Ports open help!

Discussion in 'other firewalls' started by JayK, Jan 26, 2003.

Thread Status:
Not open for further replies.
  1. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    I had a friend scan me. And I found the following ports open

    TCP

    135
    412

    25
    110
    143
    366
    465
    993
    995

    Please advise,

    Worried.
     
  2. snowy

    snowy Guest

    Previous Post By JayK:

    "In fact, except for a few moderators etc. it would be laughable to call anyone here a "Security expert". Knowing how to use anti-virus, configure simple firewall rules, an expert one does not make.


    3) There are a lot of senior members who might be very knowledgable about security products by the virtue of trying almost everything, but they actually understand very little about the fundamental security principles and what the products they use really do, or how they do it.

    *********************************************

    JAY

    I sincerely wish you the very best in locating your port problem. Unfortunately, I am not a security expert so can't offer you any suggestions.......
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Most are related to Mail (pop or IMAP)

    First of all use a decent FW ;)
     
  4. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Well snowy, I consider you an expert. After all, for someone who is a guest, you sure post a lot. I'm guessing you are some mysterious expert, unwilling to reveal yourself. Or there is some past history I'm not aware of?

    Or perhaps there are a dozen people who like the guest name snowy....
     
  5. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Hey Jack, would a decent FW prevent the mail related ports from showing open? The last time I tried a firewall (no idea if it's decent) it still showed port 110 open. Is there any way to use a mailserver and still keep them closed? I would think not, but I would be happy to learn how to set the firewall rules to set it up.

    Also, what do you make of TCP 412?
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    JayK

    Can you refresh our memories on what specific OS you are using? It really helps to know that as a starting point... Also, can you trace the questionable ports back to the specific program that is holding them open (i.e. listening)? That is key to moving forward with your question.

    LowWaterMark
     
  7. snowy

    snowy Guest

    Jay

    by no means am I an expert...not my desire or intent...but my ports are closed...
    an yupper I do post a lot.....hope you can find the post at least laughable.....as I am laughing right now.....
    history...let's hope with those open ports you remain on the internet long enough to make a minor dent in history....
    Jay do you notice I am not blinking
     
  8. snowy

    snowy Guest

    Administration and Mods

    it's fairly obvious the direction this is leading....so in common respect for you folks I'll ignore any further comments
     
  9. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    If you're running XP or W2K then there are probably lots of unnecessary services running on your machine which hold those ports open. There's a site...blackhawk or something similar (can't remember right now but I'm sure someone will chip in with the correct URL) which can advise you which services to permanently shut down.

    HTH
     
  10. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy

    As much as I remember the rules:

    1. get a decent firewall
    2. get M$ security patches available
    3. terminate all unnecessary applications running
    4. online scan all your 65535 ports [ as well use local scanner if you found free one on net to copy, I do not give any links ]
    5. Make sure any of your applications has not server rights

    If any of your 65535 ports appears being open, there is always a reason why, for example backport server or related.

    Did I forget something ?

    That is the particular reason we people are here at wilders JayK. We had to learn some basic rules.

    ~Ari~
     
  11. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    :412 is synoptics-trap Trap Convention Port.
    I don't know what it's used for but it is also blocked with a FW.
    I am running a personal SMTP server on an exotic port, and of course it appears blocked from outside the LAN. If you are running a POP server and you don't want to serve as an open relay for spammers, just allow this application for the trusted addresses of your LAN on the needed ports and if your rule below is deny you will get a closed response from outside the LAN.
    If the rule is reject, you'll get stealth.

    Rgds,
     
  12. snowy

    snowy Guest

    JACK

    412 trap convention port = Remote MT Protocol

    While not absolutely certain..that may also be used by a trojan named: (BACKAGE)
    as a precaution Jay may want to consider scanning with a scanner of his choice.......you are best to advise
     
  13. snowy

    snowy Guest

    JACK

    good news.....trojan BACKAGE uses ports 411, 334 and 5333..........there are a few versions of this trojan
     
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    27/1 12:44:44 [PortRef] 412: SYNOPTICS-TRAP - Trap Convention Port, Direct Connect Peer-2-Peer File Sharing
     
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Snowy/Krusty/Jack/JayK: edit: hello also checkout, missed you

    How are you this fine day? :D [Sorry JayK about being cheerful, it's a Public Hol here in Oz, Australia Day]

    I hope JayK you can sort out Port Open problems and since I am also not a security expert I will leave offering advice to others.

    However Krusty mentioned scanning all 65,000+ ports.

    I have a nice site which breaks them up in groups and it works great.

    I have taken this little odyssey myself and it does take a while but the beauty of this site is you can scan so many then come back if out of time and continue with the next group.

    Also you can scan just individual ones if you like separated with commas, so JayK I can give you a small piece of advice after all, select those ports that are open and maybe confirm with another test. ;)

    http://www.auditmypc.com/freescan/main.asp?S=2066

    Cheers, TAS
     


  16. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Controller, here are those sites for tweaking Services. [BlackViper you were thinking of?]

    Thomas McGuire's Tweak Win2000 Services Guide [this one is excellent, laid out in one page, very easy to understand, look at this first as it's similar to XP with Services]:
    http://www.techspot.com/tweaks/win2k_services/print.shtml

    Thomas McGuire's Tweak XP Services Guide [this one is by same guy, but from within another site, and you have to keep going to "Next Page", but still laid out comprehensively]:
    http://www.techspot.com/tweaks/winxp_services/index.shtml

    BlackViper's Services Tweaks: http://blackviper.com/
     
  17. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Do not forget to bookmark http://ports.tantalo.net
     
  18. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Well Krusty, thanks, but I do know all the basics you mentioned above. I'm looking for more specific help.

    As for applications having "Server rights" I'm not sure what that means, though it sounds like a ZA term? I've never seen that in Kerio or another firewall.
     
  19. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Thanks to all for helping.

    To Lowwatermark

    I'm running a LAN working through ICS. The main computer (Win2K) acts as the internet gateway.

    The use of ICS totally complicates things compared to a single stand alone, so my problems are perhaps a little unusual.

    I've "mapped the ports" and accounted for
    25
    110
    143
    366
    465
    993
    995

    Those are basically held open by an email server. Not too bad, but not too good either.

    Currently it is not set as an open relay. I think since we can't figure out how to use the other exotic SSL email stuff we are only using 25 and 110, so I'm going to close down the rest just to be safe.

    After some googling I figured that 412 had something to do with Kazaa or emule, and I checked, on another computer in the LAN, one computer was port forwarding to TCP 412 for emule use.

    Admittedly I'm not very familiar (lol) with port forwarding, so it's more research time.


    Hello, as you can see, I don't really understand the difference between SMTP and POP servers.

    Hmm. I guess I was misled. Someone advised me that the SMTP server must always be open. At least you wanted to receive mail. If it appears blocked from outside the LAN, how do you receive SMTP Mail?


    As mentioned before the POP server application itself has an option to accept relays from only certain ip ranges. I have set it to allow only local LAN addresses, I did a check it's not an open relay. It still appears open to the world though?? I'll add a firewall and see what happens.

    Thanks all for the help again.

    I must be an idiot to have so many ports open, while all the senior members and even newbies here manage to keep all their ports stealthed, without even knowing what TCP/IP is..

    I guess I must blame my complicated system which is not the atypical stand alone machine that runs no servers and is directly connected to the net.

    Mine has an email server, an ICS NAT, port forwarding and what not, it sure confused the heck out of me.

    Add to the fact that, 2 other people on the network are doing all kinds of weird stuff that you don't typically see on computers (at least for someone like me), so I'm trying to keep up.

    Well at least I lead a more exciting life than when I had a standalone directly connected to the net.
     
  20. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi JayK

    The terminology different vendors use does add to the confusion at times.

    "Server rights" is a term used by ZA and simply means allowing the application to hold open a local service/port (listen) and permit "Inbound" communication to the application given server rights.

    Other rule based firewalls, such as Kerio, accomplish the same thing with a rule permitting "Inbound" traffic for a specific local service/port and server application.

    Regards,
    CrazyM
     
  21. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    ZA has the option for server rights both locally and on the internet. So you can have the port held open on the internet also (not just locally) if the app requires it.

    The apps I use, for example, don't require server rights of any kind. So it's not a standard configuration but used only if the app requires server rights in order to perform its function.
     
  22. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are you running a firewall on the gateway system? Are you running firewalls on the systems behind the gateway? If not, you might want to consider doing so as that would allow you more control over what is permitted to the different systems in your unique set up.

    Your decision to limit the forwarded ports to only those actually being used is a good one. Check the settings on the server to see if it is still listening on any of the others. You may have to disable those so it is only listening/using the services you want it to.

    Can/have you restricted the forwarding of that port to that one system?

    Unfortunately running a server requires the server to listen/hold open the appropriate service/port. The only way for it not to show open to the world would be if you could restrict access to it to certain remote IP's. Your use of the server and needs will determine if this is an option. If you have to leave the server open to the Internet, ensuring it is up to date, patched and configured properly is essential.

    Regards,
    CrazyM
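
Added example (not part of any post in this thread): a Python check along the lines LowWaterMark and CrazyM describe, comparing what the gateway is actually listening on with the ports the outside scan reported and the ports meant to be served. The `netstat -an` text is constructed sample output, the intended set of 25 and 110 follows JayK's stated plan, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:366            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:465            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1045       203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Ports the friend's scan reported open (from the first post) and the two JayK plans to keep.
SCANNED_OPEN = {135, 412, 25, 110, 143, 366, 465, 993, 995}
INTENDED = {25, 110}

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+\d+)?\s*$")

def listening_tcp(netstat_text):
    """Return {port: set(local addresses)} for TCP sockets in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners

def audit(netstat_text, scanned_open, intended):
    """Compare local listeners with the outside scan and the intended services."""
    listeners = listening_tcp(netstat_text)
    # A socket bound only to loopback cannot be reached from other hosts.
    reachable = {p for p, addrs in listeners.items() if addrs - {"127.0.0.1"}}
    return {
        "unexpected_listeners": sorted(reachable - intended),
        "open_without_local_listener": sorted(scanned_open - reachable),
        "intended_not_listening": sorted(intended - reachable),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT, SCANNED_OPEN, INTENDED))
```

A port in `open_without_local_listener` is being answered by something other than a socket on this machine, so the gateway's port-forwarding settings are the next place to look.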
     
  23. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    ADMIN note: a missing closing quote was messing up the page so I added it. ~unicron
     
  24. Jackie Hanes

    Jackie Hanes Guest

    Try visiting this url http://www.auditmypc.com/freescan/portsearch.asp?do=mje2002 and enter the port or ports you're looking for.


    :D
     