Date:      Tue, 11 Feb 2003 12:52:26 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        John Fulcher <jfulcher@us-south.net>, freebsd-security@freebsd.org
Subject:   Re: n00b ipf/ipnat questions
Message-ID:  <20030211185226.GA3385@darkpossum>
In-Reply-To: <005201c2d1fe$1ff1e4c0$1113020a@uss.net>
References:  <20030211183758.GA791@darkpossum> <005201c2d1fe$1ff1e4c0$1113020a@uss.net>


--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

ok. one thing worth noticing in the gateway output below: every one of the extra listening ports belongs to a single process, portsent (pid 99 for the tcp4 sockets, pid 98 for the udp4 ones), not to a separate daemon per port.
sockstat on the machine i'm running nmap from
-------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd     29207    5 tcp4   129.x.x.20:22         129.x.x.22:49176
root     ssh      28858    3 tcp4   129.x.x.20:2641       129.x.x.35:22
root     sshd     27242    5 tcp4   129.x.x.20:22         129.x.x.23:1076
www      httpd    25325   16 tcp4   *:80                  *:*
www      httpd    25324   16 tcp4   *:80                  *:*
www      httpd     6649   16 tcp4   *:80                  *:*
www      httpd      407   16 tcp4   *:80                  *:*
www      httpd      378   16 tcp4   *:80                  *:*
root     perl       182    3 tcp4   *:10000               *:*
root     perl       182    4 udp4   *:10000               *:*
mysql    mysqld     181    5 tcp4   *:3306                *:*
www      httpd      178   16 tcp4   *:80                  *:*
www      httpd      177   16 tcp4   *:80                  *:*
www      httpd      176   16 tcp4   *:80                  *:*
www      httpd      175   16 tcp4   *:80                  *:*
www      httpd      174   16 tcp4   *:80                  *:*
nobody   proftpd    168    0 tcp4   *:21                  *:*
root     httpd      150   16 tcp4   *:80                  *:*
root     sendmail    96    3 tcp4   *:25                  *:*
root     sendmail    96    5 tcp4   *:587                 *:*
root     sshd        91    4 tcp4   *:22                  *:*
root     syslogd     72    5 udp4   *:514                 *:*

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd        91    3 tcp46  *:22                  *:*
root     syslogd     72    4 udp6   *:514                 *:*

USER     COMMAND    PID   FD PROTO  ADDRESS
www      httpd      407    5 stream (none)
www      httpd      378    5 stream (none)
root     login      186    3 dgram  syslogd[72]:3
root     login      185    3 dgram  syslogd[72]:3
mysql    mysqld     181    6 stream /tmp/mysql.sock
www      httpd      177    5 stream (none)
www      httpd      176    5 stream (none)
www      httpd      175    5 stream (none)
nobody   proftpd    168    3 dgram  syslogd[72]:3
smmsp    sendmail    99    3 dgram  syslogd[72]:3
root     sendmail    96    4 dgram  syslogd[72]:3
root     syslogd     72    3 dgram  /var/run/log

sockstat on the gateway machine
-------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       825    5 tcp4   129.x.x.35:22         129.x.x.20:2666
root     ssh        491    3 tcp4   192.168.1.1:1151      192.168.1.50:22
root     sshd       482    5 tcp4   129.x.x.35:22         129.x.x.20:2641
root     sendmail   105    3 tcp4   *:25                  *:*
root     sendmail   105    5 tcp4   *:587                 *:*
root     sshd       100    4 tcp4   *:22                  *:*
root     portsent    99    0 tcp4   *:1                   *:*
root     portsent    99    1 tcp4   *:11                  *:*
root     portsent    99    2 tcp4   *:15                  *:*
root     portsent    99    3 tcp4   *:79                  *:*
root     portsent    99    4 tcp4   *:111                 *:*
root     portsent    99    5 tcp4   *:119                 *:*
root     portsent    99    6 tcp4   *:143                 *:*
root     portsent    99    7 tcp4   *:540                 *:*
root     portsent    99    8 tcp4   *:635                 *:*
root     portsent    99    9 tcp4   *:1080                *:*
root     portsent    99   10 tcp4   *:1524                *:*
root     portsent    99   11 tcp4   *:2000                *:*
root     portsent    99   12 tcp4   *:5742                *:*
root     portsent    99   13 tcp4   *:6667                *:*
root     portsent    99   14 tcp4   *:12345               *:*
root     portsent    99   15 tcp4   *:12346               *:*
root     portsent    99   16 tcp4   *:20034               *:*
root     portsent    99   17 tcp4   *:27665               *:*
root     portsent    99   18 tcp4   *:31337               *:*
root     portsent    99   19 tcp4   *:32771               *:*
root     portsent    99   20 tcp4   *:32772               *:*
root     portsent    99   21 tcp4   *:32773               *:*
root     portsent    99   22 tcp4   *:32774               *:*
root     portsent    99   23 tcp4   *:40421               *:*
root     portsent    99   24 tcp4   *:49724               *:*
root     portsent    99   25 tcp4   *:54320               *:*
root     portsent    98    0 udp4   *:1                   *:*
root     portsent    98    1 udp4   *:7                   *:*
root     portsent    98    2 udp4   *:9                   *:*
root     portsent    98    3 udp4   *:69                  *:*
root     portsent    98    4 udp4   *:161                 *:*
root     portsent    98    5 udp4   *:162                 *:*
root     portsent    98    6 udp4   *:513                 *:*
root     portsent    98    7 udp4   *:635                 *:*
root     portsent    98    8 udp4   *:640                 *:*
root     portsent    98    9 udp4   *:641                 *:*
root     portsent    98   10 udp4   *:700                 *:*
root     portsent    98   11 udp4   *:37444               *:*
root     portsent    98   12 udp4   *:34555               *:*
root     portsent    98   13 udp4   *:31335               *:*
root     portsent    98   14 udp4   *:32770               *:*
root     portsent    98   15 udp4   *:32771               *:*
root     portsent    98   16 udp4   *:32772               *:*
root     portsent    98   17 udp4   *:32773               *:*
root     portsent    98   18 udp4   *:32774               *:*
root     portsent    98   19 udp4   *:31337               *:*
root     portsent    98   20 udp4   *:54321               *:*

