Re: Do I need these services listening?
From: Gerald Vogt (vogt_at_spamcop.net)
Date: 03/15/05
- Next message: Sskb: "Re: Annoying pop-ups with Norton Internet security"
- Previous message: Derek: "ZA Trojans & Hijackers"
- In reply to: rodlinkowitz_at_whale-mail.com: "Re: Do I need these services listening?"
- Next in thread: rodlinkowitz_at_whale-mail.com: "Re: Do I need these services listening?"
- Reply: rodlinkowitz_at_whale-mail.com: "Re: Do I need these services listening?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Mar 2005 07:33:00 +0900
rodlinkowitz@whale-mail.com wrote:
> Sorry, when I say the second computer has a "cable attached to the
> first computer", I was not being very specific. But by that, I mean the
> cable is attached to the LAN port on the router, which sits on top of
> the first computer. (I've just always "seen" the second computer as
> being attached to and dependent upon the first computer, since it's the
> one that houses the modem and router. But of course, since this is
> a simple standard configuration, technically speaking, the 2nd machine
> is being connected to the LAN port on the router, as is the first one).
O.K. This is the only important description for anyone who has to help
you. You may say at home "computer one hosts router and modem" because
they stand there next to each other. For other outside home always say
"computer 1 & 2 connect to the router which connects to the modem" ;-)
That will expedite the process and avoid confusion. (So, not only IP
ports look different from the inside and outside ;-)
> I think we discovered via netstat (and "WhoIsConnected") that 25 & 110
> were not listening to the net, because the software port
> monitor/analysis programs don't report that, nor do the online
> scanners. Only some of the (software) port scanners do.
Yes, but you had a connect with telnet on port 25... This should not
happen. If nothing's there, telnet reports an error message.
> Because it helps me sleep at night? My story begins... after countless
Well, as long as it is properly running for you... Generally, each added
security software usually adds to the complexity of the whole system,
makes various changes to your system etc. Two security components can
possibly nullify each other just by some coincidence in their
configurations (kind of the first changes (a) and depends on a certain
(b) setting while the second one changes (b) and depends on a certain
(a) setting and in the end both (a) and (b) have been changed and
neither one gets anything properly right). So, in general, the
recommendation is to stick to one PFW and to one AV on a system... O.K.,
but this was a side comment, and as you have spent some time getting this
all tied up, I suppose you have learned a few things about your system.
> I tried that and the IP of my two computers, using port 5066 as the
> random port no.
> Every time I get "Could not open connection to the host on port 5066,
> Connect failed". I'm assuming this is normal. More interestingly, when
> I tried telnetting smtp using the private IP of either of my two
> computers, I got the same message (ie. telnet privateIP smtp = "connect
> failed"). So what happened yesterday is not
> being repeated today.
O.K. That is, well, I hope good news. As you did not get an error
message yesterday I would still highly recommend to do some scans on
your system with your AV and maybe also an online virus scan. Also look
for ad-aware from www.lavasoftusa.com and for spybot
http://www.safer-networking.org/en/index.html which are fairly well in
detecting malware and adware on a computer along with more privacy
related stuff (which all requires some reading to understand what they
report...) Also hijackthis has a quite good reputation which you get
here http://www.hijackthis.de/en You can upload your hijackthis output
on that webpage, too, for some detailed interpretation as the hijackthis
output itself is pretty much low-level, raw information.
It's good that telnet reports the ports as closed today. I would just
double-check that there is really no indication of other problems which
were there yesterday, when it seemed as if there was something listening
on ports 25 and 110.
> This is the output as done from the second computer:
Looks good. But didn't you write that you have changed the internal ip
address of your Netgear router? To me, 192.168.1.1 looks like the
default address.
> Yes. No. After turning Kaspersky's email guard off, and doing a quick
> scan with FreePortScanner, The 25 and 110 ports are reported as closed.
O.K. (I already wrote everything above, but I won't go through it and
edit it. I hope you can make the adjustments ;-)) That means that the
Kaspersky's email guard does relay all your mails through its own
scanner engine. I suppose your email configuration in your email client
does not show your ISP's smtp server and POP server but instead has
something like "localhost" in it. When you retrieve e-mails, you
retrieve them from localhost (which is the computer you are on) port
110, which is Kaspersky's relay/scanner server which retrieves the
e-mails from your ISP's pop server, scanning everything on the way
through. Similar for the outgoing emails.
This is O.K. I think, however, that those ports 25 and 110 servers of
Kaspersky should show up normally in netstat output. It should report
them, if they did it properly, as listening. If you use "netstat -a -n"
it reports the IP addresses where the ports are bound, which can be
"0.0.0.0" or "127.0.0.1" or "192.168.1.2" for your local computer. The
Kaspersky should be bound on 127.0.0.1 and not on 0.0.0.0 or
192.168.1.*. That way these servers are exclusively available to your
local computer and not accessible from anywhere else including your
other computers in the LAN. If port 25 and port 110 do not show up in
netstat while you are running the email guard, and telnet can connect to
port 25 or port 110 on your local computer ("telnet localhost 25"),
then, well, this is not a problem but not really nice. It would indicate
some technical problem with the Kaspersky email guard or your PFW as I
would see no reason why Kaspersky would intentionally try to hide open
ports they run from the user like any hacker would try to do.
Anyway, I think this solves the problem with the ports 25 and 110. I
should have thought about that sooner...
Regarding the rest of the ports: you should be able to close ports 135
and 445 as I wrote elsewhere. The other ports you most likely won't be
able to close. What you may be able to do is to block any incoming
connections on the client computer to these ports. The trick is, however,
that you need a proper SPI here, as simply blocking the ports would mean
that nothing necessary gets through, as you receive the UDP replies on
these ports. I do know that an XP SP2 firewall configured with no
exceptions still allows the client to access shares in the network. I am
not sure if your PFW can be configured in this way, too, to block
unrelated traffic to these ports while still allowing UDP responses through.
O.K. I think we are getting there... ;-)
Gerald
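The check Gerald describes above (read "netstat -a -n", see whether the port-25/110 listeners are bound to 127.0.0.1 rather than 0.0.0.0 or the 192.168.1.x LAN address, then confirm with a "telnet localhost 25" style connect) can be done programmatically. The following is an added example and is not part of the thread or of any product mentioned in it; the netstat sample is constructed in the Windows layout, and the function names, the threshold of "watched" ports, and the 192.168.1.2 address are assumptions for illustration only.

```python
"""Added example (not part of the mailing-list thread): classify netstat
listeners by bind scope and confirm reachability with a TCP connect."""
import socket

# Constructed sample in the Windows "netstat -a -n" layout; not real output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
  TCP    192.168.1.2:110        0.0.0.0:0              LISTENING
  TCP    192.168.1.2:1042       64.233.160.99:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_listeners(text):
    """Return (ip, port) for every TCP socket reported in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # Header, UDP and ESTABLISHED lines do not match this shape.
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ip, port = parts[1].rsplit(":", 1)
            listeners.append((ip, int(port)))
    return listeners


def bind_scope(ip):
    """Classify a bind address: 'loopback', 'all-interfaces' or 'lan'.

    Only 'loopback' matches the expectation in the thread: a local mail
    proxy should be reachable from this machine and from nowhere else."""
    if ip == "0.0.0.0":
        return "all-interfaces"
    if ip.startswith("127."):
        return "loopback"
    return "lan"


def review_mail_ports(text, ports=(25, 110)):
    """Map each watched port to its bind scope, or None if nothing listens."""
    found = {p: None for p in ports}
    for ip, port in parse_listeners(text):
        if port in found:
            found[port] = bind_scope(ip)
    return found


def port_accepts(host, port, timeout=1.0):
    """TCP connect check: the programmatic form of 'telnet host port'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_loopback_listener():
    """Open a throwaway listener bound to 127.0.0.1 on a free port.

    The kernel completes handshakes into the backlog, so no accept() loop
    is needed for port_accepts() to succeed while the socket is open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: the OS picks an ephemeral port
    srv.listen(5)
    return srv


if __name__ == "__main__":
    for port, scope in review_mail_ports(SAMPLE_NETSTAT).items():
        print(f"port {port}: {scope}")
    srv = start_loopback_listener()
    port = srv.getsockname()[1]
    print("loopback listener reachable from localhost:",
          port_accepts("127.0.0.1", port))
    srv.close()
    print("after closing the listener:", port_accepts("127.0.0.1", port))
```

Run against the constructed sample, port 25 comes back as loopback-only (the desirable case) and port 110 as bound to the LAN address, which is the configuration Gerald says the other computer in the LAN could reach. The live part of the script only ever talks to 127.0.0.1 on a listener it opened itself.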