Re: [fw-wiz] Port 37628....Is it just another port or out of the extra ordinary???

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/22/04

  • Next message: Jean-Denis Gorin: "Re: irc was Re: [fw-wiz] iso 17799"
    To: firewall-wizards <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 22 Jul 2004 13:15:46 +0530
    
    

    On 21/07/04 16:52 -0700, InHisGrip wrote:
    >
    > Hi everyone,
    >
    > I have setup an apache web server in my small home
    > network and have configured this web server by
    > enabling port forwarding for web requests and
    > redirection using a non standard port other than port
    > 80. I have also used my dns registrar/provider in

    Assuming that the world can access this on port 80 on your public IP,
    the non standard port is not likely to be a very useful step.

    > particular dyndns.org to do the job of custom dns and
    > redirecting web traffic on my host
    > machine.
    >
    > My question is related to security/firewall and in
    > particular with linux ports being compromised. Based
    Daemons (services in Windows terms) get compromised. A port is just a 16-bit
    integer.

    > from the information below, can anyone please let me
    > know if the information I have attached based on open
    > ports or listening ports on the output will somehow
    > compromise my small home network or the linux web
    > server box I have just set up?

    Which of those services should be available publicly? Ask a friend to
    run nmap on your home IP from the real world.

    > Oh, by the way, just wanted to make sure because I
    > have placed the web server in a DMZ port and zone
    > from my linksys router and I think but not sure that
    > I am being shielded and protected at least? Likewise, I

    Not necessarily.

    > have enabled advanced firewall protection on my
    > linksys router. Am I just paranoid, or is there
    > something to get alarmed especially on port 37628
    > which has a LISTEN state on all interfaces or on the
    > Internet?

    You should be alarmed if there is something that you don't know
    happening on your system. By default. Paranoia is good for you.

    >
    > Here is a copy of my netstat -an output:
    I would suggest netstat -lnp on Linux. This needs to be run as root to
    get program name information.

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 853/httpd
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 797/sshd

    Here is a sample output from my system. This shows ports 80 (my little
    webserver, serving a few static pages for when I need to point people on
    IRC to usable configuration files.) and sshd (I do need to access this
    system remotely.)

    Without the -p output, it is hard to know what is happening, but I will
    make a few reasonable guesses.

    > Active Internet connections (servers and established)
    > Proto Recv-Q Send-Q Local Address Foreign Address State
    > tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
    This could be anything. I would have said a rpc service, but this is
    TCP.

    > tcp 0 0 127.0.0.1:32769 0.0.0.0:* LISTEN
    > tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
    These are only on your loopback, most likely rpc.

    > tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
    The portmapper service. If you are not using nfs, turn this off.

    > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

    sshd. If you don't need to access this system remotely, turn this off.

    > tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
    Sendmail on loopback, looks like a redhat system to me.

    > tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN
    This is Apache, serving http.

    > tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
    Apache serving https.

    > udp 0 0 0.0.0.0:32768 0.0.0.0:*
    >
    > udp 0 0 0.0.0.0:750 0.0.0.0:*
    >
    > udp 0 0 0.0.0.0:111 0.0.0.0:*

    Definitely looks like rpc to me.

    <snip unix sockets>

    > I am asking this question because the URL below
    > mentioned about a trojan on his system and this could
    > also be happening to mine. Is this a security threat
    > both on UDP and TCP ports 32768 among others?

    Possibly. Possibly not. Everything on the Internet that you do not know is
    dangerous. Turn off all services that you do not need. ntsysv is a quick
    way of doing things on RedHat. Then init 1 and init 3.
    > http://www.linuxquestions.org/questions/archive/4/2002/01/2/11641
    >
    > Any tips or thoughts on how to eliminate this threat
    > would be highly appreciated. Thanks in advance.

    The first thing to do is to determine if it is truly a threat.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
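The reply's advice comes down to reading the listener list and asking two questions of each socket: is it bound to every interface (so it is reachable once the router forwards to this host) and which program owns it. As an added example that is not part of the original thread, the Python below parses `netstat -lnp`-style output and flags wildcard-bound listeners whose owning program is unknown; the sample is constructed from the quoted lines, and the PIDs and program names in it are assumptions.

```python
import re
from collections import namedtuple

# netstat -lnp layout: proto recv-q send-q local foreign [state] [pid/program].
# UDP rows have no State column; the program column is "-" unless run as root.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+"
    r"(?:\s+(?P<state>LISTEN))?(?:\s+(?P<prog>\d+/\S+|-))?\s*$"
)

Listener = namedtuple("Listener", "proto port bind program")

def classify_bind(addr):
    """Wildcard binds answer on any interface the router forwards to."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return addr

def parse_netstat(text):
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, unix sockets, wrapped fragments
        # TCP counts only in LISTEN; a bound UDP socket is always reachable.
        if m["proto"].startswith("tcp") and m["state"] != "LISTEN":
            continue
        prog = m["prog"]
        name = prog.split("/", 1)[1] if prog and prog != "-" else "unknown"
        listeners.append(Listener(m["proto"], int(m["lport"]), classify_bind(m["laddr"]), name))
    return listeners

def exposed_unknown(listeners):
    """The case the reply warns about: answering on every interface, owner unknown."""
    return [l for l in listeners if l.bind == "all interfaces" and l.program == "unknown"]

# Constructed sample modelled on the thread's output; PIDs and names are assumed.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 0.0.0.0:32768   0.0.0.0:*       LISTEN  -
tcp        0      0 127.0.0.1:783   0.0.0.0:*       LISTEN  -
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN  612/portmap
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  797/sshd
tcp        0      0 127.0.0.1:25    0.0.0.0:*       LISTEN  901/sendmail
tcp        0      0 0.0.0.0:8090    0.0.0.0:*       LISTEN  853/httpd
udp        0      0 0.0.0.0:111     0.0.0.0:*               612/portmap
"""
```

Run `exposed_unknown(parse_netstat(SAMPLE))` on the sample and only tcp/32768 comes back; on a real box, run netstat as root first so the program column is filled in, then compare the remaining wildcard listeners against the list of services you actually meant to expose.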

