Sounds like exactly what you're seeing. I know our WatchGuard Firebox proxies FTP connections, so it looks like every box has FTP installed even if they don't.
-Drew
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Scot L. Harris
Sent: Wednesday, August 17, 2005 3:08 PM
To: CentOS mailing list
Subject: Re: [CentOS] Strange TCP ports phenomena
On Wed, 2005-08-17 at 14:31, Dominik Składanowski wrote:
Hello list.
I have a new server on CentOS 4.1 - fresh installation. During security tests I've noticed:
When I scan the server's ports (nmap) from the outside, TCP port 21 is open. But when I check on the server (netstat -tan or lsof -i), there is no open TCP port 21.
Any ideas? To be honest I'm confused.
Regards
P.S.: Of course I haven't started an FTP service. I don't even have an FTP server installed.
Do you have a router/firewall in front of your server? If you are using something like http://www.grc.com to scan from the Internet, you are probably getting a response from the router/firewall in front of your server, not from the server itself.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
A few days ago I had another server on the same IP (it's the IP for tests before production), which was an FTP server. So maybe that's the reason?
On Wed, 2005-08-17 at 15:45, Dominik Składanowski wrote:
> A few days ago I had another server on the same IP (it's the IP for tests before production), which was an FTP server. So maybe that's the reason?
If the current server does not have those ports open they should show as closed or stealthed. I believe that you have a device providing NAT in front of your machine and it has that port open for some reason.
Is that at an ISP or a home network?
There is no NAT in front of this machine. Besides, it has a public IP.
On Wed, 2005-08-17 at 16:23, Dominik Składanowski wrote:
> There is no NAT in front of this machine. Besides, it has a public IP.
What does netstat -l show?
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address            Foreign Address  State
tcp        0      0 *:imaps                  *:*              LISTEN
tcp        0      0 *:pop3s                  *:*              LISTEN
tcp        0      0 server.domain.pl:10024   *:*              LISTEN
tcp        0      0 server.domain.pl:10025   *:*              LISTEN
tcp        0      0 *:pop3                   *:*              LISTEN
tcp        0      0 server.domain.pl:783     *:*              LISTEN
tcp        0      0 *:imap                   *:*              LISTEN
tcp        0      0 server.domain.pl:domain  *:*              LISTEN
tcp        0      0 server.domain.pl:domain  *:*              LISTEN
tcp        0      0 *:smtp                   *:*              LISTEN
tcp        0      0 server.domain.pl:rndc    *:*              LISTEN
tcp        0      0 *:afs3-vlserver          *:*              LISTEN
tcp        0      0 *:http                   *:*              LISTEN
tcp        0      0 *:ssh                    *:*              LISTEN
tcp        0      0 *:smtp                   *:*              LISTEN
tcp        0      0 ::1:rndc                 *:*              LISTEN
tcp        0      0 *:https                  *:*              LISTEN
udp        0      0 *:32768                  *:*
udp        0      0 server.domain.pl:domain  *:*
udp        0      0 server.domain.pl:domain  *:*
udp        0      0 *:32769                  *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags     Type   State     I-Node Path
unix  2      [ ACC ]   STREAM LISTENING 6010   /tmp/.font-unix/fs7100
unix  2      [ ACC ]   STREAM LISTENING 6030   /var/run/saslauthd/mux
unix  2      [ ACC ]   STREAM LISTENING 27404  /tmp/.X11-unix/X1003
unix  2      [ ACC ]   STREAM LISTENING 27468  /tmp/orbit-webmaster/linc-19fb-0-5a733f9ac78cf
unix  2      [ ACC ]   STREAM LISTENING 6054   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]   STREAM LISTENING 27477  /tmp/orbit-webmaster/linc-19ef-0-2c46999c853f
unix  2      [ ACC ]   STREAM LISTENING 27627  /tmp/.ICE-unix/6639
unix  2      [ ACC ]   STREAM LISTENING 27636  /tmp/keyring-NYpDeq/socket
unix  2      [ ACC ]   STREAM LISTENING 27684  @/tmp/fam-webmaster-
unix  2      [ ACC ]   STREAM LISTENING 27647  /tmp/orbit-webmaster/linc-1a00-0-53755928eaa15
unix  2      [ ACC ]   STREAM LISTENING 5369   /var/run/clamav/clamd.sock
unix  2      [ ACC ]   STREAM LISTENING 14468  public/cleanup
unix  2      [ ACC ]   STREAM LISTENING 27669  /tmp/orbit-webmaster/linc-1a02-0-4f3764207dba
unix  2      [ ACC ]   STREAM LISTENING 27780  /tmp/orbit-webmaster/linc-1a29-0-119ee8349c3af
unix  2      [ ACC ]   STREAM LISTENING 14475  private/rewrite
unix  2      [ ACC ]   STREAM LISTENING 27949  /tmp/mapping-webmaster
unix  2      [ ACC ]   STREAM LISTENING 14479  private/bounce
unix  2      [ ACC ]   STREAM LISTENING 27814  /tmp/orbit-webmaster/linc-1a2d-0-4f376420c8f39
unix  2      [ ACC ]   STREAM LISTENING 14483  private/defer
unix  2      [ ACC ]   STREAM LISTENING 14487  private/trace
unix  2      [ ACC ]   STREAM LISTENING 27842  /tmp/orbit-webmaster/linc-1a2f-0-4f376420ce04d
unix  2      [ ACC ]   STREAM LISTENING 14491  private/verify
unix  2      [ ACC ]   STREAM LISTENING 27852  /tmp/orbit-webmaster/linc-1a31-0-4f376420d9fa8
unix  2      [ ACC ]   STREAM LISTENING 14495  public/flush
unix  2      [ ACC ]   STREAM LISTENING 27918  /tmp/orbit-webmaster/linc-1a3a-0-1f8a01562e50c
unix  2      [ ACC ]   STREAM LISTENING 14499  private/proxymap
unix  2      [ ACC ]   STREAM LISTENING 27973  /tmp/orbit-webmaster/linc-1a46-0-797478ceb5ad9
unix  2      [ ACC ]   STREAM LISTENING 27999  /tmp/orbit-webmaster/linc-1a37-0-797478cee535e
unix  2      [ ACC ]   STREAM LISTENING 28021  /tmp/orbit-webmaster/linc-1a48-0-2b54eb092d0ba
unix  2      [ ACC ]   STREAM LISTENING 28051  /tmp/orbit-webmaster/linc-1a4a-0-2b54eb097974b
unix  2      [ ACC ]   STREAM LISTENING 28080  /tmp/orbit-webmaster/linc-1a4c-0-2b54eb099a5e0
unix  2      [ ACC ]   STREAM LISTENING 28156  /tmp/orbit-webmaster/linc-1a4e-0-30c03dfb20aae
unix  2      [ ACC ]   STREAM LISTENING 14503  private/smtp
unix  2      [ ACC ]   STREAM LISTENING 14507  private/relay
unix  2      [ ACC ]   STREAM LISTENING 14512  public/showq
unix  2      [ ACC ]   STREAM LISTENING 14516  private/error
unix  2      [ ACC ]   STREAM LISTENING 14520  private/local
unix  2      [ ACC ]   STREAM LISTENING 14524  private/virtual
unix  2      [ ACC ]   STREAM LISTENING 14528  private/anvil
unix  2      [ ACC ]   STREAM LISTENING 14532  private/maildrop
unix  2      [ ACC ]   STREAM LISTENING 14536  private/old-cyrus
unix  2      [ ACC ]   STREAM LISTENING 14540  private/cyrus
unix  2      [ ACC ]   STREAM LISTENING 14544  private/uucp
unix  2      [ ACC ]   STREAM LISTENING 14548  private/ifmail
unix  2      [ ACC ]   STREAM LISTENING 14552  private/bsmtp
unix  2      [ ACC ]   STREAM LISTENING 14560  private/smtp-amavis
unix  2      [ ACC ]   STREAM LISTENING 5757   /dev/gpmctl
unix  2      [ ACC ]   STREAM LISTENING 5310   /var/run/dovecot-login/default
unix  2      [ ACC ]   STREAM LISTENING 5092   /var/run/acpid.socket
On Wed, 2005-08-17 at 16:38, Dominik Składanowski wrote:
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address            Foreign Address  State
> tcp        0      0 *:imaps                  *:*              LISTEN
> tcp        0      0 *:pop3s                  *:*              LISTEN
> tcp        0      0 server.domain.pl:10024   *:*
Does not appear you have ftp open on this machine. I still think you have some kind of router or device in front of your system that has that port open.
I forgot... I'm testing this server from home, where I'm behind NAT.
On Wed, 2005-08-17 at 16:53, Dominik Składanowski wrote:
> I forgot... I'm testing this server from home, where I'm behind NAT.
DOH!! :)
Then check the NAT router. Pretty sure that is where you will find the port open. Most likely you had it opened for the previous test you mentioned. Turn off the port forwarding and your scan should show what you expect.
Thanks.
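
The comparison the thread works through by hand, as an added example that is not part of the original messages: it lists TCP ports an outside nmap scan reports open that have no LISTEN socket in the server's own netstat output. The function names, the input formats (`nmap -oG -` grepable output, `netstat -tan`) and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: ports open from outside but not listening locally are being
# answered by a device in the path (NAT router, proxying firewall), not the server.

# TCP ports marked open in nmap grepable (-oG) output read from stdin.
scanned_open() {
    awk '/Ports:/ {
        sub(/^.*Ports: /, "")
        sub(/\t.*$/, "")                 # drop the trailing "Ignored State" field
        n = split($0, entry, /, */)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")      # port/state/proto/owner/service/...
            if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
    }' | sort -n -u
}

# TCP ports with a LISTEN socket in `netstat -tan` output read from stdin.
local_listening() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":")            # works for 0.0.0.0:25 and :::22
        print a[n]
    }' | sort -n -u
}

# $1 = nmap -oG text, $2 = netstat -tan text; prints the unexplained ports.
unexplained_ports() {
    listen=$(printf '%s\n' "$2" | local_listening)
    printf '%s\n' "$1" | scanned_open | while read -r port; do
        printf '%s\n' "$listen" | grep -qx "$port" || echo "$port"
    done
}

# Constructed sample data (documentation addresses, not taken from the thread).
SAMPLE_SCAN=$(printf 'Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/open/tcp//smtp///, 111/closed/tcp//rpcbind///\tIgnored State: filtered (996)')
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40112      ESTABLISHED'

unexplained_ports "$SAMPLE_SCAN" "$SAMPLE_NETSTAT"
```

A port printed here points at a device between scanner and server; repeating the scan from a vantage point that is not behind the same NAT router shows which side of the path that device is on.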