Linode Forum https://forum.linode.com/

IPTables and nmap https://forum.linode.com/viewtopic.php?f=19&t=4841
Author: Daveo [ Sat Nov 14, 2009 7:53 am ]
Post subject: IPTables and nmap
Hi again everyone.. I guess I'm going to have a lot of questions for a few days! I'll make sure I give back once I'm clued up, promise

My iptables rules are as follows:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9999

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

but when I nmap the IP from my box here I get:

    PORT     STATE SERVICE
    80/tcp   open  http
    110/tcp  open  pop3
    1863/tcp open  msnp
    5190/tcp open  aol

Any idea why 110, 1863, 5190 are open when (I think) my iptables should be blocking them? BTW googling 1863 and 5190 I'm not the only person who's noticed this on a webserver, but I could find no answer. I wonder if it's something on the host network (i.e. before the traffic gets to my server?) or if it's to do with having had an established ssh/LISH connection to the box?

I want my machine to be as secure as possible, but I don't want to be unnecessarily paranoid.. so if I'm worrying about nothing please say so

Ta, D

Author: freedom_is_chaos [ Sat Nov 14, 2009 8:26 am ]
Output of: sudo netstat -tap, please

Author: Daveo [ Sat Nov 14, 2009 10:04 am ]
Thanks for looking Freedom. Output of that command:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:9999                  *:*                     LISTEN      1085/sshd
    tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      1167/mysqld
    tcp        0      0 localhost.localdom:smtp *:*                     LISTEN      1503/exim4
    tcp        0    300 myhostname.net:9999     customer8181.pool:49237 ESTABLISHED 1664/sshd: user [pr
    tcp6       0      0 [::]:9999               [::]:*                  LISTEN      1085/sshd
    tcp6       0      0 [::]:www                [::]:*                  LISTEN      1538/apache2

(where 9999 is my ssh port)

nmap from the box I'm sitting at now (different machine, with an ssh session open to the server):

    PORT     STATE SERVICE
    80/tcp   open  http
    110/tcp  open  pop3
    1863/tcp open  msnp
    3128/tcp open  squid-http
    5190/tcp open  aol
    8080/tcp open  http-proxy

I haven't installed squid or exim btw, but I guess exim is in by default and the 'squid' port is part of this unknown open(?) ports situation I've got.

Just in case it's useful, here's a list of all the running processes (from ps -e; this is Debian 5):

[edit] removed - nothing to see there, and making the thread too long

And some more random output that might help with diagnosis:

    # fuser 80/tcp
    80/tcp: 1538 1557 1564
    # ps -ef | grep 1538
    root      1538     1  0 11:22 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  1557  1538  0 11:22 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  1564  1538  0 11:23 ?        00:00:00 /usr/sbin/apache2 -k start
    root      1695  1672  0 13:55 pts/0    00:00:00 grep 1538
    # fuser 110/tcp
    # fuser 1863/tcp
    # fuser 3128/tcp
    # fuser 5190/tcp
    # fuser 8080/tcp

Author: Daveo [ Sat Nov 14, 2009 12:21 pm ]
Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host). I think I need to nmap from outside of my ISP.

[edit] I did that, using lynx on my server and an online nmap service and from the point of view of that service there's only the one port open (80)... I don't know why those ports look open from my machine here, but I'm reassured that there's no massive problem here

Author: Stever [ Sat Nov 14, 2009 1:32 pm ]
Daveo wrote: Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host).
Looks like your ISP is proxying and/or filtering some of your internet access. If mine started doing that I'd either get a new ISP or tunnel out to somewhere that will route my packets properly (like Linode for example)

Author: Daveo [ Sat Nov 14, 2009 3:06 pm ]
Stever wrote: Looks like your ISP is proxying and/or filtering some of your internet access. If mine started doing that I'd either get a new ISP or tunnel out to somewhere that will route my packets properly (like Linode for example)
Hehe yeah.. hence my other thread about OpenVPN |

Author: freedom_is_chaos [ Sun Nov 15, 2009 3:23 pm ]
Although it can't do port sweeps, check out http://ping.eu. It can do a lot of server tests. Otherwise, your server looks fine. For some reason my server always comes back with SMB ports open, which confuses the hell out of nmap when I try to have it guess the OS. I know my server is good (i.e. not comp'd) as I just re-installed it the other day and these ports are still open.

Author: unixfool [ Thu Nov 19, 2009 2:56 pm ]
Daveo wrote: Hmm there's 14 hops to port 80 (tcptraceroute) but only 1 to 1863 and 5190 (110, 3128, 8080 don't make it as far as my host). I think I need to nmap from outside of my ISP.
[edit] I did that, using lynx on my server and an online nmap service and from the point of view of that service there's only the one port open (80)... I don't know why those ports look open from my machine here, but I'm reassured that there's no massive problem here

Yeah, when I scan, I always scan from both the inside and outside and compare the results. If I see more from the inside than from the outside, I know that my local router and firewall are what's making the difference. Taking into consideration upstream filtering helps also.
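As an added example (not code from this thread or from any poster), here is the inside-versus-outside comparison unixfool describes, combined with the two checks Daveo ran: the host's own listener table (netstat/fuser) and the tcptraceroute hop counts per port. It reports, for every port seen anywhere, whether the host really serves it, whether it is loopback-only, or whether something between the scanner and the host is answering for it. The netstat, nmap and hop-count samples are constructed to mirror the thread, not captured output; the service-name map, verdict labels and function names are this example's own.

```python
"""
Cross-check what a port scan reports from two vantage points against the
host's own listener table, to tell ports the host really serves apart from
ports something upstream (an ISP proxy or filter) answers on its behalf.

Sample netstat, nmap and tcptraceroute data is constructed to mirror the
thread; it is not captured output from the original poster's server.
"""
import re

# netstat -tap prints service names unless -n is given; map the names in the
# sample (use `netstat -tapn` or `ss -tlnp` on a real host to avoid this).
SERVICE_PORTS = {"www": 80, "http": 80, "smtp": 25, "mysql": 3306, "ssh": 22}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "[::1]"}

NETSTAT_ON_HOST = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:9999                  *:*                     LISTEN      1085/sshd
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      1167/mysqld
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN      1503/exim4
tcp        0    300 myhostname.net:9999     customer8181.pool:49237 ESTABLISHED 1664/sshd: user [pr
tcp6       0      0 [::]:9999               [::]:*                  LISTEN      1085/sshd
tcp6       0      0 [::]:www                [::]:*                  LISTEN      1538/apache2
"""

NMAP_FROM_ISP = """\
PORT     STATE SERVICE
80/tcp   open  http
110/tcp  open  pop3
1863/tcp open  msnp
3128/tcp open  squid-http
5190/tcp open  aol
8080/tcp open  http-proxy
"""

NMAP_FROM_OUTSIDE = """\
PORT   STATE SERVICE
80/tcp open  http
"""

# tcptraceroute hop count per destination port, measured from the ISP-side box
HOPS_FROM_ISP = {80: 14, 1863: 1, 5190: 1}

OPEN_PORT = re.compile(r"^(\d+)/tcp\s+open\b")


def parse_listeners(netstat_text):
    """Return {port: (scope, program)} for LISTEN sockets; scope is 'exposed' or 'loopback'."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split(None, 6)  # maxsplit keeps a program name containing spaces whole
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        port = int(port) if port.isdigit() else SERVICE_PORTS[port]
        scope = "loopback" if host in LOOPBACK_HOSTS or host.startswith("localhost") else "exposed"
        program = fields[6].split("/", 1)[-1] if len(fields) > 6 else "?"
        # a wildcard or IPv6 listener on a port outranks a loopback-only entry for the same port
        if port not in listeners or scope == "exposed":
            listeners[port] = (scope, program)
    return listeners


def parse_open_ports(nmap_text):
    """Set of TCP ports that nmap's normal output reports as open."""
    ports = set()
    for line in nmap_text.splitlines():
        m = OPEN_PORT.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def classify_ports(listeners, inside_open, outside_open):
    """One verdict per port seen anywhere:
    served         exposed listener, open from outside
    loopback-only  bound to 127.0.0.1/::1 only, never reachable remotely
    upstream       open only from the scanning network and nothing listens here:
                   a device between scanner and host is answering (ISP proxy/filter)
    inside-only    listening and open from the scanning network, not from outside
    no-listener    open from outside although nothing on the host listens: investigate
    not-reachable  exposed listener that neither scan saw (firewall DROP, or the
                   port was outside the scanned range)
    """
    verdicts = {}
    for port in sorted(set(listeners) | inside_open | outside_open):
        scope = listeners.get(port, (None, None))[0]
        if scope == "loopback":
            verdicts[port] = "loopback-only"
        elif port in outside_open:
            verdicts[port] = "served" if scope else "no-listener"
        elif port in inside_open:
            verdicts[port] = "inside-only" if scope else "upstream"
        else:
            verdicts[port] = "not-reachable"
    return verdicts


def intercepted_by_hops(hops, reference_port):
    """Ports that answer in fewer hops than a port the host is known to serve:
    something nearer than the host is replying for them."""
    return {p: h for p, h in hops.items() if h < hops[reference_port]}


def analyse():
    listeners = parse_listeners(NETSTAT_ON_HOST)
    verdicts = classify_ports(listeners, parse_open_ports(NMAP_FROM_ISP),
                              parse_open_ports(NMAP_FROM_OUTSIDE))
    return verdicts, intercepted_by_hops(HOPS_FROM_ISP, 80)


if __name__ == "__main__":
    verdicts, intercepted = analyse()
    for port, verdict in verdicts.items():
        print(f"{port:>5}/tcp  {verdict}")
    print("answered nearer than the host:", intercepted)
```

With the thread's data this marks 80 as served, 25 and 3306 as loopback-only, 110/1863/3128/5190/8080 as upstream, and 9999 as not-reachable (nmap's default scan covers its top 1000 ports, so a listener that neither scan saw may simply be unscanned; rerun with `nmap -p-` before concluding the firewall is the reason). The hop check independently singles out 1863 and 5190, which answer one hop away while port 80 takes fourteen.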

All times are UTC-04:00