Re: nmap shows: 1863/tcp open, 5190/tcp open

On 17 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in article
<1142652548.865583.129920@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, anon9878@xxxxxxxxxxx
wrote:

> There were two series of scans, but both behind the gateway/router. The
> first from within the DMZ and the second from a private network behind
> a wireless router scanning the DMZ. Both indicated that ports 1863 and
> 5190 are open.

tcpdump or equal - on the server as well as on the scanning system. On
the server, do the SYNs even reach the server? If so, how does it respond?
On the scanning box, look at the IP and TCP headers. Do the "SYN/ACK"
packets match those from known open ports - specifically in the TTLs and
flags. You could also try using nmap to really probe the apparent
responder - perhaps using the O/S identification options.

> Curiously, I had a friend run nmap from the internet ( outside my
> gateway/router ) and ports 1863 and 5190 do NOT show up in his scan.

The responses _could_be_ getting blocked/dropped, etc., either by your
gateway, or an intermediate router. That's a reason I like to use a
packet sniffer at the target (or "teed" off the target's network cable), so
I can verify that it's the target that is responding.

> Interestingly, today, I got a clean set of fileutils and chkrootkit and
> ran it from CDROM. Chkrootkit comes up clean.

'chkrootkit' and the similar 'rkhunter' (http://www.rootkit.nl/) are only
going to find old rootkits/exploits. They look for specific signs - often
files or directories - and you have to hope that the author of the rootkit
hasn't changed this/that name from '/tmp/.../a' to '/tmp/.../b' (the first
being the tested indication of a '55808.A' worm).

> Also, interesting he said my gateway/router (a netopia product) is
> running telnet.d. Don't know if that is a security risk?

If you didn't know about it, you certainly do want to find out more. No,
that's not the safest service. I don't like the idea of my gateway, router
or firewall accepting ANY connections from outside. To get in, you have
to SSH or tunnel into an internal host, and run a SSH connection from there
out to the gateway.

> Thanks for the tip. I'll give it a try. But I think my system is ok,
> but I remain paranoid.

There is nothing wrong with that!

Old guy
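One way to do the SYN/ACK comparison Old guy suggests, as an added example that is not from the original thread. It assumes a `tcpdump -v -n` capture taken on the scanning box (a constructed two-lines-per-packet trace is embedded below; 192.168.1.50 is the scanner, 10.0.0.5 the server) and checks each SYN/ACK's IP TTL, DF bit and TCP window against the reply from a port known to be open on the server; a mismatch is a hint that something other than the server, such as the gateway, is answering for that port.

```python
import re

# Constructed capture in `tcpdump -v -n` style (not a real trace): an IP header
# line followed by an indented TCP line for every packet. Ports 22 and 80 are
# known to be open on the server; 1863 and 5190 are the ones in question.
CAPTURE = """\
12:00:01.000001 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 44)
    10.0.0.5.22 > 192.168.1.50.40001: Flags [S.], seq 1000, ack 1, win 5840, options [mss 1460], length 0
12:00:01.000002 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto TCP (6), length 44)
    10.0.0.5.80 > 192.168.1.50.40002: Flags [S.], seq 2000, ack 1, win 5840, options [mss 1460], length 0
12:00:01.000003 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.5.1863 > 192.168.1.50.40003: Flags [S.], seq 0, ack 1, win 4096, options [mss 1460], length 0
12:00:01.000004 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.5.5190 > 192.168.1.50.40004: Flags [S.], seq 0, ack 1, win 4096, options [mss 1460], length 0
"""

IP_LINE = re.compile(r"ttl (\d+),.*flags \[([^\]]*)\]")
TCP_LINE = re.compile(r"^\s+\S+\.(\d+) > \S+\.(\d+): Flags \[([^\]]*)\].*win (\d+)")


def parse_synacks(text):
    """Return {source_port: fingerprint} for every SYN/ACK reply in the capture."""
    fingerprints = {}
    lines = text.splitlines()
    for ip_line, tcp_line in zip(lines[0::2], lines[1::2]):
        ip_m = IP_LINE.search(ip_line)
        tcp_m = TCP_LINE.match(tcp_line)
        if not ip_m or not tcp_m or tcp_m.group(3) != "S.":
            continue  # only the SYN/ACK replies matter for this check
        fingerprints[int(tcp_m.group(1))] = {
            "ttl": int(ip_m.group(1)),
            "df": ip_m.group(2) == "DF",
            "win": int(tcp_m.group(4)),
        }
    return fingerprints


def compare_to_baseline(text, baseline_port):
    """True for ports whose SYN/ACK looks like the known-open port's, False otherwise."""
    fps = parse_synacks(text)
    baseline = fps[baseline_port]
    return {port: fp == baseline for port, fp in fps.items() if port != baseline_port}


if __name__ == "__main__":
    for port, consistent in compare_to_baseline(CAPTURE, 22).items():
        print(port, "consistent with port 22" if consistent else "DIFFERS from port 22")
```

A different TTL or window on only the suspect ports is the cue to run the same capture on the server itself and see whether those SYNs arrive there at all.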