Firewall causes false positives in port scans?
From: Randy Lawrence (jm_at_zzzzzzzzzzzz.com)
Date: 06/09/04
Date: Wed, 09 Jun 2004 17:49:57 GMT
I ran a Nessus scan on a remote server recently and it detected port 21
as open and running an unknown (non-ftp) service.
When I ran "netstat -aln" on the server, it didn't show anything
listening on port 21.
When I activated these 2 iptables rules and rescanned, port 21 was STILL
being detected as open (yes, "venet0" is correct and it correctly blocks
all other ports without problems):
/sbin/iptables -A INPUT -p tcp -i venet0 --dport 21 -j DROP
/sbin/iptables -A INPUT -p udp -i venet0 --dport 21 -j DROP
When manually connecting to the remote server via FTP client, this is
the result (happens both with AND without the above iptables rules active):
$ ftp 123.123.123.123
Connected to 123.123.123.123.
421 Service not available, remote server has closed connection
ftp>
NOTE: when the 2 iptables rules listed above are active, the "421"
message appears after a much longer delay after the "Connected to" message.
The explanation the hosting company gave was that their firewall must be
accepting the FTP connection and then realizing there's no service
running on the destination host--which causes the initial connection to
be accepted and then dropped.
Does this make sense? Has anyone else seen firewalls do this?
I'm trying to find out if their firewall is ACTUALLY doing this rather
than some infected router somewhere or a trojan running on the server.
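An added diagnostic, not part of the original post: this Python probe classifies how a TCP port answers, separating a real service (banner or silent open), a closed port (RST), a filtered port (SYN dropped, as with the iptables DROP rules above), and the case the poster describes, where the handshake completes and the connection is then closed with no banner. The loopback listeners it uses are constructed fixtures so it runs offline; the host and ports are placeholders.

```python
import socket
import threading

def probe_port(host, port, timeout=3.0):
    """Classify how host:port answers a TCP connect. A real service sends a
    banner (or stays quiet); a device that completes the handshake on the
    host's behalf typically closes or resets right after connecting."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"            # RST from the host: nothing listening
        except socket.timeout:
            return "filtered"          # SYN dropped silently (e.g. iptables DROP)
        try:
            data = s.recv(256)
        except socket.timeout:
            return "open-silent"       # handshake done, no banner within timeout
        except ConnectionResetError:
            return "accepted-then-reset"
        if not data:
            return "accepted-then-closed"   # FIN right after the handshake, no banner
        return "open-banner:" + data.decode(errors="replace").strip()

def serve_local(handler):
    """Constructed test fixture: start a loopback listener that runs
    handler(conn) for each client and then closes the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            handler(conn)
            conn.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """Constructed fixture: pick a loopback port with nothing listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port
```

Run `probe_port("123.123.123.123", 21)` against the host in question once with the iptables rules off and once with them on: a real listener never changes category, while a result of "accepted-then-closed" that persists after the DROP rules are active means something in front of the server is completing the handshake.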