Why can I telnet my port 21
From: Alexander Harsch (infodude_at_gmx.de)
Date: 03/25/04
- Next message: Matthias Czapla: "Re: encryption programs"
- Previous message: Michael Sims: "How reliable is netstat?"
- Next in thread: Colin McKinnon: "Re: Why can I telnet my port 21"
- Reply: Colin McKinnon: "Re: Why can I telnet my port 21"
Date: Thu, 25 Mar 2004 18:47:04 +0100
Hi,
doing a scan with nmap (using the -P0 option) I can see that there are a
couple of ports open. One of them is port 21. I do not have a server running
on this port 21 (no ftp). When I connect from the internet on my machine on
port 21 via telnet, I get a connection, but after a few seconds a timeout
occurs.
When I try to access port 21 from the internet, my firewall puts an entry in
the logs, that the packet on port 21 was rejected. Sounds very suspicious
to me. Netstat doesn't say anything about port 21. I already tried the
chkrootkit, but it didn't find anything.
What surprises me mostly, even after checking my firewall settings on and
on, I don't see why the firewall lets this packet pass. The interface where
this happens is ppp0, my internet flatrate. I also saw in the logs, that
over a period of several days somebody tried to access this port. If I can
believe my firewall, all these packets were Denied. Why is port 21
accessible to the internet?
I appended my input rules:
-A INPUT -d 192.168.1.1 -j ACCEPT #cipe tunnel (internal)
-A INPUT -d 192.168.99.1 -i wlan0 -p tcp -m multiport --dports ssh,mdqs,nfs,x11 -j DROP #wlan (internal)
-A INPUT -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 4660:4669 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 16743 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 16743 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1214 -j ACCEPT #fasttrack
-A INPUT -i ppp0 -p tcp -m tcp --dport 6882 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 255.255.255.255 -i wlan0 -p udp -m state --state ESTABLISHED -m udp --sport 67 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix ...
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix ...
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 192.168.99.1 -j LOG ......
-A INPUT -s 192.168.99.1 -j DROP
-A INPUT -s 213.54.127.104 -j LOG .....
-A INPUT -s 213.54.127.104 -j DROP
-A INPUT -d 213.54.127.104 -i ppp0 -j input_ext #these rules I also appended
-A INPUT -d 192.168.99.1 -i wlan0 -j input_int
-A INPUT -d 192.168.99.255 -i wlan0 -j DROP
-A INPUT -d 255.255.255.255 -i wlan0 -j DROP
-A INPUT -d 213.54.127.104 -i wlan0 -j LOG --log-prefix "S....
-A INPUT -d 213.54.127.104 -i wlan0 -j DROP
-A INPUT -j LOG --log-prefix "SuSE-FW-ILLEGAL-TARGET " --log-tcp-o...
-A INPUT -j DROP
-A input_ext -s 192.168.99.0/255.255.255.0 -j LOG ....
-A input_ext -s 192.168.99.0/255.255.255.0 -j DROP
-A input_ext -s 213.54.127.104 -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-ACCEPT-SOURCEQUENCH " --log-tcp-options --log-ip-options
-A input_ext -s 213.54.127.104 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -j DROP
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG...
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG...
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG...
-A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 700 --tcp-flags SYN,RST,ACK SYN -j LOG..
-A input_ext -p tcp -m tcp --dport 700 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 841 --tcp-flags SYN,RST,ACK SYN -j LOG...
-A input_ext -p tcp -m tcp --dport 841 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 1024 --tcp-flags SYN,RST,ACK SYN -j LOG..
-A input_ext -p tcp -m tcp --dport 1024 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j LOG..
-A input_ext -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j LOG..
-A input_ext -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-ip-options
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -s 212.122.137.24 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_ext -s 195.185.185.195 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_ext -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -p udp -m state --state ESTABLISHED -m udp --dport 61000:65095 -j ACCEPT
-A input_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG ....
-A input_ext -p udp -j LOG ...
-A input_ext -m state --state INVALID -j LOG ....
-A input_ext -j DROP
Thanx
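
Added example, not part of the original post: a minimal first-match tracer over a subset of the posted INPUT and input_ext rules, showing which rule decides a new TCP SYN to port 21 arriving on ppp0. The function names, the packet dictionary and its field values are assumptions of this example, and only the match options used in the subset are modelled.

```python
# Subset of the rules in the post (numeric ports only, log options omitted).
RULES = """\
-A INPUT -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -d 213.54.127.104 -i ppp0 -j input_ext
-A INPUT -j DROP
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG
-A input_ext -j DROP
"""

def parse(text):
    chains = {}                           # {chain: [(line, conds, target)]}
    for line in text.strip().splitlines():
        tok, conds, i = line.split(), [], 2
        while tok[i] != "-j":
            width = 3 if tok[i] == "--tcp-flags" else 2
            if tok[i] != "-m":            # "-m <module>" adds no condition
                conds.append(tok[i:i + width])
            i += width
        chains.setdefault(tok[1], []).append((line, conds, tok[i + 1]))
    return chains

def matches(conds, pkt):
    for opt, *args in conds:
        if opt == "--dport":              # single port or lo:hi range
            lo, _, hi = args[0].partition(":")
            ok = int(lo) <= pkt[opt] <= int(hi or lo)
        elif opt == "--tcp-flags":        # (flags & mask) must equal comp
            mask, comp = (set(a.split(",")) for a in args)
            ok = pkt[opt] & mask == comp
        else:                             # -i, -p, -d exact; --state is a list
            ok = pkt[opt] in args[0].split(",")
        if not ok:
            return False
    return True

def trace(chains, pkt, chain="INPUT"):
    for line, conds, target in chains[chain]:
        if not matches(conds, pkt):
            continue
        if target in ("ACCEPT", "DROP"):  # terminating verdict
            return target, line
        hit = trace(chains, pkt, target) if target in chains else None
        if hit:                           # LOG or a returning chain: go on
            return hit
    return None

# Constructed packet: new TCP SYN to port 21 arriving on ppp0.
SYN_21 = {"-i": "ppp0", "-p": "tcp", "-d": "213.54.127.104", "--dport": 21,
          "--state": "NEW", "--tcp-flags": {"SYN"}}
```

For this subset, `trace(parse(RULES), SYN_21)` ends at the final `-A input_ext -j DROP` rule, after the LOG rule has matched, which agrees with the rejected-packet log entries described in the post.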