Re: Open Ports on Cisco Router

From: Vladamir (wireless.insecurity_at_gmail.com)
Date: 03/28/05

    Date: Mon, 28 Mar 2005 13:53:59 -0500
    To: bob bob <bb88011@yahoo.com>

    Just as a safety precaution, you should issue:

    no ip tcp-small-servers
    no ip udp-small-servers

    It'll get rid of Time, Echo, Chargen, etc.

    bob bob wrote:
    > I have a Cisco 1720 router that showed telnet open
    > after a recent audit. I closed down telnet by
    > applying an acl to the vty lines and then nmap'ed from
    > the outside to verify. Telnet is indeed closed, but
    > other ports appeared open now! What's more, different
    > ports appear open when scanning at different times.
    > It showed tcp ports 21, 25 and 80 open at one time,
    > but in another scan showed 143 in addition to the
    > above. Late in the evening, it showed none of the
    > above open, but a range of ports starting around 8000.
    > No UDP ports show open.
    >
    > I ran nmap with the following command:
    >
    > nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
    >
    > Here is a portion of the router config:
    >
    > version 12.3
    >
    > . . .
    > ip subnet-zero
    > no ip source-route
    >
    > . . .
    > interface FastEthernet0
    > ip address 10.0.0.1 255.255.255.0
    > ip nat outside
    > speed auto
    > half-duplex
    > !
    > interface Serial0
    > ip address A.B.C.D 255.255.255.252
    > ip access-group filter_outside_in in
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > no nat outside
    > no fair-queue
    > no cdp enable
    > !
    > ip nat inside source list 10 interface Serial0
    > overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Serial0
    > no ip http server
    >
    > . . .
    >
    > ip access-list extended filter_outside_in
    > deny ip 10.0.0.0 0.255.255.255 any
    > deny ip 127.0.0.0 0.255.255.255 any
    > deny ip 172.16.0.0 0.15.255.255 any
    > deny ip 224.0.0.0 15.255.255.255 any
    > deny ip host 0.0.0.0 any
    > deny icmp any timestamp-request
    > deny icmp any redirect
    > deny icmp any mask-request
    > deny icmp any traceroute
    > deny icmp any echo
    > permit ip any any
    > access-list 10 permit 10.0.0.0 0.0.0.255
    > ----------------------------------------
    >
    > So, the router is NAT'ing, and, btw, it also has a
    > firewall behind it. The ports that show up in the
    > scans of the router match up very well with the ports
    > used regularly at this location, so I thought it might
    > have something to do with NAT dynamically opening
    > ports. However, it still seems very strange to me and
    > I wanted to know if anyone else has seen this behavior
    > and what explains it. TIA!
    >
    > Bob
    >
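One way to separate a real listener from the scan-to-scan noise Bob describes, as an added example that is not part of this thread: it parses the "Ports:" field of nmap grepable (-oG) output from several scans of the same address and reports which ports were open every time versus only sometimes. The three scan lines are constructed sample data; they assume a port 7 (echo, one of the small servers the reply above turns off) that is always open, with the remaining ports coming and going.

```python
"""Compare repeated nmap scans of one address: ports open in every scan are
likely real listeners, ports open only sometimes are the kind of transient
result a NAT/PAT router gives when active translations happen to be probed."""
from collections import Counter
import re

# Constructed nmap -oG "Ports:" lines for three scans of the same router at
# different times (sample data, not output from the original thread).
SCANS = [
    "Host: 192.0.2.1 ()\tPorts: 7/open/tcp//echo///, 21/open/tcp//ftp///, "
    "25/open/tcp//smtp///, 80/open/tcp//http///",
    "Host: 192.0.2.1 ()\tPorts: 7/open/tcp//echo///, 21/open/tcp//ftp///, "
    "25/open/tcp//smtp///, 80/open/tcp//http///, 143/open/tcp//imap///",
    "Host: 192.0.2.1 ()\tPorts: 7/open/tcp//echo///, 8001/open/tcp//unknown///, "
    "8003/open/tcp//unknown///",
]

# <port>/open/<proto> as written in grepable output; closed/filtered entries
# do not match and are ignored
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def open_ports(grepable_line):
    """Return the set of (port, proto) pairs reported open in one -oG line."""
    return {(int(p), proto) for p, proto in PORT_RE.findall(grepable_line)}


def classify(scans):
    """Split ports into those open in every scan (stable) and the rest (transient)."""
    per_scan = [open_ports(line) for line in scans]
    counts = Counter(port for ports in per_scan for port in ports)
    stable = {p for p, n in counts.items() if n == len(per_scan)}
    transient = {p for p, n in counts.items() if n < len(per_scan)}
    return stable, transient


if __name__ == "__main__":
    stable, transient = classify(SCANS)
    print("open in every scan (check for a real listener):", sorted(stable))
    print("open only in some scans (likely PAT translations):", sorted(transient))
```

A port in the stable set deserves a look at the router's own services (here, the echo small server); the transient set is what you would expect to see from an overloaded NAT while inside hosts have sessions out.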

