DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 11th February 2009
killa74 killa74 is offline
New User
 
Join Date: Feb 2009
Location: France
Posts: 6
Thanked 0 Times in 0 Posts
Default namp show me a 1720 open port ??

Hello,

I install a OpenBSD 4.4 whit:

Apache (listen on ext_if)
Postfix (listen on ext_if) + clamav (listen localhost) + spamassassin (listen localhost)
bind (listen int_if)
pf configured to use the ftp-proxy for clients

But when i scan my ext_if with nmap i show the port 1720 open.

Nothing on inetd.conf !!

I know this port can be use for communicate vi the H323 protocole but i don't use it.

How can i know why this port is open and how can block it.

if you want more detail on my config tell me.

Thank's
Reply With Quote
  #2   (View Single Post)  
Old 11th February 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

What does sockstat -4 -p 1720 produce?
Reply With Quote
  #3   (View Single Post)  
Old 11th February 2009
killa74 killa74 is offline
New User
 
Join Date: Feb 2009
Location: France
Posts: 6
Thanked 0 Times in 0 Posts
Default sockstat

Sorry,

but i don't have this command. And i dont find this package in my PKG_PATH.

May be it's include in another package ??

Can you tell where wan i find this ?

I thinks this port is dynamicly open like a inetd services because when i do a netstat -an |grep LISTEN i don't see this port.


Thank's

Last edited by killa74; 11th February 2009 at 09:58 AM.
Reply With Quote
  #4   (View Single Post)  
Old 11th February 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

sockstat is part of the FreeBSD base system. I had hoped it would be part of OpenBSD's as well. There's a python script that emulates its behaviour:

http://wiki.e-shell.org/OpenBSDSockstat
Reply With Quote
  #5   (View Single Post)  
Old 11th February 2009
killa74 killa74 is offline
New User
 
Join Date: Feb 2009
Location: France
Posts: 6
Thanked 0 Times in 0 Posts
Default

Tkank's for you quickly answer.

I test this .
Reply With Quote
  #6   (View Single Post)  
Old 11th February 2009
killa74 killa74 is offline
New User
 
Join Date: Feb 2009
Location: France
Posts: 6
Thanked 0 Times in 0 Posts
Default

So,

I install python 2.5 et download the e-shell

this is my output when i try

sockstat -l4 (and i connect from outside with telnet on the port 1720)

www httpd 13355 17* internet stream tcp 0xd849cc80 *:80
www httpd 3961 17* internet stream tcp 0xd849cc80 *:80
www httpd 28532 17* internet stream tcp 0xd849cc80 *:80
_clamav perl 3805 6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_clamav perl 17851 6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_clamav perl 29659 6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_mysql mysqld 16257 16* internet stream tcp 0xd8376c84 127.0.0.1:3306
root couriertcpd 14199 3* internet stream tcp 0xd83767d4 127.0.0.1:143
_spamd spamd 19134 4* internet stream tcp 0xd8376194 *:8025
_spamd spamd 19134 5* internet stream tcp 0xd8376324 127.0.0.1:8026
_spamd spamd 1598 4* internet stream tcp 0xd8376194 *:8025
_spamd spamd 1598 5* internet stream tcp 0xd8376324 127.0.0.1:8026
_spamd spamd 2714 4* internet stream tcp 0xd8376194 *:8025
_spamd spamd 2714 5* internet stream tcp 0xd8376324 127.0.0.1:8026
www httpd 4466 17* internet stream tcp 0xd849cc80 *:80
www httpd 20633 17* internet stream tcp 0xd849cc80 *:80
www httpd 15699 17* internet stream tcp 0xd849cc80 *:80
www httpd 27640 17* internet stream tcp 0xd849cc80 *:80
www httpd 14502 17* internet stream tcp 0xd849cc80 *:80
root sshd 5086 5* internet stream tcp 0xd8376004 *:22
proxy ftp-proxy 24303 3* internet stream tcp 0xd849c960 127.0.0.1:8021
www httpd 21704 17* internet stream tcp 0xd849cc80 *:80
root master 24553 12* internet stream tcp 0xd849c640 127.0.0.1:25
root master 24553 13* internet stream tcp 0xd849c7d0 x.x.x.x:25
root master 24553 89* internet stream tcp 0xd849caf0 127.0.0.1:10025
named named 10908 21* internet stream tcp 0xd849c190 127.0.0.1:53
named named 10908 22* internet stream tcp 0xd849c000 x.x.x.x:53
named named 10908 23* internet stream tcp 0xd849c4b0 127.0.0.1:953
named named 10908 513* internet dgram udp 127.0.0.1:53
named named 10908 514* internet dgram udp x.x.x.x:53
named named 10908 515* internet dgram udp *:14149
_syslogd syslogd 22674 4* internet dgram udp *:514

This port is not present in the output.

bizzard bizzard
Reply With Quote
  #7   (View Single Post)  
Old 11th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

OpenBSD has the fstat(1) program which can show an application that has a TCP or UDP open port; e.g.:

$ fstat | grep :1720

But an application does not have to be listening to the port for it to be open -- if pf(4) is being used, a rdr rule may open the port.
Reply With Quote
  #8   (View Single Post)  
Old 11th February 2009
killa74 killa74 is offline
New User
 
Join Date: Feb 2009
Location: France
Posts: 6
Thanked 0 Times in 0 Posts
Default

I don't understand you last reply, but fstat commad show me nothing.
I say that :
1 - I don't use any progs who listen on this port
2 - I use PF to filtre all traffic
3 - When i do a netstat this port is not LISTEN but when i scan the interface it say 1720 open port H323.

