Re: strange ports
On 6 Aug 2000, at 15:21, Jean-Yves BARBIER wrote:
> On Sun, Aug 06, 2000 at 02:26:45PM +0200, Patrick Vermeij wrote:
> > Hi
> > I'm configuring my firewall and before I connect it to the web I want to be sure no unwanted services are public to the internet
> > But when I look with netstat -l, I see some strange ports open which I don't recognize.
> > Has any of you any idea?
> > (I already telnetted to the ports but no info is available)
> > tcp 0 0 *:797 *:* LISTEN
> > tcp 0 0 *:757 *:* LISTEN
> > tcp 0 0 *:826 *:* LISTEN
> > tcp 0 0 *:746 *:* LISTEN
> Hi Patrick,
> First, don't use netstat for this purpose, prefer nmap,
> which can give you reliable information.
> These ports look quite strange if you're running a
> Linux system (no port 111, nor 21, 23, 9... ???).
> But don't worry so much: netstat tells you they're open
> on the machine you tested, that's a point; but that doesn't
> mean they can be accessed by anyone on the net (use netstat
> to check what is going where [route, masquerading...], then
> use nmap to know about the reachability of these ports);
> To have a really good test, call a (good) friend and tell
> him to nmap (or strobe, or whatever tool that is able to make
> ports scanning *and* connections tests) toward your Internet
> In addition, go to http://www.psionic.com and get the portsentry
> program; install it on your internet gateway; make sure (only
> for the tests) it doesn't cover localhosts in its survey, then
> test from inside *and* outside.
> This is a very nice program, totally GNU/GPL which is able to
> discover a port scan (even a random one!) and take the counter-
> measures (such as putting the scanner IP in /etc/hosts.deny)
> Make sure you've forbidden all internal-use segment (A, B & C
> classes) to come on your internet I/F, make sure you activated
> anti-spoof, check all ports to see if unnecessary ports are not
> Hope it will help ;-)
> Jean-Yves F. Barbier <firstname.lastname@example.org>
> VMS version 2.0 ==>
Thanks for the help in the first place.
After this mail I still have some more questions:
(btw the ports I mean are not the only ports, e.g. ssh is also running but that's a "wanted" service)
After I put my machine online for a few minutes, I made a telnet connection to a host on the Internet and telnetted to the 4 "strange" ports.
After I got a connection, I manually disconnected.
All these 4 ports were reachable:
[patrick@host_on_the_internet patrick]$ telnet 111.222.333.444 826
Connected to 111.222.333.444.
Escape character is '^]'.
telnet> Connection closed.
Well, I installed portsentry already, but that program doesn't forbid a connection
(It only detects a connection and takes some pre-installed action upon it)
I can deny connections by using ipchains but that's preferred solutions because the services are still running and vulnerable to a localhost exploit.
So I want to completely disable this service, so I have to know which service this is.
Encryption: A powerful algorithmic encoding technique employed in the creation of computer manuals.
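
The message above ends on the question of which service owns each listening port. The following is an added example, not part of the thread, of answering that on Linux by joining the listening entries in /proc/net/tcp with the socket inodes under /proc/<pid>/fd. The sample table, inode numbers and function names are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import os, re, socket, struct

# Constructed sample in /proc/net/tcp layout (state 0A = LISTEN); not data from the post.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode
   0: 00000000:033A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1201
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1350
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1422
   3: 0A00000A:0016 1400000A:C350 01 00000000:00000000 02:000A0000 00000000 0 0 1511
"""

def listening_sockets(text):
    """Return {inode: (ip, port)} for every socket in LISTEN state."""
    found = {}
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":           # keep only LISTEN entries
            continue
        hex_ip, hex_port = f[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found[f[9]] = (ip, int(hex_port, 16))
    return found

def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, command) by reading each /proc/<pid>/fd link."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        owners[m.group(1)] = (int(pid), fh.read().strip())
        except OSError:
            continue                              # process exited, or not readable without root
    return owners

def report(tcp_text, owners):
    """Rows of (port, ip, bound_to_all_interfaces, pid, command), sorted by port."""
    rows = []
    for inode, (ip, port) in listening_sockets(tcp_text).items():
        pid, name = owners.get(inode, (None, "unknown"))
        rows.append((port, ip, ip == "0.0.0.0", pid, name))
    return sorted(rows)

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE
    for row in report(text, socket_owners() if live else {}):
        print("port %-5d addr %-15s all-interfaces=%-5s pid=%s cmd=%s" % row)
```

A row that stays `unknown` when run as root belongs to a socket no user process holds open, so the service has to be traced by other means before it can be disabled.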