Re: [suse-security] ipchains and Portscan (another possibility)
Check /etc/inetd.conf and disable all listed ports / services!

Kind regards,
Bruno Leonhardt
CLP Domino R5 System Administrator
-----------
AnalyTek Systemhaus
Hospital Str. 2a
D-65589 Hadamar
Phone: 06433/81403-15
Fax: 06433/81403-40
Visit us on the Internet at: http://www.analytek.de

Volker Spies <v.spies@ascaron.com>
27.11.02 10:58
To: suse-security@suse.com
Cc:
Subject: [suse-security] ipchains and Portscan

Hello,

I have problems with my ipchains firewall. When I run a portscan with nmapwin to my linux box from the internet, it shows me the following ports as open:

7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
18/tcp open msp
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
43/tcp open whois
53/tcp open domain
70/tcp open gopher
79/tcp open finger
80/tcp open http
81/tcp open hosts2-ns
88/tcp open kerberos-sec
109/tcp open pop-2
110/tcp open pop-3
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap2
389/tcp open ldap
443/tcp open https
465/tcp open smtps
513/tcp open login
554/tcp open rtsp
563/tcp open snews
569/tcp open ms-rome
636/tcp open ldapssl
749/tcp open kerberos-adm
993/tcp open imaps
995/tcp open pop3s
1002/tcp open unknown
1494/tcp open citrix-ica
1720/tcp open H.323/Q.931
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
5190/tcp open aol
5400/tcp open pcduo-old
6667/tcp open irc
7000/tcp open afs3-fileserver
7070/tcp open realserver
10000/tcp open snet-sensor-mgmt
12000/tcp open cce4x

The only services that are running to the outside:

Sshd
Httpd
Ftpd

There are other services, but they are not reachable from outside:

Smtp
Imap
Squid
Webmin

The rest is definitely blocked by the firewall rules (only to outside interface). The firewall log shows that the ports are blocked. I see the portscan and I see that, for example, Port 25 is denied.

Weird: On Port 10000 I've webmin running, only reachable from the inside. Why does nmap show snet-sensor-mgmt ????

Why does nmapwin (and other port scanners) show that so many ports are in the state OPEN???

By the way, when I start nmap locally on the firewall, then it shows the correct ports open:

Sshd
Httpd
Ftpd
Smtp
Imap
Squid
webmin

Best regards
Volker
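
The check suggested in the reply, as an added example that is not part of the original messages: a small shell function that lists the entries inetd would actually start from an inetd.conf-style file, so they can be compared with the scan result. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the active (uncommented) entries of an inetd.conf file.
# Fields per inetd.conf(5):
#   service  socket-type  protocol  wait-flag  user  server-program  [args]

list_inetd_services() {
    # $1: path to an inetd.conf-style file
    awk '
        $1 ~ /^#/ || NF < 6 { next }   # skip comments, blank and short lines
        {
            # "internal" means the service is handled by inetd itself
            kind = ($6 == "internal") ? "inetd built-in" : $6
            printf "%s/%s\t%s\n", $1, $3, kind
        }
    ' "$1"
}

# Constructed sample input, not taken from the original post.
make_sample_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
echo     stream  tcp  nowait  root  internal
discard  stream  tcp  nowait  root  internal
# chargen stream tcp nowait root internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
time     dgram   udp  wait    root  internal
EOF
}

sample=$(mktemp)
make_sample_conf > "$sample"
list_inetd_services "$sample"   # on a real system: list_inetd_services /etc/inetd.conf
rm -f "$sample"
```

Entries are disabled by commenting them out with `#`; inetd re-reads its configuration when it receives SIGHUP.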
participants (1): BLeonhardt@analytek.de