Re: Why can I telnet my port 21

From: Tim Haynes (usenet-20040325_at_stirfried.vegetable.org.uk)
Date: 03/25/04


Date: Thu, 25 Mar 2004 20:41:50 +0000

Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> writes:

>> doing a scan with nmap (using the -P0 option) I can see that there are a
>> couple of ports open. One of them is port 21. I do not have a server
>> running on this port 21 (no ftp). When I connect from the internet to my
>> machine on port 21 via telnet, I get a connection, but after a few seconds
>> a timeout occurs.
>
> What does netstat -ap say?

Speedier version: `netstat -plant | grep LISTEN'. TCP is all that's
interesting here and we don't need names for things.

Other questions: is (x)inetd listening on 21/tcp but the ftpd behind it
nonexistent? What hosts.{allow,deny} rules are there of relevance? How
quick is the disconnection? Is there anything in a recently-modified
logfile relating to the connection attempt?

>> I appended my input rules:
> <snip>
> yeah, thanx.

Those were useful, because they allow us to say the firewall was designed
approximately in the stone-age. Specifically, they seem to be built around
allowing large tracts of source-IP#s to get at anything running on the box,
whilst dropping a few spot-services. This is not the way to firewall a
machine; you want stateful matching right up tops (INVALID, followed by
ESTABLISHED,RELATED rules), rules per provided service, LAN considerations,
then drop everything else. Nice clear well-organized blocks, statefulness
for extra security rather than trusting who the packet says it's from
(`hey, I'm a nice Tim, trust me!!'), etc.

~Tim

-- 
Can you tell me how to get,                 |piglet@stirfried.vegetable.org.uk
How to get to Sesame Street?                |http://spodzone.org.uk/cesspit/
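The layout Tim describes (INVALID first, then ESTABLISHED,RELATED, one rule per service, LAN handling, then drop the rest) written out as an iptables-restore ruleset. This is an added example and not Tim's or the original poster's firewall; the interface names (eth0 for the WAN, eth1 for the LAN), the LAN subnet 192.168.1.0/24 and the offered services (22 and 80) are assumptions chosen for illustration. The script only generates the ruleset text; nothing is applied to the kernel until the output is fed to iptables-restore.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset laid out as recommended in the post:
# stateful matches first (INVALID, then ESTABLISHED,RELATED), one explicit
# rule per offered service, LAN handling, then a default DROP for everything
# else. Interface names, subnet and ports are assumptions for this example.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# TCP ports offered to the whole Internet, space separated (assumed: ssh, http).
PUBLIC_TCP="${PUBLIC_TCP:-22 80}"

# service_rules: one ACCEPT per public service, so every open port is an
# explicit, reviewable line rather than a side effect of a broad source match
# (the "large tracts of source IPs may reach anything" pattern being criticised).
service_rules() {
    for p in $PUBLIC_TCP; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# gen_rules: print the complete ruleset in iptables-restore format.
# Lines beginning with '#' are ignored by iptables-restore, so the section
# comments can stay in the saved file.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. State handling before anything else: packets belonging to no known
#    connection are dropped, replies to traffic we started are accepted.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# 2. One rule per service we actually run.
$(service_rules)
# 3. LAN: trust the local segment on its own interface, not on source IP alone.
-A INPUT -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# 4. Log a sample of what falls through; the chain policy drops it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# allows_port: succeeds when the generated ruleset carries an explicit
# NEW-connection ACCEPT for TCP port $1 from the WAN. Handy for checking the
# policy before loading it: a port that is not listed here is not reachable.
allows_port() {
    gen_rules | grep -q -- "--dport $1 .*--ctstate NEW -j ACCEPT"
}

# Usage: sh firewall.sh > rules.v4 && iptables-restore < rules.v4
gen_rules
```

With this ordering a probe to 21/tcp from the Internet never reaches a service rule at all: it is a NEW packet that matches no per-service line and no LAN line, so it falls to the INPUT policy and is dropped, which is the behaviour the original poster was expecting and not getting.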