Firewall Wizards mailing list archives
RE: Help Required
From: Don Tuer <Don_Tuer () dtaadv on ca>
Date: Tue, 16 Jan 2001 18:03:38 -0500
Hi Ben/Sim:

Thanks for the notes. I've identified the following ports:

Port 6666 - Windows Media Unicast Service - Provides Windows Media streaming content on-demand to networked clients
Port 7007 - Windows Media Station Service - Provides multicasting and distribution services for streaming Windows Media content
Port 7778 - Windows Media Monitor Service - Provides services to monitor client and server connections to the Windows Media services

I am still fighting with some of the other ones but don't think they are from a hack.

Thanks for the tip about Stefan Norberg's book, looks quite good. Will add it to my reading list...

Thanks
Don

-----Original Message-----
From: Ben Nagy [mailto:ben.nagy () marconi com au]
Sent: Tuesday, January 16, 2001 6:22 PM
To: Don Tuer; Firewall Wizards
Subject: RE: [fw-wiz] Help Required
-----Original Message-----
From: sim [mailto:simeonuj () eetc com]
Sent: Wednesday, 17 January 2001 1:31
To: Don Tuer; Firewall Wizards
Subject: Re: [fw-wiz] Help Required
A few more comments inline...
From: Don Tuer <Don_Tuer () dtaadv on ca>
Date: Sat, 13 Jan 2001 17:07:53 -0500
To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Subject: [fw-wiz] Help Required

Hello:

I just ran nmap on my web server and received the following, rather disturbing picture. I'm quite surprised about the netbios stuff as I have unbound the Microsoft client and server from the nic facing the net. Any help on what these other ports could be would be appreciated.

Thanks
Don
First - have you run a few different nmap scans? In particular, run the UDP scan - you might well turn up 137,138 udp. It doesn't look like your NetBIOS stuff is completely unbound. On the plus side, there are a couple of the nmap scans which are listed in the docco as being prone to produce false positives. Make sure you're not getting any of those - try running netstat and / or inzider on the server and reconcile the outputs.

Secondly, have you worked through one of the web server hardening docs? They're quite good.[1]

More further down...
NMAP output

Port      State  Service
25/tcp    open   smtp         Simple Mail Transfer Protocol
Is this expected? I think you can disable the crazy SMTP listener in IIS, can't you?
53/tcp    open   domain       This port is used for DNS.
80/tcp    open   http         Web
119/tcp   open   nntp         Network News Transfer Protocol.
Again - is this expected? NNTP is abnormal for a webserver.
135/tcp   open   loc-srv
You won't get rid of this - it's the RPC endpoint mapper.
139/tcp   open   netbios-ssn
This is a bad sign.
389/tcp   open   ldap         Lightweight Directory Access Protocol
Again - presumably this is because it's a Win2K box? If you unbind all the M$ networking stuff and remove the Server and Workstation service it should go away.
563/tcp   open   snews        NNTP over SSL. Secure News.
1002/tcp  open   unknown
1058/tcp  open   nim
1002 is a worry. Normally the random fluff ports are between 1024 and maybe 1100 depending on workload etc. 1058 may well be random fluff. Restart and scan again - see if it's still there.
1723/tcp  open   pptp
[sim]
PPTP is Microsoft's VPN protocol. Supposedly it is a security risk on a Microsoft machine acting as a server. I am not sure about this but something about the way they implement it, NOT the protocol itself, has some problems. Don't quote me on this :-)
The protocol has problems. The implementation has more problems before they fixed it. It's still dependent on strong passwords for key entropy, AFAIK, which is a Bad Thing crypto-wise. I don't lose _too_ much sleep over PPTP with the 128-bit patch, but it's definitely worth looking at your password strength.
3005/tcp  open   deslogin
6666/tcp  open   irc-serv
[sim]
This looks like an IRC server. As far as I know IRC is rather insecure.
Are you running Backup Exec on this server? I've seen it use 6666 before - gave me a nasty fright.
7007/tcp  open   afs3-bos
No idea. netstat and inzider might tell you, or you can start killing services one by one until it goes away.

In summary, it looks to me like your main problems are IIS configuration issues (NNTP and SMTP listeners) and M$ networking guff.

Cheers,

[1] Random reference: Stefan Norberg did some good stuff for NT4, and has an ORA book out for 2k (which it looks like you're using). I have a methodology somewhere but it's mainly for firewalls and may be too pared-down for a WWW box. Or just webgrep for 'hardening NT'.

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
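The reconciliation Ben suggests (compare what nmap sees from outside with what netstat shows on the box itself) as a worked example. This is an added script, not code from the thread or from any tool mentioned in it. The nmap lines are the ones pasted in the thread; the netstat lines, the external address 192.0.2.10 and the list of "Microsoft networking" ports are constructed assumptions for illustration. It sorts each scanned port into confirmed listeners, Microsoft networking ports still bound on the external NIC, ports with no listener behind them (rescan: false positive or transient, the 1002/1058 case), and listeners the scan missed (the UDP 137/138 case when only a TCP scan was run).

```python
"""Reconcile nmap's port list against the scanned host's own netstat output.
Added example, not code from the thread: nmap lines are the ones pasted in the
thread; netstat lines and the external address 192.0.2.10 are constructed."""
import re
from collections import defaultdict

# nmap "normal" output as pasted in the thread (port/proto state service).
NMAP_OUTPUT = """\
25/tcp open smtp
53/tcp open domain
80/tcp open http
119/tcp open nntp
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open ldap
563/tcp open snews
1002/tcp open unknown
1058/tcp open nim
1723/tcp open pptp
3005/tcp open deslogin
6666/tcp open irc-serv
7007/tcp open afs3-bos
"""

# Constructed `netstat -an` output (Windows 2000 layout) for the same host.
# Assumption: the Internet-facing NIC is 192.0.2.10.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:563            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3005           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7007           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1058        198.51.100.7:80        ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
# proto, local addr:port, foreign addr, optional state (UDP lines have none)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")

# Microsoft networking ports that should not answer on an Internet-facing NIC
# (135 cannot be removed from Win2K, but it can be filtered).  Assumed list.
MS_NETWORKING = {(135, "tcp"), (139, "tcp"), (445, "tcp"), (137, "udp"), (138, "udp")}


def parse_nmap(text):
    """Return {(port, proto): service} for each port nmap reported open."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m and m.group(3) == "open":
            ports[(int(m.group(1)), m.group(2))] = m.group(4)
    return ports


def parse_netstat(text):
    """Return {(port, proto): {local addresses}} for sockets that accept traffic:
    TCP sockets in LISTENING state, and every UDP socket."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT sockets are client-side fluff
        listeners[(port, proto)].add(addr)
    return dict(listeners)


def reconcile(nmap_text, netstat_text, external_ip):
    """Sort nmap's findings into what the host itself confirms.

    confirmed      - open in nmap and a listener bound to 0.0.0.0 or the external NIC
    ms_networking  - confirmed, but a Microsoft networking port: unbind or filter it
    no_listener    - open in nmap but nothing listening: rescan, likely false
                     positive or transient (the 1002/1058 case in the thread)
    missed_by_scan - listening on the external NIC but absent from the scan,
                     e.g. UDP 137/138 when only a TCP scan was run
    """
    scanned = parse_nmap(nmap_text)
    listening = parse_netstat(netstat_text)
    exposed = {"0.0.0.0", external_ip}
    report = {"confirmed": [], "ms_networking": [], "no_listener": [], "missed_by_scan": []}
    for key in sorted(scanned):
        if not listening.get(key, set()) & exposed:
            report["no_listener"].append(key)
        elif key in MS_NETWORKING:
            report["ms_networking"].append(key)
        else:
            report["confirmed"].append(key)
    for key, addrs in sorted(listening.items()):
        if key not in scanned and addrs & exposed:
            report["missed_by_scan"].append(key)
    return report


if __name__ == "__main__":
    for bucket, keys in reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT, "192.0.2.10").items():
        print(f"{bucket:15} {', '.join(f'{p}/{pr}' for p, pr in keys)}")
```

Run it against real output by pasting `nmap -sS -sU` results and the server's `netstat -an` into the two strings; anything in `no_listener` is worth a restart-and-rescan before assuming a backdoor, and anything in `missed_by_scan` is a port the chosen scan type never exercised.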
Current thread:
- Help Required Don Tuer (Jan 15)
- Re: Help Required sim (Jan 16)
- <Possible follow-ups>
- RE: Help Required Ben Nagy (Jan 18)
- RE: Help Required Don Tuer (Jan 18)
- RE: Help Required Ben Nagy (Jan 18)
- re: Help Required Freddie Cash (Jan 18)