Hi again everyone.. I guess I'm going to have a lot of questions for a few days! I'll make sure I give back once I'm clued up, promise

My iptables rules are as follows:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:9999

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

but when I nmap the IP from my box here I get:

PORT STATE SERVICE
80/tcp open http
110/tcp open pop3
1863/tcp open msnp
5190/tcp open aol

Any idea why 110, 1863, 5190 are open when (I think) my iptables should be blocking them? BTW googling 1863 and 5190 I'm not the only person who's noticed this on a webserver, but I could find no answer. I wonder if it's something on the host network (i.e. before the traffic gets to my server?) or if it's to do with having had an established ssh/LISH connection to the box?

I want my machine to be as secure as possible, but I don't want to be unneccessarily paranoid.. so if I'm worrying about nothing please say so

Ta,

D

output of : sudo netstat -tap, please

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.
http://independentchaos.com

Thanks for looking Freedom. Output of that command:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:9999 *:* LISTEN 1085/sshd
tcp 0 0 localhost.localdo:mysql *:* LISTEN 1167/mysqld
tcp 0 0 localhost.localdom:smtp *:* LISTEN 1503/exim4
tcp 0 300 myhostname.net:9999 customer8181.pool:49237 ESTABLISHED 1664/sshd: user [pr
tcp6 0 0 [::]:9999 [::]:* LISTEN 1085/sshd
tcp6 0 0 [::]:www [::]:* LISTEN 1538/apache2

(where 9999 is my ssh port)

nmap from the box I'm sitting at now (different machine, with an ssh session open to the server):

PORT STATE SERVICE
80/tcp open http
110/tcp open pop3
1863/tcp open msnp
3128/tcp open squid-http
5190/tcp open aol
8080/tcp open http-proxy

I haven't installed squid or exim btw, but I guess exim is in by default and the 'squid' port is part of this unknown open(?)ports situation I've got.

Just in case it's useful, here's a list of all the running processes (from ps -e; this is Debian 5): [edit] removed - nothing to see there, and making the thread too long [/edit]


And some more random output that might help with diagnosis:

# fuser 80/tcp
80/tcp: 1538 1557 1564
# ps -ef | grep 1538
root 1538 1 0 11:22 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1557 1538 0 11:22 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1564 1538 0 11:23 ? 00:00:00 /usr/sbin/apache2 -k start
root 1695 1672 0 13:55 pts/0 00:00:00 grep 1538
# fuser 110/tcp
# fuser 1863/tcp
# fuser 3128/tcp
# fuser 5190/tcp
# fuser 8080/tcp

Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host). I think I need to nmap from outside of my ISP.
[edit] I did that, using lynx on my server and an online nmap service and from the point of view of that service there's only the one port open (80)... I don't know why those ports look open from my machine here, but I'm reassured that there's no massive problem here [/edit]

Looks like your ISP is proxying and/or filtering some of your internet access. If mine started doing that I'd either get a new ISP or tunnel out to somewhere that will route my packets properly (like Linode for example )

Hehe yeah.. hence my other thread about OpenVPN

Although, it can't do port sweeps, check out http://ping.eu. It can do a lot of server tests.

Otherewise, your server looks fine. For some reason my server always comes back with SMB ports open which confuses the hell out of nmap when I try to have it guess the OS. I know my server is good (ie not comp'd) as I just re-installed it the other day and these ports are still open.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.

http://independentchaos.com

Yeah, when I scan, I always scan from both the inside and outside and compare the results. If I see more from the inside than from the outside, I know that my local router and firewall are what's making the difference. Taking into consideration upstream filtering helps also.