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       100    3 tcp46  *:22                  *:*

USER     COMMAND    PID   FD PROTO  ADDRESS
smmsp    sendmail   108    3 dgram  syslogd[81]:3
root     sendmail   105    4 dgram  syslogd[81]:3
root     syslogd     81    3 dgram  /var/run/log
root     ipmon       53    0 dgram  syslogd[81]:3

sockstat on the webserver behind the gateway machine
-------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd      2287    5 tcp4   192.168.1.50:22       192.168.1.1:1186
user1    proftpd   2283    0 tcp4   192.168.1.50:21       12.249.95.65:2595
user1    proftpd   2283    1 tcp4   192.168.1.50:21       12.249.95.65:2595
www      httpd     2277   16 tcp4   *:80                  *:*
www      httpd     2276   16 tcp4   *:80                  *:*
user2    proftpd   2180    0 tcp4   192.168.1.50:21       129.x.x.115:1845
user2    proftpd   2180    1 tcp4   192.168.1.50:21       129.x.x.115:1845
www      httpd     1906    5 tcp4   192.168.1.50:1541     129.x.x.5:3306
www      httpd     1906   16 tcp4   *:80                  *:*
www      httpd     1905    5 tcp4   192.168.1.50:1539     129.x.x.5:3306
www      httpd     1905   16 tcp4   *:80                  *:*
www      httpd     1904    3 tcp4   192.168.1.50:80       65.56.131.11:3601
www      httpd     1904    5 tcp4   192.168.1.50:1543     129.x.x.5:3306
www      httpd     1904   16 tcp4   *:80                  *:*
www      httpd     1903    5 tcp4   192.168.1.50:1530     129.x.x.5:3306
www      httpd     1903   16 tcp4   *:80                  *:*
www      httpd     1902    5 tcp4   192.168.1.50:1544     129.x.x.5:3306
www      httpd     1902   16 tcp4   *:80                  *:*
www      httpd     1901    5 tcp4   192.168.1.50:1538     129.x.x.5:3306
www      httpd     1901   16 tcp4   *:80                  *:*
www      httpd     1900    5 tcp4   192.168.1.50:1522     129.x.x.5:3306
www      httpd     1900   16 tcp4   *:80                  *:*
www      httpd     1899    5 tcp4   192.168.1.50:1549     129.x.x.5:3306
www      httpd     1899   16 tcp4   *:80                  *:*
www      httpd     1898    5 tcp4   192.168.1.50:1540     129.x.x.5:3306
www      httpd     1898   16 tcp4   *:80                  *:*
www      httpd     1897    3 tcp4   192.168.1.50:80       65.56.131.11:3603
www      httpd     1897    5 tcp4   192.168.1.50:1521     129.x.x.5:3306
www      httpd     1897   16 tcp4   *:80                  *:*
root     sshd      1144    5 tcp4   192.168.1.50:22       192.168.1.1:1151
root     snmpd      159    6 udp4   *:161                 *:*
nobody   proftpd    153    0 tcp4   *:21                  *:*
root     httpd      146   16 tcp4   *:80                  *:*
root     sendmail    98    3 tcp4   *:25                  *:*
root     sendmail    98    5 tcp4   *:587                 *:*
root     sshd        93    4 tcp4   *:22                  *:*
root     syslogd     73    5 udp4   *:514                 *:*

