On 09.03.2010 09:21, Sir Conquer wrote:
> As I was testing new iptables rules on my remote Lenny server, port
> 21 kept coming up as open, yet nothing was listening on it (according
> to netstat and lsof). At which point I'm panicking and wondering
> whether I've been owned! The panic had productive side-effects, as I
> discovered several misconfigurations in Bind. Still, no matter where
> I poked - I could not figure out what the hell is opening the damn
> ftp port... After making sure that I'm thoroughly dropping all
> traffic from APNIC subnets, and as I was getting ready to post a
> question about my dilemma here - I had a eureka moment - I'M RUNNING
> FTP PROXY on my LAN gateway! LOL :-) I laughed so hard that I woke up
> (and pissed off) my wife!
The same can very easily happen if your network uses some sort of transparent web proxy, either using the classic iptables REDIRECT approach or with the help of a Cisco router and WCCP. Outgoing port 80 will always seem to be available, and this has more than once driven me nearly mad :)

Also, tcptraceroutes with destination port 80 will always end in your own network (in your proxy) instead of tracing the internets, but the resulting hostname will still be the one you targeted:

x...@yyyy:~$ tcptraceroute.mt -N www.debian.org 80
Selected device eth0, address 192.168.192.67, port 39841 for outgoing packets
Tracing the path to www.debian.org (141.76.2.5) on TCP port 80 (www), 30 hops max
 1  fw01-1-ha-dvzadmins.dvz.fh-giessen.de (192.168.192.120)  0.248 ms  0.999 ms  1.195 ms
 2  asr-a016-ge1-v107.its.fh-giessen.de (10.196.12.50)  2.130 ms  2.540 ms  2.798 ms
 3  www.de.debian.org (141.76.2.5) [open]  5.206 ms  3.518 ms  1.310 ms

So, lesson learned: if you do remote forensics, always make sure your network behaves the way you think it does.

Regards,
Sven.
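The two traps in this thread (a transparent proxy answering for the real target, and a port that scans as open although nothing on the host listens on it) can both be checked from text you already have. The following is an added example for this thread, not code from Sven's or Sir Conquer's messages. It parses tcptraceroute's output as quoted above and flags the proxy signature: the "open" hop is reached without ever leaving LAN address space, or its RTT is lower than the hop before it. It also diffs the LISTEN ports from `ss -ltn` against a list of ports a remote scan reported open. The first trace is the one from the message; the second trace and the `ss` listing are constructed with documentation addresses. The heuristics are just that: a target that really sits on your LAN also trips the "lan-path-only" hint.

```python
"""Flag the transparent-proxy signature in tcptraceroute output, and list
ports a remote scan calls open that nothing on the host listens on.
Added example for this thread; not code from the original posters."""
import ipaddress
import re

# Address ranges that never leave a LAN: RFC 1918, CGNAT (RFC 6598), loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8")]

TARGET_RE = re.compile(r"Tracing the path to (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)(\s+\[open\])?")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")
SS_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s")

# The trace quoted in the message above.
SAMPLE_TRACE = """\
Selected device eth0, address 192.168.192.67, port 39841 for outgoing packets
Tracing the path to www.debian.org (141.76.2.5) on TCP port 80 (www), 30 hops max
 1  fw01-1-ha-dvzadmins.dvz.fh-giessen.de (192.168.192.120)  0.248 ms  0.999 ms  1.195 ms
 2  asr-a016-ge1-v107.its.fh-giessen.de (10.196.12.50)  2.130 ms  2.540 ms  2.798 ms
 3  www.de.debian.org (141.76.2.5) [open]  5.206 ms  3.518 ms  1.310 ms
"""

# Constructed trace of an un-proxied path (documentation addresses, RFC 5737).
CLEAN_TRACE = """\
Tracing the path to www.example.net (203.0.113.10) on TCP port 80 (www), 30 hops max
 1  gw.lan (192.168.1.1)  0.512 ms  0.488 ms  0.530 ms
 2  edge.isp.example (198.51.100.1)  8.102 ms  8.340 ms  8.015 ms
 3  www.example.net (203.0.113.10) [open]  15.210 ms  15.133 ms  15.402 ms
"""

# Constructed `ss -ltn` listing: sshd and a local-only rndc control socket.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       10      127.0.0.1:953       0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""


def is_lan(ip):
    return any(ip in net for net in LAN_NETS)


def parse_trace(text):
    """Return ((target_name, target_ip), hops) from tcptraceroute output."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target = (m.group(1), ipaddress.ip_address(m.group(2)))
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append({
                "ttl": int(m.group(1)),
                "name": m.group(2),
                "ip": ipaddress.ip_address(m.group(3)),
                "open": m.group(4) is not None,
                "rtts": [float(x) for x in RTT_RE.findall(line)],
            })
    return target, hops


def proxy_hints(text):
    """Reasons to suspect something in your own network answered the SYN.

    Heuristics only: a target that really is on your LAN trips
    'lan-path-only' as well."""
    target, hops = parse_trace(text)
    hints = []
    if not hops or not hops[-1]["open"]:
        return hints                      # no answering host, nothing to judge
    final, transit = hops[-1], hops[:-1]
    if target and final["ip"] != target[1]:
        hints.append("answered-by-other-host")
    if transit and all(is_lan(h["ip"]) for h in transit):
        hints.append("lan-path-only")     # never saw a public router
    if (transit and final["rtts"] and transit[-1]["rtts"]
            and min(final["rtts"]) < min(transit[-1]["rtts"])):
        hints.append("rtt-not-increasing")  # 'target' closer than the hop before it
    return hints


def listening_ports(ss_output):
    """TCP ports in LISTEN state according to `ss -ltn` output."""
    return {int(m.group(1))
            for m in (SS_RE.match(l) for l in ss_output.splitlines()) if m}


def phantom_ports(ss_output, remotely_open):
    """Ports a remote scan reports open that no local socket listens on:
    look for a proxy, NAT or port forward in the path, not for a rootkit."""
    return sorted(set(remotely_open) - listening_ports(ss_output))


if __name__ == "__main__":
    print("quoted trace:", proxy_hints(SAMPLE_TRACE))
    print("clean trace: ", proxy_hints(CLEAN_TRACE))
    print("phantom ports:", phantom_ports(SS_SAMPLE, [21, 22, 80]))
```

Run it as is and the quoted trace yields both proxy hints while the constructed clean path yields none; feeding the listing a scan result of 21, 22 and 80 reports 21 and 80 as open-but-not-listening, which is the point at which to look at the gateway rather than the host.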

