AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Mon May 30, 2005 10:12 pm Post subject: Open Ports problem
Hi
The only services I installed are SSH and TFTP.
Does anyone know why the ports
21 - ftp
25 - smtp
110 - pop3
are open by default? And what is listening on them if the services are not even installed? (Or how can I check to see if the service is installed and running?)
And how do I close them?
Thanks a lot :)

wjholden l33t
Joined: 01 Mar 2004 Posts: 826 Location: Augusta, GA
Posted: Mon May 30, 2005 10:15 pm
That's strange, it looks like you've set up a mailserver. Port 21 is obviously your FTP server. Once you've enabled SSH you'll see port 22 open as well.
Look for a mail server by typing "rc-update show". You can easily stop it with /etc/init.d/<program> stop and can start SSH with /etc/init.d/sshd restart (remember to "rc-update add sshd default" to make it run by default).
I guess you're scanning localhost with nmap?

tomaw Guru
Joined: 26 Mar 2003 Posts: 429 Location: UK
Posted: Mon May 30, 2005 10:17 pm
First find out what is listening. Port 21 is ftp. Gentoo does not install an ftp server by default, so this is probably something more wacky than that.
To find out what is listening, first emerge lsof then run, as root
This will show you all open ports and the process that is using them. Hopefully that will be of some use.
_________________
Tom Wesley

moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Mon May 30, 2005 10:21 pm
Or, if you haven't installed lsof, you can also use
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Tue May 31, 2005 1:32 pm
Okie
Thank you all very much for the replies, but I scanned my machine from a remote machine using nmap and nessus
and I got the same answer. Those 3 ports are open.
By the way
Yes, port 22 is open because I enabled ssh.
But I want to close all other ports.
I checked the "rc-update show"
and there is no mail server.
Though there is in.tftp (but I want that - and that's supposed to be port 69 anyway)
So I have no idea. I did a netstat -npl and there is nothing unusual.
I am currently not in the office but when I get back I will post the results.
But how can you close the ports?
Because I know in Redhat you can just do a ntsysv and disable all unwanted processes......:S

moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Tue May 31, 2005 3:42 pm
Again, what is the output of? I'm not interested in the actual IP addresses, I'm interested in the ports and the process names.
Also please include the output of

christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Tue May 31, 2005 7:39 pm
AsianSpices wrote: |
But how can you close the ports?
Because I know in Redhat you can just do a ntsysv and disable all unwanted processes......:S |
A good firewall will generally do that...shorewall or just straight iptables. :)
_________________
while(true) {self.input(sugar);} :twisted:

bone Apprentice
Joined: 07 Jun 2002 Posts: 255 Location: Midwest, USA
Posted: Tue May 31, 2005 7:53 pm Post subject: Re: Open Ports problem
AsianSpices wrote: | Hi
The only services I installed are SSH and TFTP.
Does anyone know why the ports
21 - ftp
25 - smtp
110 - pop3
are open by default? And what is listening on them if the services are not even installed? (Or how can I check to see if the service is installed and running?)
And how do I close them?
Thanks a lot :) |
Define what you mean by "are open by default". Do you mean that something is physically bound to them, or that you did an nmap on the server and found them to be unfiltered? I would suggest using lsof to find out what is bound to them, or even netstat -anp | grep <port>.
Get back to us once you find out more, if you still need help.
jt

jamapii l33t
Joined: 16 Sep 2004 Posts: 637
Posted: Tue May 31, 2005 9:28 pm
Run "netstat -lp" as root to find the name of the program that listens on the ports, then run "grep programname /etc/init.d/*".
Most mail servers have names that don't mean anything (except sendmail). If you don't know what it is, it might be a mail server. The cron daemon needs a mailer.
You can possibly close them in the mailer configuration, or bind to a specific interface (127.0.0.1), or use iptables.

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Wed Jun 01, 2005 3:44 pm
Okie guys,
I did an emerge --info and this is what I got
Code: |
Gentoo Base System version 1.4.16
Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r3 i686)
=================================================================
System uname: 2.6.11-gentoo-r3 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz
Python: dev-lang/python-2.3.5 [2.3.5 (#1, May 27 2005, 12:04:13)]
dev-lang/python: 2.3.5
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.59-r6, 2.13
sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r7
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts avi berkdb bitmap-fonts crypt cups emboss encode foomaticdb fortran gdbm gif gnome gpm gtk gtk2 imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl snmp spell ssl tcpd truetype truetype-fonts type1-fonts xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY |
Then I did a netstat -npl
Code: |
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::22 :::* LISTEN 8602/sshd
udp 0 0 0.0.0.0:514 0.0.0.0:* 8506/syslog-ng
udp 0 0 0.0.0.0:161 0.0.0.0:* 8517/snmpd
udp 0 0 0.0.0.0:162 0.0.0.0:* 8560/snmptrapd
udp 3616 0 0.0.0.0:68 0.0.0.0:* 8335/dhcpcd
udp 0 0 0.0.0.0:69 0.0.0.0:* 8766/in.tftpd
udp 0 0 0.0.0.0:32882 0.0.0.0:* 8676/tftp
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 5348/ping
raw 1840 0 0.0.0.0:1 0.0.0.0:* 7 5347/ping
raw 9552 0 0.0.0.0:1 0.0.0.0:* 7 11298/ping
raw 9552 0 0.0.0.0:1 0.0.0.0:* 7 7746/ping
raw 9552 0 0.0.0.0:1 0.0.0.0:* 7 7742/ping
raw 9552 0 0.0.0.0:1 0.0.0.0:* 7 7290/ping
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 593923 8506/syslog-ng /dev/log
|
Then there are all the programs in my /etc/init.d
Code: |
bootmisc
checkfs
checkroot
clock
coldplug
consolefont
crypto-loop
depscan.sh
domainname
functions.sh
gpm
halt.sh
hdparm
hostname
hotplug
in.tftpd
init.txt
ip6tables
iptables
keymaps
local
localmount
modules
net.eth0
net.lo
netmount
nscd
numlock
reboot.sh
rmnologin
rsyncd
runscript.sh
serial
shutdown.sh
snmpd
snmptrapd
sshd
syslog-ng
urandom
vixie-cron
xdm
xinetd
|
And just in case you guys wanted to know also,
this is my iptables -L
Code: |
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:69
ACCEPT udp -- anywhere anywhere udp dpt:snmp-trap
ACCEPT udp -- anywhere anywhere udp dpt:syslog
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
And the output from my nmap is
Code: |
D:\nmap-3.81>nmap -sT -v 10.0.74.66
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-01 09:38 Mountain
Daylight Time
Initiating Connect() Scan against h10.0.74.66.soc.shaw.ca (10.0.74.66) [1663 por
ts] at 09:38
Discovered open port 22/tcp on 10.0.74.66
Discovered open port 25/tcp on 10.0.74.66
Discovered open port 21/tcp on 10.0.74.66
Connect() Scan Timing: About 5.32% done; ETC: 09:47 (0:09:04 remaining)
Discovered open port 110/tcp on 10.0.74.66
Connect() Scan Timing: About 17.26% done; ETC: 09:44 (0:05:20 remaining)
Connect() Scan Timing: About 52.68% done; ETC: 09:41 (0:01:37 remaining)
The Connect() Scan took 175.25s to scan 1663 total ports.
Host h10.0.74.66.soc.shaw.ca (10.0.74.66) appears to be up ... good.
Interesting ports on h10.0.74.66.soc.shaw.ca (10.0.74.66):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
MAC Address: 00:0D:60:0F:94:B0 (IBM)
Nmap finished: 1 IP address (1 host up) scanned in 177.250 seconds
Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
|
Hopefully this can help you guys figure out what's wrong with my machine.
I am trying to close ports 21, 25 and 110!!

moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Wed Jun 01, 2005 4:26 pm
Your machine has quite clearly been broken into - open ports that don't show up in netstat are a dead giveaway. And my guess is it was a ssh password dictionary attack. The attacker also obviously got root privileges since ports under 1024 can only be opened by root. See my post here for how to react on this: https://forums.gentoo.org/viewtopic-p-2454155.html#2454155

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Wed Jun 01, 2005 5:43 pm
Okie
Thanks for the reply, but that's not possible.
We are on our own little network, a 192.168.0.x,
and the only time I put it in the company network was to do the nmap to show you guys.
And I am the only one doing any ssh into the machine.
Even if the "attacker" opened it.....How are they going to do that and HOW can I close it?

kloune Apprentice
Joined: 09 May 2004 Posts: 185 Location: lost
Posted: Wed Jun 01, 2005 5:49 pm
Did someone suggest installing rkhunter or the like? It's easy to use and to install. Just emerge it and run
Code: |
rkhunter -c
|
and see the result.

moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Wed Jun 01, 2005 5:50 pm
AsianSpices wrote: | But that's not possible. |
Never say "that's not possible".
AsianSpices wrote: | We are on our own little network a 192.168.0.x |
which means (in my understanding) the machine is physically connected to a network, which means it's at risk from the other machines on that network and the people using it.
If you can find a better explanation for having listening TCP ports with no process listening on them in the netstat output, I'd be delighted to hear it.

christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Wed Jun 01, 2005 5:56 pm
AsianSpices wrote: |
Hopefully this can help you guys figure out what's wrong with my machine.
I am trying to close ports 21, 25 and 110!! |
I still say that the best way to close a port is through the firewall (I'm assuming you have a firewall installed and running, right?)

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Wed Jun 01, 2005 6:02 pm
Quote: |
Did someone suggest installing rkhunter or the like? It's easy to use and to install. Just emerge it and run
Code:
rkhunter -c
and see the result. |
Why rkhunter?
Quote: |
AsianSpices wrote:
But that's not possible.
Never say "that's not possible".
AsianSpices wrote:
We are on our own little network a 192.168.0.x
which means (in my understanding) the machine is physically connected to a network, which means it's at risk from the other machines on that network and the people using it.
If you can find a better explanation for having listening TCP ports with no process listening on them in the netstat output, I'd be delighted to hear it |
I have no better solution to that.
But I have a 10/100 Fast Ethernet switch just connected to my server and a 1700 router to test the collection of syslogs and traps. Nothing else......So I really have no idea what can have "ATTACKED" it.....the router :P ...r...i...t...eee
I was sorta hoping that I configured something wrong or emerged something that I should not have....
Quote: |
AsianSpices wrote:
Hopefully this can help you guys figure out what's wrong with my machine.
I am trying to close ports 21, 25 and 110!!
I still say that the best way to close a port is through the firewall (I'm assuming you have a firewall installed and running right? |
Dude, I am using iptables, is it not a firewall?....???
Plus, since I am network-less, every time I do an emerge it fails due to the fact that they are saying "unable to resolve host"
but in my make.conf I don't even have any mirrors specified :S

christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Wed Jun 01, 2005 6:22 pm
AsianSpices wrote: | Quote: |
Did someone suggest installing rkhunter or the like? It's easy to use and to install. Just emerge it and run
Code:
rkhunter -c
and see the result. |
Why rkhunter?
|
rkhunter is a rootkit detector...the suggestion is working under the assumption that you've been compromised.
Quote: |
Dude, I am using iptables, is it not a firewall?....???
Plus, since I am network-less, every time I do an emerge it fails due to the fact that they are saying "unable to resolve host"
but in my make.conf I don't even have any mirrors specified :S |
Is your iptables set up to drop all connections/close all ports except the ones you specified? A firewall poorly configured is no better than being without one.
I'm assuming you have iptables started too.
You being networkless means that chances are...you weren't hacked. Either that or that hacker is damn good.
Configure your firewall to drop all incoming connections except to the ports you specify (and probably allow all connections out for your emerges/etc). :)

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Wed Jun 01, 2005 6:27 pm
Yes, my iptables is set up to drop all connections/close all ports except the ones you specified
Code: |
iptables -P INPUT DROP
|
And yes, iptables is started lol
Quote: |
Configure your firewall to drop all incoming connections except to the ports you specify (and probably allow all connections out for your emerges/etc). |
Unfortunately my manager wants me to do a networkless install (which I already did),
but for any packages I want to install after that it's all to be networkless.
Unfortunately it keeps asking to go out on the net :S
How do I solve this?

christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Wed Jun 01, 2005 6:37 pm
AsianSpices wrote: | Yes, my iptables is set up to drop all connections/close all ports except the ones you specified
Code: |
iptables -P INPUT DROP
|
And yes, iptables is started lol
Quote: |
Configure your firewall to drop all incoming connections except to the ports you specify (and probably allow all connections out for your emerges/etc). |
Unfortunately my manager wants me to do a networkless install (which I already did),
but for any packages I want to install after that it's all to be networkless.
Unfortunately it keeps asking to go out on the net :S
How do I solve this? |
For the ports thing...if nmap can see the ports as open, the firewall's not doing its job. It tests the port and if it doesn't get a response, it should be marked stealthed, not open. If it gets a deny response...it should be marked as closed. If it gets an accept response, it is marked as open. So double check your firewall config is my suggestion. I'm not very good at reading iptables configs but perhaps someone else here can if you post them?
For networkless installs, download the source tarballs from the program website and then put it (somehow) into your /usr/portage/distfiles (since it looks there when it does an emerge install). Then when you run an emerge, it should just pick that up and compile from there.
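
Added example, not part of any post in this thread: a Python cross-check of the three outputs AsianSpices posted above (nmap, netstat -npl, iptables -L), reporting for each TCP port the scan saw open whether a local process is listening and what the listed INPUT chain would do with it. The sample lines are copied from those outputs and trimmed; the function names and the SERVICE_PORTS table are this example's own.

```python
import re

# Lines copied from the outputs posted in the thread (trimmed).
NETSTAT = """\
tcp 0 0 :::22 :::* LISTEN 8602/sshd
udp 0 0 0.0.0.0:69 0.0.0.0:* 8766/in.tftpd
"""
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:69
ACCEPT udp -- anywhere anywhere udp dpt:snmp-trap
ACCEPT udp -- anywhere anywhere udp dpt:syslog
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
"""
NMAP = """\
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
"""
# iptables -L prints service names; only the ones in this listing are mapped.
SERVICE_PORTS = {"ssh": 22, "snmp-trap": 162, "syslog": 514}

def scanned_open(nmap_text):
    """TCP ports the scanner reported as open."""
    return [int(p) for p in re.findall(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)]

def tcp_listeners(netstat_text):
    """Map local TCP port -> 'PID/program' for sockets in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            found[int(f[3].rsplit(":", 1)[1])] = f[6]
    return found

# Assumption: `iptables -L` without -v hides interface matches, so every
# rule in the listing is treated as applying to all interfaces.
def parse_chain(listing):
    """Return (policy, [(target, proto, dport-or-None), ...]) for one chain."""
    lines = listing.splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:
        f = line.split()
        if len(f) < 5:
            continue
        m = re.search(r"dpt:(\S+)", line)
        dport = None
        if m:
            dport = int(m.group(1)) if m.group(1).isdigit() else SERVICE_PORTS[m.group(1)]
        rules.append((f[0], f[1], dport))
    return policy, rules

def verdict(policy, rules, proto, port):
    """First matching rule decides; the policy applies only if none match."""
    for target, rule_proto, dport in rules:
        if rule_proto in (proto, "all") and dport in (None, port):
            return target
    return policy

def cross_check():
    """(port, listener, INPUT verdict) for every TCP port the scan saw open."""
    listeners = tcp_listeners(NETSTAT)
    policy, rules = parse_chain(IPTABLES_INPUT)
    return [(p, listeners.get(p), verdict(policy, rules, "tcp", p))
            for p in scanned_open(NMAP)]

if __name__ == "__main__":
    for port, proc, fw in cross_check():
        print(f"{port}/tcp  listener={proc or 'none'}  INPUT verdict={fw}")
```

Ports 21, 25 and 110 come out with no listener and a DROP verdict from the listing as posted, while 22 has both a listener and an ACCEPT rule. The same evaluator shows UDP 69, where in.tftpd listens, falling through to the UDP DROP rule, because the posted ACCEPT for port 69 is a TCP rule.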

limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Wed Jun 01, 2005 6:45 pm
Is it possible that your nmap is running against a different machine than the one in question? What is the output of ifconfig on the target box?

christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Wed Jun 01, 2005 6:46 pm
limn wrote: | Is it possible that your nmap is running against a different machine than the one in question? What is the output of ifconfig on the target box? |
From the output, nmap looks to be running on a separate Windows box on the same isolated network.

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Thu Jun 02, 2005 7:55 pm
Okie guys,
I figured out what was wrong.
Packages such as vixie-cron and tripwire automatically install the mail services as their dependencies.
Hence the reason the ports were open.
So my question is how do I close the ports now,
seeing that I cannot even see the mail services installed....
But on another note..
My boss wants me to install certain packages
such as, let's say, TFTP and Net-SNMP, but he wants them done networkless.
I downloaded the tar files but I don't know how to install them.
tar -xvjf <package name>
make
make install
does not do it.
Does emerge work for this?
Can anyone help me please?

christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Thu Jun 02, 2005 8:09 pm
step 1: type in "emerge -p packagename" without the quotes and download the version mentioned
step 2: download package and get it to the computer somehow
step 3: put it in /usr/portage/distfiles/ (yes the whole tarball...not unzipped or anything)
step 4: type in "emerge packagename" without the quotes
step 5: watch the compile work
that's how it should work :)

AsianSpices Tux's lil' helper
Joined: 30 May 2005 Posts: 82
Posted: Thu Jun 02, 2005 8:32 pm
Okie, I got that part.
The thing is I cannot find anywhere to download *.tbz2 files for tripwire, net-snmp and tftp.
I found the one for iptables and it worked. Thank god!
Does anyone know of a link for this?

overkll Veteran
Joined: 21 Sep 2004 Posts: 1249 Location: Austin, Texas
Posted: Thu Jun 02, 2005 8:42 pm
Quote: | But on another note..
My boss wants me to install certain packages
such as, let's say, TFTP and Net-SNMP, but he wants them done networkless. |
You could do a stage 3 install. Then the whole system can be a networkless install.
With the package CD, you can install the apps you need - networkless.
You can also use nmap to scan your local interfaces - you don't need to do it from a remote machine.
Sounds to me like your boss wants to have a secure machine built and ready to put on a network, without previously being on a network. That way the machine is sure not to have been compromised in the process of making it. If that's the case, a stage 3 install and package CD is the way to go.
Or am I missing something here?