~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
D I S C L A I M E R
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am a newb to this, but I am using the same system you guys are. My
response here is a "guess" to see if my thinking is correct. Please don't
confuse it with the well-informed input I hope it will draw :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My first guess: In looking thru my own filter rules, I notice the
following:
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
257 20046 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
146 34019 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
... and so forth. My _guess_ is that the default config "rejects" these
packets, which sends back a message to the probing machine that allows it to
determine that the port in fact exists and is responding. If the probe app
is "dumb" it will report ANY reply as "vulnerable." Most other filters in
E2B seem to use DENY, but if I am correct, there are some comments in the
E2B scripts related to Windows doing "braindead things" --- this may be part
of the cure for that, as these are Windows default networking ports.
As far as the 1080, that's SOCKS --- I don't know why it is showing for all
of us (myself included). I am definitely NOT running any such proxy here.
Port 3128 is not one I can find any info on.
My last guess is this: the probe app is a POS, and not to be trusted.
Dan
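The filter listing in the reply above can be read mechanically. This is an added example, not part of the original message or of the Eigerstein scripts: it parses rule lines of the shape shown and reports, per probed port, whether the first matching rule answers (ipchains REJECT sends an ICMP error back) or drops silently (DENY). The DENY line for port 1080 is constructed for contrast, and matching looks only at protocol and destination port, since every sample rule covers any address on eth0.

```python
# Constructed sample: four REJECT lines copied from the listing above, plus
# one DENY rule (port 1080) made up here for contrast.
LISTING = """\
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
257 20046 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
146 34019 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
12 720 DENY tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1080
"""

# How each ipchains target appears to a remote prober.
VISIBILITY = {
    "REJECT": "answers with ICMP error",
    "DENY": "silent drop",
    "ACCEPT": "passed to the host",
}


def parse_rule(line):
    """Parse one rule line of the shape shown in the listing, else None."""
    f = line.split()
    if len(f) < 6 or f[-2] != "->" or not (f[0].isdigit() and f[1].isdigit()):
        return None  # chain headers, column titles, blank lines
    lo, _, hi = f[-1].partition(":")  # "138:139" is a port range
    if lo == "*":
        lo, hi = "0", "65535"
    if not (lo.isdigit() and (hi == "" or hi.isdigit())):
        return None
    return {"pkts": int(f[0]), "bytes": int(f[1]), "target": f[2],
            "proto": f[3], "ports": (int(lo), int(hi or lo))}


def probe_view(listing, proto, port):
    """Return (target, visibility, packet count) of the first matching rule.

    First match wins, as in ipchains. None means no listed rule matched,
    so the chain policy (not shown in the listing) decides.
    """
    for rule in filter(None, map(parse_rule, listing.splitlines())):
        lo, hi = rule["ports"]
        if rule["proto"] in (proto, "all") and lo <= port <= hi:
            return (rule["target"],
                    VISIBILITY.get(rule["target"], "other"), rule["pkts"])
    return None


if __name__ == "__main__":
    for proto, port in [("udp", 137), ("tcp", 139), ("tcp", 1080), ("tcp", 3128)]:
        print(proto, port, probe_view(LISTING, proto, port) or "no rule listed")
```

The packet counters in the first column show which rules have actually been hit, which helps tell real probe traffic apart from rules that merely exist.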
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Robert Chambers
Sent: Tuesday, June 26, 2001 11:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Firewall testing
I have also tried this site, and the same for me: open ports 135, 137, 138,
139 and visible ports 1080, 3128. I am also running Eigerstein2beta.
When I test my system with Steve Gibson's site grc.com it says that I am a
hard target and all ports that are tested are in stealth mode.
Robert Chambers
Michael Leone wrote:
> On 09 Jun 2001 08:55:01 -0400, Sean E. Covel wrote:
> > To all,
> >
> > This is an interesting new test site. Uses IP Spoofing, so it does not
> > set off portsentry (first test that DIDN'T). It was also the first test
> > ever to say I had ports open/visible. I'm using EB2 LRP, and have been
> > on it awhile. I'm no expert, so could some of you experts take a look
> > at the tests (there are 2) and tell me what you see?
>
> This is the only scan I've ever taken (with EigerSteinBeta2) that told
> me I have ports 135, 137, 138 and 139 open. And ESB2 by default closes
> these ports.
>
> Also, it says port 21 (ftp), 80 (web) is open for me. This is true. Yet
> somehow, the scan missed port 22 (SSH), and port 113 (ident), both of
> which I am also running, and therefore should both show as open.
>
> Also says some of the 'scare' ports - 27374, 31337, etc (the ports that
> SubSeven, Back Orifice, and others use) - are visible, but not open.
>
> Makes me wonder about this scan. It missed some blatant ones, and
> reported on other ports that other scan sites did not.
>
> --
>
> ------------------------------------------------------------------
> Michael J. Leone Registered Linux user #201348
> <mailto:[EMAIL PROTECTED]> ICQ: 50453890
> PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
>
> Pysche closed for renovations.
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-user