# Open Ports problem

## AsianSpices

Hi

The only services I installed are SSH and TFTP.

Does anyone know why the ports

21 - ftp

25 - smtp

110 - pop3

are open by default? And what is listening on them if the services are not even installed? (Or how can I check to see if a service is installed and running?)

And how do I close them?

Thanks a lot  :Smile: 

----------

## wjholden

That's strange, it looks like you've set up a mail server.  Port 21 is obviously your FTP server.  Once you've enabled SSH you'll see port 22 open as well.

Look for a mail server by typing "rc-update show".  You can easily stop it with /etc/init.d/<program> stop and can start SSH with /etc/init.d/sshd restart (remember to "rc-update add sshd default" to make it run by default).

I guess you're scanning localhost with nmap?

----------

## tomaw

First find out what is listening.  Port 21 is ftp.  Gentoo does not install an ftp server by default, so this is probably something more wacky than that.

To find out what is listening, first emerge lsof, then run as root

```
lsof -i
```

This will show you all open ports and the process that is using them.  Hopefully that will be of some use.

----------

## moocha

Or, if you haven't installed lsof, you can also use

```
netstat -npl
```

----------

## AsianSpices

Okie

Thank you all very much for the replies, but I scanned my machine from a remote machine using nmap and Nessus

and I got the same answer. Those 3 ports are open.

By the way,

yes, port 22 is open because I enabled SSH.

But I want to close ALL OTHER ports.

I checked the "rc-update show"

and there is no mail server.

Though there is in.tftpd (but I want that, and that's supposed to be port 69 anyway).

So I have no idea; I did a netstat -npl and there is nothing unusual.

I am currently not in the office, but when I get back I will post the results.

But how can you close the ports?

Because I know in Red Hat you can just do an ntsysv and disable all unwanted processes......:S

----------

## moocha

Again, what is the output of

```
netstat -npl
```

? I'm not interested in the actual IP addresses, I'm interested in the ports and the process names.

Also please include the output of

```
emerge --info
```

----------

## christsong84

 *AsianSpices wrote:*   

> But how can you close the ports?
> 
> Because I know in Red Hat you can just do an ntsysv and disable all unwanted processes......:S

A good firewall will generally do that... shorewall or just straight iptables.  :Smile: 

----------

## bone

 *AsianSpices wrote:*   

> Hi
> 
> The only service I installed is SSH and TFTP
> 
> Does anyone know why the ports 
> ...

 

Define what you mean by "are open by default". Do you mean that something is physically bound to them, or that you did an nmap on the server and found them to be unfiltered? I would suggest using lsof to find out what is bound to them, or even netstat -anp | grep <port>.

Get back to us once you find out more, if you still need help.

jt

----------

## jamapii

Run "netstat -lp" as root to find the name of the program that listens on the ports, then run "grep programname /etc/init.d/*".

Most mail servers have names that don't mean anything (except sendmail). If you don't know what it is, it might be a mail server. The cron daemon needs a mailer.

You can possibly close them in the mailer configuration, or bind to a specific interface (127.0.0.1), or use iptables.

----------

## AsianSpices

Okie guys,

I did an emerge --info and this is what I got

```
Gentoo Base System version 1.4.16
Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r3 i686)
=================================================================
System uname: 2.6.11-gentoo-r3 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, May 27 2005, 12:04:13)]
dev-lang/python:     2.3.5
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r7
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts avi berkdb bitmap-fonts crypt cups emboss encode foomaticdb fortran gdbm gif gnome gpm gtk gtk2 imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl snmp spell ssl tcpd truetype truetype-fonts type1-fonts xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
```

Then I did a netstat -npl

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::22                   :::*                    LISTEN      8602/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8506/syslog-ng
udp        0      0 0.0.0.0:161             0.0.0.0:*                           8517/snmpd
udp        0      0 0.0.0.0:162             0.0.0.0:*                           8560/snmptrapd
udp     3616      0 0.0.0.0:68              0.0.0.0:*                           8335/dhcpcd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           8766/in.tftpd
udp        0      0 0.0.0.0:32882           0.0.0.0:*                           8676/tftp
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           5348/ping
raw     1840      0 0.0.0.0:1               0.0.0.0:*               7           5347/ping
raw     9552      0 0.0.0.0:1               0.0.0.0:*               7           11298/ping
raw     9552      0 0.0.0.0:1               0.0.0.0:*               7           7746/ping
raw     9552      0 0.0.0.0:1               0.0.0.0:*               7           7742/ping
raw     9552      0 0.0.0.0:1               0.0.0.0:*               7           7290/ping

Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     593923 8506/syslog-ng      /dev/log
```

Then here are all the programs in my /etc/init.d

```
bootmisc
checkfs
checkroot
clock
coldplug
consolefont
crypto-loop
depscan.sh
domainname
functions.sh
gpm
halt.sh
hdparm
hostname
hotplug
in.tftpd
init.txt
ip6tables
iptables
keymaps
local
localmount
modules
net.eth0
net.lo
netmount
nscd
numlock
reboot.sh
rmnologin
rsyncd
runscript.sh
serial
shutdown.sh
snmpd
snmptrapd
sshd
syslog-ng
urandom
vixie-cron
xdm
xinetd
```

And just in case you guys wanted to know also,

this is my iptables -L

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:69
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp-trap
ACCEPT     udp  --  anywhere             anywhere            udp dpt:syslog
DROP       tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

And the output from my nmap is

```
D:\nmap-3.81>nmap -sT -v 10.0.74.66

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-01 09:38 Mountain Daylight Time
Initiating Connect() Scan against h10.0.74.66.soc.shaw.ca (10.0.74.66) [1663 ports] at 09:38
Discovered open port 22/tcp on 10.0.74.66
Discovered open port 25/tcp on 10.0.74.66
Discovered open port 21/tcp on 10.0.74.66
Connect() Scan Timing: About 5.32% done; ETC: 09:47 (0:09:04 remaining)
Discovered open port 110/tcp on 10.0.74.66
Connect() Scan Timing: About 17.26% done; ETC: 09:44 (0:05:20 remaining)
Connect() Scan Timing: About 52.68% done; ETC: 09:41 (0:01:37 remaining)
The Connect() Scan took 175.25s to scan 1663 total ports.
Host h10.0.74.66.soc.shaw.ca (10.0.74.66) appears to be up ... good.
Interesting ports on h10.0.74.66.soc.shaw.ca (10.0.74.66):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
MAC Address: 00:0D:60:0F:94:B0 (IBM)

Nmap finished: 1 IP address (1 host up) scanned in 177.250 seconds
               Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
```

Hopefully this can help you guys figure out what's wrong with my machine.

I am trying to close ports 21, 25 and 110!!

----------

## moocha

Your machine has quite clearly been broken into - open ports that don't show up in netstat are a dead giveaway. And my guess is it was an SSH password dictionary attack. The attacker also obviously got root privileges since ports under 1024 can only be opened by root. See my post here for how to react to this: https://forums.gentoo.org/viewtopic-p-2454155.html#2454155

----------

## AsianSpices

Okie,

thanks for the reply, but that's not possible.

We are on our own little network, 192.168.0.x,

and the only time I put it on the company network was to do the nmap to show you guys.

And I am the only one doing any SSH into the machine.

Even if the "attacker" opened it..... how are they going to do that, and HOW can I close it?

----------

## kloune

Did someone suggest installing rkhunter or the like? It's easy to use and to install. Just emerge it and run

```
rkhunter -c
```

and see the result.

----------

## moocha

 *AsianSpices wrote:*   

> But that's not possible.

Never say "that's not possible".

 *AsianSpices wrote:*   

> We are on our own little network, 192.168.0.x

which means (in my understanding) the machine is physically connected to a network, which means it's at risk from the other machines on that network and the people using it.

If you can find a better explanation for having listening TCP ports with no process listening on them in the netstat output, I'd be delighted to hear it.

----------

## christsong84

 *AsianSpices wrote:*   

> Hopefully this can help you guys figure out what's wrong with my machine.
> 
> I am trying to close ports 21, 25 and 110!!

I still say that the best way to close a port is through the firewall (I'm assuming you have a firewall installed and running, right?).

----------

## AsianSpices

 *Quote:*   

> Did someone suggest installing rkhunter or the like? It's easy to use and to install. Just emerge it and run 
> 
> Code: 
> ...

Why rkhunter?

 *Quote:*   

> AsianSpices wrote: 
> 
> But that's not possible. 
> ...

I have no better solution to that.

But I have a 10/100 Fast Ethernet switch just connected to my server and a 1700 router to test the collection of syslogs and traps. Nothing else...... So I really have no idea what could have "ATTACKED" it..... the router :P ...r...i...ght

I was sort of hoping that I had configured something wrong or emerged something that I should not have....

 *Quote:*   

> AsianSpices wrote: 
> 
> Hopefully this can help you guys figure out what's wrong with my machine. 
> ...

Dude, I am using iptables, is that not a firewall?....???

Plus, since I am network-less, every time I do an emerge it fails due to the fact that it says "unable to resolve host",

but in my make.conf I don't even have any mirrors specified :S

----------

## christsong84

 *AsianSpices wrote:*   

>  *Quote:*   
> 
> Did someone suggest installing rkhunter or the like? It's easy to use and to install. Just emerge it and run 
> 
> Code: 
> ...

rkhunter is a rootkit detector... the suggestion is working under the assumption that you've been compromised.

 *Quote:*   

> Dude, I am using iptables, is that not a firewall?....???
> 
> Plus, since I am network-less, every time I do an emerge it fails due to the fact that it says "unable to resolve host"
> ...

Is your iptables set up to drop all connections/close all ports except the ones you specified?  A firewall poorly configured is no better than being without one.  :Wink: 

I'm assuming you have iptables started too.  :Razz: 

You being networkless means that chances are... you weren't hacked.  Either that or that hacker is damn good.  

Configure your firewall to drop all incoming connections except to the ports you specify (and probably allow all connections out for your emerges/etc).  :Smile: 

----------

## AsianSpices

Yes, my iptables is set up to drop all connections/close all ports except the ones I specified:

```
iptables -P INPUT DROP
```

And yes, iptables is started lol

 *Quote:*   

> Configure your firewall to drop all incoming connections except to the ports you specify (and probably allow all connections out for your emerges/etc). 

Unfortunately my manager wants me to do a networkless install (which I already did),

but any packages I want to install after that are all to be networkless.

Unfortunately it keeps asking to go out on the net :S

How do I solve this?

----------

## christsong84

 *AsianSpices wrote:*   

> Yes, my iptables is set up to drop all connections/close all ports except the ones I specified
> 
> ```
> iptables -P INPUT DROP
> ```
> ...

For the ports thing... if nmap can see the ports as open, the firewall's not doing its job.  It tests the port and if it doesn't get a response, it should be marked stealthed, not open.  If it gets a deny response... it should be marked as closed.  If it gets an accept response, it is marked as open.  So double check your firewall config is my suggestion.  I'm not very good at reading iptables configs but perhaps someone else here can if you post them?

For networkless installs, download the source tarballs from the program website and then put them (somehow) into your /usr/portage/distfiles (since it looks there when it does an emerge install).  Then when you run an emerge, it should just pick that up and compile from there.

----------

## limn

Is it possible that your nmap is running against a different machine than the one in question? What is the output of ifconfig on the target box?

----------

## christsong84

 *limn wrote:*   

> Is it possible that your nmap is running against a different machine than the one in question? What is the output of ifconfig on the target box?

From the output, nmap looks to be running on a separate Windows box on the same isolated network.

----------

## AsianSpices

Okie guys,

I figured out what was wrong.

Packages such as vixie-cron and tripwire automatically install the mail services as their dependencies.

Hence the reason the ports were open.

So my question is, how do I close the ports now,

seeing that I cannot even see the mail services installed.... :Razz: 

But on another note...

My boss wants me to install certain packages

such as, let's say, TFTP and Net-SNMP, but he wants them done networkless.

I downloaded the tar files but I don't know how to install them.

```
tar -xvjf <package name>
make
make install
```

does not do it.

Does emerge work for this?

Can anyone help me please?

----------

## christsong84

step 1: type in "emerge -p packagename" without the quotes and download the version mentioned

step 2: download package and get it to the computer somehow

step 3: put it in /usr/portage/distfiles/ (yes the whole tarball... not unzipped or anything)

step 4: type in "emerge packagename" without the quotes

step 5: watch the compile work

that's how it should work  :Smile: 

----------

## AsianSpices

Okie, I got that part.

The thing is I cannot find anywhere to download *.tbz2 files for tripwire, net-snmp and tftp  :Sad: 

I found the one for iptables and it worked. Thank god!

Does anyone know of a link for this?

----------

## overkll

 *Quote:*   

> But on another note...
> 
> My boss wants me to install certain packages
> 
> such as, let's say, TFTP and Net-SNMP, but he wants them done networkless. 

 

You could do a stage 3 install.  Then the whole system can be a networkless install.

With the package CD, you can install the apps you need - networkless.

You can also use nmap to scan your local interfaces - you don't need to do it from a remote machine.

Sounds to me like your boss wants to have a secure machine built and ready to put on a network, without previously being on a network.  That way the machine is sure not to have been compromised in the process of making it.  If that's the case, a stage 3 install and package CD is the way to go.

Or am I missing something here?

----------

## AsianSpices

I did do a stage 3 install,

but I need to run tripwire, tftp etc.

and those are not on the package CD,

unless I have the WRONG package CD and am not seeing it....

Just to verify... I have the package-x86-2005.iso

Can you send me the link for the CD that has the packages for tripwire, net-snmp, tftp please..

On another note... my boss does not want any mail services or telnet running...

So if I did do an emerge -O and not install the dependencies such as the mail services, is that going to be a problem?

Will the programs still function?

----------

## limn

 *Quote:*   

> Packages such as vixie-cron and tripwire automatically install the mail services as their dependencies.
> 
> Hence the reason the ports were open.

 

So anytime someone wants cron services or file integrity checking they get a POP3 mail server automatically?

----------

## overkll

 *Quote:*   

> but I need to run tripwire, tftp etc.
> 
> and those are not on the package CD 

 

Sorry about that!  You are correct.

----------

## christsong84

download from one of the gentoo mirrors...they should have the package file.

----------

## AsianSpices

Frankly this is what I am doing...

I am downloading the whole distfiles from a Gentoo mirror,

copying it to a CD and installing the necessary packages from there using

```
export PKGDIR="/mnt/cdrom"
emerge --usepkg <package name>
```

I have not exactly tested this theory yet since it is still downloading.

It's taking me 6 hrs....

Hence imagine if I had to do a network install... I would be sitting here for DAYSSS.

I installed a base Gentoo server NETWORKLESS in 1 and a half hrs MAX.

 *Quote:*   

> Quote: 
> 
> Packages such as vixie-cron and tripwire automatically install the mail services as their dependencies. 
> 
> Hence the reason the ports were open. 
> ...

Yes, for me I did a

```
emerge -p <package name>
```

and it showed that it needs the dependencies of the mail service and SMTP, hence my POP3 and SMTP ports were open.  :Razz: 

When I emerged it, it automatically installed the services for me... which I DID NOT want...

So I am going to try doing

```
emerge -O <package name>
```

and see if it works... as in if the service works properly... :Razz: 

I have yet to find out if these programs work without the mail service....

So for all those out there who do have the mail service installed (practically EVERYONE I BET),

how do you TURN it OFF??

Like close ports 25 and 110 and 21??

What are the steps?

----------

## limn

 *Quote:*   

> when i emerged it it automatically installed the services for me..which i DID NOT want... 

 

No, that does not just happen. As you note, that would mean almost everyone using Gentoo as a desktop would be running mail services they don't want or need, and that is not the case.

----------

## AsianSpices

 *Quote:*   

> Quote: 
> 
> When I emerged it, it automatically installed the services for me... which I DID NOT want...  
> 
> No, that does not just happen. As you note, that would mean almost everyone using Gentoo as a desktop would be running mail services they don't want or need, and that is not the case.

So then WHAT is THE case???

First off, I am using Gentoo as a server.

I did a VERY MINIMAL install with absolutely nothing.

Ran an nmap... the only port that was open was port 22 for SSH... because I had to transfer some files in.

Then when I did an emerge -p vixie-cron

the dependencies were the mail services and SMTP...

When I did an emerge vixie-cron

YOU CAN see the SMTP and mail-base services being installed...

So what are you trying to tell me?

That they can be installed but not "activated"???

If so then why are the ports "open" when I run an nmap??

And HOW do I close them?

----------

## limn

The footprints of nmap and netstat above do not match. They should, vixie-cron and the rest set aside. The first thing we need to do is figure out why they don't. The simplest answer is that the nmap output is for a different box than the netstat output. That's why I asked for the ifconfig output.

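limn's point is that an nmap result and the host's own netstat listing should agree. As an added example (not code from the thread, from nmap or from netstat; the helper names are my own), this Python script parses the netstat -npl and nmap -sT excerpts posted earlier in the thread and lists which scanner-visible open ports have no local listener to account for them, and whether the unlisted ports came back filtered (a DROP firewall in the path) or closed:

```python
"""Reconcile an nmap port table against the target's own listening sockets."""
import re

# Excerpt of the netstat -npl output posted in the thread (sshd listens on the
# IPv6 wildcard :::22, which on Linux normally accepts IPv4 connections too).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::22                   :::*                    LISTEN      8602/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8506/syslog-ng
udp        0      0 0.0.0.0:161             0.0.0.0:*                           8517/snmpd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           8766/in.tftpd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           5348/ping
"""

# Excerpt of the nmap -sT output posted in the thread.
NMAP_OUTPUT = """\
Interesting ports on h10.0.74.66.soc.shaw.ca (10.0.74.66):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
MAC Address: 00:0D:60:0F:94:B0 (IBM)
"""

# netstat listener line: proto, two queue counters, local addr:port, foreign
# addr, optional LISTEN state (absent for UDP), then pid/program.
NETSTAT_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)"
)
# nmap port table line, e.g. "110/tcp open  pop3".
NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")
# nmap's summary of every port it did not list individually.
NMAP_DEFAULT_RE = re.compile(r"not shown below are in state: (\w+)")


def parse_netstat(text):
    """Map (proto, port) -> (local address, 'pid/program') for each listener."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, addr, port, pid, prog = m.groups()
            listeners[(proto.rstrip("6"), int(port))] = (addr, f"{pid}/{prog}")
    return listeners


def parse_nmap(text):
    """Return ({(proto, port): service} for open ports, state of unlisted ports)."""
    open_ports, default_state = {}, None
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line)
        if m and m.group(3) == "open":
            open_ports[(m.group(2), int(m.group(1)))] = m.group(4)
        d = NMAP_DEFAULT_RE.search(line)
        if d:
            default_state = d.group(1)
    return open_ports, default_state


def reconcile(nmap_text, netstat_text):
    """Split nmap's open ports into those a local listener explains and those none does."""
    open_ports, default_state = parse_nmap(nmap_text)
    listeners = parse_netstat(netstat_text)
    explained = {k: (svc, listeners[k][1]) for k, svc in open_ports.items() if k in listeners}
    unexplained = sorted(k for k in open_ports if k not in listeners)
    return {"explained": explained, "unexplained": unexplained, "default_state": default_state}


def report(result):
    """Human-readable findings, one line each, for the reconciliation result."""
    lines = []
    if result["default_state"] == "filtered":
        lines.append("Unlisted ports are filtered: a DROP-style firewall sits between scanner and host.")
    for (proto, port), (svc, prog) in sorted(result["explained"].items()):
        lines.append(f"{port}/{proto} ({svc}): accounted for by {prog}")
    for proto, port in result["unexplained"]:
        lines.append(f"{port}/{proto}: open to the scanner but no local listener; "
                     "check for another host answering on that IP, a middlebox, or a hidden listener")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT)):
        print(line)
```

On the thread's own data this accounts for 22/tcp via sshd and flags 21, 25 and 110 as open with nothing listening, which is the mismatch the rest of the discussion turns on.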
----------

## AsianSpices

Oh,

I know why it doesn't match...... I had to change the IP address so that I could get out on the net.

It is for the same box.

Don't worry about that,

that's NOT the problem!!

----------

## christsong84

I still maintain that it's the firewall that closes ports...just needs proper configuration and having it applied.

----------

## limn

Humor me. Run an ifconfig on your box and compare the HWaddr address in the output to the MAC address listed in the output of nmap. If they are for the same box these should be the same, no matter what IP you assigned. If they are different, it supports the theory that we are talking about two different boxes. And if the MAC addresses are the same, you have a more serious problem than figuring out how to close the ports.

----------

## mcspiff

 *AsianSpices wrote:*   

> Okie,
> 
> thanks for the reply, but that's not possible.
> 
> We are on our own little network, 192.168.0.x
> ...

You... work... for a company?

That's scary. machine. m-a-c-h-i-n-e

That was only my favourite spelling error for the thread. I'd reinstall personally. Obviously something is gimped or you've been hacked. Accept it, move on. If you can't or won't get network access for Gentoo, I'd suggest building the packages on a network-facing server, and then move them to the server and install that way. With a little NFS magic it shouldn't be too much of a problem, given the same archs.

----------

## AsianSpices

 *Quote:*   

> Humor me. Run an ifconfig on your box and compare the HWaddr address in the output to the MAC address listed in the output of nmap. If they are for the same box these should be the same, no matter what IP you assigned. If they are different, it supports the theory that we are talking about two different boxes. And if the MAC addresses are the same, you have a more serious problem than figuring out how to close the ports.

Well my dear, I would humor you, but I took that machine down for a while

and I re-installed on the next machine.

Just in case you wanted to know, I am not mad, and I KNOW what PC I am doing my tests on, no mistake about that.

Here is the new one I am working on:

```
eth0      Link encap:Ethernet  HWaddr 00:0D:60:0F:96:1C
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:60ff:fe0f:961c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1705 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1109490 (1.0 Mb)  TX bytes:109198 (106.6 Kb)
          Interrupt:22
```

```
D:\nmap-3.81>nmap -sS -v 192.168.0.2

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-03 09:43 Mountain Daylight Time
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 09:43
Discovered open port 22/tcp on 192.168.0.2
Discovered open port 199/tcp on 192.168.0.2
The SYN Stealth Scan took 0.38s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
Interesting ports on 192.168.0.2:
(The 1661 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
199/tcp open  smux
MAC Address: 00:0D:60:0F:96:1C (IBM)

Nmap finished: 1 IP address (1 host up) scanned in 1.218 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 1665 (76.6KB)

D:\nmap-3.81>nmap -sT -v 192.168.0.2

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-03 09:48 Mountain Daylight Time
Initiating Connect() Scan against 192.168.0.2 [1663 ports] at 09:48
Discovered open port 25/tcp on 192.168.0.2
Connect() Scan Timing: About 24.86% done; ETC: 09:50 (0:01:30 remaining)
The Connect() Scan took 123.81s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
Interesting ports on 192.168.0.2:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
25/tcp open  smtp

Nmap finished: 1 IP address (1 host up) scanned in 124.469 seconds
               Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
```

But check that:

I still didn't install any SMTP service and it's still open...

and what the heck is smux??

 *Quote:*   

> You... work... for a company? 

Yea, they pay me to play ......

Last edited by AsianSpices on Fri Jun 03, 2005 6:22 pm; edited 1 time in total

----------

## christsong84

smux/port 199

http://www.seifried.org/security/ports/0/199.html

----------

## AsianSpices

Yea, I figured that much.

But now after re-installing the OS and the services, all networkless,

the snmptrapd daemon cannot be found.

Since I am a total newbie to this and this is my 2nd week into Gentoo, please bear with me.  :Sad: 

But I did

emerge net-snmp

and then I did a snmpconf -i and created the scripts,

then I started the daemon:

/etc/init.d/snmpd restart

In my previous install I could have done

/etc/init.d/snmptrapd restart

Why can I not find it now?

What did I miss?

----------

## limn

Now your nmap output is inconsistent scanning the same IP.

----------

## AsianSpices

 *Quote:*   

> Now your nmap output is inconsistent scanning the same IP.

Okie so.... it's inconsistent...

What's the reason for that then...

----------

## limn

The first nmap shows a MAC address that matches with the ifconfig of the box you are working on and the ports match what you say you want. The second nmap shows only one port open and does not report a MAC address.  Two machines using the same IP address could cause this result. That's easy to test. 

And if that's the case, you don't have a problem with ports you don't want open, on a box that shows a different port configuration depending on how you look at it, and a Gentoo install doesn't set you up with a mail server just because tripwire and cron need to be able to send mail locally on the box.

The other possible causes are worse, going all the way up to what moocha suspected. For all I know your nmap is compromised, or maybe your network.

----------

## AsianSpices

 *Quote:*   

> The first nmap shows a MAC address that matches with the ifconfig of the box you are working on and the ports match what you say you want. The second nmap shows only one port open and does not report a MAC address. Two machines using the same IP address could cause this result. That's easy to test. 
> 
> And if that's the case, you don't have a problem with ports you don't want open, on a box that shows a different port configuration depending on how you look at it, and a Gentoo install doesn't set you up with a mail server just because tripwire and cron need to be able to send mail locally on the box. 
> ...

```
D:\nmap-3.81>namp -sS -v 192.168.0.2
'namp' is not recognized as an internal or external command,
operable program or batch file.

D:\nmap-3.81>nmap -sS -v 192.168.0.2

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-03 15:12 Mountain Daylight Time
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 15:12
The SYN Stealth Scan took 0.38s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
All 1663 scanned ports on 192.168.0.2 are: closed
MAC Address: 00:0D:60:0F:96:1C (IBM)

Nmap finished: 1 IP address (1 host up) scanned in 1.157 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 1665 (76.6KB)

D:\nmap-3.81>
D:\nmap-3.81>nmap -sT -v 192.168.0.2

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-03 15:12 Mountain Daylight Time
Initiating Connect() Scan against 192.168.0.2 [1663 ports] at 15:12
Discovered open port 25/tcp on 192.168.0.2
Connect() Scan Timing: About 7.48% done; ETC: 15:19 (0:06:13 remaining)
Discovered open port 110/tcp on 192.168.0.2
The Connect() Scan took 356.22s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
Interesting ports on 192.168.0.2:
(The 1661 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
25/tcp  open  smtp
110/tcp open  pop3
MAC Address: 00:0D:60:0F:96:1C (IBM)

Nmap finished: 1 IP address (1 host up) scanned in 356.984 seconds
               Raw packets sent: 2 (68B) | Rcvd: 1 (46B)

D:\nmap-3.81>nmap -sS -v 192.168.0.2

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-06-03 15:21 Mountain Daylight Time
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 15:21
Discovered open port 199/tcp on 192.168.0.2
The SYN Stealth Scan took 0.38s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
Interesting ports on 192.168.0.2:
(The 1662 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
199/tcp open  smux
MAC Address: 00:0D:60:0F:96:1C (IBM)

Nmap finished: 1 IP address (1 host up) scanned in 1.172 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 1665 (76.6KB)
```

Dude, I ran an nmap again just to PROVE to you that

1. NOTHING is wrong with my NMAP! I probably just forgot to paste that line in when I was posting.

2. My system is NOT compromised!!!

Yes, I know it's possible for systems to be compromised, but this one is not,

and there is no other system on the network with this address, so you can FORGET that notion also...

So then tell me, what's the difference between the two nmap outputs, and why does -sS show a different output to -sT?

----------

## overkll

 *Quote:*   

> So then tell me whats the diffence between the two nmap outputs and why does -sS show a different output to -sT?

 

nmap -sS is a stealth scan and nmap -sT is a connect scan.  Although an open port is an open port. :Very Happy:    Different outputs can be due to your iptables settings.  Is iptables running?

IMHO, you should scan your linux box FROM your linux box.  Forget the windows box.  nmap is on the package CD.

Disconnect your Linux box from the net.  Install nmap (if you haven't already).  Turn off iptables.  Scan your Linux box FROM your Linux box.  What's the output?

What's the output of " netstat -anA inet " and " netstat -anpA inet " ?

----------

## AsianSpices

Okie nmap is installing as i type 

these things take foreverrrr to install ..

anyway 

question

I am tryin to set up a TFTP server

I installed the daemon TFTP-HPA

did a /etc/init.d/in.tftpd start 

but teh service does not start 

Why?

I dont even know where to start in troubleshooting for this..

here is the /etc/conf.d/in.tftpd file

```
# Config file for /etc/init.d/in.tftpd
# Remove the -l if you use [x]inetd
INTFTPD_PATH="/tftproot"
INTFTPD_OPTS="-l -v -s ${INTFTPD_PATH}"
```

Any ideas?

----------

## overkll

One thing at a time.  Fix a problem, then move on.

----------

## AsianSpices

Well my dear

here is the output from the nmap FROM my Linux box  :Razz: 

```
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-03 16:57 UTC
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 16:57
The SYN Stealth Scan took 35.02s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
All 1663 scanned ports on 192.168.0.2 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 35.141 seconds

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-03 16:58 UTC
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 16:58
The SYN Stealth Scan took 35.00s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
All 1663 scanned ports on 192.168.0.2 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 35.125 seconds
```

very interesting that no ports are shown open...

 *Quote:*   

> One thing at a time. Fix a problem, then move on.

 

That's easy for you to say. 

I am hoping as I go along I will eventually find the answers to my problems.  :Smile: 

----------

## overkll

What was the nmap command you issued?  You should include that at the top of the output.  Helps us help you.

And what is the output of " netstat -anA inet " and " netstat -anpA inet "

Yes, it is easy for me to say.  It is a good standard practice.  Install something, test and troubleshoot.  If all is well, move to the next program.  Otherwise you can complicate things and make it difficult to trace the problem down.

----------

## AsianSpices

```
nmap -sT -v 192.168.0.2
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-03 16:57 UTC
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 16:57
The SYN Stealth Scan took 35.02s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
All 1663 scanned ports on 192.168.0.2 are: filtered
nmap -sS -v 192.168.0.2
Nmap run completed -- 1 IP address (1 host up) scanned in 35.141 seconds
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-03 16:58 UTC
Initiating SYN Stealth Scan against 192.168.0.2 [1663 ports] at 16:58
The SYN Stealth Scan took 35.00s to scan 1663 total ports.
Host 192.168.0.2 appears to be up ... good.
All 1663 scanned ports on 192.168.0.2 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 35.125 seconds
```

```
netstat -anpA inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8569/syslog-ng
udp        0      0 0.0.0.0:68              0.0.0.0:*                           8949/dhcpcd
raw        0      0 0.0.0.0:255             0.0.0.0:*               7           2511/nmap

netstat -anA inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
raw        0      0 0.0.0.0:255             0.0.0.0:*               7
```

----------
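
The netstat listing above shows only what this host's own sockets are bound to, while the nmap runs show what a scanner sees, and the two should agree. As an added example that is not part of the thread, a Python script that parses both outputs and lists the mismatches; the sample text is constructed, modelled on the listings quoted here (sshd on 22 is added so a matched case appears too):

```python
import re

# Constructed sample outputs, modelled on the nmap and netstat listings quoted in this thread.
NMAP_SAMPLE = """\
Interesting ports on 192.168.0.2:
(The 1661 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
199/tcp open  smux
"""
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      8123/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8569/syslog-ng
udp        0      0 0.0.0.0:68              0.0.0.0:*                           8949/dhcpcd
raw        0      0 0.0.0.0:255             0.0.0.0:*               7           2511/nmap
"""

NMAP_OPEN = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
# netstat -anA inet rows bound to a wildcard peer; the PID/program column exists only with -p.
NETSTAT_ROW = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+:\*\s*(LISTEN)?\s*(?:\d+/(\S+))?\s*$", re.M)

def parse_nmap_open(text):
    """Map (port, proto) -> service name for every port nmap reports as open."""
    return {(int(p), proto): svc for p, proto, svc in NMAP_OPEN.findall(text)}

def parse_netstat_listeners(text):
    """Map (port, proto) -> program name ('?' without -p) for local listening sockets."""
    listeners = {}
    for proto, port, state, prog in NETSTAT_ROW.findall(text):
        if proto == "tcp" and state != "LISTEN":   # udp rows carry no state column
            continue
        listeners[(int(port), proto)] = prog or "?"
    return listeners

def reconcile(nmap_text, netstat_text, scanned_protos=("tcp",)):
    """Compare what the scanner saw with what the host says it listens on.
    open_without_listener: something other than this host's sockets answered
    (firewall/NAT rules, another host on that address, or a scan artifact).
    listener_not_covered: bound sockets the scan type cannot see (-sS is TCP only).
    listener_not_seen: scanned protocol, but the port did not show as open (filtered)."""
    scanned, local = parse_nmap_open(nmap_text), parse_netstat_listeners(netstat_text)
    unseen = local.keys() - scanned.keys()
    return {
        "matched": {k: (scanned[k], local[k]) for k in scanned.keys() & local.keys()},
        "open_without_listener": {k: scanned[k] for k in scanned.keys() - local.keys()},
        "listener_not_covered": {k: local[k] for k in unseen if k[1] not in scanned_protos},
        "listener_not_seen": {k: local[k] for k in unseen if k[1] in scanned_protos},
    }
```

Run it with the real outputs captured from the same moment; the 199/tcp entry in the sample lands in open_without_listener, which is exactly the case worth chasing first.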

## AsianSpices

 *Quote:*   

> Yes, it is easy for me to say. It is a good standard practice. Install something test and troubleshoot. If all is well move to next program. Otherwise you can complicate things and make it difficult to trace the problem down.

 

In terms of that I do agree.

But due to the fact I am new at Gentoo

I wanted to get a feel of how things work,

hence I went about experimenting with things.

----------

## overkll

What's the output of " nmap -sU -P0 -v 192.168.0.2 " ? (that's P ZERO, not o)

 *Quote:*   

> In terms of that I do agree.
> 
> But due to the fact I am new at Gentoo
> 
> I wanted to get a feel of how things work
> ...

 

Then the rule is even more applicable.

----------

