Firewall Wizards mailing list archives

Re: Port 37628....Is it just another port or out of the extra ordinary???


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 22 Jul 2004 13:15:46 +0530

On 21/07/04 16:52 -0700, InHisGrip wrote:

> Hi everyone,
>
> I have set up an apache web server in my small home
> network and have configured this web server by
> enabling port forwarding for web requests and
> redirection using a non-standard port other than port
> 80. I have also used my dns registrar/provider in

Assuming that the world can access this on port 80 on your public IP,
the non standard port is not likely to be a very useful step.

> particular dyndns.org to do the job of custom dns and
> redirecting web traffic on my host
> machine.

> My question is related to security/firewall and in
> particular with linux ports being compromised. Based
Daemons (services in Windows terms) get compromised. A port is just a 16
bit integer.

> from the information below, can anyone please let me
> know if the information I have attached based on open
> ports or listening ports on the output will somehow
> compromise my small home network or the linux web
> server box I have just set up?

Which of those services should be available publicly? Ask a friend to
run nmap on your home IP from the real world.

> Oh, by the way, just wanted to make sure because I
> have placed the web server in a DMZ port and zone
> from my linksys router and I think but not sure that
> I am being shielded and protected at least? Likewise, I

Not necessarily.

> have enabled advanced firewall protection on my
> linksys router. Am I just paranoid, or is there
> something to get alarmed about especially on port 37628
> which has a LISTEN state on all interfaces or on the
> Internet?

You should be alarmed if there is something that you don't know
happening on your system. By default. Paranoia is good for you.


> Here is a copy of my netstat -an output:

I would suggest netstat -lnp on Linux. This needs to be run as root to
get program name information.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      853/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      797/sshd

Here is a sample output from my system. This shows ports 80 (my little
webserver, serving a few static pages for when I need to point people on
IRC to usable configuration files.) and sshd (I do need to access this
system remotely.)

Without the -p output, it is hard to know what is happening, but I will
make a few reasonable guesses.

> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN

This could be anything. I would have said a rpc service, but this is
TCP.

> tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN

These are only on your loopback, most likely rpc.

> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN

The portmapper service. If you are not using nfs, turn this off.

> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

sshd. If you don't need to access this system remotely, turn this off.

> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN

Sendmail on loopback, looks like a redhat system to me.

> tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN

This is Apache, serving http.

> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

Apache serving https.

> udp        0      0 0.0.0.0:32768           0.0.0.0:*
> udp        0      0 0.0.0.0:750             0.0.0.0:*
> udp        0      0 0.0.0.0:111             0.0.0.0:*

Definitely looks like rpc to me.

<snip unix sockets>

> I am asking this question because the URL below
> mentioned a trojan on his system and this could
> also be happening to mine. Is this a security threat
> both on UDP and TCP ports 32768 among others?

Possibly. Possibly not. Everything on the Internet that you do not know is
dangerous. Turn off all services that you do not need. ntsysv is a quick
way of doing things on RedHat. Then init 1 and init 3.

> http://www.linuxquestions.org/questions/archive/4/2002/01/2/11641

> Any tips or thoughts on how to eliminate this threat
> would be highly appreciated. Thanks in advance.

The first thing to do is to determine if it is truly a threat.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
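An added example (not from the thread or from either poster) that automates the check Devdas walks through by hand: parse a Linux `netstat -lnp` listing, separate loopback-only sockets from ones bound to every interface, and flag exposed ports that carry no program name and are not on a short list of expected services. The KNOWN_PORTS table, the SAMPLE listing and the exact column layout are my assumptions.

```python
"""Added example, not from the thread: triage a Linux `netstat -lnp` listing."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port program exposure")

# Ports the reply identifies by hand (assumed table); anything else is unknown.
KNOWN_PORTS = {22: "sshd", 25: "smtp", 80: "http", 111: "portmapper (rpc)", 443: "https", 8090: "http (alt)"}

# proto recv-q send-q local foreign [LISTEN] [pid/program | -]
# Established connections from `netstat -an` do not match and are ignored.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>[\d.:*]+):(?P<port>\d+)"
    r"\s+\S+(?:\s+LISTEN)?(?:\s+(?:(?P<pid>\d+)/(?P<prog>\S+)|-))?\s*$")

def exposure(addr):
    """Loopback is local-only; 0.0.0.0, :: or * accept from every interface."""
    if addr in ("127.0.0.1", "::1"):
        return "local-only"
    return "all-interfaces" if addr in ("0.0.0.0", "::", "*") else "single-interface"

def parse_netstat(text):
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and unix-socket lines do not match and are skipped
            out.append(Listener(m["proto"], m["addr"], int(m["port"]),
                                m["prog"], exposure(m["addr"])))
    return out

def review(listeners):
    """(port, proto, verdict) for every socket that other hosts can reach."""
    findings = []
    for l in listeners:
        if l.exposure != "local-only":
            name = l.program or KNOWN_PORTS.get(l.port)
            verdict = f"expected: {name}" if name else "UNKNOWN: identify with -p or stop it"
            findings.append((l.port, l.proto, verdict))
    return sorted(findings)

# Constructed sample modelled on the thread's listing (mostly unprivileged, so "-" for program).
SAMPLE = """\
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      797/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN      853/httpd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
"""
```

Run `review(parse_netstat(SAMPLE))` to get the exposed sockets; the loopback sendmail socket is dropped and both 32768 sockets come back as unknown.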

