[absolutezero1287]

I'm on Ubuntu and I noticed some odd behavior and decided to see if any ports were open and scanned for rootkits. I used chkrootkit and rkhunter both said that my system was clean. I nmapped myself and found these ports open.
I kno that pop3 is for email but I'm not using Evolution or any other mail client. Would it be a security risk to leave these ports open? I'm not even sure what some of these services are.

Code:

PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
2049/tcp open  nfs
2500/tcp open  rtsserv

[lotuseclat79]

Hi absolutezero1287,

I do not know if you run any software firewall on Ubuntu, however, I would advise you to either get Firestarter (if you are gui inclined) or learn how to do it with iptables in terms of the Beginner's version thread I posted in this forum here. At the end of my post is a link to a Beginner's version setup of iptables that should be able to close all of your ports if you comment out the services that are allowed (I do not use them) in it with a '#' at the start of those statements.

Then test with nmap to verify that all of your ports are stealthed.

The point is that a closed port indicates to a miscreant that there is a computer at the ip address, while a stealthed port indicates that the miscreant should not bother with the ip address under scan and move on to another ip address. As it stands now, if a miscreant notices your open ports, they can get into your system and if they know what they are doing cause problems - I'm sure you do not want that to happen. Also, if an experienced enough miscreant wants to get into your system (there are ways with half-baked packets) they will, but only if they notice you do not have stealthed ports.

If you are protected by a hardware firewall, at least make sure that you have changed the default admin password which is a common vulnerability and vector of attack from the miscreants - and very easy to compromise.

-- Tom

[absolutezero1287]

I already have firestarter but I didn't think to use it. I removed all the rules from it and nmapped myself and got the same results.

Code:

root@frankenputer:~# nmap -sS -v -v localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-14 16:34 EDT
Initiating SYN Stealth Scan at 16:34
Scanning localhost (127.0.0.1) [1697 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 110/tcp on 127.0.0.1
Discovered open port 445/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 2500/tcp on 127.0.0.1
Discovered open port 139/tcp on 127.0.0.1
Discovered open port 2049/tcp on 127.0.0.1
Completed SYN Stealth Scan at 16:34, 0.24s elapsed (1697 total ports)
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 1689 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
2049/tcp open  nfs
2500/tcp open  rtsserv

Nmap finished: 1 IP address (1 host up) scanned in 0.325 seconds
               Raw packets sent: 1697 (74.668KB) | Rcvd: 3402 (142.900KB)

[tomdkat]

The above shows you're running a mail server of some kind (sendmail maybe?). If this isn't a server machine, there's no reason for you to be running a mail server. Ports 25 and 110 are for SMTP and POP3, respectively. Port 631 is for CUPS (ipp) and I'm not sure why you're running Samba (netbios-ssn and microsoft-ds) unless you're networking with Windows machines on your network.

I don't think there's anything wrong with having those ports open, per se, as long as the daemons listening to those ports are bound to localhost only. I believe running a "netstat -a" command will let you know to which IP any particular process that is listening on a port is bound. If they are all bound to localhost, I think you're safe since they won't accept connections from anything except apps running ON your system.

Peace...

[absolutezero1287]

No, I'm just on a desktop computer which is why these services puzzle me. I'm behind a wireless router and the access point is at a windows computer. I'm guessing that has something to do with it. I figured that if I disabled samba that these ports would be closed. I tried it via synaptic and if I uninstall samba I also uninstall ubuntu-desktop...I figure that it would be easier to just stealth all the ports. How would I do that?


Update! I ran the Shields Up! test at https://www.grc.com/ and my first 1056 ports are stealthed. So I think that I'm good...although nmap indicates differently.

[lotuseclat79]

Shields Up! is only a partial test - i.e. there are 65,535 ports and nmap tests them all. If they all are not stealthed, then you run the risk of making your computer become a target to the miscreants.

-- Tom

[tomdkat]

Quote:

Originally Posted by lotuseclat79

Shields Up! is only a partial test - i.e. there are 65,535 ports and nmap tests them all. If they all are not stealthed, then you run the risk of making your computer become a target to the miscreants.

I partially disagree with this. Shields Up! will test well-known ports, at least, that are exposed to the outside world. I mean it has to since it's a site that is external to your computer. nmap runs on your local computer so it will have access to more than an external computer would or could.

This is why I suggested running the netstat command. netstat DOES indicate which ports are bound to which IP addresses. Here is a sample from my Ubuntu system:

Quote:

tom@deathstar:~$ netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:31416 *:* LISTEN
tcp 0 0 deathstar.local:45823 cf-in-f17.google.co:www TIME_WAIT
tcp 1 0 deathstar.local:60347 basic-rank.go.dream:www CLOSE_WAIT
tcp 1 0 deathstar.local:32899 wf-in-f189.google.c:www CLOSE_WAIT
tcp 1 0 deathstar.local:46319 cf-in-f17.google.co:www CLOSE_WAIT
tcp 0 0 localhost:31416 localhost:37894 ESTABLISHED
tcp 1 0 deathstar.local:53263 my.opera.com:www CLOSE_WAIT
tcp 0 0 deathstar.local:45837 cf-in-f17.google.co:www ESTABLISHED
tcp 1 0 deathstar.local:55044 cf-in-f103.google.c:www CLOSE_WAIT
tcp 0 0 localhost:37894 localhost:31416 ESTABLISHED
udp 0 0 *:32768 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:mdns *:*

The "localhost:[port]" syntax means a process is running that is associated ONLY with the localhost interface on the indicated port. The "LISTEN" status means that process is listening on the specified port. So, the "localhost:ipp" entry means a process is listening on port 631 (the ipp port) only on the localhost interface. This is most likely CUPS.

The "*:[port]" syntax means a process is running that is associated with ANY IP address assigned to the computer on the indicated port. So, in my output above, a process is running that "bound" to all IPs assigned to my machine on the bootpc port (whatever port number that is). That process doesn't seem to be in a LISTEN state and I don't know if that means it will still be able to accept connections from external machines or not. This would be cause for concern, on my part.

This also gets to another aspect of Unix security that often gets overlooked: the ability or practice of processes to bind only to the localhost interface thereby allowing or receiving connections ONLY from processes contacting the listening process on the localhost interface. iptables would be great for blocking spoofed IP packets (where to AND from addresses are localhost).

I think his system is safe from external intrusion.

Peace...

[absolutezero1287]

I used the Shields Up test on ports past 1056 as well. They all seem to be stealthed.
I'm not sure but I think my box is pretty secure. I would just like the opinion of the more experienced members.

Quote:

leonardo@frankenputer:~$ netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:nfs *:* LISTEN
tcp 0 0 *:58889 *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:37708 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:43761 *:* LISTEN
tcp 0 0 localhost:8118 *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:9050 *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp 0 0 192.168.1.102:59571 an-in-f19.google.co:www ESTABLISHED
tcp6 0 0 *:2500 *:* LISTEN
tcp6 0 0 *: pop3 *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:nfs *:*
udp 0 0 *:32769 *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:mdns *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:756 *:*
udp 0 0 192.168.1.102:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp6 0 0 fe80::216:b6ff:fe53:ntp *:*
udp6 0 0 ip6-localhost:ntp *:*
udp6 0 0 *:ntp *:*

[lotuseclat79]

Hi tomdkat,

The nmapfe I initiate on my computer (localhost) seems to interface with http://insecure.org (host of nmap) and runs the nmap scan on my ip address assigned from my ISP from there, not from my localhost (i.e. my computer).

-- Tom

[tomdkat]

I would go into Ubuntu's system admin menu and click "Services". I would disable "Mail agent", which is Postfix, since you don't need to have a mail server running on your system. That will close ports smtp and pop3 from being bound to ALL IP addresses, which is a risk.

NFS and SUNRPC being bound to all IPs might also be an issue so if you're concerned about security, I would either look into turning off NFS and see if you can configure SUNRPC to bind only to localhost. If you're not participating in a Windows network, you should turn off Samba completely or configure Samba to filter connections appropriately.

Don't get me wrong, I don't think lotuseclat79 is wrong when he advises making sure all your ports are "stealthed". My main point is having a process that is bound to localhost only isn't as bad as have a process bound to ALL IPs, which can open your system up to remote intrusion.

I would also track down what port 37708 is.

Peace...

[tomdkat]

Quote:

Originally Posted by lotuseclat79

Hi tomdkat,

The nmapfe I initiate on my computer (localhost) seems to interface with http://insecure.org (host of nmap) and runs the nmap scan on my ip address assigned from my ISP from there, not from my localhost (i.e. my computer).

Cool. I'll have to see what nmapfe does on my system. I just ran the same nmap command as absolutezero1287 did above but with my network cable disconnected from my wireless router (meaning I was disconnected from everything) and it reported some "open" ports, just like absolutezero1287:

Quote:

tom@deathstar:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:133:9F:19:F7
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:75125 errors:0 dropped:0 overruns:0 frame:0
TX packets:72411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:49380959 (47.0 MB) TX bytes:9600437 (9.1 MB)
Interrupt:20

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:439997 errors:0 dropped:0 overruns:0 frame:0
TX packets:439997 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:270114080 (257.6 MB) TX bytes:270114080 (257.6 MB)

tom@deathstar:~$ sudo nmap -sS -v -v localhost

Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 13:23 PDT
Initiating SYN Stealth Scan at 13:23
Scanning localhost (127.0.0.1) [1714 ports]
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 31416/tcp on 127.0.0.1
Completed SYN Stealth Scan at 13:23, 0.09s elapsed (1714 total ports)
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 1712 closed ports
PORT STATE SERVICE
631/tcp open ipp
31416/tcp open boinc-client

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.209 seconds
Raw packets sent: 1714 (75.416KB) | Rcvd: 3430 (144.064KB)
tom@deathstar:~$

Both CUPS and boinc-client are bound to localhost on my system so it will be interesting to see what nmapfe reports.

Peace...

