From owner-freebsd-security Tue Feb 11 11: 1:50 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7DFFB37B401 for ; Tue, 11 Feb 2003 11:01:36 -0800 (PST)
Received: from darkpossum.medill.northwestern.edu (darkpossum.medill.northwestern.edu [129.105.51.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5BD1143FBD for ; Tue, 11 Feb 2003 11:01:35 -0800 (PST) (envelope-from possum@darkpossum.medill.northwestern.edu)
Received: from darkpossum.medill.northwestern.edu (6f4c9ede6e622da6a17737340a562287@localhost.medill.northwestern.edu [127.0.0.1]) by darkpossum.medill.northwestern.edu (8.12.6/8.12.6) with ESMTP id h1BIqR74003419; Tue, 11 Feb 2003 12:52:27 -0600 (CST) (envelope-from possum@darkpossum.medill.northwestern.edu)
Received: (from possum@localhost) by darkpossum.medill.northwestern.edu (8.12.6/8.12.6/Submit) id h1BIqR1E003418; Tue, 11 Feb 2003 12:52:27 -0600 (CST)
Date: Tue, 11 Feb 2003 12:52:26 -0600
From: Redmond Militante
To: John Fulcher, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211185226.GA3385@darkpossum>
Reply-To: Redmond Militante
References: <20030211183758.GA791@darkpossum> <005201c2d1fe$1ff1e4c0$1113020a@uss.net>
In-Reply-To: <005201c2d1fe$1ff1e4c0$1113020a@uss.net>
User-Agent: Mutt/1.4i
X-Sender: redmond@darkpossum.medill.northwestern.edu
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836
X-Favorite-Food: Pizza
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

ok.

sockstat on the machine i'm running nmap from
-------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd     29207    5 tcp4   129.x.x.20:22         129.x.x.22:49176
root     ssh      28858    3 tcp4   129.x.x.20:2641       129.x.x.35:22
root     sshd     27242    5 tcp4   129.x.x.20:22         129.x.x.23:1076
www      httpd    25325   16 tcp4   *:80                  *:*
www      httpd    25324   16 tcp4   *:80                  *:*
www      httpd     6649   16 tcp4   *:80                  *:*
www      httpd      407   16 tcp4   *:80                  *:*
www      httpd      378   16 tcp4   *:80                  *:*
root     perl       182    3 tcp4   *:10000               *:*
root     perl       182    4 udp4   *:10000               *:*
mysql    mysqld     181    5 tcp4   *:3306                *:*
www      httpd      178   16 tcp4   *:80                  *:*
www      httpd      177   16 tcp4   *:80                  *:*
www      httpd      176   16 tcp4   *:80                  *:*
www      httpd      175   16 tcp4   *:80                  *:*
www      httpd      174   16 tcp4   *:80                  *:*
nobody   proftpd    168    0 tcp4   *:21                  *:*
root     httpd      150   16 tcp4   *:80                  *:*
root     sendmail    96    3 tcp4   *:25                  *:*
root     sendmail    96    5 tcp4   *:587                 *:*
root     sshd        91    4 tcp4   *:22                  *:*
root     syslogd     72    5 udp4   *:514                 *:*
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd        91    3 tcp46  *:22                  *:*
root     syslogd     72    4 udp6   *:514                 *:*
USER     COMMAND    PID   FD PROTO  ADDRESS
www      httpd      407    5 stream (none)
www      httpd      378    5 stream (none)
root     login      186    3 dgram  syslogd[72]:3
root     login      185    3 dgram  syslogd[72]:3
mysql    mysqld     181    6 stream /tmp/mysql.sock
www      httpd      177    5 stream (none)
www      httpd      176    5 stream (none)
www      httpd      175    5 stream (none)
nobody   proftpd    168    3 dgram  syslogd[72]:3
smmsp    sendmail    99    3 dgram  syslogd[72]:3
root     sendmail    96    4 dgram  syslogd[72]:3
root     syslogd     72    3 dgram  /var/run/log

sockstat on the gateway machine
-------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       825    5 tcp4   129.x.x.35:22         129.x.x.20:2666
root     ssh        491    3 tcp4   192.168.1.1:1151      192.168.1.50:22
root     sshd       482    5 tcp4   129.x.x.35:22         129.x.x.20:2641
root     sendmail   105    3 tcp4   *:25                  *:*
root     sendmail   105    5 tcp4   *:587                 *:*
root     sshd       100    4 tcp4   *:22                  *:*
root     portsent    99    0 tcp4   *:1                   *:*
root     portsent    99    1 tcp4   *:11                  *:*
root     portsent    99    2 tcp4   *:15                  *:*
root     portsent    99    3 tcp4   *:79                  *:*
root     portsent    99    4 tcp4   *:111                 *:*
root     portsent    99    5 tcp4   *:119                 *:*
root     portsent    99    6 tcp4   *:143                 *:*
root     portsent    99    7 tcp4   *:540                 *:*
root     portsent    99    8 tcp4   *:635                 *:*
root     portsent    99    9 tcp4   *:1080                *:*
root     portsent    99   10 tcp4   *:1524                *:*
root     portsent    99   11 tcp4   *:2000                *:*
root     portsent    99   12 tcp4   *:5742                *:*
root     portsent    99   13 tcp4   *:6667                *:*
root     portsent    99   14 tcp4   *:12345               *:*
root     portsent    99   15 tcp4   *:12346               *:*
root     portsent    99   16 tcp4   *:20034               *:*
root     portsent    99   17 tcp4   *:27665               *:*
root     portsent    99   18 tcp4   *:31337               *:*
root     portsent    99   19 tcp4   *:32771               *:*
root     portsent    99   20 tcp4   *:32772               *:*
root     portsent    99   21 tcp4   *:32773               *:*
root     portsent    99   22 tcp4   *:32774               *:*
root     portsent    99   23 tcp4   *:40421               *:*
root     portsent    99   24 tcp4   *:49724               *:*
root     portsent    99   25 tcp4   *:54320               *:*
root     portsent    98    0 udp4   *:1                   *:*
root     portsent    98    1 udp4   *:7                   *:*
root     portsent    98    2 udp4   *:9                   *:*
root     portsent    98    3 udp4   *:69                  *:*
root     portsent    98    4 udp4   *:161                 *:*
root     portsent    98    5 udp4   *:162                 *:*
root     portsent    98    6 udp4   *:513                 *:*
root     portsent    98    7 udp4   *:635                 *:*
root     portsent    98    8 udp4   *:640                 *:*
root     portsent    98    9 udp4   *:641                 *:*
root     portsent    98   10 udp4   *:700                 *:*
root     portsent    98   11 udp4   *:37444               *:*
root     portsent    98   12 udp4   *:34555               *:*
root     portsent    98   13 udp4   *:31335               *:*
root     portsent    98   14 udp4   *:32770               *:*
root     portsent    98   15 udp4   *:32771               *:*
root     portsent    98   16 udp4   *:32772               *:*
root     portsent    98   17 udp4   *:32773               *:*
root     portsent    98   18 udp4   *:32774               *:*
root     portsent    98   19 udp4   *:31337               *:*
root     portsent    98   20 udp4   *:54321               *:*
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       100    3 tcp46  *:22                  *:*
USER     COMMAND    PID   FD PROTO  ADDRESS
smmsp    sendmail   108    3 dgram  syslogd[81]:3
root     sendmail   105    4 dgram  syslogd[81]:3
root     syslogd     81    3 dgram  /var/run/log
root     ipmon       53    0 dgram  syslogd[81]:3

sockstat on the webserver behind the gateway machine
-------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd      2287    5 tcp4   192.168.1.50:22       192.168.1.1:1186
user1    proftpd   2283    0 tcp4   192.168.1.50:21       12.249.95.65:2595
user1    proftpd   2283    1 tcp4   192.168.1.50:21       12.249.95.65:2595
www      httpd     2277   16 tcp4   *:80                  *:*
www      httpd     2276   16 tcp4   *:80                  *:*
user2    proftpd   2180    0 tcp4   192.168.1.50:21       129.x.x.115:1845
user2    proftpd   2180    1 tcp4   192.168.1.50:21       129.x.x.115:1845
www      httpd     1906    5 tcp4   192.168.1.50:1541     129.x.x.5:3306
www      httpd     1906   16 tcp4   *:80                  *:*
www      httpd     1905    5 tcp4   192.168.1.50:1539     129.x.x.5:3306
www      httpd     1905   16 tcp4   *:80                  *:*
www      httpd     1904    3 tcp4   192.168.1.50:80       65.56.131.11:3601
www      httpd     1904    5 tcp4   192.168.1.50:1543     129.x.x.5:3306
www      httpd     1904   16 tcp4   *:80                  *:*
www      httpd     1903    5 tcp4   192.168.1.50:1530     129.x.x.5:3306
www      httpd     1903   16 tcp4   *:80                  *:*
www      httpd     1902    5 tcp4   192.168.1.50:1544     129.x.x.5:3306
www      httpd     1902   16 tcp4   *:80                  *:*
www      httpd     1901    5 tcp4   192.168.1.50:1538     129.x.x.5:3306
www      httpd     1901   16 tcp4   *:80                  *:*
www      httpd     1900    5 tcp4   192.168.1.50:1522     129.x.x.5:3306
www      httpd     1900   16 tcp4   *:80                  *:*
www      httpd     1899    5 tcp4   192.168.1.50:1549     129.x.x.5:3306
www      httpd     1899   16 tcp4   *:80                  *:*
www      httpd     1898    5 tcp4   192.168.1.50:1540     129.x.x.5:3306
www      httpd     1898   16 tcp4   *:80                  *:*
www      httpd     1897    3 tcp4   192.168.1.50:80       65.56.131.11:3603
www      httpd     1897    5 tcp4   192.168.1.50:1521     129.x.x.5:3306
www      httpd     1897   16 tcp4   *:80                  *:*
root     sshd      1144    5 tcp4   192.168.1.50:22       192.168.1.1:1151
root     snmpd      159    6 udp4   *:161                 *:*
nobody   proftpd    153    0 tcp4   *:21                  *:*
root     httpd      146   16 tcp4   *:80                  *:*
root     sendmail    98    3 tcp4   *:25                  *:*
root     sendmail    98    5 tcp4   *:587                 *:*
root     sshd        93    4 tcp4   *:22                  *:*
root     syslogd     73    5 udp4   *:514                 *:*
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd        93    3 tcp46  *:22                  *:*
root     syslogd     73    4 udp6   *:514                 *:*
USER     COMMAND    PID   FD PROTO  ADDRESS
user1    proftpd   2283    2 dgram  syslogd[73]:3
user1    proftpd   2283    3 dgram  syslogd[73]:3
user1    proftpd   2283    6 dgram  syslogd[73]:3
user1    proftpd   2283    7 dgram  syslogd[73]:3
user2    proftpd   2180    2 dgram  syslogd[73]:3
user2    proftpd   2180    3 dgram  syslogd[73]:3
user2    proftpd   2180    6 dgram  syslogd[73]:3
user2    proftpd   2180    7 dgram  syslogd[73]:3
smmsp    sendmail   101    3 dgram  syslogd[73]:3
root     sendmail    98    4 dgram  syslogd[73]:3
root     syslogd     73    3 dgram  /var/run/log

thanks for your help
redmond

> Try running a sockstat and see what it says for the programs that are
> running on those ports..
>
> -----Original Message-----
> From: r-militante@northwestern.edu [mailto:r-militante@northwestern.edu]
> Sent: Tuesday, February 11, 2003 1:38 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: n00b ipf/ipnat questions
>
> hi
>
> any comments? :)
> i'm thinking that it's probably a good thing the box behind the gateway is
> only listening on a select number of ports, but i don't understand why the
> gateway itself seems to be listening on a large number of ports.
> is this normal?
>
> thanks
> redmond
>
>
>
> > hi
> >
> > ok.
> > netstat -na | grep LISTEN on the box i'm nmapping from
> > -------
> > tcp4       0      0  *.10000                *.*                    LISTEN
> > tcp4       0      0  *.3306                 *.*                    LISTEN
> > tcp4       0      0  *.21                   *.*                    LISTEN
> > tcp4       0      0  *.80                   *.*                    LISTEN
> > tcp4       0      0  *.587                  *.*                    LISTEN
> > tcp4       0      0  *.25                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp46      0      0  *.22                   *.*                    LISTEN
> >
> >
> > netstat -na | grep LISTEN on the gateway box
> > -------
> > tcp4       0      0  *.587                  *.*                    LISTEN
> > tcp4       0      0  *.25                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp46      0      0  *.22                   *.*                    LISTEN
> > tcp4       0      0  *.54320                *.*                    LISTEN
> > tcp4       0      0  *.49724                *.*                    LISTEN
> > tcp4       0      0  *.40421                *.*                    LISTEN
> > tcp4       0      0  *.32774                *.*                    LISTEN
> > tcp4       0      0  *.32773                *.*                    LISTEN
> > tcp4       0      0  *.32772                *.*                    LISTEN
> > tcp4       0      0  *.32771                *.*                    LISTEN
> > tcp4       0      0  *.31337                *.*                    LISTEN
> > tcp4       0      0  *.27665                *.*                    LISTEN
> > tcp4       0      0  *.20034                *.*                    LISTEN
> > tcp4       0      0  *.12346                *.*                    LISTEN
> > tcp4       0      0  *.12345                *.*                    LISTEN
> > tcp4       0      0  *.6667                 *.*                    LISTEN
> > tcp4       0      0  *.5742                 *.*                    LISTEN
> > tcp4       0      0  *.2000                 *.*                    LISTEN
> > tcp4       0      0  *.1524                 *.*                    LISTEN
> > tcp4       0      0  *.1080                 *.*                    LISTEN
> > tcp4       0      0  *.635                  *.*                    LISTEN
> > tcp4       0      0  *.540                  *.*                    LISTEN
> > tcp4       0      0  *.143                  *.*                    LISTEN
> > tcp4       0      0  *.119                  *.*                    LISTEN
> > tcp4       0      0  *.111                  *.*                    LISTEN
> > tcp4       0      0  *.79                   *.*                    LISTEN
> > tcp4       0      0  *.15                   *.*                    LISTEN
> > tcp4       0      0  *.11                   *.*                    LISTEN
> > tcp4       0      0  *.1                    *.*                    LISTEN
> >
> > netstat -na | grep LISTEN on the webserver behind gateway
> > -------
> > tcp4       0      0  *.21                   *.*                    LISTEN
> > tcp4       0      0  *.80                   *.*                    LISTEN
> > tcp4       0      0  *.587                  *.*                    LISTEN
> > tcp4       0      0  *.25                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp46      0      0  *.22                   *.*                    LISTEN
> >
> >
> > thanks
> >
> > redmond
>

To
Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
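As an added example (not code from the thread), a small Python parser for the sockstat listing format shown above: it keeps only listening inet sockets and groups their ports by owning process, so a listing like the gateway's collapses to one portsentry process instead of a few dozen unexplained ports. The sample listing is constructed, modelled on the thread's output, and the 5-port threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's sockstat output (not a verbatim
# copy): an IPv4 section, an IPv6 section, then the Unix-domain section.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       825    5 tcp4   129.x.x.35:22         129.x.x.20:2666
root     sendmail   105    3 tcp4   *:25                  *:*
root     sshd       100    4 tcp4   *:22                  *:*
root     portsent    99    0 tcp4   *:1                   *:*
root     portsent    99    1 tcp4   *:11                  *:*
root     portsent    99   18 tcp4   *:31337               *:*
root     portsent    98    0 udp4   *:1                   *:*
root     portsent    98   19 udp4   *:31337               *:*
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       100    3 tcp46  *:22                  *:*
USER     COMMAND    PID   FD PROTO  ADDRESS
root     ipmon       53    0 dgram  syslogd[81]:3
"""

# One inet row: user cmd pid fd proto local foreign. Header rows (PID is not
# numeric) and Unix-domain rows (proto is stream/dgram) do not match.
INET_ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\d+\s+"
    r"(?P<proto>(?:tcp|udp)[46]*)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)

def listeners(text):
    """Map (user, cmd, pid) -> {proto: sorted listening ports}.
    A socket is listening when its foreign address is '*:*'; established
    connections such as the sshd session on pid 825 are left out."""
    found = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = INET_ROW.match(line)
        if m and m["foreign"] == "*:*":
            port = int(m["local"].rsplit(":", 1)[1])
            found[(m["user"], m["cmd"], int(m["pid"]))][m["proto"]].add(port)
    return {k: {p: sorted(s) for p, s in v.items()} for k, v in found.items()}

def busiest(text, min_ports=5):
    """(cmd, pid, port count) for processes owning >= min_ports listening
    ports, most first. One process holding dozens of them (portsentry in the
    thread; sockstat truncates the name to 'portsent') is the usual reason a
    gateway looks as if it listens on everything."""
    rows = [(cmd, pid, sum(len(v) for v in protos.values()))
            for (_, cmd, pid), protos in listeners(text).items()]
    return sorted((r for r in rows if r[2] >= min_ports), key=lambda r: -r[2])
```

Run it over real `sockstat -4 -6` output by replacing SAMPLE; a process with a long, dispersed port list that you did not deploy deserves the same attention portsentry got in this thread.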