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd        93    3 tcp46  *:22                  *:*
root     syslogd     73    4 udp6   *:514                 *:*

USER     COMMAND    PID   FD PROTO  ADDRESS
user1    proftpd   2283    2 dgram  syslogd[73]:3
user1    proftpd   2283    3 dgram  syslogd[73]:3
user1    proftpd   2283    6 dgram  syslogd[73]:3
user1    proftpd   2283    7 dgram  syslogd[73]:3
user2    proftpd   2180    2 dgram  syslogd[73]:3
user2    proftpd   2180    3 dgram  syslogd[73]:3
user2    proftpd   2180    6 dgram  syslogd[73]:3
user2    proftpd   2180    7 dgram  syslogd[73]:3
smmsp    sendmail   101    3 dgram  syslogd[73]:3
root     sendmail    98    4 dgram  syslogd[73]:3
root     syslogd     73    3 dgram  /var/run/log

thanks for your help

redmond


> Try running a sockstat and see what it says for the programs that are
> running on those ports..
>
> -----Original Message-----
> From: r-militante@northwestern.edu [mailto:r-militante@northwestern.edu]
>
> Sent: Tuesday, February 11, 2003 1:38 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: n00b ipf/ipnat questions
>
>  hi
>
> any comments? :)
> i'm thinking that it's probably a good thing the box behind the gateway is
> only listening on a select number of ports, but i don't understand why the
> gateway itself seems to be listening on a large number of ports.
> is this normal?
>
> thanks
> redmond
>
>
>
> > hi
> >
> > ok.
> > netstat -na | grep LISTEN on the box i'm nmapping from
> > -------
> > tcp4       0      0  *.10000                *.*                    LISTEN
> > tcp4       0      0  *.3306                 *.*                    LISTEN
> > tcp4       0      0  *.21                   *.*                    LISTEN
> > tcp4       0      0  *.80                   *.*                    LISTEN
> > tcp4       0      0  *.587                  *.*                    LISTEN
> > tcp4       0      0  *.25                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp46      0      0  *.22                   *.*                    LISTEN
> >
> >
> > netstat -na | grep LISTEN on the gateway box
> > -------
> > tcp4       0      0  *.587                  *.*                    LISTEN
> > tcp4       0      0  *.25                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp46      0      0  *.22                   *.*                    LISTEN
> > tcp4       0      0  *.54320                *.*                    LISTEN
> > tcp4       0      0  *.49724                *.*                    LISTEN
> > tcp4       0      0  *.40421                *.*                    LISTEN
> > tcp4       0      0  *.32774                *.*                    LISTEN
> > tcp4       0      0  *.32773                *.*                    LISTEN
> > tcp4       0      0  *.32772                *.*                    LISTEN
> > tcp4       0      0  *.32771                *.*                    LISTEN
> > tcp4       0      0  *.31337                *.*                    LISTEN
> > tcp4       0      0  *.27665                *.*                    LISTEN
> > tcp4       0      0  *.20034                *.*                    LISTEN
> > tcp4       0      0  *.12346                *.*                    LISTEN
> > tcp4       0      0  *.12345                *.*                    LISTEN
> > tcp4       0      0  *.6667                 *.*                    LISTEN
> > tcp4       0      0  *.5742                 *.*                    LISTEN
> > tcp4       0      0  *.2000                 *.*                    LISTEN
> > tcp4       0      0  *.1524                 *.*                    LISTEN
> > tcp4       0      0  *.1080                 *.*                    LISTEN
> > tcp4       0      0  *.635                  *.*                    LISTEN
> > tcp4       0      0  *.540                  *.*                    LISTEN
> > tcp4       0      0  *.143                  *.*                    LISTEN
> > tcp4       0      0  *.119                  *.*                    LISTEN
> > tcp4       0      0  *.111                  *.*                    LISTEN
> > tcp4       0      0  *.79                   *.*                    LISTEN
> > tcp4       0      0  *.15                   *.*                    LISTEN
> > tcp4       0      0  *.11                   *.*                    LISTEN
> > tcp4       0      0  *.1                    *.*                    LISTEN
> >
> > netstat -na | grep LISTEN on the webserver behind gateway
> > -------
> > tcp4       0      0  *.21                   *.*                    LISTEN
> > tcp4       0      0  *.80                   *.*                    LISTEN
> > tcp4       0      0  *.587                  *.*                    LISTEN
> > tcp4       0      0  *.25                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp46      0      0  *.22                   *.*                    LISTEN
> >
> >
> > thanks
> >
> > redmond
>

--T4sUOijqQbZv57TR
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+SUZqFNjun16SvHYRAgJcAJ0XjodYXeFQ/eIgvUoB7QaKMFn63QCguvLR
E5+hfqOyw/iWu9GiLGXoftw=
=TZH9
-----END PGP SIGNATURE-----

--T4sUOijqQbZv57TR--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



