDP port 512.

Can you duplicate your scan results with another tool such as nmap? Sometimes tools that use various techniques to detect open ports, especially UDP ports sometimes result in false positives. TCP connection attempts to detect open TCP ports are usually very accurate. Some of the services below appear to be TCP and UDP. Can you specify if they are TCP or UDP ports?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: IOS upgrade/Strange services [7:53492]

I'm running 12.2(11)T ip/fw/ids/3DES.....

The scan came back with Cu-seeme, talk, tftp, rpc-nfs, rwho, biff, name, rpc-portmapper, rwho, snmp-agent, syslog, dhcp, dns, etc... Since the router is fundamentally a unix box I can see this happening... How the heck do ya shutdown the services? Also tried shutting down the VoIP stuff... No go!

I didn't think an ACL would be useful given the services appear to be running on the router itself. Kinda like stopping a service on a *nix or windoz computer.

Plz lemme know your thoughts....

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Lhotse
no logging console
aaa new-model
!
aaa authentication login ops line
aaa session-id common
enable secret
enable password
!
ip subnet-zero
no ip source-route
!
no ip domain lookup
ip domain name abnamrousa.com
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
!
mta receive maximum-recipients 0
!
interface Ethernet0/0
 ip address x.x.x.x 255.255.255.0
 ip access-group 2 out
 ip nat inside
 half-duplex
 no cdp enable
!
interface Serial0/0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address y.y.y.y 255.255.255.252
 ip access-group 1 in
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 frame-relay interface-dlci 501 IETF
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
 no cdp enable
!
interface Serial0/1
 no ip address
 no keepalive
 shutdown
 no cdp enable
!
ip classless
no ip http server
!
access-list 1 deny 65.204.141.10
access-list 1 deny 65.204.68.194
access-list 1 deny 65.204.132.5
access-list 1 deny 65.3.0.83
access-list 1 deny 65.204.176.42
access-list 1 deny 80.132.79.133
access-list 1 deny 65.5.36.66
access-list 1 deny 65.0.13.111
access-list 1 deny 65.204.21.189
access-list 1 deny 65.204.103.194
access-list 1 deny 65.204.95.250
access-list 1 deny 65.204.103.196
access-list 1 deny 65.204.39.133
access-list 1 deny 65.204.232.83
access-list 1 deny 65.204.212.31
access-list 1 deny 65.196.200.11
access-list 1 deny 65.115.13.98
access-list 1 deny 65.204.39.244
access-list 1 deny 65.204.222.51
access-list 1 deny 65.204.219.50
access-list 1 deny 65.195.0.229
access-list 1 deny 65.204.176.77
access-list 1 deny 65.204.135.120
access-list 1 deny 65.204.57.200
access-list 1 deny 64.168.217.182
access-list 1 deny 65.204.38.59
access-list 1 deny 65.204.73.87
access-list 1 deny 65.204.0.30
access-list 1 deny 65.204.118.100
access-list 1 deny 65.204.220.227
access-list 1 deny 65.204.61.3
access-list 1 deny 65.204.29.36
access-list 1 deny 65.204.135.200
access-list 1 deny 65.204.135.205
access-list 1 deny 65.204.240.181
access-list 1 deny 65.204.135.209
access-list 1 deny 65.204.135.214
access-list 1 deny 65.204.160.201
access-list 1 deny 65.204.160.200
access-list 1 deny 65.204.103.2
access-list 1 deny 65.204.160.199
access-list 1 deny 65.204.160.198
access-list 1 deny 65.204.160.195
access-list 1 deny 65.204.202.180
access-list 1 deny 65.204.202.179
access-list 1 deny 65.204.49.67
access-list 1 deny 65.204.125.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 199.172.158.0 0.0.0.255
access-list 2 deny 128.242.104.0 0.0.0.255
access-list 2 permit any
access-list 13 permit x.x.x.x
no cdp run
!
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 access-class 13 in
 password
 login authentication ops
 transport input ssh
!
end

-----Original Message-----
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: IOS upgrade/Strange services [7:53492]

What's the version of IOS? What's your Access-lists look like??

Truthfully, AFAIK, the only way that all of those services could be detected from multiple hosts after performing a port scan (assuming from the "far-end"/"outside" interface) is from either A) not having access-lists defined and static NAT is in place for each of the hosts in question, or B) there are access-lists in place, but said ACLs are being used/implemented incorrectly... i.e., Something like acl 101 permit ip any any rather than a more granular set of permit statements and a deny for everything else.

Can you post a scrubbed version of your config for this router??

-Mark

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53570&t=53492
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
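Added example, not part of the thread and not written by any of its participants: a small Python audit of an IOS-style config for the pattern raised in the replies, an interface ACL that contains a permit-all entry instead of specific permits with a closing deny. It also flags interfaces with "no ip unreachables", where a UDP scanner that waits for an ICMP port-unreachable reply gets silence whether the port is open or closed. The sample config is constructed (documentation addresses only), the finding codes are made up for this example, and the parser assumes "!" separates interface blocks.

```python
import re
PERMIT_ALL = {"any", "ip any any"}  # standard / extended "match everything"
# Constructed sample shaped like the thread's config; documentation addresses only.
SAMPLE = """\
interface Ethernet0/0
 ip access-group 2 out
!
interface Serial0/0.1 point-to-point
 ip access-group 1 in
 no ip unreachables
!
access-list 1 deny 192.0.2.10
access-list 1 deny 198.51.100.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 203.0.113.0 0.0.0.255
access-list 2 permit any
"""

def parse(config):
    """Return ({acl: [(action, match)]}, {interface: {"groups": [...], "no_unreach": bool}})."""
    acls, ifaces, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"groups": [], "no_unreach": False})
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif line == "!":
            cur = None  # "!" closes the current interface block
        elif cur is not None:
            if m := re.match(r"ip access-group (\S+) (in|out)", line):
                cur["groups"].append((m.group(1), m.group(2)))
            elif line == "no ip unreachables":
                cur["no_unreach"] = True
    return acls, ifaces

def audit(config):
    """Return (interface, code, detail) findings; the codes are labels made up for this example."""
    acls, ifaces = parse(config)
    out = []
    for name, info in ifaces.items():
        for acl, direction in info["groups"]:
            entries = acls.get(acl, [])
            if not entries:  # bound to the interface but not defined in this config
                out.append((name, "acl-undefined", f"ACL {acl} ({direction}) has no entries"))
            elif any(a == "permit" and rest in PERMIT_ALL for a, rest in entries):
                out.append((name, "default-permit", f"ACL {acl} ({direction}) permits everything not denied"))
        if info["no_unreach"]:
            out.append((name, "udp-scan-ambiguous", "no ICMP unreachables: silent UDP port may be open or closed"))
    return out
```
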

