On 17 Jul 2005, at 15:32, Timothy Murphy wrote:
> On Sun 17 Jul 2005 13:25, Niall O Broin wrote:
>>>> Most of these are targeted at ports 1026, 1027
>>> which I take to be some kind of ssh or ssl attack.
>>>> No - Calendar Access Protocol and ExoSee respectively - grep for the
>> number in /etc/services. ExoSee is some kind of personal file sharing
>> system, and I presume there is some Microsoft vulnerability on certain
>> machines providing CAP access.
>> Thanks for the correction.
Someone else pointed out different services which use these ports. The
problem with ports over 1024 is that there isn't really any agreement
about them, and what standards there are have evolved over time. What's
important from your POV though is that packets from the outside world
can't get to those ports on your LAN, no matter what is listening (or
>>> Is there any chance that this attack will succeed at some point?
>>>> Yes, yes there is. All you need to do is
>> a) Have a Windows box inside your LAN running the vulnerable software.
>> b) Have your Shorewall box forwarding 1026 and 1027 to that Windows
>> Well, as far as I can see, these packets are rejected as soon as they
> so I don't think they could get to my grand-daughter's Windows machine.
That's because your Shorewall is wrongly configured - you have to tell
it to forward those ports to your grand-daughter's Windows machine. Of
course, you might NOT want to do that.
>> nmap publicIP.of.your.firewall
>>>> and check that all ports shown as open are intentionally open.
>> Thanks for the suggestion.
> I've tried it out, and got quite a long list of ports:
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-07-17
> 15:24 BST
> Interesting ports on 83-70-225-169.b-ras1.prp.dublin.eircom.net
> (The 1020 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 110/tcp filtered pop3
> 143/tcp filtered imap
> 65301/tcp filtered pcanywhere
>> Nmap run completed -- 1 IP address (1 host up) scanned in 62.307
>> All of the ports say "filtered".
> Does that mean I'm safe?
Filtered is good - that means that a firewall (shorewall in your case,
though sometimes ISPs filter certain ports before they get to your
system - not sure if any Irish ISPs currently do though) is stopping
nmap from determining if the ports are open or closed.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!