Security Basics mailing list archives
RE: Query: Filtered Ports I do not use. Should i be worried?
From: "Petter Bruland" <pbruland () fcglv com>
Date: Thu, 10 May 2007 09:47:49 -0700
Filtered just means that your firewall / router is responding to the port scan saying that there's no such service here. The better way (in my opinion) is to block these ports so that the person scanning does not get a reply at all. Might keep someone from trying different ways to get through, as they know something is there.

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of william fitzgerald
Sent: Thursday, May 10, 2007 7:19 AM
To: security-basics () securityfocus com
Subject: Query: Filtered Ports I do not use. Should i be worried?

Dear nmap gurus,

I have a question about "filtered" ports that someone might be able to shed light on.

I ran a scan from an external network on various ports. Below I will show the results of privileged port range.

nmap -sT -p 0-1025 -PT MYIPAddress

Interesting ports on MYIPAddress.ISPProviderDomain (MYIPAddress):
Not shown: 1014 closed ports
PORT    STATE    SERVICE
21/tcp  filtered ftp
23/tcp  filtered telnet
80/tcp  filtered http
110/tcp filtered pop3
119/tcp filtered nntp
443/tcp filtered https
465/tcp filtered smtps
500/tcp filtered isakmp
501/tcp filtered stmf
873/tcp filtered rsync
993/tcp filtered imaps
995/tcp filtered pop3s

Nmap finished: 1 IP address (1 host up) scanned in 13.582 seconds

The following is scan of filtered ports between 1024 and 5060:

1099/tcp filtered unknown
1701/tcp filtered unknown
1723/tcp filtered pptp
2401/tcp filtered cvspserver
3299/tcp filtered saprouter
3389/tcp filtered ms-term-serv
3690/tcp filtered unknown
4445/tcp filtered unknown
4500/tcp filtered sae-urn
5060/tcp filtered sip

My question is should I be concerned?

NETWORK TOPOLOGY:
++++++++++++++++
DLINK G624T router/firewall
---> Linksys SPA9000 PBX
---> Linksys SPA942
---> Linksys SPA942
---> SBS External NIC
---> SBS Internal NIC
--> 8-Port Linksys Switch
---> PC1
---> PC2
---> Printer

Network Facts:
++++++++++
no port forwarding from DLINK to SBS 2003 server
no port forwarding from DLINK to PBX.
Note: the DLINK can seem to auto keep NAT alive to maintain an inbound and outbound VoIP connection!!
Both PCs must pass through SBS server to hit the DLINK and then onto the Internet for Web and Email access.
Note: Email from hosting provider is directly piped to thunderbird clients as exchange is not configured on SBS. The server is merely a file server at the moment.
No remote access to network setup.
Skype is running on both PCs also.
AVG anti virus tool running on PCs.

Questions:
+++++++
Should I be concerned?

I realize that nmap cannot decide if the ports are open or not. However, since the DLINK has a default policy of permit all outgoing and deny all incoming except traffic initiated within the network, I am wondering if rogue or unintentional services are working from the inside out? That is making a valid port opening as far as the DLINK firewall is concerned.

For example, I do use port 5060 for SIP. It's found to be "Filtered". I do not use imap or pop as email is not downloaded to the SBS server and then distributed to clients. Hence my concern.

It could be that DLINK G624T has a large list of filtered traffic ports it filters! Any comments?

The DLINK G624T has 2 firewall tabs:
1) Filter tab: I have not added any deny or accept rules for IPs or ports
2) Firewall Configuration Tab: I have enabled these features: see the following

DoS Protection
-------------------------
State = enabled
Syn Flooding Checking = on
ICMP Redirection Checking = on

Port Scan Protection
----------------------------------
State = enabled
NMAP FIN/URG/PSH attack = on
Xmas Tree Scan = on
Null Scan attack = on
SYN/RST attack = on

Service Filtering
-----------------------------
State = enabled
Ping from External Network = on
Telnet from External Network = on
FTP from External Network = on
DNS from External Network = on
IKE from External Network = on
RIP from External Network = on
DHCP from External Network = on
ICMP from LAN = off

I can sort of see why NMAP might return some "Filtered" results for FTP and Telnet etc. but why for ms-term-serv, isakmp and others?

Any ideas or advice on how to analyze the nmap results is welcomed,

regards,
Will.

--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
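
One way to triage a scan like the one quoted above, added here as an example and not part of the original thread: parse the nmap port table, compare it with the services the network is meant to expose, and separate ports that need action from ports that only need checking against the firewall's own rules. The EXPECTED set and the function names are assumptions made for this example; the sample lines are an excerpt of the table in the post.

```python
import re

# Excerpt of the port table quoted in the post (not a new scan).
SCAN_OUTPUT = """\
PORT     STATE    SERVICE
21/tcp   filtered ftp
23/tcp   filtered telnet
80/tcp   filtered http
500/tcp  filtered isakmp
3389/tcp filtered ms-term-serv
5060/tcp filtered sip
"""

# Assumption for this example: SIP is the only service the poster says he uses.
EXPECTED = {(5060, "tcp")}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_ports(text):
    """Return {(port, proto): (state, service)} from an nmap port table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # header and banner lines do not match and are skipped
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state, service)
    return ports


def triage(ports, expected):
    """Split scan results into exposed, expected and to-be-verified ports."""
    report = {"exposed": [], "expected": [], "verify": []}
    for key, (state, _service) in sorted(ports.items()):
        if state == "open" and key not in expected:
            # A listener answered on a port nobody planned to expose.
            report["exposed"].append(key)
        elif key in expected:
            report["expected"].append(key)
        elif state in ("filtered", "open|filtered"):
            # nmap saw no reply or an ICMP unreachable, so it cannot tell
            # open from closed; confirm against the device's rule set.
            report["verify"].append(key)
    return report


if __name__ == "__main__":
    for bucket, keys in triage(parse_ports(SCAN_OUTPUT), EXPECTED).items():
        print(bucket, keys)
```
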