[ale] Comments sought on port scan

Jonathan Rickman infosec at alltel.net
Thu Dec 21 19:03:28 EST 2000


On Thu, 21 Dec 2000, John Mills wrote:

> Jonathan -
> 
> I started with 'pmfirewall' and seem to be getting some results, but not
> what I expect.
> 
> On Tue, 12 Dec 2000, Jonathan Rickman wrote:
> > [jonathan at abacus jonathan]$ nmap 192.168.0.254
> > 
> > Starting nmap V. 2.53 by fyodor at insecure.org ( www.insecure.org/nmap/ )
> > Interesting ports on gate2 (192.168.0.254):
> > (The 1521 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 
> > Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds
> 
> Are you running X11 and the printer port in this host? I added 515
> (printer) to the denied ports in my 'pmfirewall.rules.local' and when I
> scan from a remote host, a number of ports (including 515) are reported as
> "filtered", _even_ when they which do not show in-use at all on an
> internal scan.

That particular host does not use pmfirewall. When I posted that I was
referring to the sendmail configuration. The "stealthiness" is due to the
fact that there are no services bound to the external adaptor, therefore
it doesn't use input rules...nothing to connect to...nothing to block. The
quote above shows the internal interface which has only those 2 services
running, same deal there. No input rules, ssh and sendmail are started by
inetd and the /etc/hosts.allow [deny] takes care of the internal security.
The default forward policy is set to deny, with rules allowing all traffic
from the private LAN to pass through MASQ'ed. Everything from the external
net is denied. The system is basically an email gateway. Fetchmail is used
to get the incoming mail from an external pop3 server and forward it to an
Exchange box behind the gateway. As you can see, this machine has very
limited capabilities but it serves its purpose, protecting the Exchange
box from the big bad Internet.

> I notice that 'gnome' seems to use a goodly number of ports around
> [1024...] (which also scan as "filtered") which I assume have no need of
> an outside interface.

I'm a Blackbox user, it's been awhile since I played with Gnome...so I
can't be of much assistance there.

> I hypothesize these ports appear in the rules, and that has made them
> visible in their 'denial' behavior. Is that a likely explanation? If I
> remove them from the 'pmfirewall' default list they might then disappear.
> Easy to try, anyway.

That is exactly the case...try changing the rules to deny instead of
reject first though. That makes most of them vanish.

> I'm going through the IPCHAINS-HOWTO-4 and haven't yet understood how the
> rules accumulate and interrelate on a chain. I expect I'll get there,
> because that writeup, Bob's book, and the Linux Firewalls book all come at
> this, but I am not effective yet.

It takes time...

> Should I be able to completely conceal a port used only internally from an
> external scan of 'eth0' on the box?

Yes, there are 2 ways. First, try tweaking the configs for the particular
service. For example...Bind, Sendmail, and ssh all allow binding to
specific interfaces. Second, use '-j DENY' as opposed to '-j REJECT' for
the port in question. CAUTION: Doing this on all ports can cause problems
for the machine scanning you. If this is a bad guy...great. If it's you
checking out your system...bad. Nmap generally does ok, but some other
scanners can crash.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
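As an added illustration of the points made in the reply above (the "filtered" versus "closed" distinction, '-j DENY' versus '-j REJECT', binding a daemon to one interface, and hosts.allow handling the rest), here is a small Python model of what a scanner gets back from a host set up the way the gateway is described. It is not part of the original thread, of pmfirewall or of nmap; the addresses, the port list, the 515/6000 rules and the hosts.allow prefix are all constructed for the example.

```python
"""Constructed model of what a port scanner sees for each of the choices
discussed in the thread: no input rule, ipchains '-j REJECT', ipchains
'-j DENY', binding a daemon to one interface, and tcp_wrappers access
control.  Addresses, ports, rules and hosts.allow entries are made up."""

from dataclasses import dataclass
from typing import Dict, List, Optional

EXTERNAL = "203.0.113.10"   # constructed: address on eth0, Internet side
INTERNAL = "192.168.0.254"  # constructed: address on the private LAN
LAN_PEER = "192.168.0.17"   # constructed: a client on the private LAN


@dataclass
class Service:
    name: str
    bind_addr: Optional[str] = None     # None: listens on every interface
    allow_from: Optional[str] = None    # hosts.allow prefix; None: not wrapped


@dataclass
class Host:
    services: Dict[int, Service]        # port -> daemon listening there
    rules: Dict[int, str]               # port -> "DENY" or "REJECT" input rule

    def answer_syn(self, dst_addr: str, port: int) -> Optional[str]:
        """What the kernel sends back for a SYN aimed at dst_addr:port."""
        rule = self.rules.get(port)
        if rule == "DENY":
            return None                  # dropped silently, nothing sent
        if rule == "REJECT":
            return "ICMP-unreachable"    # ipchains REJECT answers with ICMP
        svc = self.services.get(port)
        if svc is None or (svc.bind_addr and svc.bind_addr != dst_addr):
            return "RST"                 # no socket listening on that address
        return "SYN-ACK"                 # handshake completes, even if wrapped


def classify(reply: Optional[str]) -> str:
    """Scanner-side label for one reply.  Silence is the ambiguous case:
    the thread describes the scanners of the day leaving such ports out of
    the listing, while current nmap reports them as 'filtered' after retries."""
    return {"SYN-ACK": "open", "RST": "closed",
            "ICMP-unreachable": "filtered", None: "no-response"}[reply]


def scan(host: Host, dst_addr: str, ports: List[int]) -> Dict[int, str]:
    return {p: classify(host.answer_syn(dst_addr, p)) for p in ports}


def visible_ports(result: Dict[int, str]) -> List[int]:
    """Ports that give the scanner something to print: an answer other
    than a plain RST, or silence."""
    return sorted(p for p, s in result.items() if s in ("open", "filtered"))


def session_outcome(host: Host, src_addr: str, dst_addr: str, port: int) -> str:
    """Past the handshake: tcp_wrappers consults hosts.allow/hosts.deny only
    after accept(), so a denied client has already seen the port as open."""
    state = classify(host.answer_syn(dst_addr, port))
    if state != "open":
        return state
    svc = host.services[port]
    if svc.allow_from and not src_addr.startswith(svc.allow_from):
        return "open-then-closed-by-wrapper"
    return "connected"


def with_rule(host: Host, port: int, action: str) -> Host:
    """Copy of host with the input rule for one port changed."""
    return Host(dict(host.services), {**host.rules, port: action})


# The gateway as the thread describes it: ssh and smtp reachable only on
# the internal address and wrapped by hosts.allow, nothing bound on eth0.
# The printer port and an X11 port carry explicit rules for illustration.
GATEWAY = Host(
    services={
        22: Service("ssh", bind_addr=INTERNAL, allow_from="192.168.0."),
        25: Service("smtp", bind_addr=INTERNAL, allow_from="192.168.0."),
        515: Service("printer"),
    },
    rules={515: "REJECT", 6000: "DENY"},
)
PORTS = [22, 25, 80, 515, 6000]

if __name__ == "__main__":
    for label, addr in (("internal", INTERNAL), ("external", EXTERNAL)):
        result = scan(GATEWAY, addr, PORTS)
        print(label, result, "listed:", visible_ports(result))
    quiet = with_rule(GATEWAY, 515, "DENY")
    print("515 with DENY, external:", visible_ports(scan(quiet, EXTERNAL, PORTS)))
    print("wrapped ssh, wrong subnet:",
          session_outcome(GATEWAY, "192.168.1.5", INTERNAL, 22))
```

Run as-is it shows the internal scan listing 22, 25 and 515 (the two wrapped services plus the REJECTed printer port), the external scan listing only 515, and the external listing emptying once 515 is switched to DENY. The wrapper case is the caveat to keep in mind: hosts.allow decides after the TCP handshake, so it controls who gets a session, not whether the port shows up as open.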
