I have a CentOS 4.2 machine. lokkit shows that a firewall is enabled, and it is customized to allow SSH, Web, and DNS traffic only.
But if I run nmap against the server IP (from my home machine, outside the local network) it shows over 1000 open ports. Am I not understanding nmap, or is there something seriously wrong here?
Here is a small snip of the nmap output (I can include it all if that is helpful, but it is quite long):
(The 202 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
1/tcp   open  tcpmux
2/tcp   open  compressnet
3/tcp   open  compressnet
4/tcp   open  unknown
5/tcp   open  rje
6/tcp   open  unknown
7/tcp   open  echo
8/tcp   open  unknown
9/tcp   open  discard
11/tcp  open  systat
12/tcp  open  unknown
13/tcp  open  daytime
14/tcp  open  unknown
15/tcp  open  netstat
16/tcp  open  unknown
17/tcp  open  qotd
20/tcp  open  ftp-data
22/tcp  open  ssh
24/tcp  open  priv-mail
25/tcp  open  smtp
26/tcp  open  unknown
On Sun, 2006-02-12 at 15:17 -0500, jim@datamantic.com wrote:
Might as well get a root shell and type...
iptables -L
and see what's up with that.
Craig
On Feb 12, 2006, at 3:22 PM, Craig White wrote:
Thanks for the response. Any advice on understanding this is appreciated.
[root@ash ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
On Sun, 2006-02-12 at 15:30 -0500, Jim Bassett wrote:
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Looks like the rules above are accepting anything for that server. The order of the rules makes a big difference.
On Feb 12, 2006, at 4:23 PM, ryan wrote:
As root,
try service iptables stop && service iptables start
then check iptables -L
Thanks for the replies.
iptables -L shows the same thing after stopping and starting service iptables.
I just did a minimal install of the OS. I've never messed with iptables. I only used lokkit to open up ports for ssh and http and dns. Does it make sense that my iptables -L looks like this? Obviously I have to learn about iptables for myself, and that will take some time - but should I be thinking that something nefarious happened here? Or is it just open everywhere because it is like that by default? (Doesn't seem right.)
Is it over reacting to pull the plug and start over?
Jim Bassett wrote:
Is it over reacting to pull the plug and start over?
Silly question. You are certain that the machine you are probing is your machine, right? The IP address of your cable modem hasn't changed without you knowing it, etc.? (I've done sillier things, which is why I ask.)
It's odd that smtp shows to be open, e.g. Even without the firewall, isn't sendmail configured only to listen on 127.0.0.1?
-Steve
On Feb 12, 2006, at 4:56 PM, Steve Bergman wrote:
I've done sillier things in the past. But I am probing the right machine. It is colocated on a static IP. I just ran it again.
The machine I am using to run nmap is connected to the net through a friend's base station, and I don't know anything about his setup. But I can successfully surf, send mail, and ssh into my server. Is there any chance that even though I am specifying my server IP in nmap, it is instead scanning my friend's machine on my local network?
About smtp: I did just install a mail server, so I guess that is why smtp is open. But I didn't explicitly open the port myself. I can see in netstat that a bunch of stuff is open for mail (and SpamAssassin and ClamAV). Maybe that install messed with iptables?
On Sun, 2006-02-12 at 17:09 -0500, Jim Bassett wrote:
Another possibility: is there a firewall or server in front of the machine you think you are scanning? Is the IP address you are scanning configured directly on that machine, or are you using a NATed address?
I have seen cases before where a machine at an ISP would report odd ports open, but that was the ISP's firewall that sits in front of the actual machine.
But based on the iptables rules you posted, it looks like the order of the rules is the problem. The first two rules allow everything through. Check the contents of /etc/sysconfig/iptables; that is where the rules should be saved.
Scot L. Harris wrote:
So would:
# rpm -e iptables --nodeps
# rm /etc/sysconfig/iptables    (just to be sure)
# yum install iptables
fix his problem?
Of course, that would leave the question of how it was caused in the first place...
-Steve
On Sun, 2006-02-12 at 16:23 -0600, Steve Bergman wrote:
No no no! No need to remove iptables and using nodeps is not recommended.
He needs to reconfigure iptables to have a set of rules that allows the services he wants on that server.
Scot L. Harris wrote:
Perhaps I should have been clearer. There should be no problem with --nodeps when the intent is to turn right around and reinstall the same package.
Also, the reinstall should be followed by:
# system-config-securitylevel
To create a good (and customized) /etc/sysconfig/iptables using the standard config tool, which should get the rule set right. (And if it doesn't, that's a bug.)
-Steve
On Feb 12, 2006, at 5:15 PM, Scot L. Harris wrote:
The machine is in a colocation facility. I'm not sure exactly what that means in terms of firewalls. The IP address is configured directly on the machine.
I am beginning to think you are right and the nmap results I am seeing are not really for the IP address I am attempting to scan. I tried it against another server that I know is locked down and it reported tons of open ports (although not exactly the same ones as on the machine in question here.)
What is the canonical way to get a list of all open ports from the command line? Or maybe it's not so straightforward?
Someone else suggested running netstat -a | grep LISTEN, and that indeed shows only services I would expect.
I understand that iptables is very powerful, and therefore not the easiest tool to use. But I would guess that the setup I want is pretty standard. I've found a bunch of info in google and I am digging in, but are there some iptables cookbook type recipes for a basic web/mail/dns server anyone could point me to?
Thanks for all the replies.
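Scot's diagnosis rests on the two `ACCEPT all -- anywhere anywhere` lines at the top of RH-Firewall-1-INPUT, and Jim asks for a cookbook ruleset for a web/mail/DNS host. What follows is an added example, not code from the thread or from CentOS: a complete /etc/sysconfig/iptables in the same RH-Firewall-1-INPUT layout that system-config-securitylevel writes, plus a small awk checker that flags the ordering mistake under discussion (an unconditional ACCEPT placed before the stateful rule, or a chain that does not end in REJECT/DROP). One check worth making before concluding the saved rules are wrong: plain `iptables -L` does not print interface matches, so a line that reads `ACCEPT all -- anywhere anywhere` may really be `-i lo -j ACCEPT`, the loopback rule every default CentOS 4 ruleset starts with; `iptables -L -v -n` or the file itself shows the difference. The example assumes the host runs sshd, httpd, named and an MTA and nothing else should be reachable from outside; the IPsec, mDNS and CUPS rules of the stock ruleset are left out, and the "bad" ruleset is constructed to exercise the checker.

```shell
#!/bin/sh
# Added example (not from the thread or CentOS): a cookbook
# /etc/sysconfig/iptables for a public web/mail/DNS host in the CentOS 4
# RH-Firewall-1-INPUT layout, plus a checker for the rule-order mistake
# discussed on the list. Assumed services: sshd, httpd (80/443), named,
# an MTA on 25. Load the file with: service iptables restart

# Recommended ruleset in iptables-save format (what /etc/sysconfig/iptables holds).
good_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed broken ruleset: an unconditional ACCEPT before the stateful
# rule. Note that "-i lo -j ACCEPT" also prints as "ACCEPT all -- anywhere
# anywhere" in plain "iptables -L"; only the first rule here is really open.
bad_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_ruleset CHAIN < ruleset
# Exit 0 when CHAIN is sane, 1 otherwise, printing each problem found:
#  1. no "-j ACCEPT" rule lacks every match (-i/-p/-m/-s/-d), i.e. nothing
#     accepts absolutely everything;
#  2. the ESTABLISHED,RELATED rule precedes the first per-port NEW rule;
#  3. the chain ends in REJECT or DROP (default deny).
check_ruleset() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      n++
      line = $0
      if (line ~ /-j ACCEPT/ && line !~ /( -i | -p | -m | -s | -d )/) {
        print "rule " n " accepts everything: " line
        bad = 1
      }
      if (line ~ /--state ESTABLISHED,RELATED/) est = n
      if (line ~ /--state NEW/ && !firstnew) firstnew = n
      last = line
    }
    END {
      if (firstnew && (!est || est > firstnew)) {
        print "ESTABLISHED,RELATED rule must come before per-port NEW rules"
        bad = 1
      }
      if (last !~ /-j (REJECT|DROP)/) {
        print "chain does not end in REJECT/DROP: " last
        bad = 1
      }
      exit bad + 0
    }'
}

# Real use on the server: check_ruleset RH-Firewall-1-INPUT < /etc/sysconfig/iptables
```

The checker reads the saved file rather than `iptables -L` output precisely because the file keeps the `-i lo` and `-m state` matches that the listing hides; the test below shows the good ruleset passing and the constructed one failing on its first rule.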
Someone else suggested running netstat -a | grep LISTEN, and that indeed shows only services I would expect.
Also worth keeping in mind that it's getting more common for ISPs and other providers to filter specific ports or answer for you. Most times this shows up as "Filtered" in nmap, but anything's possible.
-- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775
On 12/02/06, Jim Bassett jim@datamantic.com wrote:
What is the canonical way to get a list of all open ports from the command line? Or maybe it's not so straightforward?
$ netstat -ln
Though netstat -a | grep LISTEN should give the same result I'd have thought.
I understand that iptables is very powerful, and therefore not the easiest tool to use. But I would guess that the setup I want is pretty standard. I've found a bunch of info in google and I am digging in, but are there some iptables cookbook type recipes for a basic web/mail/dns server anyone could point me to?
The O'Reilly Linux Server Security book covers firewalling in quite an easy to understand fashion and there's a decent bastion host firewall script which is well commented...
http://examples.oreilly.com/linuxss2/
Will.
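Will's `netstat -ln` (and the `netstat -a | grep LISTEN` Jim already ran) lists what the host itself is listening on, which is the ground truth a scan from someone else's network cannot replace: a device in the path, such as the friend's base station or an ISP filter, can answer for ports the server never opened. The script below is an added example, not from the thread: it parses a constructed `netstat -ln` listing in the format CentOS 4 prints, ignores sockets bound to 127.0.0.1 (spamd, clamd and CUPS in this sample, which are unreachable from outside whatever iptables says), and reports anything bound to all interfaces that the firewall's allow-list does not cover. The sample output, the port numbers and the allow-list are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare what the host really
# listens on (netstat -ln) with the ports the firewall is meant to allow.
# The netstat output below is constructed in the CentOS 4 format.

# Constructed netstat -ln output for a web/mail/DNS host. The 127.0.0.1
# sockets stand in for spamd (783), clamd (3310) and CUPS (631); portmap
# (111) is the kind of service that ends up listening without being asked.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     5832   /var/run/dbus/system_bus_socket
EOF
}

# exposed_listeners "ALLOWED" < netstat-output
# ALLOWED is a space-separated list such as "tcp/22 udp/53". Prints one
# line per socket bound to a non-loopback address whose proto/port is not
# in ALLOWED; exit status 1 if any were found, 0 otherwise.
exposed_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
      addr = $4; port = $4
      sub(/:[^:]*$/, "", addr)      # drop ":port" -> bind address
      sub(/.*:/, "", port)          # drop "addr:" -> port number
      # Loopback-only sockets cannot be reached from outside regardless of iptables
      if (addr == "127.0.0.1" || addr == "::1") next
      key = $1 "/" port
      if (!(key in ok)) { print key " on " addr; found = 1 }
    }
    END { exit found + 0 }'
}

# Real use on the server itself (netstat comes from net-tools):
#   netstat -ln | exposed_listeners "tcp/22 tcp/25 tcp/53 udp/53 tcp/80 tcp/443"
```

Against the sample the only findings are tcp/111 and udp/111 (portmap), which is exactly the kind of listener that should either be shut off or stay blocked by the REJECT at the end of RH-Firewall-1-INPUT; the smtp port that looked surprising in the nmap output is simply the MTA Jim installed, and it belongs on the allow-list of a mail server.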
This might be silly, but could you remotely ssh into that machine and run nmap pointing at its IP address, so you could find out with no doubt which ports are open?
Have a nice day
CentOS mailing list, CentOS@centos.org, http://lists.centos.org/mailman/listinfo/centos
-----Original Message-----
Subject: Re: [CentOS] nmap showing lots of ports open that shouldn't be
Jim,
What boggles my mind is that there should be processes answering on all those ports for nmap to respond, unless I am mistaken. As you have stated: (Doesn't seem right.)
Brian.