Re: n00b ipf/ipnat questions
From: Redmond Militante (r-militante@northwestern.edu)
Date: 02/11/03
- Next message: Nigel Houghton: "Re: n00b ipf/ipnat questions"
- Previous message: Redmond Militante: "Re: n00b ipf/ipnat questions"
- Maybe in reply to: Redmond Militante: "n00b ipf/ipnat questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Feb 2003 12:52:26 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: John Fulcher <jfulcher@us-south.net>, freebsd-security@freebsd.org
ok.
sockstat on the machine i'm running nmap from
-------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 29207 5 tcp4 129.x.x.20:22 129.x.x.22:49176
root ssh 28858 3 tcp4 129.x.x.20:2641 129.x.x.35:22
root sshd 27242 5 tcp4 129.x.x.20:22 129.x.x.23:1076
www httpd 25325 16 tcp4 *:80 *:*
www httpd 25324 16 tcp4 *:80 *:*
www httpd 6649 16 tcp4 *:80 *:*
www httpd 407 16 tcp4 *:80 *:*
www httpd 378 16 tcp4 *:80 *:*
root perl 182 3 tcp4 *:10000 *:*
root perl 182 4 udp4 *:10000 *:*
mysql mysqld 181 5 tcp4 *:3306 *:*
www httpd 178 16 tcp4 *:80 *:*
www httpd 177 16 tcp4 *:80 *:*
www httpd 176 16 tcp4 *:80 *:*
www httpd 175 16 tcp4 *:80 *:*
www httpd 174 16 tcp4 *:80 *:*
nobody proftpd 168 0 tcp4 *:21 *:*
root httpd 150 16 tcp4 *:80 *:*
root sendmail 96 3 tcp4 *:25 *:*
root sendmail 96 5 tcp4 *:587 *:*
root sshd 91 4 tcp4 *:22 *:*
root syslogd 72 5 udp4 *:514 *:*
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 91 3 tcp46 *:22 *:*
root syslogd 72 4 udp6 *:514 *:*
USER COMMAND PID FD PROTO ADDRESS
www httpd 407 5 stream (none)
www httpd 378 5 stream (none)
root login 186 3 dgram syslogd[72]:3
root login 185 3 dgram syslogd[72]:3
mysql mysqld 181 6 stream /tmp/mysql.sock
www httpd 177 5 stream (none)
www httpd 176 5 stream (none)
www httpd 175 5 stream (none)
nobody proftpd 168 3 dgram syslogd[72]:3
smmsp sendmail 99 3 dgram syslogd[72]:3
root sendmail 96 4 dgram syslogd[72]:3
root syslogd 72 3 dgram /var/run/log
sockstat on the gateway machine
-------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 825 5 tcp4 129.x.x.35:22 129.x.x.20:2666
root ssh 491 3 tcp4 192.168.1.1:1151 192.168.1.50:22
root sshd 482 5 tcp4 129.x.x.35:22 129.x.x.20:2641
root sendmail 105 3 tcp4 *:25 *:*
root sendmail 105 5 tcp4 *:587 *:*
root sshd 100 4 tcp4 *:22 *:*
root portsent 99 0 tcp4 *:1 *:*
root portsent 99 1 tcp4 *:11 *:*
root portsent 99 2 tcp4 *:15 *:*
root portsent 99 3 tcp4 *:79 *:*
root portsent 99 4 tcp4 *:111 *:*
root portsent 99 5 tcp4 *:119 *:*
root portsent 99 6 tcp4 *:143 *:*
root portsent 99 7 tcp4 *:540 *:*
root portsent 99 8 tcp4 *:635 *:*
root portsent 99 9 tcp4 *:1080 *:*
root portsent 99 10 tcp4 *:1524 *:*
root portsent 99 11 tcp4 *:2000 *:*
root portsent 99 12 tcp4 *:5742 *:*
root portsent 99 13 tcp4 *:6667 *:*
root portsent 99 14 tcp4 *:12345 *:*
root portsent 99 15 tcp4 *:12346 *:*
root portsent 99 16 tcp4 *:20034 *:*
root portsent 99 17 tcp4 *:27665 *:*
root portsent 99 18 tcp4 *:31337 *:*
root portsent 99 19 tcp4 *:32771 *:*
root portsent 99 20 tcp4 *:32772 *:*
root portsent 99 21 tcp4 *:32773 *:*
root portsent 99 22 tcp4 *:32774 *:*
root portsent 99 23 tcp4 *:40421 *:*
root portsent 99 24 tcp4 *:49724 *:*
root portsent 99 25 tcp4 *:54320 *:*
root portsent 98 0 udp4 *:1 *:*
root portsent 98 1 udp4 *:7 *:*
root portsent 98 2 udp4 *:9 *:*
root portsent 98 3 udp4 *:69 *:*
root portsent 98 4 udp4 *:161 *:*
root portsent 98 5 udp4 *:162 *:*
root portsent 98 6 udp4 *:513 *:*
root portsent 98 7 udp4 *:635 *:*
root portsent 98 8 udp4 *:640 *:*
root portsent 98 9 udp4 *:641 *:*
root portsent 98 10 udp4 *:700 *:*
root portsent 98 11 udp4 *:37444 *:*
root portsent 98 12 udp4 *:34555 *:*
root portsent 98 13 udp4 *:31335 *:*
root portsent 98 14 udp4 *:32770 *:*
root portsent 98 15 udp4 *:32771 *:*
root portsent 98 16 udp4 *:32772 *:*
root portsent 98 17 udp4 *:32773 *:*
root portsent 98 18 udp4 *:32774 *:*
root portsent 98 19 udp4 *:31337 *:*
root portsent 98 20 udp4 *:54321 *:*
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 100 3 tcp46 *:22 *:*
USER COMMAND PID FD PROTO ADDRESS
smmsp sendmail 108 3 dgram syslogd[81]:3
root sendmail 105 4 dgram syslogd[81]:3
root syslogd 81 3 dgram /var/run/log
root ipmon 53 0 dgram syslogd[81]:3
sockstat on the webserver behind the gateway machine
-------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 2287 5 tcp4 192.168.1.50:22 192.168.1.1:1186
user1 proftpd 2283 0 tcp4 192.168.1.50:21 12.249.95.65:2595
user1 proftpd 2283 1 tcp4 192.168.1.50:21 12.249.95.65:2595
www httpd 2277 16 tcp4 *:80 *:*
www httpd 2276 16 tcp4 *:80 *:*
user2 proftpd 2180 0 tcp4 192.168.1.50:21 129.x.x.115:1845
user2 proftpd 2180 1 tcp4 192.168.1.50:21 129.x.x.115:1845
www httpd 1906 5 tcp4 192.168.1.50:1541 129.x.x.5:3306
www httpd 1906 16 tcp4 *:80 *:*
www httpd 1905 5 tcp4 192.168.1.50:1539 129.x.x.5:3306
www httpd 1905 16 tcp4 *:80 *:*
www httpd 1904 3 tcp4 192.168.1.50:80 65.56.131.11:3601
www httpd 1904 5 tcp4 192.168.1.50:1543 129.x.x.5:3306
www httpd 1904 16 tcp4 *:80 *:*
www httpd 1903 5 tcp4 192.168.1.50:1530 129.x.x.5:3306
www httpd 1903 16 tcp4 *:80 *:*
www httpd 1902 5 tcp4 192.168.1.50:1544 129.x.x.5:3306
www httpd 1902 16 tcp4 *:80 *:*
www httpd 1901 5 tcp4 192.168.1.50:1538 129.x.x.5:3306
www httpd 1901 16 tcp4 *:80 *:*
www httpd 1900 5 tcp4 192.168.1.50:1522 129.x.x.5:3306
www httpd 1900 16 tcp4 *:80 *:*
www httpd 1899 5 tcp4 192.168.1.50:1549 129.x.x.5:3306
www httpd 1899 16 tcp4 *:80 *:*
www httpd 1898 5 tcp4 192.168.1.50:1540 129.x.x.5:3306
www httpd 1898 16 tcp4 *:80 *:*
www httpd 1897 3 tcp4 192.168.1.50:80 65.56.131.11:3603
www httpd 1897 5 tcp4 192.168.1.50:1521 129.x.x.5:3306
www httpd 1897 16 tcp4 *:80 *:*
root sshd 1144 5 tcp4 192.168.1.50:22 192.168.1.1:1151
root snmpd 159 6 udp4 *:161 *:*
nobody proftpd 153 0 tcp4 *:21 *:*
root httpd 146 16 tcp4 *:80 *:*
root sendmail 98 3 tcp4 *:25 *:*
root sendmail 98 5 tcp4 *:587 *:*
root sshd 93 4 tcp4 *:22 *:*
root syslogd 73 5 udp4 *:514 *:*
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 93 3 tcp46 *:22 *:*
root syslogd 73 4 udp6 *:514 *:*
USER COMMAND PID FD PROTO ADDRESS
user1 proftpd 2283 2 dgram syslogd[73]:3
user1 proftpd 2283 3 dgram syslogd[73]:3
user1 proftpd 2283 6 dgram syslogd[73]:3
user1 proftpd 2283 7 dgram syslogd[73]:3
user2 proftpd 2180 2 dgram syslogd[73]:3
user2 proftpd 2180 3 dgram syslogd[73]:3
user2 proftpd 2180 6 dgram syslogd[73]:3
user2 proftpd 2180 7 dgram syslogd[73]:3
smmsp sendmail 101 3 dgram syslogd[73]:3
root sendmail 98 4 dgram syslogd[73]:3
root syslogd 73 3 dgram /var/run/log
thanks for your help
redmond
> Try running a sockstat and see what it says for the programs that are
> running on those ports..
>
> -----Original Message-----
> From: r-militante@northwestern.edu [mailto:r-militante@northwestern.edu]
>
> Sent: Tuesday, February 11, 2003 1:38 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: n00b ipf/ipnat questions
>
> hi
>
> any comments? :)
> i'm thinking that it's probably a good thing the box behind the gateway is
> only listening on a select number of ports, but i don't understand why the
> gateway itself seems to be listening on a large number of ports.
> is this normal?
>
> thanks
> redmond
>
>
>
> > hi
> >
> > ok.
> > netstat -na | grep LISTEN on the box i'm nmapping from
> > -------
> > tcp4 0 0 *.10000 *.* LISTEN
> > tcp4 0 0 *.3306 *.* LISTEN
> > tcp4 0 0 *.21 *.* LISTEN
> > tcp4 0 0 *.80 *.* LISTEN
> > tcp4 0 0 *.587 *.* LISTEN
> > tcp4 0 0 *.25 *.* LISTEN
> > tcp4 0 0 *.22 *.* LISTEN
> > tcp46 0 0 *.22 *.* LISTEN
> >
> >
> > netstat -na | grep LISTEN on the gateway box
> > -------
> > tcp4 0 0 *.587 *.* LISTEN
> > tcp4 0 0 *.25 *.* LISTEN
> > tcp4 0 0 *.22 *.* LISTEN
> > tcp46 0 0 *.22 *.* LISTEN
> > tcp4 0 0 *.54320 *.* LISTEN
> > tcp4 0 0 *.49724 *.* LISTEN
> > tcp4 0 0 *.40421 *.* LISTEN
> > tcp4 0 0 *.32774 *.* LISTEN
> > tcp4 0 0 *.32773 *.* LISTEN
> > tcp4 0 0 *.32772 *.* LISTEN
> > tcp4 0 0 *.32771 *.* LISTEN
> > tcp4 0 0 *.31337 *.* LISTEN
> > tcp4 0 0 *.27665 *.* LISTEN
> > tcp4 0 0 *.20034 *.* LISTEN
> > tcp4 0 0 *.12346 *.* LISTEN
> > tcp4 0 0 *.12345 *.* LISTEN
> > tcp4 0 0 *.6667 *.* LISTEN
> > tcp4 0 0 *.5742 *.* LISTEN
> > tcp4 0 0 *.2000 *.* LISTEN
> > tcp4 0 0 *.1524 *.* LISTEN
> > tcp4 0 0 *.1080 *.* LISTEN
> > tcp4 0 0 *.635 *.* LISTEN
> > tcp4 0 0 *.540 *.* LISTEN
> > tcp4 0 0 *.143 *.* LISTEN
> > tcp4 0 0 *.119 *.* LISTEN
> > tcp4 0 0 *.111 *.* LISTEN
> > tcp4 0 0 *.79 *.* LISTEN
> > tcp4 0 0 *.15 *.* LISTEN
> > tcp4 0 0 *.11 *.* LISTEN
> > tcp4 0 0 *.1 *.* LISTEN
> >
> > netstat -na | grep LISTEN on the webserver behind gateway
> > -------
> > tcp4 0 0 *.21 *.* LISTEN
> > tcp4 0 0 *.80 *.* LISTEN
> > tcp4 0 0 *.587 *.* LISTEN
> > tcp4 0 0 *.25 *.* LISTEN
> > tcp4 0 0 *.22 *.* LISTEN
> > tcp46 0 0 *.22 *.* LISTEN
> >
> >
> > thanks
> >
> > redmond
>
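
Added example, not part of the original message or of any poster's code: a small sh/awk filter that groups sockstat rows by owning command, so a single process holding many wildcard listeners (as the rows for the command shown as portsent do on the gateway above) stands out. The function names and the sample rows are constructed for illustration; the rows are modelled on the gateway output in this message.

```shell
#!/bin/sh
# Added example: summarise sockstat text by owning command.

# Constructed sample input, modelled on the gateway output in this thread.
sample_sockstat() {
    cat <<'EOF'
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 825 5 tcp4 129.x.x.35:22 129.x.x.20:2666
root sendmail 105 3 tcp4 *:25 *:*
root sendmail 105 5 tcp4 *:587 *:*
root sshd 100 4 tcp4 *:22 *:*
root portsent 99 0 tcp4 *:1 *:*
root portsent 99 1 tcp4 *:11 *:*
root portsent 99 2 tcp4 *:15 *:*
root portsent 99 18 tcp4 *:31337 *:*
root portsent 98 0 udp4 *:1 *:*
root portsent 98 1 udp4 *:7 *:*
root syslogd 81 3 dgram /var/run/log
EOF
}

# Reads sockstat text on stdin and prints "command proto count ports"
# for sockets bound to a wildcard local address with no peer.
# Optional argument: minimum number of distinct ports to report.
summarize_listeners() {
    awk -v min="${1:-1}" '
        # Skip header rows and UNIX-domain rows (only 6 fields).
        $1 == "USER" || NF < 7 { next }
        # Wildcard listener: local "*:port", foreign "*:*".
        $6 ~ /^\*:[0-9]+$/ && $7 == "*:*" {
            split($6, a, ":")
            key = $2 " " $5
            # Forked children share one listening socket; count a port once.
            if ((key, a[2]) in seen) next
            seen[key, a[2]] = 1
            n = ++count[key]
            ports[key] = (n == 1) ? a[2] : ports[key] "," a[2]
        }
        END {
            for (k in count)
                if (count[k] >= min) print k, count[k], ports[k]
        }
    ' | sort -k3,3nr -k1,1
}

# Stand-alone run: print the summary for the constructed sample.
sample_sockstat | summarize_listeners
```

On a live FreeBSD host the same filter can be fed from `sockstat -4` in place of the sample function.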