On Sunday 26 December 2004 12:29, you wrote:
| Gabor Szabo wrote:
| > I am trying to secure a new server and as I am not a real
| > security expert I'd be glad to get some input.
| > This is a Fedora-3 based server (I already shut down cupsd -
| > why do they need this in a server anyway?)
| > I ran nmap on the server and got this:
| >
| > Port        State     Service
| > 22/tcp      open      ssh
| > 55/tcp      filtered  isi-gl
| > 80/tcp      open      http
| > 135/tcp     filtered  loc-srv
| > 137/tcp     filtered  netbios-ns
| > 138/tcp     filtered  netbios-dgm
| > 139/tcp     filtered  netbios-ssn
| > 225/tcp     open      unknown
| > 443/tcp     open      https
| > 445/tcp     filtered  microsoft-ds
| > 4444/tcp    filtered  krb524
| > 12345/tcp   filtered  NetBus
| > 12346/tcp   filtered  NetBus
| > 27374/tcp   filtered  subseven
| >
| >
| > Port 22 and 80 are OK
| > I guess I'll have to shut down the netbios and microsoft-ds things,
| > what are these? Samba?
|
| I'd guess that your ISP is blocking some of those ports, under the (not
| altogether outrageous) assumption that they can do no good. Get "hping2"
| and read about firewalking. It's a technique that will allow you to
| find out where the blocking firewall is.
|
| Shachar
Basically, Nmap decides whether a port is "open", "closed" or "filtered" by the response from the remote host when it is handed a (TCP) SYN packet. Respectively, Nmap will report a port as "open" when the remote host responds with a SYN/ACK packet, "closed" being an RST response packet and "filtered" - no response to the SYN sent.

I suggest using tcptraceroute to discover the distance in hops to a "filtered" and to a "closed" port to discover the actual device dropping the traffic.

Note, however, that some DoS protection or packet classification appliances respond with a SYN/ACK packet before it reaches the firewalls and the networks behind it in order to provide basic protection against SYN-flood attacks. By trying a few ports while capturing the traffic with a packet analyzer like Ethereal, you can estimate the distance from such an appliance to the destination host by comparing the TTL values on the replies to the SYN sent to an open and a closed port, thus learning more about the path of the traffic.

Kind regards,
Alex

--
The difference between theory and practice is that in theory, there is no difference between theory and practice.
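One way to put the classification rule and the TTL comparison from the reply above into code, as an added example that is not part of this thread. The Reply records, port numbers and TTL values are constructed, and inferring the sender's initial TTL from the usual 64/128/255 starting values is an assumption; a hop difference between the device that answered SYN/ACK and the one that answered RST points at a separate appliance in front of the host.

```python
# Added example: Nmap-style port state from a single SYN probe reply, plus a
# reply-TTL comparison to estimate how far away each answering device is.
from dataclasses import dataclass
from typing import Optional

# Common initial TTL values; the nearest one at or above the observed TTL is
# taken as the sender's starting value (an assumption, not ground truth).
INITIAL_TTLS = (64, 128, 255)


@dataclass
class Reply:
    port: int
    flags: Optional[str]   # "SA" = SYN/ACK, "R"/"RA" = RST, None = no reply
    ttl: Optional[int]     # TTL seen on the reply, None if nothing came back


def classify(reply: Reply) -> str:
    """State as Nmap would report it from the response to one SYN probe."""
    if reply.flags is None:
        return "filtered"      # probe silently dropped somewhere on the path
    if "S" in reply.flags and "A" in reply.flags:
        return "open"          # SYN/ACK: something answered the handshake
    if "R" in reply.flags:
        return "closed"        # RST: host reached, nothing listening
    return "unknown"


def hops_away(ttl: int) -> int:
    """Estimate hop count to the sender by inferring its initial TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def compare(open_reply: Reply, closed_reply: Reply) -> int:
    """Hop difference between the device answering the open port and the one
    answering the closed port. Non-zero means two different devices replied,
    e.g. a SYN-proxying appliance sending SYN/ACK in front of the real host."""
    return hops_away(closed_reply.ttl) - hops_away(open_reply.ttl)


# Constructed capture: SYN/ACK for port 80 arrives with TTL 250 (an appliance
# 5 hops away starting at 255); RST for port 25 arrives with TTL 55 (the host
# itself, 9 hops away starting at 64); port 139 never answers.
SAMPLE = {
    80: Reply(80, "SA", 250),
    25: Reply(25, "RA", 55),
    139: Reply(139, None, None),
}

if __name__ == "__main__":
    for r in SAMPLE.values():
        print(r.port, classify(r))
    print("appliance sits", compare(SAMPLE[80], SAMPLE[25]), "hops in front of host")
```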