nmap interpretation help needed - Security



Thread: nmap interpretation help needed

  1. nmap interpretation help needed

    I would like to learn the basics of nmap for now to make my PC more
    secure. Ok so I ran nmap on my main PC ip address off my router/LAN, and
    got the results below. I know what ssh, ipp (CUPS), nessus ports are for,
    but I am puzzled as to the validity/usage of the other ports. Do I need
    smtp (mail) if I use my kmail client? What is rpcbind for? cvspserver?
    sun-answerbook? I want to close down any ports not really needed that
    could be security vulnerabilities. Any help appreciated. Thank you.

    [root@localhost beowulf]# nmap -O -sS 192.168.1.100
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-
    Interesting ports on (192.168.1.100):
    (The 1656 ports scanned but not shown below are in state: closed
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    111/tcp open rpcbind
    631/tcp open ipp
    1241/tcp open nessus
    2401/tcp open cvspserver
    8888/tcp open sun-answerbook
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X|2.6.X
    OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-
    Uptime 0.103 days (since Sun Nov 26 10:59:01 2006)

    Nmap finished: 1 IP address (1 host up) scanned in 2.126 seconds
    [root@localhost beowulf]#


  2. Re: nmap interpretation help needed

    Beowulf wrote:

    > [root@localhost beowulf]# nmap -O -sS 192.168.1.100


    Depending on your iptables rules, what you get as a result from the inside won't
    necessarily be the same as what you get from the outside of your network.


    > 111/tcp open rpcbind

    www.freesoft.org/CIE/RFC/1833/2.htm

    > 1241/tcp open nessus

    www.nessus.org

    > 2401/tcp open cvspserver

    www.taursys.com/howto/cvs

    > 8888/tcp open sun-answerbook

    http://diuf.unifr.ch/people/yoois/pe...sification.txt



    //Aho

  3. Re: nmap interpretation help needed

    On Sun, 26 Nov 2006 21:07:52 +0100, J.O. Aho inscribed to the world:
    >> 111/tcp open rpcbind

    > www.freesoft.org/CIE/RFC/1833/2.htm


    Ok I visited that website, I humbly admit I am clueless as to
    what rpcbind is all about-- can anybody toss me a bone?
    What type of software app on my system is using port 111 and
    can I disable it?

    >> 2401/tcp open cvspserver

    > www.taursys.com/howto/cvs


    I must have installed some CVS server program app at some time.
    I am guessing I can disable this server in my system services
    as I have no need of a cvs server program.


    >> 8888/tcp open sun-answerbook

    > http://diuf.unifr.ch/people/yoois/pe...sification.txt


    8888 sun-answerbook looks to perhaps be for some streaming music app I
    have installed?


  4. Re: nmap interpretation help needed

    Port 111, the rpc portmapper, is used by network file system (NFS) and
    a few other services that make remote procedure calls. If you don't
    use NFS, you likely won't require it, or you can bind it to 127.0.0.1
    and not make it externally available. You can run:

    rpcinfo -p

    to see what is using the portmapper.

    You can also find the process that is using a port by running lsof
    commands similar to the following:

    lsof -i TCP:25 # Find the program that has TCP port 25 open.
    lsof -i UDP:bootpc
    lsof -i UDP:68 # the port number for bootpc

    No services are required on a basic Linux system. You might want SSH
    for external access if your system is to be accessed remotely. The rest
    are based on your particular requirements.

    Doug

    --
    For UNIX, Linux and security articles
    visit http://SecurityBulletins.com/

  5. Re: nmap interpretation help needed

    If you do use sshd you should think about putting it on a different port
    and securing it by tuning your configuration file. This has been
    discussed ad nauseam by this group and you can probably find tons of
    suggestions if you google ssh security.

    Doug Spencer wrote:
    > Port 111, the rpc portmapper, is used by network file system (NFS) and
    > a few other services that make remote procedure calls. If you don't
    > use NFS, you likely won't require it, or you can bind it to 127.0.0.1
    > and not make it externally available. You can run:
    >
    > rpcinfo -p
    >
    > to see what is using the portmapper.
    >
    > You can also find the process that is using a port by running lsof
    > commands similar to the following:
    >
    > lsof -i TCP:25 # Find the program that has TCP port 25 open.
    > lsof -i UDP:bootpc
    > lsof -i UDP:68 # the port number for bootpc
    >
    > No services are required on a basic Linux system. You might want SSH
    > for external access if your system is to be accessed remotely. The rest
    > are based on your particular requirements.
    >
    > Doug
    >


    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  6. Re: nmap interpretation help needed

    On Sun, 26 Nov 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Beowulf wrote:

    >I would like to learn the basics of nmap for now to make my PC more
    >secure.


    nmap is one tool of many

    >Interesting ports on (192.168.1.100):
    >(The 1656 ports scanned but not shown below are in state: closed

    ^^^^^^^^^^

    That's out of 131072 ports (65536 UDP and 65536 TCP). The place to
    start is actually 'netstat -anptu' which shows all ports, and the
    process that has the port open. See, nmap only knows what it sees
    out there, and is guessing - for example:

    >8888/tcp open sun-answerbook


    I _really_ doubt you are running Sun's AnswerBook (an online man page
    supplement). And in your answer to 'J.O. Aho' you think it might be some
    streaming music application. 'netstat' will show for sure.

    Once you have the netstat data digested, then you can look at the nmap
    testing from some other system (not the loopback), and tell it to look at
    _all_ ports to see if there might be something running under the covers.
    Be careful if you are running a reactive firewall, as a full range nmap
    scan may cause alarm bells like there is no tomorrow.

    >I want to close down any ports not really needed that could be security
    >vulnerabilities. Any help appreciated.


    A bit dated, but have you looked at the Security-Quickstart HOWTOs?

    -rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO
    -rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

    The Red Hat version includes stuff like xinetd, and some Red Hat specifics.


    Old guy

  7. Re: nmap interpretation help needed

    On Mon, 27 Nov 2006 18:34:07 -0600, Moe Trin inscribed to the world:
    ....
    > The place to
    > start is actually 'netstat -anptu' which shows all ports, and the
    > process that has the port open. See, nmap only knows what it sees
    > out there, and is guessing - for example:
    >
    >>8888/tcp open sun-answerbook

    >
    > I _really_ doubt you are running Sun's AnswerBook (an online man page
    > supplement). And in your answer to 'J.O. Aho' you think it might be some
    > streaming music application. 'netstat' will show for sure.


    netstat is awesome-- see output below, it does tell some interesting
    things that nmap does not. I need to learn to use various tools like these
    to monitor my LAN for security. Thank you for the tip! Port 8888 indeed
    turned out to simply be xinetd, not anything to do with Sun or streaming
    music!


    [beowulf@localhost ~]$ su
    Password:
    [root@localhost beowulf]# netstat -anptu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN 3752/hts
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2451/portmap
    tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN 3660/privoxy
    tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 3357/mDNSResponder
    tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 2581/cupsd
    tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 3524/xinetd
    tcp 0 0 0.0.0.0:1241 0.0.0.0:* LISTEN 3685/nessusd: waiti
    tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3789/tor
    tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN 3826/lisa
    tcp 0 0 :::22 :::* LISTEN 3471/sshd
    udp 0 0 0.0.0.0:7741 0.0.0.0:* 3826/lisa
    udp 0 0 0.0.0.0:68 0.0.0.0:* 3285/dhclient
    udp 0 0 0.0.0.0:68 0.0.0.0:* 3072/dhclient
    udp 0 0 0.0.0.0:5353 0.0.0.0:* 3357/mDNSResponder
    udp 0 0 0.0.0.0:111 0.0.0.0:* 2451/portmap
    [root@localhost beowulf]#




  8. Re: nmap interpretation help needed

    On Mon, 27 Nov 2006, in the Usenet newsgroup alt.os.linux, in article
    , Beowulf wrote:

    >netstat is awesome-- see output below, it does tell some interesting
    >things that nmap does not. I need to learn to use various tools like
    >these to monitor my LAN for security. Thank you for the tip!


    As you are running xinetd, see that Security-Quickstart-Redhat-HOWTO. It
    has some very good clues as well.

    >port 8888 indeed turned out to simply be xinetd not anything to do with
    >sun or streaming music!


    You'll have to look at xinetd and see what it's got the port open for.

    [Edited for space and context]

    >Active Internet connections (servers and established)
    >Proto Local Address Foreign Address State PID/Program name
    >tcp 127.0.0.1:7777 0.0.0.0:* LISTEN 3752/hts
    >tcp 127.0.0.1:8118 0.0.0.0:* LISTEN 3660/privoxy
    >tcp 127.0.0.1:5335 0.0.0.0:* LISTEN 3357/mDNSResponder
    >tcp 127.0.0.1:9050 0.0.0.0:* LISTEN 3789/tor


    These are no biggy, as they are only listening on the loopback.

    >tcp 0.0.0.0:111 0.0.0.0:* LISTEN 2451/portmap
    >tcp 0.0.0.0:631 0.0.0.0:* LISTEN 2581/cupsd
    >tcp 0.0.0.0:8888 0.0.0.0:* LISTEN 3524/xinetd
    >tcp 0.0.0.0:1241 0.0.0.0:* LISTEN 3685/nessusd: waiti
    >tcp 0.0.0.0:7741 0.0.0.0:* LISTEN 3826/lisa
    >udp 0.0.0.0:68 0.0.0.0:* 3285/dhclient
    >udp 0.0.0.0:68 0.0.0.0:* 3072/dhclient
    >udp 0.0.0.0:5353 0.0.0.0:* 3357/mDNSResponder
    >udp 0.0.0.0:111 0.0.0.0:* 2451/portmap


    These are of more concern, because they are accepting connections from the
    entire world. Be sure that your firewall to the world prevents ALL access
    to these. (I don't know about you, but I see no reason to share my printer
    with the Internet - never mind portmapper. But then, some think me selfish.)

    >tcp :::22 :::* LISTEN 3471/sshd


    Here, you have sshd listening to everything (IPv4 and IPv6). Again, I
    simply see no need for that openness. If you want to do this, that's
    fine, but you'd better protect it with the firewall, restricting access
    to those addresses where you may actually have a specific need to connect
    from.

    I also don't allow my systems to go walkies, so I don't need DHCP, and
    thus I don't need the mDNS security problems.

    Old guy
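    The loopback-versus-wildcard sorting done by hand above can be checked mechanically. This is an added example, not code from the thread: a small Python script that parses `netstat -anptu` output in the layout posted here and lists every socket that is not bound to loopback, i.e. the ones to firewall or rebind. The sample listing is constructed after the one in the thread; PIDs and program names are illustrative.

```python
"""Classify `netstat -anptu` rows by how widely each socket is exposed.
Added example for this thread; the sample listing below is constructed."""
import re

# Constructed sample, same column layout as Linux net-tools `netstat -anptu`.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN 3660/privoxy
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2451/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 2581/cupsd
tcp 0 0 0.0.0.0:1241 0.0.0.0:* LISTEN 3685/nessusd: waiti
tcp 0 0 :::22 :::* LISTEN 3471/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 3285/dhclient
udp 0 0 127.0.0.1:53 0.0.0.0:* 4100/dnsmasq
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}
PID_PROG = re.compile(r"^\d+/")   # the PID/Program field starts with "<pid>/"

def classify(addr):
    """Map a bind address to an exposure class."""
    if addr in LOOPBACK:
        return "loopback"
    if addr in WILDCARD:
        return "all-interfaces"   # '::' normally accepts IPv4 as well as IPv6
    return "one-interface"

def parse_netstat(text):
    """Return one dict per socket row; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, port = parts[3].rsplit(":", 1)   # rsplit copes with ':::22'
        # UDP rows lack the State column and program names may contain spaces
        # ('nessusd: waiti'), so locate the PID/Program field by its shape.
        idx = next((i for i, p in enumerate(parts) if i >= 4 and PID_PROG.match(p)), None)
        program = " ".join(parts[idx:]) if idx is not None else "-"
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "program": program, "exposure": classify(addr)})
    return rows

def exposed(rows):
    """Sockets reachable from other hosts, ordered by port."""
    return sorted((r for r in rows if r["exposure"] != "loopback"),
                  key=lambda r: (r["port"], r["proto"]))

if __name__ == "__main__":
    for r in exposed(parse_netstat(NETSTAT_SAMPLE)):
        print(f"{r['proto']:4} {r['port']:5} {r['addr']:8} {r['program']}")
```

Run it against real output with `netstat -anptu | python3 script.py`-style piping by replacing `NETSTAT_SAMPLE` with `sys.stdin.read()`.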

  9. Re: nmap interpretation help needed

    ["Followup-To:" header set to alt.os.linux.]
    Moe Trin :
    > On Mon, 27 Nov 2006, in the Usenet newsgroup alt.os.linux, in article
    > , Beowulf wrote:
    >
    > >netstat is awesome-- see output below, it does tell some interesting
    > >things that nmap does not. I need to learn to use various tools like
    > >these to monitor my LAN for security. Thank you for the tip!

    >
    > As you are running xinetd, see that Security-Quickstart-Redhat-HOWTO. It
    > has some very good clues as well.
    >
    > >port 8888 indeed turned out to simply be xinetd not anything to do with
    > >sun or streaming music!

    >
    > You'll have to look at xinetd and see what it's got the port open for.
    >
    > [Edited for space and context]


    I'm trying the same.

    > >Active Internet connections (servers and established)
    > >Proto Local Address Foreign Address State PID/Program name
    > >tcp 127.0.0.1:7777 0.0.0.0:* LISTEN 3752/hts

    >
    > These are no biggy, as they are only listening on the loopback.
    >
    > >tcp 0.0.0.0:111 0.0.0.0:* LISTEN 2451/portmap
    > >tcp 0.0.0.0:631 0.0.0.0:* LISTEN 2581/cupsd
    > >tcp 0.0.0.0:8888 0.0.0.0:* LISTEN 3524/xinetd
    > >tcp 0.0.0.0:1241 0.0.0.0:* LISTEN 3685/nessusd: waiti
    > >tcp 0.0.0.0:7741 0.0.0.0:* LISTEN 3826/lisa
    > >udp 0.0.0.0:68 0.0.0.0:* 3285/dhclient
    > >udp 0.0.0.0:68 0.0.0.0:* 3072/dhclient
    > >udp 0.0.0.0:5353 0.0.0.0:* 3357/mDNSResponder
    > >udp 0.0.0.0:111 0.0.0.0:* 2451/portmap

    >
    > These are of more concern, because they are accepting connections from the
    > entire world. Be sure that your firewall to the world prevents ALL access


    Note on Debian, I have /etc/default/portmap:

    # By default listen on all interfaces
    OPTIONS="-i 127.0.0.1"

    Your distro may have this?

    > to these. (I don't know about you, but I see no reason to share my printer
    > with the Internet - never mind portmapper. But then, some think me selfish.)


    :-)

    > >tcp :::22 :::* LISTEN 3471/sshd

    >
    > Here, you have sshd listening to everything (IPv4 and IPv6). Again, I
    > simply see no need for that openness. If you want to do this, that's
    > fine, but you'd better protect it with the firewall, restricting access
    > to those addresses where you may actually have a specific need to connect
    > from.


    Or don't run sshd if you only ssh out.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
    Spammers! http://www.spots.ab.ca/~keeling/emails.html

  10. Re: nmap interpretation help needed

    ["Followup-To:" header set to alt.os.linux.]
    Moe Trin enlightened us with:
    > These are of more concern, because they are accepting connections
    > from the entire world. Be sure that your firewall to the world
    > prevents ALL access to these.


    I'd even go further and change the configuration so that they don't
    even listen on the outside interface, if possible. That way you won't
    even need to firewall those ports.

    Sybren
    --
    Sybren Stüvel
    Stüvel IT - http://www.stuvel.eu/
