Why these ports are open?

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Why these ports are open?

Post by hack3rcon » 2019/11/03 08:42:36

Hello,
I scanned my CentOS server by Nmap and it showed me that below ports are open:
portssss.png
portssss.png (10.5 KiB) Viewed 605 times
I used below commands to see ports and services:

Code: Select all

# netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      26978/sshd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      6109/master         
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      5987/mysqld         
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      5744/clamd          
tcp        0      0 :::22                       :::*                        LISTEN      26978/sshd          
tcp        0      0 ::1:25                      :::*                        LISTEN      6109/master         
tcp        0      0 :::80                       :::*                        LISTEN      6122/httpd       
And:

Code: Select all

# lsof -i:5060
# 
How can I find which programs or services using Ports "2000" and "5060" ?

Thank you.

User avatar
TrevorH
Forum Moderator
Posts: 27164
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Why these ports are open?

Post by TrevorH » 2019/11/03 15:01:04

What firewall are you using? Because it's not set up correctly and it's allowing all traffic in!
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Re: Why these ports are open?

Post by hack3rcon » 2019/11/03 16:13:33

TrevorH wrote:
2019/11/03 15:01:04
What firewall are you using? Because it's not set up correctly and it's allowing all traffic in!
I'm using iptables.
Allowing all traffic in? How you understand it?

User avatar
jlehtone
Posts: 2432
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Why these ports are open?

Post by jlehtone » 2019/11/03 21:19:17

If you have some ports open and no clue of what you are doing, then it is safest to assume the worst.

You don't have to "scan with nmap", if you know what firewall rules you have.
If you know what firewall rules you have, then you don't have to ask why some port is open.

Read the upstream documentation:
https://access.redhat.com/documentation ... -firewalls

hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Re: Why these ports are open?

Post by hack3rcon » 2019/11/04 08:20:53

iptables rules are:

Code: Select all

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD 
-A OUTPUT -o lo -j ACCEPT 
-A SYN_FLOOD -m limit --limit 5/sec --limit-burst 10 -j RETURN 
-A SYN_FLOOD -j DROP 

User avatar
jlehtone
Posts: 2432
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Why these ports are open?

Post by jlehtone » 2019/11/04 12:32:18

How did you scan your server with nmap?

Can you tell the rules that allow you to access those odd ports?

hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Re: Why these ports are open?

Post by hack3rcon » 2019/11/04 12:34:42

jlehtone wrote:
2019/11/04 12:32:18
How did you scan your server with nmap?

Can you tell the rules that allow you to access those odd ports?
I did:

Code: Select all

# nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" URL.com

billwest
Posts: 150
Joined: 2006/11/19 10:50:31
Location: Perth, Western Australia

Re: Why these ports are open?

Post by billwest » 2019/11/05 12:46:17

So you ran nmap on the server you are testing?

Because:

-A INPUT -i lo -j ACCEPT

will accept anything on localhost.

hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Re: Why these ports are open?

Post by hack3rcon » 2019/11/05 17:31:12

No, I did it from another PC.

User avatar
jlehtone
Posts: 2432
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Why these ports are open?

Post by jlehtone » 2019/11/05 20:06:19

Are the firewall rules that you did show actually in use, or did you just find them from a file?

With those rules only ports 22/tcp and 80/tcp should look open from outside.

Post Reply

Return to “CentOS 6 - Security Support”