He can specify the interface with nmap though and get a finer assessment
of the rules in place...
Thanks,
Ron DuFresne
On Wed, 12 Apr 2000, Paul D. Robertson wrote:
> On Wed, 12 Apr 2000, André Bell wrote:
>
> > should be otherwise? How do I REALLY close these ports? I already
> > commented out absolutely everything in inetd.conf with the exception of the
> > authentication line and then rebooted. Nothing else in inetd.conf is
> > without a leading '#' sign. Still several services like finger, telnet, and
> > others show as open to nmap -- and yes I can actually run telnet despite
> > commenting it out :(
>
> Get and install lsof (If you're running RedHat, it's on the CD), then
> look and see what program has those sockets open (esp. telnet and finger.)
> If it's inetd, you didn't do something right; if it's something else, it's
> a bad thing.
>
> You don't need ident unless you plan on IRCing from the box to one of the
> IRC networks.
>
> > A) # pmfirewall.rules.2 - used by pmfirewall package
> > #
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 119 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1045 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1080 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 2000 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 2005 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 3128 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 5742 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 6000 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 6667 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 20034 -j DENY
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 40421 -j DENY
> >
>
> If you're running nmap from the same host, the packets come from loopback,
> and your filter rules don't look like they'll touch that interface.
>
> Most times it's better to start with a default deny policy, then open up
> specific ports and services.
>
> > B) Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> > Interesting ports on xxxxxxxxxx
> > Port State Protocol Service
> > 1 open tcp tcpmux
> > 11 open tcp systat
> > 15 open tcp netstat
> > 25 open tcp smtp
> > 79 open tcp finger
> > 80 open tcp http
> > 111 open tcp sunrpc
> > 113 open tcp auth
> > 119 open tcp nntp
> > 143 open tcp imap2
> > 515 open tcp printer
> > 540 open tcp uucp
> > 635 open tcp unknown
> > 1080 open tcp socks
> > 1524 open tcp ingreslock
> > 2000 open tcp callbook
> > 2005 open tcp deslogin
> > 3128 open tcp squid-http
> > 6667 open tcp irc
> > 12345 open tcp NetBus
> > 12346 open tcp NetBus
>
> Most of these *aren't* inetd-controlled services. They're started in the
> run level startup scripts for whatever run level you're using. If you're
> using the SysV init stuff in RedHat, it's /etc/rc.d/rc3.d *unless* you're
> running that stupid "always start X" stuff, in which case it's run level 6
> (IIR) instead of run level 3. Typically, I just mv the SNNwhatever file
> to XNNwhatever to turn off services. I'd recommend getting a good Linux
> book or seeking help in the Linux newsgroups for things like disabling
> services.
>
> I'm interested in what has 12345 and 12346 open though, please let us know
> what lsof points to.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> [EMAIL PROTECTED] which may have no basis whatsoever in fact."
> PSB#9280
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
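Two of the points in the thread can be turned into a quick check: which ports nmap reports open have no DENY/REJECT rule at all (the gap a default-deny policy closes), and whether any rule names an interface at all, since a scan from the same host arrives over loopback. This is an added Python script, not something from the thread; RULES and NMAP are constructed subsets of the pmfirewall rules and nmap 2.12 output André posted, and the real scan should be run against the outside interface (nmap -e) as Ron suggests.

```python
import re

# Constructed sample: a subset of the pmfirewall rules quoted in the thread
# (shell variables left unexpanded; only port and target are read).
RULES = """\
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 119 -j DENY
"""
# Constructed sample: a subset of the nmap 2.12 output quoted in the thread.
NMAP = """\
Port State Protocol Service
25 open tcp smtp
79 open tcp finger
80 open tcp http
113 open tcp auth
119 open tcp nntp
12345 open tcp NetBus
"""

RULE_RE = re.compile(r"-A\s+input\s+.*?-p\s+(\w+)\s+.*?-d\s+\S+\s+(\d+)\s+-j\s+(\w+)")
PORT_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\w+)\s+(\S+)$")

def parse_rules(text):
    """Map (proto, port) -> target for each ipchains 'input' rule."""
    rules = {}
    for m in (RULE_RE.search(l) for l in text.splitlines()):
        if m:
            proto, port, target = m.groups()
            rules[(proto, int(port))] = target
    return rules

def parse_nmap(text):
    """Map (proto, port) -> service name for every port nmap reports as open."""
    found = {}
    for m in (PORT_RE.match(l.strip()) for l in text.splitlines()):
        if m and m.group(2) == "open":
            found[(m.group(3), int(m.group(1)))] = m.group(4)
    return found

def unfiltered_open_ports(rules_text, nmap_text):
    """Open ports with no DENY/REJECT rule: the gap a default-deny policy closes."""
    rules = parse_rules(rules_text)
    return sorted((port, svc) for (proto, port), svc in parse_nmap(nmap_text).items()
                  if rules.get((proto, port)) not in ("DENY", "REJECT"))

def rules_mention_interface(rules_text):
    """False when no rule uses -i, so a scan over loopback exercises none of them."""
    return any(" -i " in l for l in rules_text.splitlines())
```

For the sample above, unfiltered_open_ports returns 25, 79, 80 and 12345; the first two are exactly the services the thread says should be shut off at the daemon level rather than merely filtered.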