RE: [suse-security] TCP port 113
Hey Marc,

First, the output of netstat:

linux2:/var/log # netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      737/httpd
tcp        0      0 :::22                   :::*                    LISTEN      720/sshd
linux2:/var/log #

and the nmap output from another machine:

linux1:/home/labuser # nmap -sS 10.51.103.115

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (10.51.103.115):
(The 1545 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    closed      auth
443/tcp    closed      https

Nmap run completed -- 1 IP address (1 host up) scanned in 160 seconds
linux1:/home/labuser #

How do I turn off this TCP port 113?

Thanks,
Oliver
===== Original Message From "Herbrechter, Marc" =====

oliver.z wrote:

Could anyone explain to me why I get different results when I do nmap -sS <ip> from a remote site against my system and when I do nmap -sS localhost on my system?
You are running a packet filter, so you should know.
From the remote site I get results with a closed TCP port 113; with nmap on localhost, not.
"Not" what? "Not" closed, "not" open? What does 'netstat -ltnp' say?
And of course, why does the system respond on TCP port 113, even if inetd is not started?
Port 113 is the identd. It is not fired up by inetd in most cases.
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
On Tuesday, 16 July 2002 12:03, oliver.z wrote:
Hey Marc
First, the output of netstat:

linux2:/var/log # netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      737/httpd
tcp        0      0 :::22                   :::*                    LISTEN      720/sshd
linux2:/var/log #
I think the port is being announced as closed because port 113/TCP is being REJECTED instead of denied, to accelerate access to services that do an ident lookup (ftp, for example). If it were denied, the server would wait for a long, long timeout. You can check this with "iptables -nL -v | grep 113".

Bjoern

--
"The number of Unix installations has grown to ten, with more expected"
[ The Unix programmers manual, 1972 ]
Hi,

The port 113/tcp _is_ closed!!! The firewall rule for port 113 is IMHO REJECT, not DROP, to avoid long timeouts for ftp. Try something like

ip[tables|chains] -L -n | grep 113

Greetings
Daniel
Hi,

On Tue, Jul 16, 2002 at 01:19:21PM +0200, oliver.z wrote:
Yeah, indeed the port is in reject mode, OK, that's fine. But I don't use ftp, sendmail and so on, only http and ssh.
What's the problem? Just teach your firewall to DENY packets on port 113. Have a look at man ip[tables|chains], or your SuSEfirewall[2] script, or both ;-)
From my point of view, TCP port 113 should not appear in any scan!
What would be your benefit if the port is not listed as closed but instead is listed as filtered?!
Is there a way to do that?

Yes ;-)
Greetings
Daniel

PS: I don't need every mail twice. Please only reply to the list.
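The distinction the whole thread turns on (a refused connection reads as "closed" in nmap and returns at once, whether the port is really closed or an iptables REJECT answered with a RST; a DROPped packet produces no answer, reads as "filtered", and leaves an ident-lookup daemon such as ftp or sendmail sitting in its timeout) can be reproduced offline. The following Python script is an added example and is not code from any of the posters. The fake identd, the port numbers and the query values are constructed for the demonstration; only the RFC 1413 request and reply format is the real protocol.

```python
import socket
import threading
import time

IDENT_PORT = 113  # RFC 1413 "auth"/ident service, the port discussed in the thread


def probe_port(host, port, timeout=3.0):
    """Classify a TCP port the way the nmap output in the thread does.

    closed   : the connect was refused with a RST. A genuinely closed port does
               this, and so does an iptables REJECT rule, which is why the scan
               showed 113/tcp as "closed" although nothing listens there.
    filtered : nothing came back before the timeout, which is what a DROP rule
               produces (the "1545 ports ... filtered" in the scan).
    open     : the three-way handshake completed.
    Returns (state, elapsed_seconds) so the cost of a DROP becomes visible.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "filtered"
    return state, time.monotonic() - start


def ident_query(host, port_on_target, port_on_querier, timeout=3.0, ident_port=IDENT_PORT):
    """Send one RFC 1413 query ("<port-on-server> , <port-on-client>") and
    return the reply line, or None if the ident port refused or timed out.

    This is what an ftp or sendmail daemon does for every incoming connection:
    it connects back to port 113 on the client and asks who owns the
    connection. With REJECT the connect fails immediately and the daemon moves
    on; with DROP it waits for the full timeout before giving up.
    """
    request = f"{port_on_target} , {port_on_querier}\r\n".encode("ascii")
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            reply = s.recv(512)
    except (ConnectionRefusedError, socket.timeout):
        return None
    return reply.decode("ascii", "replace").strip()


def start_fake_identd(host="127.0.0.1"):
    """Constructed stand-in for identd (demonstration only, not a real daemon).

    Listens on an ephemeral loopback port and answers every query with the
    RFC 1413 "ERROR : NO-USER" reply. Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                query = conn.recv(512).decode("ascii", "replace").strip()
                conn.sendall(f"{query} : ERROR : NO-USER\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port so nothing listens on it.
    Connecting there gets a RST, i.e. the "closed" case of the scan."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    identd = start_fake_identd()
    closed = reserve_closed_port()
    # Constructed query: who on the target owns local port 50000 talking to our port 21?
    print("fake identd   :", probe_port("127.0.0.1", identd))
    print("closed port   :", probe_port("127.0.0.1", closed))
    print("ident reply   :", ident_query("127.0.0.1", 50000, 21, ident_port=identd))
    print("ident refused :", ident_query("127.0.0.1", 50000, 21, ident_port=closed))
```

Run against a real host, probe_port(host, 113) against a REJECT rule returns "closed" within milliseconds, while a DROP rule only returns "filtered" after the full timeout; that elapsed time is exactly what an ident-querying ftp or sendmail daemon would spend on every connection from the scanned machine, which is why both replies above recommend REJECT unless, as Oliver says, no such service is in use.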
Participants (3):
- Bjoern Engels
- Daniel Lord
- oliver.z