The following is the result of a scan for the host under my care.
So the ports that are here as "filtered" are the hosts that had been denied with the following rule sets.Code:(The 1532 ports scanned but not shown below are in state: closed) Port State Service 12/tcp filtered unknown 22/tcp open ssh 25/tcp open smtp 80/tcp open http 192/tcp filtered osu-nms 1524/tcp filtered ingreslock 12345/tcp filtered NetBus 12346/tcp filtered NetBus 27665/tcp filtered Trinoo_Master 31337/tcp filtered Elit
Example code;
So it showed up as "filtered". I tried that with a few ports and it all showed up as "filtered". What if I don't want them to show up as "filtered" when I scan but would also like to put in the chain to make sure I'm blocking them ??Code:$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTDERNET 1524 -j DENY -l
Or is it that someone had already hacked and that leaving those port temporarily blocked??
What do you guys think??
I'm using "pmfirewall" BTW.
TIA.
As far as I know, Netbus is a cousin to Back Orifice and Trinoo Master is akin to Tribal Flood Network, which is a DDS tool. If those are really on that box, I would be a little worried. If I were you, I would think about reinstalling the box, then writing your own iptables rules that block everything by default and allow only that wjich is expilictly allowed. Also, make sure you are current on all versions of patches for all apps, be they network or local.
Well, first of all, this box is Debian GNU/Linux box so I'm not so sure what this Netbus is doing there.... Other than that, I run apt-get update once every two days or so ... so I think I'm pretty up to date. I also do not have alot of software on this box ( it's stricky a gateway box with some HTTP and SSH ) so it's fairly easy to keep an eye on.
Thanks for your input.
That is odd. I didn't even think of what OS you might be running. They could very well be false positives, or misidentified services (which is most likely the case). *However, these are a lot of high-numbered ports to have open, especially if you don't know what's running on them. Just for kicks, why not log all ip packets destined for those ports. If you truly have a trinoo master running on your box, *then someone must be trying to connect to it from it's client program (the trinoo client signals the trinoo master, which then launches a DOS attack against a third party). Chances are that the logged packets will come from the jerk that is messing with your box and will not be spoofed. Keep your logs and email them to your ISP's net abuse team.Well, first of all, this box is Debian GNU/Linux box so I'm not so sure what this Netbus is doing there
One more time someone misreads nmap output !
Everything is 100% all right.
If you DENY access to a port it means there will be no packets sent back to the scanning host. Normally a closed port replies to a TCP scan with a TCP packet with RST flag set. You want this behaviour use REJECT instead of DENY. nmap is intelligent enough to identify a port as filtered when no packets come back from it, but host is surely up (eg. replied to a ping probe or sent an RST packet from any other port).
Ports marked as filtered are closed.
I recommend # man nmap before using.
That why I asked, right??One more time someone misreads nmap output !
That's definitely a good thing to hear ....Everything is 100% all right.
So the basic idea is that if the scanner received reset, then it's closed. Otherwise, it's open ??If you DENY access to a port it means there will be no packets sent back to the scanning host. Normally a closed port replies to a TCP scan with a TCP packet with RST flag set.
What would a DROP would do? Would thins also create FILTERED PORT??You want this behaviour use REJECT instead of DENY.
That's why Nmap is so popular.nmap is intelligent enough to identify a port as filtered when no packets come back from it, but host is surely up (eg. replied to a ping probe or sent an RST packet from any other port).
That's what I wanted to know. Thank you.Ports marked as filtered are closed.
I did but still there is so much $hit to learn ..... ;DI recommend # man nmap before using.
When the protocol used is TCP (it's different for UDP !):
So the basic idea is that if the scanner received reset, then it's closed. Otherwise, it's open ??
If the scanner received a packet with RST flag set (and correct sequence numbers) then the port is closed.
If the scanner received a packet with SYN and ACK flags set (and ...) then the port is open.
If the scanner didn't receive anything back then it doesn't know whether the port is open or closed, assumes existence of a packet filter and marks the port as filtered, therefore unreachable.
If the scanner received a packet with any other combination of flags or bad sequence numbers, then it's utterly confused(in fact I have no idea what nmap does in such situation).
DROP is IPTables equivalent of DENY - a TCP port would show up as filtered.
What would a DROP would do? Would thins also create FILTERED PORT??
hth
Great information andrzej. Appreciated.
I now know why those ports show up as filtered. Since I use pmfirewall, the author included those ports rules in the rules set. When I disabled them ( by commenting out temporarily ), the filtered ports disappeared.
Great ... Thanks again... both of you.
Posting Permissions
Reply With Quote
Bookmarks