Open ports across the network. [tentatively resolved]

Lord.DragonFly.of.Dawn

I'm running into an interesting problem.

I have a server setup with some daemons and nothing else. I set this up yesterday and have yet to move outside my private subnet.

Here is why.

when I nmap my ports from the machine it presents the list i would expect, but if i do it form any other machine on the net it presents a MUCH different view.

From Naru (the affected machine)

crouse · Site Admin Joined: 17 Apr 2024 Posts: 11833 Location: Iowa

Scanned Archie -- ssh port hasn't been changed yet... gives me exactly what I thought it should.

hakova · Posted: Sat Mar 14, 2024 5:50 pm Post subject:

I don't mean to hijack the thread but here is what I have:

masinick · Posted: Sat Mar 14, 2024 6:30 pm Post subject:

Port 587 is sometimes implemented as the replacement SMTP port; the old SMTP port used to be 25 if I remember right, and 110 was the POP port. I have seen port 631 used by webmin in the past, so that port might be used by a printer administration tool, possibly CUPS. Try shutting down a few of those ports and see if any functionality that you need stops. If you don't miss the ports open, leave them off. At least you will then find out if they are actively being used. You can turn them on when you need them and shut them off when you don't need them; nothing prevents you from doing that, other than your own time and your level of concern.

_________________
Brian Masinick
Distros: SimplyMEPIS
sidux - no CAPS!, antiX, Debian

hakova · Posted: Sat Mar 14, 2024 6:59 pm Post subject:

masinick · Posted: Sat Mar 14, 2024 9:08 pm Post subject:

I do not see all that many ports open, and the ports listed are commonly used for real network activity. If your paranoia is that high, turn on a packet sniffer and watch everything that comes by. I do not think that you are being seriously compromised. In the past, when I have monitored network activity, I find software that is trying to access my system all the time - and not getting very far at all. Such processes usually give up when they realize that they are not getting anywhere.

_________________
Brian Masinick
Distros: SimplyMEPIS
sidux - no CAPS!, antiX, Debian

hakova · Posted: Sun Mar 15, 2024 12:10 am Post subject:

Thanks for the expert opinion masinick. I actually don't have a high paranoia, whatever amount I have stems from my ignorance. Your insight was enough to calm it down.

Lord.DragonFly.of.Dawn · Posted: Sun Mar 15, 2024 3:01 am Post subject:

I've identified the open ports in the listings i posted previously and they are all valid for the servers I have set up. I have configured iptables to block all other ports and have lost no functionality.

however I still periodically get the odd nmap readings. I'll get a huge jump in open ports (despite having iptables configured) that stay open for between 5 minutes and an hour before closing again. running a packet sniffer during this shows no activity on any of the questionable ports aside from the occasional icmp ping that is is not acknowledged (due to iptables probably). Below is a copy of the output from one of those scans.

I am running a vanilla install of debian lenny with no 3rd party debs/apps installed. It was installed via the official ISO (the same one that i used to install my laptop which does *NOT* show the same issue)

I'm not planning to use the box for any sensitive data, but I am worried that this issue might manifest on other machines on my network which will carry data that is sensitive. I'm not normally a paranoid man but I do worry when network ports are open for no apparent reason (a throwback to my windows days)

Thank your for your time and assistance.

-Pat

masinick · Posted: Sun Mar 15, 2024 3:48 am Post subject: I'd close those ports!

Wow, Lord.DragonFly.of.Dawn, that is a huge number of open ports! I don't knowingly ever open or leave open anywhere near that many ports! I would say that in your case you will want to look into closing 98% of those and leaving them closed unless you have a specific reason to do otherwise.

_________________
Brian Masinick
Distros: SimplyMEPIS
sidux - no CAPS!, antiX, Debian

mr_ed · Posted: Mon Mar 16, 2024 1:22 pm Post subject:

wow that's bizarre. Shocked

_________________
Desktop: Ubuntu 7.10 "Gutsy Gibbon"
Laptop: Ubuntu 7.04 "Feisty Fawn"

Lord.DragonFly.of.Dawn · Posted: Mon Mar 16, 2024 1:34 pm Post subject:

mmmna · . . . . Joined: 21 Apr 2024 Posts: 7224

Wow. A quick paste onto a spreadsheet produced over 1070 open ports. No ideas, I'm network challenged.

_________________
-Kubuntu 10.04 LTS Beta2 on Celeron D desktop
-PCLinuxOS 2024 LXDE on EeePC 900A with Atom n270 (modded with 32G SATA drive and 2G ram).

crouse · Site Admin Joined: 17 Apr 2024 Posts: 11833 Location: Iowa

IP Tables won't block the services from starting, but it should block the port scan.
With this many ports open, I would do some heavy duty digging into WHY everything is turned on, and if I couldn't figure it out, I know what I would do personally.

This is one of the things I really like about Arch Linux. Everything is by default, off/not installed. The only things that ever get started are what YOU tell it start by installing programs and turning on the dameons in the rc.conf file DAMEONS list. With that one line and I can tell you what services should be running, and one place to turn off anything I want to disable.
[root@VistaCrusher2 ~]# less /etc/rc.conf | grep DAEM
# DAEMONS
DAEMONS=(syslog-ng hal !dbus network netfs @openntpd @crond @sshd @kdm @cups @httpd)

on this particular system I have ports open for ntp, ssh,

I would definitely thing Gentoo is similar, but since I don't run it, I can't offer many good suggestions, other than if it were me, I'd be figuring this out ASAP.

_________________
Veronica - Arch Linux 64-bit -- Kernel 2.6.33.4-1
Archie/Jughead - Arch Linux 32-bit -- Kernel 2.6.33.4-1
Betty/Reggie - Arch Linux (VBox) 32-bit -- Kernel 2.6.33.4-1
BumbleBee - OpenSolaris-SunOS 5.11

platinummonkey · Posted: Tue Mar 17, 2024 5:04 pm Post subject:

sounds like inetd is having a field day on you Wink

try closing all the ports you dont need in /etc/inetd.conf

_________________
desktop - FreeBSD 7.2
laptop & server - Archlinux i686 kernel26 2.6.32.10-1
- TAMULinux-2.0.2-ALPHA
USB Boot - Archlinux i686 kernel26 2.6.32.10-1 USB boot

masinick · Posted: Tue Mar 17, 2024 5:20 pm Post subject:

	USA Linux Users Group Forum Index » Networking	All times are GMT Goto page 1, 2 Next
Page 1 of 2