nmap results

  1. #1
    Member | Join Date: Dec 2001 | Posts: 84

    nmap results

    I'm new to linux and I'm trying to make my box as secure as I can......I ran nmap against my ip and got this result..
    (The 1597 ports scanned but not shown below are in state: closed)
    Port State Service
    111/tcp open sunrpc
    631/tcp open ipp
    6000/tcp open X11
    10000/tcp open snet-sensor-mgmt

    I also ran an online scan at http://scan.sygatetech.com and got these results......
    web port 80 closed
    ident port 113 closed
    location service port 135 closed
    These were the only ports that weren't stealthed according to their scan.

    I have no idea what sunrpc, ipp, x11 and snet-sensor-mgmt are.
    How bad is this? and what can I do to make it more secure?
    You can't squeeze cheese from a goat before it's hatched.............

  2. #2
    Senior Member | Join Date: May 2002 | Posts: 450

    Let's see how I go ....

    Port 111 - generally is the Sun RPC (rpcbind, portmapper) service on your system. Courtesy of a Google search: "Many services based on Remote Procedure Call (RPC; defined in [Sr95a]) do not listen for requests on a 'well-known' port, but rather pick an arbitrary port when initialized. They then register this port with a Portmapper service running on the same machine. Only the Portmapper needs to run on a well-known port; when clients want access to the service, they first contact the Portmapper, and it tells them which port they should then contact in order to reach the service."

    Port 631 - generally used for print service CUPS ... on my machine if I connect to port 631 (when enabled) I get the CUPS admin page for setting up the print server ...

    Port 6000 - generally the X Session - the GUI (Screen) you are looking at, this can easily be disabled from listening on tcp port 6000 by issuing the command "startx -nolisten tcp" when kicking off from run level 3.

    Do a Google on "startx nolisten tcp" and there is an abundance of information on where to put things in your config files to ensure it doesn't listen when fired up. With linux there is a multitude of ways of doing the same thing, quick search will set you right for your version of linux.

    Port 10000 - generally used by webmin (snet-sensor-mgmt), a handy web based interface to mess with the inner workings of your linux box either on the machine itself or if allowed by one of the machines on the LAN or even remotely (this last one is probably not a good idea). Be careful when playing with webmin, a mistake in here can ruin your day as it is running as the superuser (root).

    If your results with an online firewall scan are closed and not stealthed it probably means the default setting on your firewall is to "deny" or "reject" the packet as opposed to "drop" ... bit of research here will set things right also ....

    I think I am half way on the money with these.

    With linux you are not on your own, there are many, many out there willing to help, but the best way to learn is to read and get in there and play with it !! As I have done, you may probably "hose" the system a few times but you soon learn the "do's" and "don'ts" - but don't give up on it - once running smoothly it's a great OS to play with.

    I don't know what distro you are using but on my Mandrake 9.1 I dumped the shorewall firewall (default supplied by Mandrake) and grabbed gShield (http://muse.linuxmafia.org/gshield.html) ... small 47kb tarball ... unpacked it in a directory I created /etc/firewall and then just edited the well documented gShield.conf file ... then copied (not moved) the gShield.rc to /etc/init.d/gshield and fired it up with a "service gshield start" then to ensure it kicked in when the modem fires up ... I simply created an executable file /etc/ppp/ip-up.local and put /etc/firewall/gShield.rc start on the first line and saved ... now when the modem bursts into life the firewall comes up without me having to think about it. With this I am stealthed across the board !!

    Regards,

    PP
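
Added example (not part of the original thread): a minimal Python check, meant for your own machine, of the "closed" versus "stealthed" distinction described in post #2. The function names and the loopback-only demo are assumptions made for illustration.

```python
import socket


def classify_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan sees it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"        # an answer came back (no listener, or a firewall
                               # that rejects), so the host is visibly there
    except socket.timeout:
        return "filtered"      # no answer at all: the packet was dropped,
                               # which the online scan reports as "stealthed"
    except OSError:
        return "unreachable"   # any other network error
    finally:
        s.close()


def demo():
    """Loopback-only demonstration using two sockets created here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # kernel picks a free port
    listener.listen(1)

    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only.bind(("127.0.0.1", 0))    # port reserved, nothing listening

    try:
        return {
            "listening": classify_port("127.0.0.1", listener.getsockname()[1]),
            "no listener": classify_port("127.0.0.1", bound_only.getsockname()[1]),
        }
    finally:
        listener.close()
        bound_only.close()


if __name__ == "__main__":
    print(demo())
```

The "filtered" branch cannot be shown on loopback without a firewall rule; it is what the same probe returns once the firewall drops the packet instead of answering it.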

  3. #3
    Member | Join Date: Dec 2001 | Posts: 84

    Thank you very much Phat_Penguin...I was able to shut down those ports and my new nmap scan shows...
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    All 1601 scanned ports on ip182.xxx.mynet.net (64.xxx.xx.xxx) are: closed
    Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

    I really appreciate the reply, as I said I'm new to Linux and I'm glad that someone is willing to take the time to help me out without treating me like an idiot.
    You can't squeeze cheese from a goat before it's hatched.............

  4. #4
    Senior Member | Join Date: May 2002 | Posts: 450

    Old Man,

    Glad you got it sorted, nice warm feeling being stealthed - but that isn't the end of it - lots of reading and tweaking can be done to lock the box down tighter - but that's why you're here, right ? - there are some really good people here with a wealth of knowledge on *nix and its security implications.

    I see you have been here a long time with so few posts - I guess reading is your strong point

    Don't be shy and fire away with your questions and I am sure someone will help you answer it - we all had to start somewhere and there is no benefit in making anyone feel like an idiot.

    Welcome to the world of *nix

    PS: If you get a chance to reply - did you end up trying out gShield ?
