Why these ports are open?

Posted: 2019/11/03 08:42:36
by hack3rcon
Hello,
I scanned my CentOS server with Nmap and it showed me that the ports below are open:
[Image attachment: portssss.png]
I used the commands below to see ports and services:

# netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      26978/sshd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      6109/master         
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      5987/mysqld         
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      5744/clamd          
tcp        0      0 :::22                       :::*                        LISTEN      26978/sshd          
tcp        0      0 ::1:25                      :::*                        LISTEN      6109/master         
tcp        0      0 :::80                       :::*                        LISTEN      6122/httpd       
And:

# lsof -i:5060
# 
How can I find which programs or services are using ports "2000" and "5060"?

Thank you.

Re: Why these ports are open?

Posted: 2019/11/03 15:01:04
by TrevorH
What firewall are you using? Because it's not set up correctly and it's allowing all traffic in!

Re: Why these ports are open?

Posted: 2019/11/03 16:13:33
by hack3rcon
TrevorH wrote:
2019/11/03 15:01:04
What firewall are you using? Because it's not set up correctly and it's allowing all traffic in!
I'm using iptables.
Allowing all traffic in? How do you understand it?

Re: Why these ports are open?

Posted: 2019/11/03 21:19:17
by jlehtone
If you have some ports open and no clue of what you are doing, then it is safest to assume the worst.

You don't have to "scan with nmap", if you know what firewall rules you have.
If you know what firewall rules you have, then you don't have to ask why some port is open.

Read the upstream documentation:
https://access.redhat.com/documentation ... -firewalls

Re: Why these ports are open?

Posted: 2019/11/04 08:20:53
by hack3rcon
iptables rules are:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD 
-A OUTPUT -o lo -j ACCEPT 
-A SYN_FLOOD -m limit --limit 5/sec --limit-burst 10 -j RETURN 
-A SYN_FLOOD -j DROP 

Re: Why these ports are open?

Posted: 2019/11/04 12:32:18
by jlehtone
How did you scan your server with nmap?

Can you tell the rules that allow you to access those odd ports?

Re: Why these ports are open?

Posted: 2019/11/04 12:34:42
by hack3rcon
jlehtone wrote:
2019/11/04 12:32:18
How did you scan your server with nmap?

Can you tell the rules that allow you to access those odd ports?
I did:

# nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" URL.com

Re: Why these ports are open?

Posted: 2019/11/05 12:46:17
by billwest
So you ran nmap on the server you are testing?

Because:

-A INPUT -i lo -j ACCEPT

will accept anything on localhost.

Re: Why these ports are open?

Posted: 2019/11/05 17:31:12
by hack3rcon
No, I did it from another PC.

Re: Why these ports are open?

Posted: 2019/11/05 20:06:19
by jlehtone
Are the firewall rules that you did show actually in use, or did you just find them from a file?

With those rules only ports 22/tcp and 80/tcp should look open from outside.
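
The cross-check the thread is circling around, as an added example that is not part of any post: it combines the posted iptables rules with the posted netstat lines and reports, per TCP port, what is listening on a non-loopback address and whether the INPUT chain lets a new connection in. Function names are made up for the example; it only understands simple `--dport ... -j ACCEPT` rules and assumes the same rules apply to the IPv6 listeners, since no ip6tables rules appear in the thread.

```python
RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A OUTPUT -o lo -j ACCEPT
-A SYN_FLOOD -m limit --limit 5/sec --limit-burst 10 -j RETURN
-A SYN_FLOOD -j DROP
"""  # iptables rules as posted in the thread
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 26978/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6109/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5987/mysqld
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 5744/clamd
tcp 0 0 :::22 :::* LISTEN 26978/sshd
tcp 0 0 ::1:25 :::* LISTEN 6109/master
tcp 0 0 :::80 :::* LISTEN 6122/httpd
"""  # netstat lines as posted, whitespace collapsed
ASKED = [2000, 5060]  # the two ports from the original question

def accepted_tcp_ports(rules):  # INPUT policy + ports a new external connection may reach
    policy, ports = "ACCEPT", set()
    for t in map(str.split, rules.splitlines()):
        if t[:2] == ["-P", "INPUT"]:
            policy = t[2]
        # Rules bound to an interface (-i lo) or without --dport open no external port.
        elif t[:2] == ["-A", "INPUT"] and t[-1] == "ACCEPT" and "--dport" in t and "-i" not in t:
            ports.add(int(t[t.index("--dport") + 1]))
    return policy, ports

def external_listeners(netstat):  # port -> program, loopback-only binds excluded
    rows = (line.split() for line in netstat.splitlines())
    return {int(f[3].rsplit(":", 1)[1]): f[6].split("/")[1] for f in rows
            if f[5] == "LISTEN" and f[3].rsplit(":", 1)[0] not in ("127.0.0.1", "::1")}

def audit(rules, netstat, asked):  # port -> (listener, firewall verdict)
    policy, allowed = accepted_tcp_ports(rules)
    listen = external_listeners(netstat)
    return {p: (listen.get(p, "no listener"),
                "allowed" if policy == "ACCEPT" or p in allowed else "dropped")
            for p in sorted(set(listen) | set(asked))}

if __name__ == "__main__":
    print(audit(RULES, NETSTAT, ASKED))
```

Ports 2000 and 5060 come out with neither a listener nor an ACCEPT rule, so nothing in the posted host state accounts for them. Port 3306 is bound to all interfaces and stays closed from outside only because of the DROP policy.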