From: "Kenzo" <kenzo_chin@hotmail.com>
To: freebsd-security@freebsd.org
Subject: portscan question
Date: Mon, 27 Jan 2003 12:34:19 -0600

This is what I got when I ran nmap against my server from inside my network. Everything looks good from the outside. I'm curious as to why, when I have portsentry turned on, I see all these ports, and when I don't, I only see the ones I'm running.

--WITH PORTSENTRY ON

BSDtest# nmap -v -O 10.25.x.x

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host mydomain(10.25.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against mydomain(10.25.x.x)
Adding open port 15/tcp
Adding open port 1524/tcp
Adding open port 54320/tcp
Adding open port 22/tcp
Adding open port 32774/tcp
Adding open port 540/tcp
Adding open port 6667/tcp
Adding open port 1/tcp
Adding open port 32773/tcp
Adding open port 12346/tcp
Adding open port 32771/tcp
Adding open port 27665/tcp
Adding open port 11/tcp
Adding open port 143/tcp
Adding open port 12345/tcp
Adding open port 1080/tcp
Adding open port 79/tcp
Adding open port 111/tcp
Adding open port 2000/tcp
Adding open port 25/tcp
Adding open port 31337/tcp
Adding open port 635/tcp
Adding open port 80/tcp
Adding open port 32772/tcp
Adding open port 119/tcp
The SYN Stealth Scan took 8 seconds to scan 1601 ports.
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
Interesting ports on mydomain(10.25.x.x):
(The 1576 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=1/27%Time=3E357695%O=1%C=2)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Uptime 0.168 days (since Mon Jan 27 08:11:17 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds

--WITHOUT PORTSENTRY

BSDtest# nmap -v -O 10.25.x.x

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host mydomain(10.25.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against mydomain(10.25.x.x)
Adding open port 25/tcp
Adding open port 22/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 7 seconds to scan 1601 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on mydomain(10.25.x.x):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=1/27%Time=3E357B34%O=22%C=1)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Uptime 0.181 days (since Mon Jan 27 08:11:17 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

I thought that portsentry was supposed to monitor the ports, but I didn't know that it would add all these ports as being open. Will it still be OK to run portsentry, or is there a better program to use to monitor ports for portscans and probes?

Thanks.
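A note on what the two scans above actually show, followed by an added example that is not part of the original post. In its classic TCP mode portsentry bind()s a real listening socket on every port named in the TCP_PORTS line of portsentry.conf, so a SYN scan from anywhere sees those ports as open; that is the intended trap behaviour, not a misconfiguration. The practical check is to diff the two nmap tables and confirm that every extra "open" port is on the trap list, then confirm on the box with `sockstat -4 -l` that the process bound to each of them is portsentry. The script below does the diff over the two port tables copied from the post. The PORTSENTRY_TCP_PORTS set is an assumption: it is the default "aware" TCP_PORTS value from portsentry.conf as recalled by the author of this example, and it must be replaced with the value from the local config file before relying on the result.

```python
"""Diff two nmap port tables and attribute the extra "open" ports to a
host-based trap listener such as portsentry.

Added example; it is not part of the original mailing-list post. The two
port tables below are copied from the post. PORTSENTRY_TCP_PORTS is an
ASSUMPTION (default TCP_PORTS from portsentry.conf as recalled by this
example's author) and should be replaced with the local config value.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, protocol)

# Copied from the post: scan taken while portsentry was running.
SCAN_WITH_PORTSENTRY = """\
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k
"""

# Copied from the post: scan taken with portsentry stopped.
SCAN_WITHOUT_PORTSENTRY = """\
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
"""

# ASSUMPTION: the default "just want to be aware" TCP_PORTS set from portsentry.conf.
PORTSENTRY_TCP_PORTS: Set[int] = {
    1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000, 5742, 6667,
    12345, 12346, 20034, 27665, 31337, 32771, 32772, 32773, 32774, 40421,
    49724, 54320,
}

# Matches one nmap 3.x table row: "<port>/<proto>   <state>   <service>".
_PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_open_ports(nmap_table: str) -> Dict[Port, str]:
    """Return {(port, proto): service} for every row whose state is 'open'."""
    found: Dict[Port, str] = {}
    for line in nmap_table.splitlines():
        m = _PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def diff_scans(baseline: str, candidate: str) -> Dict[str, Set[Port]]:
    """Ports open in candidate but not baseline ('added'), and vice versa ('removed')."""
    base = set(parse_open_ports(baseline))
    cand = set(parse_open_ports(candidate))
    return {"added": cand - base, "removed": base - cand}


def attribute_to_trap_listener(added: Set[Port], trap_ports: Set[int]) -> Tuple[List[int], List[Port]]:
    """Split the extra ports into those the trap list explains and those it does not.

    Anything in the second list is a listener that appeared between the two scans
    and is NOT accounted for by the trap daemon; check it with sockstat(1) instead
    of assuming it is harmless. UDP ports are never explained by a TCP trap list.
    """
    explained = sorted(p for p, proto in added if proto == "tcp" and p in trap_ports)
    unexplained = sorted(pp for pp in added if not (pp[1] == "tcp" and pp[0] in trap_ports))
    return explained, unexplained


def report(baseline: str, candidate: str, trap_ports: Set[int]) -> str:
    """Human-readable summary of the diff and its attribution."""
    d = diff_scans(baseline, candidate)
    explained, unexplained = attribute_to_trap_listener(d["added"], trap_ports)
    return "\n".join([
        f"{len(explained)} extra open port(s) match the trap list: {explained}",
        f"{len(unexplained)} extra open port(s) NOT explained by the trap list: {unexplained}",
        f"{len(d['removed'])} port(s) open in the baseline but gone now: {sorted(d['removed'])}",
    ])


if __name__ == "__main__":
    print(report(SCAN_WITHOUT_PORTSENTRY, SCAN_WITH_PORTSENTRY, PORTSENTRY_TCP_PORTS))
```

Run against the two tables from the post, every one of the 22 extra ports falls inside the assumed trap list and the "NOT explained" line is empty, which is the result you want to see before leaving portsentry running. If a port ever lands in the unexplained list, `sockstat -4 -l` on the FreeBSD host tells you which process actually holds it.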