Well, just from a glance at what you have here...
Looks like you're running Red Hat 6.2 - correct?
21 - FTP - the version of WU-FTPD you are running is vulnerable to a remote root
exploit - patch and/or upgrade this.
23 - Telnet - rather use SSH if possible. Telnet sends traffic in plaintext.
25 - SMTP - Are you forwarding/receiving mail on this machine? If not,
disable this, else make sure your mailserver is configured so that no one
can use your mailserver for forwarding.
53 - DNS - are you using your machine as a nameserver for any domain? Disallow
zone transfers from anywhere except your secondary nameservers for the
domains for which this machine is authoritative.
98 - Linuxconf - definitely a bad idea to have this accessible from the
outside world. Linuxconf supports configuration to allow/disallow access
based on various access permissions - but better to block this at the
firewall.
110 - POP3 - are people retrieving mail from your machine remotely? If
not, block/disable this as well. POP3 can be used to brute-force user/pass
pairs - accounts are not locked after repeated failed login attempts.
111 - rpcbind - returns a list of RPC services running on a machine. If my
guess about this machine being a RH6.2 Linux box is correct, then you are
probably vulnerable to a remote root exploit via rpc.statd under the default
install.
113 - identd - rather deny this port - identd can reveal quite a lot of
information about your machine to the outside world. (Make sure that your
firewall rules are for denying these packets, such that a RST packet is sent
back, else you may experience large delays in your mail handling.)
513 - rlogin - disable this - no one really uses/needs rlogin.
(Basically an old version of telnet, with some rather easily abused/poor
authentication features.)
(UDP packets on this port go to rwho, which provides information on
currently logged in users. Bad idea - giving away account information
again).
514 - rsh - again, disable this. Remote execution of commands using the .rhosts
file again for authentication - bad. Often abused for transferring files
without being logged.
995 - don't know offhand.
1024 - probably assigned as the first available non-privileged port to some
program that needs to set up a listener.
You could do a netstat -a to list all open/listening connections.
Almost all of these ports should be filtered out - allow access from the
outside world to only those services to which access is needed for business
reasons, and make sure these services that are to be accessible are secured.
I hope some of this information is useful.
Take care,
Andrew
-----Original Message-----
From: Dante Sarmiento, IM [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 15, 2000 10:36 AM
To: Firewall Lists
Subject: Newbie question
Hello to all,
Can you help me with this? When I try to port scan my network this information
was revealed. (Scan was done from outside the network.)
Starting at: 09/14/00 15:07:12
192.xxx.xx.xxx - Active on 21
192.xxx.xx.xxx - Active on 23
192.xxx.xx.xxx - Active on 25
192.xxx.xx.xxx - Active on 53
192.xxx.xx.xxx - Active on 98
192.xxx.xx.xxx - Active on 110
192.xxx.xx.xxx - Active on 111
192.xxx.xx.xxx - Active on 113
192.xxx.xx.xxx - Active on 513
192.xxx.xx.xxx - Active on 514
192.xxx.xx.xxx - Active on 515
192.xxx.xx.xxx - Active on 995
192.xxx.xx.xxx - Active on 1024
Finished at: 09/14/00 15:08:13
Details for 192.xxx.xx.xxx on 21 are - 220 myserver.com FTP server (Version
wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
Details for 192.xxx.xx.xxx on 23 are - [non-printable telnet option-negotiation bytes]
Details for 192.xxx.xx.xxx on 25 are - 220 myserver.com ESMTP Sendmail
8.9.3/8.9.3; Thu, 14 Sep 2000 15:18:55 +0800
Details for 192.xxx.xx.xxx on 98 are - 500 access denied: Check
networking/linuxconf network access
Details for 192.xxx.xx.xxx on 110 are - +OK Cubic Circle's v1.31 1998/05/13
POP3 ready <[EMAIL PROTECTED]>
Details for 192.xxx.xx.xxx on 111 are -
Details for 192.xxx.xx.xxx on 515 are - lpd: : Malformed from address
Details for 192.xxx.xx.xxx on 995 are -
Does this mean that my network is vulnerable to attack? If it's vulnerable, how
can I prevent it? I'm using only ipchains on Linux.
Thanks in advance.
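Since the question is how to do the filtering with ipchains, here is an added example (my own, not something posted by Andrew or Dante) that turns the port-by-port advice in the reply into an ipchains ruleset for this box. It assumes things the thread does not state: that the external interface is eth0, that the machine really does need to keep receiving mail (25) and answering DNS queries (53) from the outside, and that the one secondary nameserver allowed to pull zone transfers over TCP 53 is 192.0.2.10 (a placeholder address). Everything else seen in the scan falls through to a default DENY; identd (113) is REJECTed so the remote mail server gets a RST instead of waiting for its ident lookup to time out. The script prints the rules rather than running them so they can be read first and then applied with `fw_rules | sh` as root.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Generates an ipchains ruleset following the reply's advice:
# default deny on the outside interface, open only what is needed,
# REJECT (RST back) for identd rather than silently dropping it.

EXT_IF=eth0                   # assumed external interface
PUBLIC_TCP="25"               # TCP services that must stay reachable from anywhere
PUBLIC_UDP="53"               # UDP services reachable from anywhere (DNS queries)
SECONDARY_NS="192.0.2.10"     # assumed/placeholder: only host allowed TCP 53 (zone transfers)
RESET_TCP="113"               # deny with a TCP RST so remote MTAs don't hang on ident

# Print the ruleset instead of executing it; review it, then:  fw_rules | sh
fw_rules() {
    # clean slate, default-deny policy for incoming packets
    echo "ipchains -F input"
    echo "ipchains -P input DENY"

    # loopback traffic is always fine
    echo "ipchains -A input -i lo -j ACCEPT"

    # replies to connections this host opened: ipchains has no connection
    # tracking, so "any TCP packet that is not a SYN" is the usual test
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"

    # services needed for business reasons, reachable from anywhere
    for p in $PUBLIC_TCP; do
        echo "ipchains -A input -i $EXT_IF -p tcp --dport $p -j ACCEPT"
    done
    for p in $PUBLIC_UDP; do
        echo "ipchains -A input -i $EXT_IF -p udp --dport $p -j ACCEPT"
    done

    # zone transfers: TCP 53 only from the secondary nameserver.
    # named.conf's allow-transfer is still the right place to enforce this;
    # the firewall rule is a second layer.
    echo "ipchains -A input -i $EXT_IF -p tcp -s $SECONDARY_NS --dport 53 -j ACCEPT"

    # identd: REJECT sends a RST, DENY would make remote mail servers wait
    # for their ident lookup to time out before accepting our mail
    for p in $RESET_TCP; do
        echo "ipchains -A input -i $EXT_IF -p tcp --dport $p -j REJECT"
    done

    # everything else from the scan (ftp, telnet, linuxconf, pop3, rpcbind,
    # rlogin, rsh, lpd, the high port) falls through to the DENY policy;
    # this explicit rule with -l logs the new-connection attempts that still arrive
    echo "ipchains -A input -i $EXT_IF -p tcp -y -l -j DENY"
}

# How many rules mention a given destination port; a quick sanity check that
# a port you meant to close really has no ACCEPT rule.
rule_count_for_port() {
    fw_rules | grep -c -- "--dport $1 " || true
}

fw_rules
```

Run it as-is to see the rules; nothing changes on the box until the output is piped to sh. The `! -y` rule is what keeps outgoing connections working under a default DENY, so leave it in place; if a service is later needed, add a single `--dport` ACCEPT for it rather than loosening the policy.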