open ports


Forum: Networking
Topic: open ports
started by: gray

Posted by gray on Dec. 25 2005,09:14
Hello

While I was using DSL 2.0, I asked a buddy to do a portscan on my connection (dial-up modem) and was informed that 4 ports were open - in fact he was able to login and send an e-mail to me from my system ! Could the ports not be set to closed - ideally to drop - for all internet connections not started by a program from the system ? That apart I was very happy with the system - just not willing to be that unsafe.

Cheers - Gray

Posted by roberts on Dec. 25 2005,16:42
Hmmm, first post. Unsubstantiated claim.
Could this be a drive by FUD attack
or a real concerned new user?

netstat -tul
The above command will display all open listening tcp and udp ports.

On dialup, after booting up DSL with nodhcp and making the connection there are NO default open ports.

You would have to start a server process for there to be such with a Foreign Address of *.*
And you would have to set a password for your buddy to login.

On broadband using dhcp, or if you didn't boot with nodhcp, then you will see port 68.
For the paranoid, after establishing your IP you may then sudo pkill pump to close this port used to obtain your IP.

Damn Small Linux is pretty damn safe out of the box.

Posted by gray on Dec. 25 2005,17:28
Hello

Actually I rather like DSL !! My comments here are supplied in the hopes that it might improve a damn fine system even further.

I never used any OS that reacts so fast to input and being able to install a system to hard drive in a matter of seconds is stunning - especially as my other favourite is Gentoo, which requires compilation and hence can take a day or more, if KDE is added to the mix....

I do admit to one error for which I humbly apologise: the number of ports was two - NOT four and the open port numbers were 68,554 and 1755.

Gray

Posted by roberts on Dec. 25 2005,17:46
I have already covered port 68.
Port 68 is needed for obtaining IP via dhcp.
On dialup you should boot
dsl nodhcp

or you may manually close it with sudo pkill pump

Port 554 is not part of DSL.
It is for real player. Real Player is not part of DSL.

Port 1755 is Windows Media ASF which is not part of DSL.

Posted by gray on Dec. 25 2005,18:23
Thanks for the info - just getting the RC2 now and will try those commands.

Best wishes

Gray

Posted by vees on Dec. 26 2005,15:24
also - if you have any doubts at all, you can download the myDSL extension iptables and then run the following script:

#!/bin/sh
# flush every rule currently loaded in the filter table
iptables -F
# accept all traffic from the local host itself (loopback)
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
# drop every new incoming TCP connection attempt (SYN); replies to connections this box opened still get through
iptables -A INPUT -p tcp --syn -j DROP

Save this script in a file called foo, then just chmod +x foo in the directory you placed it in, then "sudo ./foo" from there.  You will have a very effective firewall running.  Want to shut it down?  Just do "sudo iptables -F".

Easy, fast, simple, effective.

But as they said - DSL is very safe out from the box, accepts no connections, has no listening ports, etc...

Good luck!
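A hardened variant of the same default-deny idea, added here as an example; it is not vees' script and not anything shipped with DSL. It assumes iptables with the state match module, and takes DRY_RUN=1 to print the rules instead of applying them:

```shell
#!/bin/sh
# Added example, not vees' script or anything shipped with DSL. Same
# default-deny idea, with three changes: loopback is matched by interface
# (-i lo) rather than by source address, because a packet arriving on the
# modem link with a forged 127.0.0.1 source would match -s 127.0.0.1;
# the INPUT policy is DROP, so unsolicited UDP and ICMP echo requests
# (GRC's "Ping Reply" test) are dropped too, not only TCP SYNs; and
# replies to connections the box itself opened are accepted by state.
# Assumes iptables with the state match. With DRY_RUN=1 the commands are
# printed instead of run, so the rule set can be reviewed first.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_on() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # keep DHCP working while pump still runs (udp 67 -> 68); remove this
    # line when booting with nodhcp on dialup
    ipt -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
}

# vees' "sudo iptables -F" with the policy put back to ACCEPT, since a
# flush alone would leave the DROP policy in place and cut off everything.
firewall_off() {
    ipt -P INPUT ACCEPT
    ipt -F INPUT
}

case "${1:-}" in
    on)  firewall_on ;;
    off) firewall_off ;;
esac
```

Save it as foo and chmod +x foo, then `DRY_RUN=1 ./foo on` to review the rules, `sudo ./foo on` to apply them and `sudo ./foo off` to remove them.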

Posted by doobit on Dec. 26 2005,20:13
I've been playing around with firestarter, but not on DSL because it doesn't need it. Still, firestarter is Debian packaged so you can apt-get it with a hard drive install of DSL, or you can compile it from the source code. It's a pretty cool firewall to use if you are going to use samba, or some other sharing utility.
Posted by vees on Dec. 26 2005,23:05
agreed. firestarter is top notch for a basic firewall.  Simple, fast, effective.  One of its best features is that you can see "live" every hit your computer gets, and you can also resolve the ip of any offender.  And it is far more flexible than the little script I gave above.  Also, to make firestarter work you will have to install iptables anyway.
Posted by gray on Dec. 27 2005,18:18
thanks for the advice

I'm busy running 2.1 RC2 at the moment and have asked for a port scan on that. I'm actually wondering if the issue might not be with Zonealarm somehow - my buddy is running XP.

The prob I have is that when he did a scan of my system when I was in XP (gotta have the games...), and I use Zonealarm too there, he found no ports open at all - stealthed in fact, and I even went as far as to delete my Linux partitions and install SUSE 9.3, which has a firewall, and he found no ports open there, also stealthed.

But previously with me running DSL 2.0 (granted I didn't know about the nodhcp command which would close port 68) he found ports open, hence my original query.

I might have suspected his own system if it were not for the fact that when he scanned 2 totally different systems of mine (XP and SUSE 9.3) he found nothing open. Anyhow, all this isn't really an issue as I will be huddled behind a router shortly, but I thought that what I thought was a problem should be brought to light.

Best wishes - Gray

Posted by gray on Dec. 27 2005,18:38
OK the portscan has been done. Ports to be considered are:

port 554 which is for Real Time Stream Control Protocol
and 1755 which is Streaming ASF with TCP In/Out designated for Windows Media

totally weird !!! - at least port 68 is closed, so I learnt something there...

I have to admit I'm confused, but have submitted the above in the hope that it might be useful anyway. best wishes - Gray

Posted by roberts on Dec. 27 2005,18:40
There would have to be a process running on those ports.
There are no such processes in base DSL.
Instead of your buddy why not use
< http://www.dslreports.com/scan >

Posted by gray on Dec. 27 2005,18:54
just one last comment - I went to Shields Up at www.grc.com and found that the first 1056 ports were closed but:

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

Again this leaves me confused but once again submit it in the hopes it might be of use - Gray

Posted by cbagger01 on Dec. 27 2005,19:48
Shields UP! is unnecessarily paranoid.

A rejected response to a port request or a "ping" response is not a security problem in and of itself.

It is only a problem if you are running an OS+services that are vulnerable to certain exploits, and even that is not a problem if you keep your security up to date.

The Shields Up! guy is a known FUD antagonist who likes to create fear in order to sell you his company's products for a profit.

Posted by vees on Dec. 27 2005,20:44
Quote (gray @ Dec. 27 2005,13:38)
OK the portscan has been done. Ports to be considered are:

port 554 which is for Real Time Stream Control Protocol
and 1755 which is Streaming ASF with TCP In/Out designated for Windows Media

totally weird !!! - at least port 68 is closed, so I learnt something there...

I have to admit I'm confused, but have submitted the above in the hope that it might be useful anyway. best wishes - Gray

you gotta be kiddin'?!

are you sure you are scanning the right machine?

maybe your windows box has a problem somewhere...

what do you see when you do "netstat -lp" ?

Posted by gray on Dec. 28 2005,18:52
Hello, to answer you query, I'm running a dual-boot here. ie: XP for games and some version of Linux on the other side, Gentoo, DSL, Debian or SUSE.  

When the second round of scans was done I was running the live-CD of DSL 2.1 RC2 in ram - not physically installed at that time - all I did was configure the dial-up, e-mail and login in here with Firefox. I had DSL 2.0 installed to hard drive when I FIRST started this thread however and was all excited as I thought I had found the zappiest OS yet, then wiped it to try SUSE 9.3 as a test of my friend's portscanner - ie: if he was doing something wrong the result should have been the same in all cases, such as if he somehow had scanned his own system (unlikely as networking is his job, but worthwhile checking anyway).

A portscan was done of SUSE 9.3, then I rebooted into XP and a portscan was done of that. In each case I sent an e-mail to the friend doing the port-scan so he could get my IP address and in each case the portscan showed no ports open and in fact stealthed.

Guys and Gals, I get the impression that all I am really doing here is making enemies and generally irritating the devs and admins working with DSL and this forum.

I have stated what has happened, I have tried to be as clear as possible about the situation and how the tests have been done. I am sorry if there seems to be mis-information or an attempt to run down DSL, but all I have posted is my experiences and results.

I am not a techie with an agenda or similar - I work for a newspaper making adverts on an Apple Mac all day. I try out various Linux versions in the hopes of escaping Old Bill and his OS, and DSL comes very close. Quite what the prob is I am not qualified to say.

My best wishes to you all and goodbye.
Gray

Posted by doobit on Dec. 28 2005,19:24
I don't think anyone is taking this badly, really. We are just trying to get to the bottom of it as simply as possible. That might take a few investigative questions, so hang in there, please.
Posted by gray on Dec. 28 2005,19:52
OK, I'll keep on trying :)

BTW another portscan site is here < http://scan.sygatetech.com > and yes I know they are a firewall / security company, but I have just done all the tests through Zonealarm and they couldn't find anything at all. - despite their obvious aim of wanting people to buy security from 'em...
GRC is here < http://www.grc.com/default.htm > and he too found nothing. Granted in both cases I am behind a firewall but it is a good check to see if they try for a false result.

Personally, I think anyone without a router should have a firewall in place, but speaking as a long-time XP user, Guard Dog is the closest I have seen to a user-friendly GUI for configuring a firewall in Linux.

I used it for a while when running Gentoo, but discovered one issue: even after saving the iptables config file and ensuring that iptables ran at startup, I always had to re-run Guard Dog to access the Web after a reboot, and other people in the Gentoo forums mentioned this - a pity as otherwise it was  simple and effective: stealthed ports all the way. Possibly by now this issue has been fixed. Anyhow I just used that as an example of what could be done.

I'll try an installation of the RC2 DSL and see what comes up.

Gray

Posted by cbagger01 on Dec. 28 2005,20:08
gray,

Don't take my response personally.

I was just pontificating on the whole ShieldsUp! paranoia.  Unless you and he are the same guy, then please don't feel persecuted by me.

Maybe someone will solve the "mystery of the open ports", but unless you are running DSL embedded or you are running DSL + some additional myDSL extensions, then I cannot see how those ports can be open.

I am not saying that your eyes are lying.

I am just saying that I am at a loss to explain it.

Posted by gray on Dec. 29 2005,19:49
hehe - nope Ol' GRC and me are definitely not the same people - wish I had his salary and was earning a real currency tho' !!

OK, I shut the PC down totally, to remove any possibility of something coming over from XP and then went over to GRC and Sygate and ALL THE PORTS WERE CLOSED.

I also did specific tests for 554 and for 1755 - BOTH WERE CLOSED

These are the comments each made, Sygate first and GRC second:

1. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.


2. Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
---------------------------------------------------------------------

Now I have to ask: is it possible for a Windows service to affect the ports of another system after a reboot ? I remember seeing someplace that a mere reboot doesn't clear memory, only a total shutdown (which is why I did the shut down before starting this) - of course the ideal is to totally remove XP from this box - wonder if the Devs here can tweak wine to run my Pirates (new version) :). I'll try that tomorrow - am on a dial-up here so it all costs - monopoly telco.

Guys and Gals, thanks for your patience

Gray

PS: still don't know why my friends didn't see ports open in SUSE and XP but just in DSL, and before you reckon he hates the OS, HE was the one that mentioned DSL to me (has it on 3 of his own boxes for figuring how to make a Super PC with nodes etc)

Posted by cbagger01 on Dec. 29 2005,21:09
FYI,

If you really want a firewall running on DSL, you can install

iptables

from the System area of the Mydsl repository and even

rcfirewall

from the Network area of the repository.

Then you can block/stealth any ports that you wish.  Although I maintain that merely responding to a port request is not a security risk in and of itself.

Posted by gray on Dec. 30 2005,17:56
Hello cbagger01

Thank you for the info - I'm just waiting for my router to be installed (well, for the phone line to be upgraded to an adsl capable exchange really) and then I will be giving DSL a shot - one thing I'd like to ask, tho' not a network issue:

Where do I set the parameters for the wheel of my mouse - there's no xorg.conf or similar that I can see in DSL and I need to set the usual "4 5" to activate the wheel.

Cheers - Gray

Posted by cbagger01 on Dec. 30 2005,20:20
You can either set it by doing the following:

Boot with the

dsl xsetup

cheatcode and say yes to IMPS2 mouse,

or exit the Window manager (not "Shutdown", just exit window manager) and then type:

xsetup.sh

and answer the prompts.

Then type

startx

to resume graphical mode.

Posted by gray on Jan. 04 2006,18:02
thanks cbagger01 - guess I'm used to looking for text files to edit :)

Gray

Posted by icpeanuts on Jan. 22 2006,19:53
Quote (doobit @ Dec. 26 2005,15:13)
I've been playing around with firestarter, but not on DSL because it doesn't need it. Still, firestarter is Debian packaged so you can apt-get it with a hard drive install of DSL, or you can compile it from the source code. It's a pretty cool firewall to use if you are going to use samba, or some other sharing utility.

I am a Linux Newbie. Firestarter looks like a nice firewall to try. Can you give me detailed instructions on how to use apt-get to get the firewall and install it?

I am a beginner linux learner. Thanks in advance. :D

Posted by newby on July 01 2006,14:10
Quote (roberts @ Dec. 25 2005,12:46)
I have already covered port 68.
Port 68 is needed for obtaining IP via dhcp.

I have to boot using dhcp.

How could I configure to turn it off, after dhcp has done its thing?
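An added example, not a post from this thread, covering roberts' netstat check earlier in the thread and the question above: it reads the text of `netstat -tuln` (the numeric form of `netstat -tul`), lists the sockets reachable from the network, and closes the DHCP client only if udp/68 is actually still bound. The SAMPLE output is constructed, not captured from a real DSL box.

```shell
#!/bin/sh
# Added example (not from any post in this thread). Reads the text of
# `netstat -tuln` (the numeric form of roberts' `netstat -tul`), lists
# sockets bound on all interfaces, and tells whether udp/68, the DHCP
# client port (pump on DSL), is still open so it can be closed after
# the lease is obtained. SAMPLE is constructed, not a real capture.

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Print "proto port" for each socket bound to every interface (0.0.0.0,
# :: or *), i.e. reachable over the modem link; loopback-only binds are
# skipped because nobody outside the box can reach them.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") print $1, port
        }'
}

# Succeeds (exit 0) if the DHCP client is still bound to udp/68.
dhcp_client_open() {
    exposed_ports "$1" | grep -qE '^udp6? 68$'
}

# Once the lease is in place the client is no longer needed: on DSL it
# is pump, so this is roberts' "sudo pkill pump", guarded by the check.
close_dhcp_client() {
    if dhcp_client_open "$1"; then
        echo "udp/68 open: stopping DHCP client (pkill pump)"
        pkill pump
    else
        echo "udp/68 not open: nothing to do"
    fi
}

# Report on the live system when netstat is available.
if command -v netstat >/dev/null 2>&1; then
    exposed_ports "$(netstat -tuln 2>/dev/null)"
fi
```

Run `close_dhcp_client "$(netstat -tuln)"` as root once the connection is up; on a box booted with nodhcp it simply reports that nothing is open.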