This is my pf.conf.

#Declaration des interfaces
ext_if="fxp1"
int_if="fxp2"
wifi_if="ath0"

good_if="{ 127.0.0.1, fxp2, ath0 }"

#Services accessible depuis le web
web_services="{ 22, 25, 80}"

#Services web accessible depuis le LAN
tcp_lan_services="{ 80, 22, 443, 1863}"
udp_lan_services="{ 1863 }"

#Acces DNS local
dns_services="{ 53 }"

#Free DNS
dns_free="212.27.53.252"

#Loopback
loopback="127.0.0.1"

#Declaration des tables
table <good> { 192.168.16.0/24 }
table <wifi> { 192.168.1.0/24 }

#les mechants
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

#Ne pas filtrer lo
set skip on { lo0 }

#Re-assemblage des paquets
scrub in all

#Activation du NAT sur ext_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)

#Activation du proxy ftp
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from $good_if to any port 21 -> 127.0.0.1 port 8021

#Tout bloquer par defaut
block in all
block return

#On garde l'etat des paquets sortants
pass out keep state

#Declaration de l'ancre pour le proxy ftp
anchor "ftp-proxy/*"

#Antispoof
antispoof log for { $ext_if, $wifi_if, $int_if }

#On bloque les adresse de la RFC 1928
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

#Autoriser les ports web_services sur l'interface externe
pass in on $ext_if inet proto tcp from any to $ext_if port $web_services flags S/SA keep state

#autoriser le serveur * contacter le serveur dns de Free
pass out on $ext_if inet proto tcp from self to $dns_free port $dns_services flags S/SA keep state
pass out on $ext_if inet proto udp from self to $dns_free port $dns_services keep state
#----------------------------------------------------------------------------------------------------

#autoriser les pc * contacter le serveur dns de free
#pass in on $int_if proto tcp from <good> to $dns_free port $dns_services flags S/SA keep state
#pass in on $int_if proto udp from <good> to $dns_free port $dns_services keep state

pass in on $wifi_if proto tcp from <wifi> to $dns_free port $dns_services flags S/SA keep state
pass in on $wifi_if proto udp from <wifi> to $dns_free port $dns_services keep state

#autoriser les pc * contacter les serveurs web
pass in on $wifi_if proto tcp from <wifi> to port $tcp_lan_services flags S/SA keep state
pass in on $wifi_if proto udp from <wifi> to port $udp_lan_services keep state

Thank's
Reply With Quote
  #9   (View Single Post)  
Old 11th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Your pf.conf does not have a redirect for port 1720, only for port 21. Port 1720 is not being serviced by your OpenBSD system, as far as I can tell.

Port 1720 is used for Microsoft NetMeeting. Are you absolutely sure you are scanning the correct physical device? If you are testing connection to the OpenBSD platform via another router, you could be seeing a port redirection:
Code:
[nmap testing system] --- {NAT router} --- [OpenBSD]
                                 |
                                 |
                        [Windows system]
Reply With Quote
Old 11th February 2009
killa74 killa74 is offline
New User
 
Join Date: Feb 2009
Location: France
Posts: 6
Thanked 0 Times in 0 Posts
Default

Oki men.

<jggimi i right>

I understant what you say and after reflexion, i'm on my bisness lan behind a router who provide some Visio features in some rooms(i'm working in a hospital).

I'm telling a friend to scan my firewall and evrythings is OK.


Thank's a lot again.
Reply With Quote
Old 11th February 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

As jggimi said, the service isn't running locally.. and pf clearly isn't redirecting the port..

So, either you're scanning the wrong external IP address.. or.. perhaps you have a NAT router with UPnP connected to your modem?

I must ask, do you use VoIP services of any kind?
Reply With Quote
Old 11th February 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

Does the following look familiar?
+-------------VoIP phone.
|
Modem
|
+-------------OpenBSD
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Following Stable. Why uname does NOT show patch #6. Greg_Morgan OpenBSD Installation and Upgrading 4 20th May 2009 06:21 AM
mplayer do not show subtitle mfaridi OpenBSD Packages and Ports 3 12th November 2008 05:41 AM
PF wont open port despite rules... Dain_L OpenBSD Security 3 12th September 2008 01:14 AM
Why does smartctl show my temperature threshold is 0? PeterSteele FreeBSD General 0 25th August 2008 03:33 PM
How to open port 80 on FreeBSD kapom FreeBSD General 14 19th June 2008 04:48 AM


All times are GMT. The time now is 06:13 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick