open ports

Gabriel M Dragffy dragffy at yandex.ru
Sun Sep 3 20:36:33 UTC 2006 

On Sun, 2006-09-03 at 14:11 +0100, Tony Arnold wrote:
> On Sun, 2006-09-03 at 08:51 -0400, dalila at despiertapr.com wrote:
> > aside from ssh how did all these ports remain open on a desktop installation?  
> > also how can i close them?
> > 
> > PORT     STATE    SERVICE
> > 13/tcp   filtered daytime
> > 19/tcp   filtered chargen
> > 22/tcp   open     ssh
> > 111/tcp  filtered rpcbind
> > 135/tcp  filtered msrpc
> > 136/tcp  filtered profile
> > 137/tcp  filtered netbios-ns
> > 138/tcp  filtered netbios-dgm
> > 139/tcp  filtered netbios-ssn
> > 445/tcp  filtered microsoft-ds
> > 512/tcp  filtered exec
> > 513/tcp  filtered login
> > 543/tcp  filtered klogin
> > 544/tcp  filtered kshell
> > 707/tcp  filtered unknown
> > 1433/tcp filtered ms-sql-s
> > 1720/tcp filtered H.323/Q.931
> 
> Apart from the ssh port, all the other ports are firewalled off
> somewhere, either by firewall settings on your desktop, or by some other
> firewall that's between the scanning machine and the desktop machine.
> 
> The difference is that a firewall will silently drop any packets
> arriving on these filtered ports, whereas a system that is just not
> listening on these ports will respond with a negative acknowledgement.
> Utilities such as nmap use this to distinguish the two cases.
> 
> Regards,
> Tony.
> -- 
> Tony Arnold, IT Security Coordinator, University of Manchester,
> IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
> T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
> E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
> 

If you read the nmap documentation "filtered" is an alias for "not
open". This is the result you get when the ports are closed and the host
responds with a reject packet, rather than dropping the packets. The
result that you show is what you will get if you run nmap on the
localhost, however a scan from a remote computer will reveal only ssh is
open. If you want your machine to be invisible by dropping all packets
instead of rekecting them, I recommend firehol. Install it and edit
firehol.conf. You probably want something like:

interface eth+ internet
	client all accept
	protection strong 10/sec 10
	policy deny
	server shh accept

and that's it, it'll keep you ssh open to the outside world.

More information about the ubuntu-users mailing list