On Sat, Apr 27, 2002 at 12:17:12PM +0300, Nadav Har'El wrote:
> On Sat, Apr 27, 2002, Eliran wrote about "Unknown Ports":
> > I have just ran netstat and found out that these ports are open:
> > 515, 6000, 113, 25
> > there are others but only these are connectable and in State LISTEN
> > (netstat --inet -an), the 25 port is the mail server postscript and
> > I allowed it.
> 
> You probably mean "postfix", not postscript ;)
> To see which process is listening on these ports, add a "-p" option to
> netstat (and run it as root, this is important!). 

Yep, I do. And port 6000 is being used by X.

Here is the output of netstat --inet -an -p

tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      647/lpd Waiting
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1021/X
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      605/identd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      932/master

Since when does X open a port on my computer? And accessible by anyone with an internet
connection?

> 
> > Then what is port 515, 6000, 113 I thought 113 is some kind of another
> > mail server (not to send mail, to receive mail) but its not that.
> > 
> > I have checked a list of ports but they were only trojans ports only.
> 
> Your linux installation probably includes a file /etc/services with a
> list of ports useful on Linux machines. From my /etc/services:
> 
> auth            113/tcp         authentication tap ident
> printer         515/tcp         spooler         # line printer spooler
> x11             6000/tcp        X               # the X Window System
> 
> So you probably have an identd listening on port 113, lpd listening on
> 515 and X Windows listening on 6000 (this is your.machine:0.0). A
> netstat -p (like I explained above) would show you that.
> 
> 
> > After googling for "Port 515" I found out this is a printer daemon
> > (lpd) and I dont want others to be able to connect to it, is there
> > a way to block it so only 127.0.0.1 will able to connect to it ?
> > (ipchains ?)
> 
> Yes.
> 
> Here's a simple rule (untested, so please test it) not allowing anything
> from ppp0 (assuming you connect externally with a modem) to connect to these
> ports:
> ipchains -A input -i ppp0 --dport 515 -j DENY -l
> ipchains -A input -i ppp0 --dport 6000:6063 -j DENY -l
> ipchains -A input -i ppp0 --dport 113 -j DENY -l
> 
> (note that the last rule, barring ident, will sometime give you trouble if
> you're trying to run a mail server or an IRC client on your machine, because
> these things may insist that you run a responsive ident client).
> 

ipchains: can only specify ports for icmp, tcp or udp
Try `ipchains -h' or 'ipchains --help' for more information.

I think you need to specify what protocol to use: icmp, tcp or udp. They are all TCP.

> What I actually do instead is to block all ports, except only a few which
> I allow. But I'm really paranoid :)
> 
Me too.

> > Googling for port 6000 tells me it is a remote X server, others
> > can connect to it ?
> 
> Right...
> 
> > I also run an Identd application for IRC ident and that should be port 113.
> 
> So you already know the answers, so why ask? :)

It's not the point, read the rest.

> 
> > I need port 113 and 25 open, about the printer daemon... I need it to
> ...
> > Port 25 is important for my mail, and I need it too.
> 
> Are you sure you need port 25 open? Why? Are you trying to run a mail
> *server* on your machine?

I know sendmail is problematic. I searched bugtraq and packetstorm for
exploits/holes/bugs in my current sendmail 8.11.2-14.

> 
> > So what I don't need is port 25 and 113 , X server (is this xfs?) should
> 
> No, xfs is the X *font* server.

So how do I block this X port, or just stop it LISTENing?

Thanks!
> 
> -- 
> Nadav Har'El                        |     Saturday, Apr 27 2002, 15 Iyyar 5762
> [EMAIL PROTECTED]             |-----------------------------------------
> Phone: +972-53-245868, ICQ 13349191 |Preserve wildlife -- pickle a squirrel
> http://nadav.harel.org.il           |today!
> 

-- 
                Eliran <http://eg-site.tripod.com>

I wrote a song, but I can't read music so I don't know what it is.
Every once in a while I'll be listening to the radio and I say, "I think
I might have written that."
                                                -- Stephen Wright
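An added check, not from this thread or from either poster, that turns the `netstat --inet -an -p` output above into a list of TCP listeners, flags the ones bound to a wildcard address (reachable from every interface, which is what the questions about lpd and X on 0.0.0.0 are really about), and emits the thread's ipchains DENY rules for the exposed ports not on an allowlist, with the `-p tcp` that the `ipchains: can only specify ports for icmp, tcp or udp` error asks for. The inline service table, the allowlist `{25, 113}` (the ports the poster says he needs) and the extra 127.0.0.1 sample line are assumptions, not from the page.

```python
import re

# Assumption: small inline subset of /etc/services covering the ports seen in the thread.
SERVICES = {25: "smtp", 113: "auth", 515: "printer", 6000: "x11"}

# Constructed sample: the thread's netstat lines re-joined, plus one constructed
# loopback-only listener (127.0.0.1:8080) to show what a non-exposed socket looks like.
NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      647/lpd Waiting
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1021/X
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      605/identd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      932/master
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      777/proxy
"""

# proto recv-q send-q local foreign state pid/program; only TCP sockets in LISTEN matter here.
LISTEN_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<owner>\S+)"
)


def parse_listeners(text):
    """One dict per TCP LISTEN socket; pid/prog are None when netstat was not run as root ('-')."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        pid, _, prog = m.group("owner").partition("/")   # "647/lpd" -> ("647", "lpd")
        port = int(m.group("port"))
        out.append({"addr": m.group("addr"), "port": port,
                    "pid": int(pid) if pid.isdigit() else None,
                    "prog": prog or None,
                    "service": SERVICES.get(port, "unknown")})
    return out


def exposed(listeners):
    """Sockets bound to a wildcard address accept connections on every interface, ppp0 included."""
    return [l for l in listeners if l["addr"] in ("0.0.0.0", "::", ":::")]


def ipchains_rules(listeners, needed, iface="ppp0"):
    """DENY-and-log rules (thread's syntax, plus -p tcp) for exposed ports not in `needed`."""
    return [f"ipchains -A input -i {iface} -p tcp --dport {l['port']} -j DENY -l"
            for l in exposed(listeners) if l["port"] not in needed]


if __name__ == "__main__":
    for l in exposed(parse_listeners(NETSTAT_OUTPUT)):
        print(f"{l['port']:>5} {l['service']:<8} {l['prog']}")
    print("\n".join(ipchains_rules(parse_listeners(NETSTAT_OUTPUT), needed={25, 113})))
```

Blocking a port at the firewall is the second-best fix; the loopback line shows the better one, which is having the daemon bind to 127.0.0.1 (or not listen on TCP at all) so there is nothing to reach in the first place.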
