Security Basics mailing list archives

RE: Query: Filtered Ports I do not use. Should i be worried?


From: "Petter Bruland" <pbruland () fcglv com>
Date: Thu, 10 May 2007 09:47:49 -0700

Filtered just means that your firewall / router is responding to the
port scan saying that there's no such service here. The better way (in
my opinion) is to block these ports so that the person scanning does not
get a reply at all. Might keep someone from trying different ways to get
through, as they know something is there.

-Petter


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of william fitzgerald
Sent: Thursday, May 10, 2007 7:19 AM
To: security-basics () securityfocus com
Subject: Query: Filtered Ports I do not use. Should i be worried?

Dear nmap gurus,

I have a question about "filtered" ports that someone might be able to
shed light on.

I ran a scan from an external network on various ports. Below I will
show the results of privileged port range.

nmap -sT -p 0-1025 -PT MYIPAddress

Interesting ports on MYIPAddress.ISPProviderDomain (MYIPAddress):
Not shown: 1014 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
80/tcp filtered http
110/tcp filtered pop3
119/tcp filtered nntp
443/tcp filtered https
465/tcp filtered smtps
500/tcp filtered isakmp
501/tcp filtered stmf
873/tcp filtered rsync
993/tcp filtered imaps
995/tcp filtered pop3s
Nmap finished: 1 IP address (1 host up) scanned in 13.582 seconds

The following is scan of filtered ports between 1024 and 5060:
1099/tcp filtered unknown
1701/tcp filtered unknown
1723/tcp filtered pptp
2401/tcp filtered cvspserver
3299/tcp filtered saprouter
3389/tcp filtered ms-term-serv
3690/tcp filtered unknown
4445/tcp filtered unknown
4500/tcp filtered sae-urn
5060/tcp filtered sip

My question is should I be concerned?

NETWORK TOPOLOGY:
++++++++++++++++
DLINK G624T router/firewall   ---> Linksys SPA9000 PBX
                              ---> Linksys SPA942
                              ---> Linksys SPA942
                              ---> SBS External NIC ---> SBS Internal NIC --> 8-Port Linksys Switch ---> PC1
                                                                                                    ---> PC2
                                                                                                    ---> Printer

Network Facts:
++++++++++

No port forwarding from DLINK to SBS 2003 server.
No port forwarding from DLINK to PBX. Note: the DLINK can seem to auto
keep NAT alive to maintain an inbound and outbound VoIP connection!!
Both PCs must pass through SBS server to hit the DLINK and then onto
the Internet for Web and Email access. Note: Email from hosting provider
is directly piped to Thunderbird clients as Exchange is not configured
on SBS. The server is merely a file server at the moment.
No remote access to network setup.
Skype is running on both PCs also.
AVG anti virus tool running on PCs.

Questions:
+++++++
Should I be concerned?   

I realize that nmap cannot decide if the ports are open or not. However,
since the DLINK has a default policy of permit all outgoing and deny all
incoming except traffic initiated within the network, I am wondering if
rogue or unintentional services are working from the inside out? That is
making a valid port opening as far as the DLINK firewall is concerned. 
For example, I do use port 5060 for SIP. It's found to be "Filtered". I
do not use imap or pop as email is not downloaded to the SBS server and
then distributed to clients. Hence my concern.

It could be that DLINK G624T has a large list of filtered traffic ports
it filters! Any comments?

The DLINK G624T has 2 firewall tabs:
1) Filter tab: I have not added any deny or accept rules for IPs or
ports
2) Firewall Configuration Tab: I have enabled these features: see the
following

DoS Protection
-------------------------
State = enabled
Syn Flooding Checking = on
ICMP Redirection Checking = on

Port Scan Protection
----------------------------------
State = enabled
NMAP FIN/URG/PSH attack = on
Xmas Tree Scan = on
Null Scan attack = on
SYN/RST attack = on

Service Filtering
-----------------------------
State = enabled
Ping from External Network = on
Telnet from External Network = on
FTP from External Network = on
DNS from External Network = on
IKE from External Network = on
RIP from External Network = on
DHCP from External Network = on
ICMP from LAN = off

I can sort of see why NMAP might return some "Filtered" results for
FTP and Telnet etc. but why for ms-term-serv, isakmp and others?

Any ideas or advice on how to analyze the nmap results is welcomed,
regards, Will.


--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group, ArcLabs Research and
Innovation Centre, Waterford Institute of Technology, WIT West Campus,
Carriganore, Waterford.
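
Added example, not part of either message above: a sketch of how a TCP connect probe of the kind `nmap -sT` performs separates "open", "closed" and "filtered" at the socket level. The function names `classify` and `probe` and the loopback demo are assumptions of this example, and the errno mapping is a simplification of what a full scanner does.

```python
import errno
import socket

# ICMP "unreachable" replies from a packet filter surface as these errnos.
ICMP_UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify(result):
    """Map the outcome of a TCP connect() to an nmap-style port state.

    result is None when connect() succeeded, otherwise the exception raised.
    """
    if result is None:
        return "open"        # three-way handshake completed
    if isinstance(result, (socket.timeout, TimeoutError)):
        return "filtered"    # SYN was dropped silently, nothing came back
    if isinstance(result, ConnectionRefusedError):
        return "closed"      # RST came back: host reachable, no listener
    if isinstance(result, OSError) and result.errno in ICMP_UNREACHABLE:
        return "filtered"    # a filter rejected the SYN with ICMP unreachable
    return "unknown"


def probe(host, port, timeout=2.0):
    """Attempt a single TCP connect and return its classified state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Constructed loopback demo: probe a listening port, then the same
    # port again after the listener has been closed.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print(port, probe("127.0.0.1", port))
    listener.close()
    print(port, probe("127.0.0.1", port))
```

In this mapping, a "filtered" result records only that the probe was dropped or rejected on the way; it does not show whether a service is listening behind the filter.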