[tomdkat]

Quote:

Originally Posted by lotuseclat79

The nmapfe I initiate on my computer (localhost) seems to interface with http://insecure.org (host of nmap) and runs the nmap scan on my ip address assigned from my ISP from there, not from my localhost (i.e. my computer).

What command do you have nmapfe issue to conduct your test? nmapfe appears to be the executable name of Zenmap, the GUI frontend to nmap. I just ran it and it ran with these parameters (when I configured it to target localhost) to nmap:

nmap -T Aggressive -A -v localhost

What nmap parameters to you specify?

Peace...

[lotuseclat79]

My ISP assigned ip address in the command: nmap -sT -PT <ip address>
The command comes back with the name of my ip address and the status of all ports: closed except one for tcp (presumeably for the test).

-- Tom

[tomdkat]

Thanks for posting that info. I ran nmap with your settings in these configurations:

1. Network cable unplugged
2. Network cable plugged into my Netgear wireless router
3. Network cable plugged into my Motorola cable modem.

Here are the results:

Network cable unplugged:

Quote:

tom@deathstar:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:133:9F:19:F7
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:85863 errors:0 dropped:0 overruns:0 frame:0
TX packets:84409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55237706 (52.6 MB) TX bytes:11738082 (11.1 MB)
Interrupt:20

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:469643 errors:0 dropped:0 overruns:0 frame:0
TX packets:469643 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:284528426 (271.3 MB) TX bytes:284528426 (271.3 MB)

tom@deathstar:~$ sudo nmap -sT -PT aa.bb.cc.dd
[sudo] password for tom:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 14:23 PDT
nexthost: failed to determine route to aa.bb.cc.dd
QUITTING!
tom@deathstar:~$

Network cable plugged into Netgear router:

Quote:

tom@deathstar:~$ sudo nmap -sT -PT aa.bb.cc.dd

Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 14:23 PDT
Interesting ports on c-aa-bb-cc-dd.xxxx.ca.comcast.net (aa.bb.cc.dd):
Not shown: 1712 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 1.795 seconds
tom@deathstar:~$

So, ports 23 and 80 are open on my router. Oh joy.

Network cable plugged into cable modem:

Quote:

tom@deathstar:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:133:9F:19:F7
inet addr:aa.bb.cc.dd Bcast:255.255.255.255 Mask:255.255.248.0
inet6 addr: fe80::213:d3ff:fe9f:19f7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88785 errors:0 dropped:0 overruns:0 frame:0
TX packets:86401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55478547 (52.9 MB) TX bytes:11914743 (11.3 MB)
Interrupt:20

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:470883 errors:0 dropped:0 overruns:0 frame:0
TX packets:470883 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:285291502 (272.0 MB) TX bytes:285291502 (272.0 MB)

tom@deathstar:~$ sudo nmap -sT -PT aa.bb.cc.dd

Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 14:26 PDT
All 1714 scanned ports on c-aa-bb-cc-dd.xxxx.ca.comcast.net (aa.bb.cc.dd) are closed

Nmap done: 1 IP address (1 host up) scanned in 0.614 seconds
tom@deathstar:~$

Notice ALL scanned ports are closed as reported by nmap. Now, here's netstat output:

Quote:

tom@deathstar:~$ sudo nmap -sT -PT aa.bb.cc.dd

Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 14:26 PDT
All 1714 scanned ports on c-aa-bb-cc-dd.xxxx.ca.comcast.net (aa.bb.cc.dd) are closed

Nmap done: 1 IP address (1 host up) scanned in 0.614 seconds
tom@deathstar:~$ netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 localhost:31416 *:* LISTEN
tcp 0 1158 192.168.2.2:56213 cf-in-f19.google.co:www ESTABLISHED
tcp 1 0 c-aa-bb-cc-dd.hsd:33242 cf-in-f19.google.co:www CLOSE_WAIT
tcp 0 0 localhost:31416 localhost:37894 ESTABLISHED
tcp 0 1 192.168.2.2:56216 cf-in-f19.google.co:www FIN_WAIT1
tcp 1 0 192.168.2.2:49794 cf-in-f103.google.c:www CLOSE_WAIT
tcp 1 0 192.168.2.2:38743 wf-in-f189.google.c:www CLOSE_WAIT
tcp 0 0 localhost:37894 localhost:31416 ESTABLISHED
udp 0 0 *:32768 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:mdns *:*

You'll notice I STILL have CUPS (port 631/ipp) and boinc-client (port 31416) up and running AND while my computer was directly connected to my cable modem. This illustrates my point. By virtue of being bound only to localhost, those processes aren't susceptible to external exploit since those processes won't get external connections. Of course, this isn't to imply that a firewall isn't "needed" but that the way processes and applications manage their network connections factors in. That's why CUPS comes pre-configured to be bound only to localhost. As a side note, I just realized even though I have iptables installed, it's configured to allow ALL inbound/outbound traffic. This was the case when I ran the nmap command while my machine was directly connected to my cable modem.

Peace...

[lotuseclat79]

Hi tomdkat,

I hope you have since modified iptables with a more restrictive setup.

-- Tom