Newbie Scan Challenge

[Aftiel]

I am posting this as an exercise for Folks who are very new, and are just getting into ports, security, etc.

Please Friends, I know there are some here who could write a thesis on the the scan log below, but please refrain.

I offer this to our posters here who have asked about how to port scan, what does it mean, etc.

The Challenge:

Below is an actual nmap scan.

The address has been removed as it matters not.

You are given this scan and asked to assess it in terms of potential problems, as well as recommendations.

Please post your observations in two parts:

1. What are your initial observations? (i.e. "port xxxx is open and I don't think it should be")

2. What are your recommendations? (i.e. close port xxxx, disable service xxxx, etc.)


-------------------------------------------- SCAN LOG BELOW --------------------------------------------------


Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Interesting ports on xxxxxx.xxxx.xxx (xxx.xxx.xx.xxx):
(The 1116 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
75/tcp filtered priv-dial
80/tcp open http
135/tcp filtered loc-srv
139/tcp open netbios-ssn
147/tcp filtered iso-ip
208/tcp filtered at-8
443/tcp open https
447/tcp filtered ddm-dfm
487/tcp filtered saft
528/tcp filtered custix
535/tcp filtered iiop
560/tcp filtered rmonitor
582/tcp filtered scc-security
596/tcp filtered smsd
999/tcp filtered garcon
1027/tcp open IIS
1110/tcp filtered nfsd-status
1380/tcp filtered telesis-licman
1426/tcp filtered sas-1
1433/tcp open ms-sql-s
1989/tcp filtered tr-rsrb-p3
2000/tcp open callbook
2001/tcp open dc
2025/tcp filtered ellpack
2028/tcp filtered submitserver
2034/tcp filtered scoremgr
2232/tcp filtered ivs-video
3999/tcp filtered remoteanything
4132/tcp filtered nuts_dem
5191/tcp filtered aol-1
12345/tcp filtered NetBus
13709/tcp filtered VeritasNetbackup
32770/tcp filtered sometimes-rpc3
Remote OS guesses: Baystack Instant Internet 400 SoHo Router, NetScreen-100, FreeBSD 4.0-20000208-CURRENT, Linux 1.3.20 (X86), Solaris 2.5, 2.5.1, Solaris 2.6 - 7 (SPARC), Solaris 2.6 - 7 X86, Solaris 2.6

Nmap run completed -- 1 IP address (1 host up) scanned in 49 seconds

------------------------------------ END OF SCAN ---------------------------------------------------

.: Aftiel

[zigzag_8336]

(1) Ports are open that should not be. (2) Close all ports that are not vital and get a firewall that will cloak these ports.

[Aftiel]

Which ports are open that should not be?

How can we tell that open ports are not already cloaked? (or can we?)

.: Aftiel

[Aftiel]

rotfl - Definitely true.

Now that a Senior Member has weighed in, let's have some truly new Folks see if they can expand on this even farther.


Another question for the Challenge:

What is meant by a "filtered" port? What do you think that repesents?


.: Aftiel

[n01100110]

If your using the services, and are staying up to date with updates and vulnerabilities for that particular daemon then you should decrease the worrying level a little bit..But I don't know your internal policies of that particular system, or if it is in a dmz or what the tcp wrapper settings look like..Plus I don't know what ftpd your using or what sql..So unless you have absolutely no use for ftp, then it should definetely be closed..Renaming the port won't work, however because skiddie tools now a days can pretty much find any server on any port... Correct me on the answer if you will, but I have never heard of dc or callbook..Some googling is in order..So what it somes down to is turn off ftp definetely if you don't need it, turn off sql unless you need it...IIS ?

[FrameWork]

Filtered means there is probably a firewall dropping the packets to that port. You really don't know whether that port is closed/listening or not though.

Correct?!

[n01100110]

Yes, filtered means that some kind of firewall is in place (iptables in this case) whether it be zone alarm or whatever...lol yea I did kind of give it a funny look when I saw netbus sitting there....

[Aftiel]

Excellent observations.

IIS = has been exploited more times than I can count. Endless patches. That would be a prime target for a hacker.

By the way, this is not one of my machines, nor is it on a network I am responsible for. This was a blind scan on an .edu (big surprise.)

Bah! these Senior Members chiming in with the in-depth stuff -- no fair!! -

Filtered as I have seen it means that yes, the packets are being dropped, OR the port is filtered to permit only a certain IP Block.

BONUS QUESTION:

Is there any way to tell if this server is behind a firewall from looking at the scan?

.: Aftiel

[FrameWork]

BONUS QUESTION:

Is there any way to tell if this server is behind a firewall from looking at the scan?

Aren't the ports with the filtered state an indication that this is the case?

[Maestr0]

Actually nmap returns 'filtered' when the packets are explicity 'rejected' by the server(or en route),while 'dropping' the packets will not return any reply and subsequently the port will not be logged by the scanner. It is more common to find 'filtered' ports on routers and other older network devices and OS's as it is becoming increasingly common for firewalls to simply 'drop' the packets because even rejects cause the server to process the packets as well as create unneccesary traffic which can result in a DoS. Although some times perimeter firewalls reject packets to many commonly exploited ports in an attempt to discourage kiddies from scanning their subnet (once the attacker sees the packets will all be rejected)

-Maestr0