Open Ports on Webserver - Why
Hi,

I tested my SUSE 7.2 Webserver with two Portscanners and both gave me the same result:

389 Lightweight Directory Access Protocol
1720 h323hostcall

The first, LDAP, I don't know why this is open, it's not installed!? And the 2nd, the H323 protocol, which is used by, for example, MS Netmeeting, the same question.

I searched with 'netstat -ap' for PIDs of some unknown processes and then I had a look at them with 'ps aux | grep <PID>', but there was nothing unusual.

Can that be or is there something wrong with the Portscanner?

THX
Florian
> I tested my SUSE 7.2 Webserver with two Portscanners and both gave me the same result:
> 389 Lightweight Directory Access Protocol
> 1720 h323hostcall
Sometimes these portscanners do not show what's going on. I have Norton AV installed, which opens a local port for POP3 and SMTP for mail scanning as loopback. I see these ports open on all machines, which is fake! The scanner interprets these locally loopbacked open ports as open ports on the system.

I would test GFI's LANguard for basic security testing (beta 3 shows out-of-date daemons and much more). Configure your machine so that no open port's banner shows the version of the daemon, so it is harder to find out where the bugs are in your system.

Please check your local machine, from which you scanned, for loopbacked ports (all TCP will be forwarded through these ports and is interpreted as shown above). Check again from another PC whether the same ports are open.

Philippe
On Sun, Aug 04, 2002 at 11:37:34PM +0200, Florian Schießl wrote:
> 389 Lightweight Directory Access Protocol
> 1720 h323hostcall
> I searched with 'netstat -ap' for PIDs of some unknown processes and then I had a look at them with 'ps aux | grep <PID>', but there was nothing unusual.
Does netstat report these ports as open?

Olaf
--
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
> Does netstat report these ports as open?
No, with netstat -l -n they are not listed. Here it is:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN

Only the "normal" services of my server...

Florian
Hi again!

When I close the whole server with iptables, the portscanner says the same.

iptables -P INPUT DROP
iptables -P OUTPUT DROP

The scanner says that pop, smtp, http, ... and the other mentioned ports are open? Huh?

And before that I tried lsof | grep tcp and | grep LISTEN... There is nothing unusual...?

Florian
Florian Schießl wrote:
> When I close the whole server with iptables, the portscanner says the same.
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> The scanner says that pop, smtp, http, ... and the other mentioned ports are open? Huh?
Understand your portscanner. If your utility expects a tcp-reset packet after a syn-packet to a closed port, your DROP-rules cause the scanner to misreport the open ports list.

Peter
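The two checks raised in this thread, as an added example that is not part of any poster's message: it classifies what a TCP connect probe actually observed, showing how a scanner that treats "no RST" as open misreports DROPped ports, and it compares a scanner report against the `netstat -l -n` listeners. The function names and the REPORTED_OPEN list are assumptions constructed for illustration; the netstat lines are the ones posted above.

```python
import socket

# Listener lines as posted in the thread (netstat -l -n on the scanned server).
NETSTAT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
"""
# Constructed scanner report, built from the ports named in the thread.
REPORTED_OPEN = [25, 80, 110, 389, 1720]

def probe(host, port, timeout=1.0):
    """TCP connect probe: 'synack' (accepted), 'rst' (refused) or 'none'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "synack"
    except ConnectionRefusedError:
        return "rst"
    except OSError:  # timeout or ICMP error: the port itself never answered
        return "none"
    finally:
        s.close()

def naive_state(obs):
    """Scanner that treats every port without an RST as open."""
    return "closed" if obs == "rst" else "open"

def strict_state(obs):
    """Only a completed handshake is open; silence is 'filtered'."""
    return {"synack": "open", "rst": "closed"}.get(obs, "filtered")

def listening_ports(netstat_text):
    """Local TCP ports in LISTEN state from `netstat -l -n` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def unexplained(reported, netstat_text):
    """Ports the scanner calls open that have no local listener."""
    return sorted(set(reported) - listening_ports(netstat_text))
```

Ports returned by `unexplained` are the ones to re-test from a second machine, since nothing on the server itself is listening on them.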
Participants: Florian Schießl, Olaf Kirch, Peter Wiersig, Philippe Vogel