
Re: strange ports



On 6 Aug 2000, at 15:21, Jean-Yves BARBIER wrote:

> On Sun, Aug 06, 2000 at 02:26:45PM +0200, Patrick Vermeij wrote:
> > Hi
> > 
> > I'm configuring my firewall and before I connect it to the web I want to be sure no unwanted services are public to the internet
> > But when I look with netstat -l, I see some strange ports open which I don't recognize.
> > Has any of you any idea?
> > (I already telnet to the ports but no info is available)
> > 
> > tcp        0      0 *:797                   *:*                     LISTEN
> > tcp        0      0 *:757                   *:*                     LISTEN
> > tcp        0      0 *:826                   *:*                     LISTEN
> > tcp        0      0 *:746                   *:*                     LISTEN
> 
> Hi Patrick,
> 
> First, don't use netstat for this purpose, prefer nmap,
> which can give you reliable information.
> 
> These ports look quite strange if you're running a
> Linux system (no port 111, nor 21, 23, 9... ???).
> 
> But don't worry so much: netstat tells you they're open
> on the machine you tested, that's a point; but that doesn't
> mean they can be accessed by anyone on the net (use netstat
> to check what is going where [route, masquerading...], then 
> use nmap to know about the reachability of these ports); 
> 
> To have a really good test, call a (good) friend and tell
> him to nmap (or strobe, or whatever tool that is able to make
> ports scanning *and* connections tests) toward your Internet
> IP.
> 
> In addition, go to http://www.psionic.com and get the portsentry
> program; install it on your internet gateway; make sure (only
> for the tests) it doesn't cover localhosts in its survey, then
> test from inside *and* outside.
> This is a very nice program, totally GNU/GPL which is able to
> discover a port scan (even a random one!) and take the counter-
> measures (such as putting the scanner IP in /etc/hosts.deny)
> 
> Make sure you've forbidden all internal-use segment (A, B & C
> classes) to come on your internet I/F, make sure you activated
> anti-spoof, check all ports to see if unnecessary ports are not
> opened.
> 
> Hope it will help ;-)
> 
> JY
> -- 
> Jean-Yves F. Barbier <jybarbier@wanadoo.fr>
>  VMS version 2.0 ==>

Hi All,

Thanks for the help in the first place.
After this mail I still have some more questions:
(btw the ports I mean are not the only ports, e.g. ssh is also running but that's a "wanted" service)
After I put my machine online for a few minutes, I made a telnet connection to a host on the Internet and telnetted to the 4 "strange" ports.
After I got a connection, I manually disconnected.
All these 4 ports were reachable:

[patrick@host_on_the_internet patrick]$ telnet 111.222.333.444 826
Trying 111.222.333.444...
Connected to 111.222.333.444.
Escape character is '^]'.
^]
telnet> Connection closed.

Well, I installed portsentry already, but that program doesn't forbid a connection
(It only detects a connection and takes some pre-installed action upon it)

I can deny connections by using ipchains but that's preferred solutions because the services are still running and vulnerable for a localhost exploit.
So I want to completely disable this service, so I have to know which service this is.

Any ideas?

Patrick

---

Encryption:  A powerful algorithmic encoding technique employed in the creation of computer manuals.
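
The question above comes down to mapping a listening port to the process that holds it. The following is an added example, not part of the original thread: it reads the kernel's TCP table in `/proc/net/tcp` format and matches each listener's socket inode against the `/proc/<pid>/fd` links. The sample table, inode numbers and function names are constructed for illustration, and the address decoding assumes a little-endian host such as x86.

```python
import os
import socket

LISTEN = "0A"  # state code the kernel uses for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not from the poster's machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:031D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:033A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203 1
   3: 0A00000A:0016 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1204 1
"""

def listening_sockets(table_text):
    """Return [(address, port, inode)] for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # Assumption: little-endian host, so the IPv4 bytes appear reversed; port is plain hex
        addr = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
        found.append((addr, int(port_hex, 16), int(fields[9])))
    return found

def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> (pid, command) by reading /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                    with open(f"{proc}/{pid}/comm") as fh:
                        owners[int(target[8:-1])] = (int(pid), fh.read().strip())
        except OSError:
            continue  # process exited, or its fd directory needs root to read
    return owners

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    table = open("/proc/net/tcp").read() if live else SAMPLE
    socks = listening_sockets(table)
    who = socket_owners({inode for _, _, inode in socks}) if live else {}
    for addr, port, inode in socks:
        print(f"{addr}:{port}", who.get(inode, "no owning process visible"))
```

Run it as root: a listener that still shows no owner is either held by a process the caller cannot inspect or is a socket owned by the kernel itself rather than by a userspace daemon.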


