-----Original Message----- From: steve [mailto:mail@steve-ss.com] Sent: Friday, May 05, 2006 11:41 AM To: suse-linux-e@suse.com Subject: Re: [SLE] worrying port scan
Hi Ian and thanks for the excellent explanation of filtered and open.
Is your web server directly connected to the internet, or is there a cable/DSL router and/or firewall between it and the rest of the world?
Via an adsl router
If you do `netstat -anet | grep LISTEN`, are there any lines with a local address of "0.0.0.0:21" or "0.0.0.0:23"?
No, here is the output:

/home/steve # netstat -anet | grep LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 0 12241
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 10700
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 0 14074
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 12053
tcp 0 0 :::80 :::* LISTEN 0 13062
Are these the ports that are open to the outside world?
Is xinetd running? Telnet and ftp most often run as xinetd services...
xinetd is not running.
So why did the portscan give me those ports as being open?
Confused! Steve.
FTP and Telnet are _not_ running on your box. I would assume that they're running on the router, and are probably filtered to allow only internal addresses and to drop anything from outside. Looks like you've got the standard local-only Postfix install, a web server, MySQL (you did remember to set the root password, right? :-), and RPC services. Totally vanilla, in other words.
It's a 10.0 install right from the box. Is that what vanilla means? Yes, there's a root password for mysql too.
It's also possible that your ISP has a DROP rule in place for incoming connections to those ports. Many do DROP connections in to certain ports (port 25 and port 80 being the two that are most commonly filtered). If an upstream firewall/ACL is preventing access to those ports and dropping the packets, they would appear in the list designated the same way.
If you've got access to an external box that allows you to portscan, you can probably do a telnet out, right?
Yes it lets me.
Try telneting to yourself, and see what the greeting line turns up...if it's a standard telnet server, it'll probably identify itself.
I get 'connection refused'. That's from my internal box though. Bottom line, do you think this is safe? Cheers and thank you for your excellently clear explanations. Steve.
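The reasoning Ian applies above (a port the scanner reports as open, with no matching LISTEN socket on the host, must be answered or filtered by something upstream) can be checked mechanically. The following is an added example, not code from the thread: it parses the netstat output Steve posted, separates loopback-only listeners from those bound to all interfaces, and compares the latter with a constructed set of scanner results. The scan set {21, 23, 80} is an assumption for illustration (the thread only says 21 and 23 showed up); substitute the real scanner output.

```python
"""Cross-check an external port scan against local LISTEN sockets (added example)."""
from dataclasses import dataclass

# Constructed sample: the netstat -anet | grep LISTEN output quoted in the thread,
# one socket per line.
NETSTAT_OUTPUT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 0 12241
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 10700
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 0 14074
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 12053
tcp 0 0 :::80 :::* LISTEN 0 13062
"""

# Assumption: ports an external scanner reported as open. 21 and 23 come from the
# thread; 80 is added here so that every outcome below has at least one entry.
SCAN_OPEN = {21, 23, 80}

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str   # local bind address (0.0.0.0 / :: mean "all interfaces")
    port: int
    inode: int  # last column with -e: the socket inode

    @property
    def reachable_from_network(self) -> bool:
        # Anything not bound to a loopback address can, in principle,
        # accept connections from other hosts.
        return self.addr not in LOOPBACK


def parse_netstat(text: str) -> list:
    """Parse 'netstat -anet' lines and keep only LISTEN sockets."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        # rsplit handles both '0.0.0.0:3306' and the IPv6 form ':::80'.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append(Listener(fields[0], addr, int(port), int(fields[-1])))
    return listeners


def loopback_only(listeners: list) -> list:
    """Ports that only the local host can reach (e.g. a local-only MTA)."""
    return sorted(l.port for l in listeners if not l.reachable_from_network)


def classify(listeners: list, scan_open: set) -> dict:
    """Compare network-reachable listeners with what the scanner saw."""
    local = {l.port for l in listeners if l.reachable_from_network}
    return {
        # Listening here and confirmed reachable: the host's real exposure.
        "exposed": sorted(local & scan_open),
        # Scanner saw them, but nothing listens here: router/ISP/firewall artefact.
        "not_local": sorted(scan_open - local),
        # Listening here but the scanner did not report them: likely filtered upstream.
        "not_reported": sorted(local - scan_open),
    }


if __name__ == "__main__":
    sockets = parse_netstat(NETSTAT_OUTPUT)
    print("loopback only:", loopback_only(sockets))
    for label, ports in classify(sockets, SCAN_OPEN).items():
        print(f"{label:>13}: {ports}")
```

The "not_local" bucket is the one that matters for the question in the thread: 21 and 23 appear there because nothing on the host listens on them, which points at the ADSL router or an upstream device rather than the server. The "not_reported" bucket (111, 631, 3306 here) is equally worth a look, since services bound to 0.0.0.0 are only safe from the outside for as long as the router keeps filtering them.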
participants (2): Marlier, Ian; steve