nmap interpretation help needed
I would like to learn the basics of nmap for now, to make my PC more
secure. OK, so I ran nmap on my main PC's IP address off my router/LAN, and
got the results below. I know what the ssh, ipp (CUPS) and nessus ports are for,
but I am puzzled as to the validity/usage of the other ports. Do I need
smtp (mail) if I use my KMail client? What is rpcbind for? cvspserver?
sun-answerbook? I want to close down any ports not really needed that
could be security vulnerabilities. Any help appreciated. Thank you.
[root@localhost beowulf]# nmap -O -sS 192.168.1.100
Starting nmap 3.81 ( [url]http://www.insecure.org/nmap/[/url] ) at 2006-11-
Interesting ports on (192.168.1.100):
(The 1656 ports scanned but not shown below are in state: closed
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
1241/tcp open  nessus
2401/tcp open  cvspserver
8888/tcp open  sun-answerbook
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-
Uptime 0.103 days (since Sun Nov 26 10:59:01 2006)
Nmap finished: 1 IP address (1 host up) scanned in 2.126 seconds
[root@localhost beowulf]#
Re: nmap interpretation help needed
Beowulf wrote:
> [root@localhost beowulf]# nmap -O -sS 192.168.1.100
Depending on your iptables rules, what you get as a result from the inside
won't necessarily be the same as what you would get from the outside of your network.
> 111/tcp open rpcbind
www.freesoft.org/CIE/RFC/1833/2.htm
> 1241/tcp open nessus
www.nessus.org
> 2401/tcp open cvspserver
www.taursys.com/howto/cvs
> 8888/tcp open sun-answerbook
http://diuf.unifr.ch/people/yoois/personal/Classifier/NetworkServiceClassification.txt
//Aho
Re: nmap interpretation help needed
On Sun, 26 Nov 2006 21:07:52 +0100, J.O. Aho inscribed to the world:
>> 111/tcp open rpcbind
> www.freesoft.org/CIE/RFC/1833/2.htm
Ok I visited that website, I humbly admit I am clueless as to
what rpcbind is all about-- can anybody toss me a bone?
What type of software app on my system is using port 111 and
can I disable it?
>> 2401/tcp open cvspserver
> www.taursys.com/howto/cvs
I must have installed some CVS server program app at some time.
I am guessing I can disable this server in my system services
as I have no need of a cvs server program.
>> 8888/tcp open sun-answerbook
> http://diuf.unifr.ch/people/yoois/personal/Classifier/NetworkServiceClassification.txt
8888 sun-answerbook looks to perhaps be for some streaming music app I
have installed?
Re: nmap interpretation help needed
Port 111, the rpc portmapper, is used by the network file system (NFS) and
a few other services that make remote procedure calls. If you don't
use NFS, you likely won't require it, or you can bind it to 127.0.0.1
and not make it externally available. You can run:
rpcinfo -p
to see what is using the portmapper.
You can also find the process that is using a port by running lsof
commands similar to the following:
lsof -i TCP:25 # Find the program that has TCP port 25 open.
lsof -i UDP:bootpc
lsof -i UDP:68 # the port number for bootpc
No services are required on a basic Linux system. You might want SSH
for external access if your system is to be accessed remotely. The rest
are based on your particular requirements.
Doug
--
For UNIX, Linux and security articles
visit http://SecurityBulletins.com/
Re: nmap interpretation help needed
If you do use sshd you should think about putting it on a different port
and securing it by tuning your configuration file. This has been
discussed ad nauseam by this group and you can probably find tons of
suggestions if you google ssh security.
Doug Spencer wrote:
> Port 111, the rpc portmapper, is used by network file system (NFS) and
> a few others services that make remote procedure calls. If you don't
> use NFS, you likely won't require it, or you can bind it to 127.0.0.1
> and not make it externally available. You can run:
>
> rpcinfo -p
>
> to see what is using the portmapper.
>
> You can also find the process that is using a port by running lsof
> commands similar to the following:
>
> lsof -i TCP:25 # Find the program that has TCP port 25 open.
> lsof -i UDP:bootpc
> lsof -i UDP:68 # the port number for bootpc
>
> No services are required on a basic Linux system. You might want SSH
> for external access if your system is to be accessed remotely. The rest
> are based on your particular requirements.
>
> Doug
--
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
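Barton's advice above is to move sshd and "tune the configuration file"; the thread later adds that sshd is listening on every address (IPv4 and IPv6), that access should be restricted to the addresses you actually connect from, and that you need not run sshd at all if you only ssh out. The fragment below is an added example of what that tuning looks like in sshd_config; it is not from any poster in the thread. The LAN address 192.168.1.100 and the account name beowulf come from the prompts and output quoted in the thread; the port number 2222 and the timeout values are arbitrary illustrations.

```text
# Added example: sshd_config before/after, not from the thread.
# 192.168.1.100 and "beowulf" are taken from the thread's own output;
# 2222 and the timeouts below are illustrative values.

# Before (typical defaults on an install of this era): the daemon listens
# on every address, root may log in directly, and passwords are accepted.
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
#PasswordAuthentication yes

# After: bind only to the LAN address, so the daemon is unreachable on
# any other interface regardless of what the firewall does.
ListenAddress 192.168.1.100

# A non-default port keeps automated scanners out of the logs; it is not
# a security control on its own (nmap -p 1-65535 still finds it).
Port 2222

# Keys only; no direct root logins.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Only this account may log in, and only from the LAN.
AllowUsers beowulf@192.168.1.*

# Limit how long an unauthenticated connection and how many guesses
# a single connection may consume, and drop dead sessions.
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
```

Two caveats from the thread's own netstat output: the machine runs dhclient, so a fixed ListenAddress only works while the lease keeps handing out 192.168.1.100 (pin the address in the router or use a static address); and once the port changes, rerun the nmap check against the full range, since the default port list will no longer show sshd at all.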
Re: nmap interpretation help needed
On Sun, 26 Nov 2006, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2006.11.26.19.40.10.151078@wayoftheancients.trail>, Beowulf wrote:
>I would like to learn the basics of nmap for now to make my PC more
>secure.
nmap is one tool of many
>Interesting ports on (192.168.1.100):
>(The 1656 ports scanned but not shown below are in state: closed
^^^^^^^^^^
That's out of 131072 ports (65536 UDP and 65536 TCP). The place to
start is actually 'netstat -anptu' which shows all ports, and the
process that has the port open. See, nmap only knows what it sees
out there, and is guessing - for example:
>8888/tcp open sun-answerbook
I _really_ doubt you are running Sun's AnswerBook (an online man page
supplement). And in your answer to 'J.O. Aho' you think it might be some
streaming music application. 'netstat' will show for sure.
Once you have the netstat data digested, then you can look at the nmap
testing from some other system (not the loopback), and tell it to look at
_all_ ports to see if there might be something running under the covers.
Be careful if you are running a reactive firewall, as a full range nmap
scan may cause alarm bells like there is no tomorrow.
>I want to close down any ports not really needed that could be security
>vulnerabilities. Any help appreciated.
A bit dated, but have you looked at the Security-Quickstart HOWTOs?
-rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO
-rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO
The Red Hat version includes stuff like xinetd, and some Red Hat specifics.
Old guy
Re: nmap interpretation help needed
On Mon, 27 Nov 2006 18:34:07 -0600, Moe Trin inscribed to the world:
....
> The place to
> start is actually 'netstat -anptu' which shows all ports, and the
> process that has the port open. See, nmap only knows what it sees
> out there, and is guessing - for example:
>
>>8888/tcp open sun-answerbook
>
> I _really_ doubt you are running Sun's AnswerBook (an online man page
> supplement). And in your answer to 'J.O. Aho' you think it might be some
> streaming music application. 'netstat' will show for sure.
netstat is awesome-- see output below, it does tell some interesting
things that nmap does not. I need to learn to use various tools like these
to monitor my LAN for security. Thank you for the tip! port 8888 indeed
turned out to simply be xinetd not anything to do with sun or streaming
music!
[beowulf@localhost ~]$ su
Password:
[root@localhost beowulf]# netstat -anptu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      3752/hts
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2451/portmap
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      3660/privoxy
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      3357/mDNSResponder
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      2581/cupsd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      3524/xinetd
tcp        0      0 0.0.0.0:1241            0.0.0.0:*               LISTEN      3685/nessusd: waiti
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3789/tor
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN      3826/lisa
tcp        0      0 :::22                   :::*                    LISTEN      3471/sshd
udp        0      0 0.0.0.0:7741            0.0.0.0:*                           3826/lisa
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3285/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3072/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3357/mDNSResponder
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2451/portmap
[root@localhost beowulf]#
Re: nmap interpretation help needed
On Mon, 27 Nov 2006, in the Usenet newsgroup alt.os.linux, in article
<pan.2006.11.28.01.51.34.116106@wayoftheancients.trail>, Beowulf wrote:
>netstat is awesome-- see output below, it does tell some interesting
>things that nmap does not. I need to learn to use various tools like
>these to monitor my LAN for security. Thank you for the tip!
As you are running xinetd, see that Security-Quickstart-Redhat-HOWTO. It
has some very good clues as well.
>port 8888 indeed turned out to simply be xinetd not anything to do with
>sun or streaming music!
You'll have to look at xinetd and see what it's got the port open for.
[Edited for space and context]
>Active Internet connections (servers and established)
>Proto  Local Address     Foreign Address   State   PID/Program name
>tcp    127.0.0.1:7777    0.0.0.0:*         LISTEN  3752/hts
>tcp    127.0.0.1:8118    0.0.0.0:*         LISTEN  3660/privoxy
>tcp    127.0.0.1:5335    0.0.0.0:*         LISTEN  3357/mDNSResponder
>tcp    127.0.0.1:9050    0.0.0.0:*         LISTEN  3789/tor
These are no biggy, as they are only listening on the loopback.
>tcp    0.0.0.0:111       0.0.0.0:*         LISTEN  2451/portmap
>tcp    0.0.0.0:631       0.0.0.0:*         LISTEN  2581/cupsd
>tcp    0.0.0.0:8888      0.0.0.0:*         LISTEN  3524/xinetd
>tcp    0.0.0.0:1241      0.0.0.0:*         LISTEN  3685/nessusd: waiti
>tcp    0.0.0.0:7741      0.0.0.0:*         LISTEN  3826/lisa
>udp    0.0.0.0:68        0.0.0.0:*                 3285/dhclient
>udp    0.0.0.0:68        0.0.0.0:*                 3072/dhclient
>udp    0.0.0.0:5353      0.0.0.0:*                 3357/mDNSResponder
>udp    0.0.0.0:111       0.0.0.0:*                 2451/portmap
These are of more concern, because they are accepting connections from the
entire world. Be sure that your firewall to the world prevents ALL access
to these. (I don't know about you, but I see no reason to share my printer
with the Internet - never mind portmapper. But then, some think me selfish.)
>tcp    :::22             :::*              LISTEN  3471/sshd
Here, you have sshd listening to everything (IPv4 and IPv6). Again, I
simply see no need for that openness. If you want to do this, that's
fine, but you'd better protect it with the firewall, restricting access
to those addresses where you may actually have a specific need to connect
from.
I also don't allow my systems to go walkies, so I don't need DHCP, and
thus I don't need the mDNS security problems.
Old guy
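Moe Trin's two posts make one point twice: nmap's SERVICE column is a lookup of the port number in its services table, so "sun-answerbook" is a guess, while netstat -anptu shows the real owning process and, just as importantly, which address each socket is bound to (127.0.0.1 versus 0.0.0.0 versus ::). The script below is an added example, not from any poster in the thread, that does that comparison mechanically. The netstat and nmap text embedded in it is a constructed copy of the output quoted in the thread. It assumes the Linux net-tools netstat column layout, and it assumes the kernel default in which a wildcard IPv6 socket (::) also accepts IPv4 connections, which is why Moe reads ":::22" as "everything". Two things fall out of the thread's own numbers: ports 25 and 2401, which nmap called open, have no listener in the netstat snapshot (the thread never says why), and lisa on 7741/tcp is bound to 0.0.0.0 but was never reported by the default nmap scan, which is exactly the reason for Moe's advice to scan all ports.

```python
from dataclasses import dataclass

# Constructed sample input: the netstat -anptu output quoted in the thread.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      3752/hts
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2451/portmap
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      3660/privoxy
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      3357/mDNSResponder
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      2581/cupsd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      3524/xinetd
tcp        0      0 0.0.0.0:1241            0.0.0.0:*               LISTEN      3685/nessusd: waiti
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3789/tor
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN      3826/lisa
tcp        0      0 :::22                   :::*                    LISTEN      3471/sshd
udp        0      0 0.0.0.0:7741            0.0.0.0:*                           3826/lisa
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3285/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3072/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3357/mDNSResponder
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2451/portmap
"""
# nmap's open TCP ports from the thread, with the SERVICE names it guessed.
NMAP_OPEN_TCP = {22: "ssh", 25: "smtp", 111: "rpcbind", 631: "ipp",
                 1241: "nessus", 2401: "cvspserver", 8888: "sun-answerbook"}


@dataclass
class Socket:
    proto: str     # tcp/udp (net-tools may also print tcp6/udp6)
    addr: str      # local address the socket is bound to
    port: int
    state: str     # "LISTEN" for TCP listeners, "" for UDP
    pid: str       # "-" when netstat was run without root
    program: str


def parse_netstat(text: str) -> list[Socket]:
    """Parse the socket rows of Linux net-tools `netstat -anptu` output."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue  # the two header lines
        # UDP rows have no State column, so PID/Program shifts left by one;
        # program names can contain spaces ("nessusd: waiti"), so rejoin.
        if parts[0].startswith("tcp"):
            state, prog = parts[5], " ".join(parts[6:])
        else:
            state, prog = "", " ".join(parts[5:])
        addr, port = parts[3].rsplit(":", 1)  # ":::22" -> ("::", "22")
        pid, _, name = prog.partition("/")
        sockets.append(Socket(parts[0], addr, int(port), state, pid, name or "-"))
    return sockets


def bind_scope(addr: str) -> str:
    """Who can reach a socket bound to this address."""
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    if addr == "0.0.0.0":
        return "all-ipv4"
    if addr == "::":
        # Assumes the Linux default net.ipv6.bindv6only=0, under which a
        # wildcard IPv6 socket also accepts IPv4 (hence no 0.0.0.0:22 row).
        return "all-ipv4+ipv6"
    return "specific"


def correlate(nmap_open: dict[int, str], sockets: list[Socket]) -> dict:
    """Match nmap's open TCP ports to netstat's non-loopback TCP listeners.

    matched:      port -> (nmap's guessed service, program netstat saw)
    nmap_only:    nmap called it open but nothing listens in this snapshot
                  (service stopped between runs, or the scan hit another host)
    netstat_only: exposed listeners nmap never reported, i.e. ports outside
                  its default list; rescan with -p 1-65535 to cover these
    """
    listeners = {s.port: s for s in sockets if s.proto.startswith("tcp")
                 and s.state == "LISTEN" and bind_scope(s.addr) != "loopback"}
    return {
        "matched": {p: (n, listeners[p].program) for p, n in nmap_open.items()
                    if p in listeners},
        "nmap_only": sorted(p for p in nmap_open if p not in listeners),
        "netstat_only": sorted(p for p in listeners if p not in nmap_open),
    }


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_OUTPUT)
    for s in socks:
        print(f"{s.proto:3} {s.addr:>9}:{s.port:<5} {bind_scope(s.addr):14} {s.program}")
    r = correlate(NMAP_OPEN_TCP, socks)
    for port, (guess, real) in sorted(r["matched"].items()):
        print(f"{port}/tcp: nmap guessed {guess!r}, netstat shows {real}")
    print("nmap open but no listener now:", r["nmap_only"])
    print("listening but outside nmap's default port list:", r["netstat_only"])
```

On a live system, replace the embedded string with the output of `netstat -anptu` run as root (without root the PID/Program column reads "-"), and run the nmap side from a different host with `-p 1-65535` and `-sU` as well, since the UDP listeners here (portmap, mDNSResponder, lisa, dhclient) never show up in a `-sS` scan at all. Anything in `netstat_only` is a service the default scan silently missed; anything bound to 0.0.0.0 or :: that you cannot explain is the list to work through, either by stopping the service or by rebinding it to 127.0.0.1 as the thread goes on to suggest.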
Re: nmap interpretation help needed
["Followup-To:" header set to alt.os.linux.]
Moe Trin <ibuprofin@painkiller.example.tld>:
> On Mon, 27 Nov 2006, in the Usenet newsgroup alt.os.linux, in article
> <pan.2006.11.28.01.51.34.116106@wayoftheancients.trail>, Beowulf wrote:
>
> >netstat is awesome-- see output below, it does tell some interesting
> >things that nmap does not. I need to learn to use various tools like
> >these to monitor my LAN for security. Thank you for the tip!
>
> As you are running xinetd, see that Security-Quickstart-Redhat-HOWTO. It
> has some very good clues as well.
>
> >port 8888 indeed turned out to simply be xinetd not anything to do with
> >sun or streaming music!
>
> You'll have to look at xinetd and see what it's got the port open for.
>
> [Edited for space and context]
I'm trying the same. <Erg. Ugh.>
> >Active Internet connections (servers and established)
> >Proto  Local Address     Foreign Address   State   PID/Program name
> >tcp    127.0.0.1:7777    0.0.0.0:*         LISTEN  3752/hts
>
> These are no biggy, as they are only listening on the loopback.
>
> >tcp    0.0.0.0:111       0.0.0.0:*         LISTEN  2451/portmap
> >tcp    0.0.0.0:631       0.0.0.0:*         LISTEN  2581/cupsd
> >tcp    0.0.0.0:8888      0.0.0.0:*         LISTEN  3524/xinetd
> >tcp    0.0.0.0:1241      0.0.0.0:*         LISTEN  3685/nessusd: waiti
> >tcp    0.0.0.0:7741      0.0.0.0:*         LISTEN  3826/lisa
> >udp    0.0.0.0:68        0.0.0.0:*                 3285/dhclient
> >udp    0.0.0.0:68        0.0.0.0:*                 3072/dhclient
> >udp    0.0.0.0:5353      0.0.0.0:*                 3357/mDNSResponder
> >udp    0.0.0.0:111       0.0.0.0:*                 2451/portmap
>
> These are of more concern, because they are accepting connections from the
> entire world. Be sure that your firewall to the world prevents ALL access
Note on Debian, I have /etc/default/portmap:
# By default listen on all interfaces
OPTIONS="-i 127.0.0.1"
Your distro may have this?
> to these. (I don't know about you, but I see no reason to share my printer
> with the Internet - never mind portmapper. But then, some think me selfish.)
:-)
> >tcp    :::22             :::*              LISTEN  3471/sshd
>
> Here, you have sshd listening to everything (IPv4 and IPv6). Again, I
> simply see no need for that openness. If you want to do this, that's
> fine, but you'd better protect it with the firewall, restricting access
> to those addresses where you may actually have a specific need to connect
> from.
Or don't run sshd if you only ssh out.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
Spammers! http://www.spots.ab.ca/~keeling/emails.html
Re: nmap interpretation help needed
["Followup-To:" header set to alt.os.linux.]
Moe Trin enlightened us with:
> These are of more concern, because they are accepting connections
> from the entire world. Be sure that your firewall to the world
> prevents ALL access to these.
I'd even go further and change the configuration so that they don't
even listen on the outside interface, if possible. That way you won't
even need to firewall those ports.
Sybren
--
Sybren Stüvel
Stüvel IT - http://www.stuvel.eu/