open ports

open ports

dalila-2
aside from ssh how did all these ports remain open on a desktop installation?  
also how can i close them?

PORT     STATE    SERVICE
13/tcp   filtered daytime
19/tcp   filtered chargen
22/tcp   open     ssh
111/tcp  filtered rpcbind
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
512/tcp  filtered exec
513/tcp  filtered login
543/tcp  filtered klogin
544/tcp  filtered kshell
707/tcp  filtered unknown
1433/tcp filtered ms-sql-s
1720/tcp filtered H.323/Q.931

--
ubuntu-users mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: open ports

Alexander Skwar-11
· [hidden email] <[hidden email]>:

> aside from ssh how did all these ports remain open on a desktop installation?  
> also how can i close them?

Ports are only open, if some application opens them. So, to close
them, shut down the appropriate application.

> PORT     STATE    SERVICE
> 13/tcp   filtered daytime
> 19/tcp   filtered chargen
> 22/tcp   open     ssh
> 111/tcp  filtered rpcbind
> 135/tcp  filtered msrpc
> 136/tcp  filtered profile
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 512/tcp  filtered exec
> 513/tcp  filtered login
> 543/tcp  filtered klogin
> 544/tcp  filtered kshell
> 707/tcp  filtered unknown
> 1433/tcp filtered ms-sql-s
> 1720/tcp filtered H.323/Q.931

Hm - only ssh is for sure open.

To see which ports are open while on the system, run:

        sudo netstat -tulpen

Alexander Skwar
--
Children seldom misquote you.  In fact, they usually repeat word for
word what you shouldn't have said.
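
Added example, not part of any message in this thread: it reconciles the scanner's view from the original post with the local view that `netstat -tulpen` gives, to show which scanned ports have a process behind them at all. The netstat sample is constructed, and the function names are this example's own.

```python
import re

# Scan result from the original post, abridged to four rows.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
111/tcp  filtered rpcbind
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
"""

# Constructed sample of `sudo netstat -tulpen` output (not from the thread).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   User  Inode  PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  0     14021  4312/sshd
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN  0     13877  4107/cupsd
tcp6       0      0 :::22            :::*             LISTEN  0     14023  4312/sshd
udp        0      0 0.0.0.0:68       0.0.0.0:*                0     12950  3980/dhclient
"""

LOOPBACK = ("127.", "::1")  # addresses a remote scanner can never reach

def parse_nmap(text):
    """Return {(port, proto): state} from nmap's PORT/STATE/SERVICE table."""
    rows = re.findall(r"^(\d+)/(tcp|udp)\s+(\S+)", text, re.M)
    return {(int(port), proto): state for port, proto, state in rows}

def parse_netstat(text):
    """Return {(port, proto): [(bind_address, program), ...]} per listener."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not re.fullmatch(r"(tcp|udp)6?", fields[0]):
            continue  # banner and column-header lines
        addr, port = fields[3].rsplit(":", 1)
        prog = re.search(r"\d+/(\S+)", line)  # absent when run without root
        key = (int(port), fields[0].rstrip("6"))
        listeners.setdefault(key, []).append((addr, prog.group(1) if prog else "-"))
    return listeners

def reconcile(scan, listeners):
    """Explain each scanned port by what is actually listening locally."""
    report = {}
    for (port, proto), state in sorted(scan.items()):
        exposed = [prog for addr, prog in listeners.get((port, proto), [])
                   if not addr.startswith(LOOPBACK)]
        if exposed:
            report[port] = f"{state}: {exposed[0]} is listening; stop it to close the port"
        elif state == "filtered":
            report[port] = "filtered: no local listener; a packet filter dropped the probe"
        else:
            report[port] = f"{state}: no externally reachable listener found"
    return report

if __name__ == "__main__":
    print(reconcile(parse_nmap(NMAP_OUTPUT), parse_netstat(NETSTAT_OUTPUT)))
```
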




Re: open ports

albi@scii.nl
In reply to this post by dalila-2
On Sun, 03 Sep 2006 08:51:02 -0400 (EDT)
[hidden email] wrote:

> aside from ssh how did all these ports remain open on a desktop
> installation? also how can i close them?

they're filtered, not open, and.. see below

> PORT     STATE    SERVICE
> 13/tcp   filtered daytime
> 19/tcp   filtered chargen
> 22/tcp   open     ssh
> 111/tcp  filtered rpcbind
> 135/tcp  filtered msrpc
> 136/tcp  filtered profile
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds

from where did you do your portscan? from the "outside"?
then you have to realise this filtering is possibly from your ISP

--
grtjs,
albi


Re: open ports

Tony Arnold-3
In reply to this post by dalila-2
On Sun, 2006-09-03 at 08:51 -0400, [hidden email] wrote:

> aside from ssh how did all these ports remain open on a desktop installation?  
> also how can i close them?
>
> PORT     STATE    SERVICE
> 13/tcp   filtered daytime
> 19/tcp   filtered chargen
> 22/tcp   open     ssh
> 111/tcp  filtered rpcbind
> 135/tcp  filtered msrpc
> 136/tcp  filtered profile
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 512/tcp  filtered exec
> 513/tcp  filtered login
> 543/tcp  filtered klogin
> 544/tcp  filtered kshell
> 707/tcp  filtered unknown
> 1433/tcp filtered ms-sql-s
> 1720/tcp filtered H.323/Q.931

Apart from the ssh port, all the other ports are firewalled off
somewhere, either by firewall settings on your desktop, or by some other
firewall that's between the scanning machine and the desktop machine.

The difference is that a firewall will silently drop any packets
arriving on these filtered ports, whereas a system that is just not
listening on these ports will respond with a negative acknowledgement.
Utilities such as nmap use this to distinguish the two cases.

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: [hidden email], H: http://www.man.ac.uk/Tony.Arnold


Re: open ports

Gabriel Dragffy
On Sun, 2006-09-03 at 14:11 +0100, Tony Arnold wrote:

> On Sun, 2006-09-03 at 08:51 -0400, [hidden email] wrote:
> > aside from ssh how did all these ports remain open on a desktop installation?  
> > also how can i close them?
> >
> > PORT     STATE    SERVICE
> > 13/tcp   filtered daytime
> > 19/tcp   filtered chargen
> > 22/tcp   open     ssh
> > 111/tcp  filtered rpcbind
> > 135/tcp  filtered msrpc
> > 136/tcp  filtered profile
> > 137/tcp  filtered netbios-ns
> > 138/tcp  filtered netbios-dgm
> > 139/tcp  filtered netbios-ssn
> > 445/tcp  filtered microsoft-ds
> > 512/tcp  filtered exec
> > 513/tcp  filtered login
> > 543/tcp  filtered klogin
> > 544/tcp  filtered kshell
> > 707/tcp  filtered unknown
> > 1433/tcp filtered ms-sql-s
> > 1720/tcp filtered H.323/Q.931
>
> Apart from the ssh port, all the other ports are firewalled off
> somewhere, either by firewall settings on your desktop, or by some other
> firewall that's between the scanning machine and the desktop machine.
>
> The difference is that a firewall will silently drop any packets
> arriving on these filtered ports, whereas a system that is just not
> listening on these ports will respond with a negative acknowledgement.
> Utilities such as nmap use this to distinguish the two cases.
>
> Regards,
> Tony.
> --
> Tony Arnold, IT Security Coordinator, University of Manchester,
> IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
> T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
> E: [hidden email], H: http://www.man.ac.uk/Tony.Arnold
>

If you read the nmap documentation "filtered" is an alias for "not
open". This is the result you get when the ports are closed and the host
responds with a reject packet, rather than dropping the packets. The
result that you show is what you will get if you run nmap on the
localhost, however a scan from a remote computer will reveal only ssh is
open. If you want your machine to be invisible by dropping all packets
instead of rejecting them, I recommend firehol. Install it and edit
firehol.conf. You probably want something like:

interface eth+ internet
        client all accept
        protection strong 10/sec 10
        policy deny
        server shh accept

and that's it, it'll keep your ssh open to the outside world.



Re: open ports

Thilo Six

Gabriel M Dragffy wrote the following on 03.09.2006 22:36:
<snip>
> interface eth+ internet
> client all accept
> protection strong 10/sec 10
> policy deny
> server shh accept

typo?
shouldn't that be:
server ssh accept
        ^

> and that's it, it'll keep your ssh open to the outside world.

bye Thilo
- --
i am on Ubuntu 2.6 KDE
- - some friend of mine

gpg key: Ox4A411E09


Re: open ports

Gabriel Dragffy
On Sun, 2006-09-03 at 16:11 +0200, Thilo Six wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Gabriel M Dragffy wrote the following on 03.09.2006 22:36:
> <snip>
> > interface eth+ internet
> > client all accept
> > protection strong 10/sec 10
> > policy deny
> > server shh accept
>
> typo?
> shouldn't that be:
> server ssh accept
>  

Yes, it's a typo, sorry, my emails are full of them, but you know what I
mean. Fortunately if you copied exactly my instructions firehol would
fail on the typo and not change anything so  it wouldn't cause a problem
there :)  In the future I'll be more careful though.



Re: open ports

Alexander Skwar-11
In reply to this post by Gabriel Dragffy
· Gabriel M Dragffy <[hidden email]>:

> If you want your machine to be invisible by dropping all packets
> instead of rejecting them,

By doing so, your machine is *VERY* visible. There's no such
thing as an invisible machine on the Internet.

Dropping packages is close to never a good suggestion. Rejecting
packages might be worthwhile, though. But for this, a packet
filter isn't needed.

> I recommend firehol. Install it and edit
> firehol.conf. You probably want something like:
>
> interface eth+ internet
>       client all accept
>       protection strong 10/sec 10
>       policy deny
>       server shh accept
>
> and that's it, it'll keep your ssh open to the outside world.

Hm - the same can be gained by not opening any ports in the
first place. And the less software used, the better.

Alexander Skwar
--
The wonderful thing about a dancing bear is not how well he dances,
but that he dances at all.




Re: open ports

Thilo Six
In reply to this post by Gabriel Dragffy

Gabriel M Dragffy wrote the following on 03.09.2006 23:30:

<snip>
> Yes, it's a typo, sorry, my emails are full of them, but you know what I
> mean. Fortunately if you copied exactly my instructions firehol would
> fail on the typo and not change anything so  it wouldn't cause a problem
> there :)  

all right then

> In the future I'll be more careful though.

no problem.  ;)

bye Thilo
- --
i am on Ubuntu 2.6 KDE
- - some friend of mine

gpg key: Ox4A411E09


Re: open ports

dalila-2
In reply to this post by Tony Arnold-3
Tony Arnold wrote ..

> On Sun, 2006-09-03 at 08:51 -0400, [hidden email] wrote:
> > aside from ssh how did all these ports remain open on a desktop installation?
> > also how can i close them?
> >
> > PORT     STATE    SERVICE
> > 13/tcp   filtered daytime
> > 19/tcp   filtered chargen
> > 22/tcp   open     ssh
> > 111/tcp  filtered rpcbind
> > 135/tcp  filtered msrpc
> > 136/tcp  filtered profile
> > 137/tcp  filtered netbios-ns
> > 138/tcp  filtered netbios-dgm
> > 139/tcp  filtered netbios-ssn
> > 445/tcp  filtered microsoft-ds
> > 512/tcp  filtered exec
> > 513/tcp  filtered login
> > 543/tcp  filtered klogin
> > 544/tcp  filtered kshell
> > 707/tcp  filtered unknown
> > 1433/tcp filtered ms-sql-s
> > 1720/tcp filtered H.323/Q.931
>
> Apart from the ssh port, all the other ports are firewalled off
> somewhere, either by firewall settings on your desktop, or by some other
> firewall that's between the scanning machine and the desktop machine.
>
> The difference is that a firewall will silently drop any packets
> arriving on these filtered ports, whereas a system that is just not
> listening on these ports will respond with a negative acknowledgement.
> Utilities such as nmap use this to distinguish the two cases.
>
> Regards,
> Tony.
thanks


Re: open ports

Tony Arnold-3
In reply to this post by Gabriel Dragffy
Gabe,

On Sun, 2006-09-03 at 21:26 +0100, Gabriel M Dragffy wrote:

> > The difference is that a firewall will silently drop any packets
> > arriving on these filtered ports, whereas a system that is just not
> > listening on these ports will respond with a negative acknowledgement.
> > Utilities such as nmap use this to distinguish the two cases.
> >
> > Regards,
> > Tony.
> > --
> > Tony Arnold, IT Security Coordinator, University of Manchester,
> > IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
> > T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
> > E: [hidden email], H: http://www.man.ac.uk/Tony.Arnold
> >
>
> If you read the nmap documentation "filtered" is an alias for "not
> open". This is the result you get when the ports are closed and the host
> responds with a reject packet, rather than dropping the packets.

This is not correct. I quote from the nmap man page:

> The state is either open,
>        filtered, closed, or unfiltered. Open means that an application on the
>        target machine is listening for connections/packets on that port.
>        Filtered means that a firewall, filter, or other network obstacle is
>        blocking the port so that Nmap cannot tell whether it is open or
>        closed.

I think you get a state of 'unfiltered' or maybe 'closed' for ports which have nothing
listening on them and no firewall blocking the connection.

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: [hidden email], H: http://www.man.ac.uk/Tony.Arnold
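
Added example, not written by anyone in this thread: the cases Tony Arnold describes, seen from a plain TCP connect() against a machine you administer. A completed handshake is "open", a reset is "closed", and silence or an ICMP unreachable error is "filtered". The names classify, loopback_demo and dropped are invented here, and a connect-based probe only approximates what nmap does.

```python
import errno
import socket

# ICMP host- or network-unreachable replies surface as these errnos on connect().
UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}

def classify(host, port, timeout=2.0, connect=socket.create_connection):
    """Map the outcome of one TCP connect attempt to an nmap-style state.

    `connect` is injectable so the dropped-packet case can be exercised
    without a real packet filter; it defaults to the standard library call.
    """
    try:
        sock = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"        # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "filtered"      # silence: the probe was dropped somewhere on the path
    except OSError as exc:
        if exc.errno in UNREACHABLE:
            return "filtered"  # a filter or router answered with ICMP unreachable
        raise
    sock.close()
    return "open"              # handshake completed: an application is listening

def loopback_demo():
    """Probe one port on 127.0.0.1 with a listener present, then after it is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = classify("127.0.0.1", port)
    srv.close()
    not_listening = classify("127.0.0.1", port)
    return listening, not_listening

def dropped(address, timeout):
    """Stand-in for a connect() whose SYN a firewall silently drops."""
    raise socket.timeout("timed out")

if __name__ == "__main__":
    print(loopback_demo())
    print(classify("192.0.2.1", 22, connect=dropped))  # 192.0.2.1: documentation address
```
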


Re: open ports

Gabriel Dragffy
In reply to this post by Alexander Skwar-11
On Sun, 2006-09-03 at 16:54 +0200, Alexander Skwar wrote:
> By doing so, your machine is *VERY* visible. There's no such
> thing as an invisible machine on the Internet.

This goes against pretty much everything that I've ever read or heard
about computer security, which is fine. I am very eager to know - why is
this so?

> Dropping packages is close to never a good suggestion. Rejecting
> packages might be worthwhile, though. But for this, a packet
> filter isn't needed.
>

Should I open some ports or start rejecting packets in the future?

> Hm - the same can be gained by not opening any ports in the
> first place. And the less software used, the better.


The OP has already opened ssh and I assume (incorrectly?) that the OP
would like for it to remain open.




Re: open ports

dalila-2
Gabriel M Dragffy wrote ..

> On Sun, 2006-09-03 at 16:54 +0200, Alexander Skwar wrote:
> > By doing so, your machine is *VERY* visible. There's no such
> > thing as an invisible machine on the Internet.
>
> This goes against pretty much everything that I've ever read or heard
> about computer security, which is fine. I am very eager to know - why is
> this so?
>
> > Dropping packages is close to never a good suggestion. Rejecting
> > packages might be worthwhile, though. But for this, a packet
> > filter isn't needed.
> >
>
> Should I open some ports or start rejecting packets in the future?
>
> > Hm - the same can be gained by not opening any ports in the
> > first place. And the less software used, the better.
>
>
> The OP has already opened ssh and I assume (incorrectly?) that the OP
> would like for it to remain open.
>

FYI ... i did want it open (22, ssh); i was not aware of the filtered status, so i got a little alarmed, as
other machines i have do not reveal that
