Re: Why can I telnet my port 21

From: Tim Haynes (usenet-20040325_at_stirfried.vegetable.org.uk)
Date: 03/25/04


Date: Thu, 25 Mar 2004 20:41:50 +0000

Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> writes:

>> doing a scan with nmap (using the -P0 option) I can see, that there is a
>> couple of ports open. One of them is port 21. I do not have a server
>> running on this port 21 (no ftp). When I connect from the internet on my
>> machine on port 21 via telnet, I get a connection, but after a few seconds
>> a timeout occurs.
>
> What does netstat -ap say?

Speedier version: `netstat -plant | grep LISTEN'. TCP is all that's
interesting here and we don't need names for things.

Other questions: is (x)inetd listening on 21/tcp but the ftpd behind it
nonexistent? What hosts.{allow,deny} rules are there of relevance? How
quick is the disconnection? Is there anything in a recently-modified
logfile relating to the connection attempt?

>> I appended my input rules:
> <snip>
> yeah, thanx.

Those were useful, because they allow us to say the firewall was designed
approximately in the stone-age. Specifically, they seem to be built around
allowing large tracts of source-IP#s to get at anything running on the box,
whilst dropping a few spot-services. This is not the way to firewall a
machine; you want stateful matching right up tops (INVALID, followed by
ESTABLISHED,RELATED rules), rules per provided service, LAN considerations,
then drop everything else. Nice clear well-organized blocks, statefulness
for extra security rather than trusting who the packet says it's from
(`hey, I'm a nice Tim, trust me!!'), etc.

~Tim

-- 
Can you tell me how to get,                 |piglet@stirfried.vegetable.org.uk
How to get to Sesame Street?                |http://spodzone.org.uk/cesspit/
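
The rule ordering described in the post above (INVALID, then ESTABLISHED,RELATED, then one rule per provided service, then the LAN, then drop everything else), as an added example that is not part of the original message. The function name `gen_ruleset`, the ports, the LAN range and the interface name are constructed sample values, not taken from the thread.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset laid out in the order the
# post recommends. All values below are assumptions made for illustration.
SERVICES="${SERVICES:-22 80}"          # TCP services this box offers (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN address range (assumed)
LAN_IF="${LAN_IF:-eth1}"               # interface facing the LAN (assumed)

gen_ruleset() {
    echo '*filter'
    # Default-deny policy: nothing reaches a port unless a rule below allows it,
    # so a service nobody meant to expose cannot be connected to from outside.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'

    # Block 1: stateful matching at the top. Packets the connection tracker
    # cannot place are dropped; replies to connections we already accepted
    # or opened ourselves are let through.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'

    # Block 2: one rule per provided service, matching new connections only.
    for port in $SERVICES; do
        echo "-A INPUT -p tcp --dport $port --syn -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Block 3: LAN considerations. The rule is tied to the LAN interface as
    # well as the source range, because a source address alone is only what
    # the packet claims about itself.
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"

    # Block 4: drop everything else.
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Print the ruleset; to syntax-check it without loading it (needs root):
#   gen_ruleset | iptables-restore --test
gen_ruleset
```

With this layout a port with no service rule never completes a TCP handshake from the internet, whether or not something is listening behind it.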

