# Solved: Open ports, should I be concerned?



## absolutezero1287 (May 23, 2007)

I'm on Ubuntu and I noticed some odd behavior and decided to see if any ports were open and scanned for rootkits. I used chkrootkit and rkhunter both said that my system was clean. I nmapped myself and found these ports open.
I know that pop3 is for email but I'm not using Evolution or any other mail client. Would it be a security risk to leave these ports open? I'm not even sure what some of these services are.

```
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
2049/tcp open  nfs
2500/tcp open  rtsserv
```


----------



## lotuseclat79 (Sep 12, 2003)

Hi absolutezero1287,

I do not know if you run any software firewall on Ubuntu, however, I would advise you to either get Firestarter (if you are gui inclined) or learn how to do it with iptables in terms of the Beginner's version thread I posted in this forum here. At the end of my post is a link to a Beginner's version setup of iptables that should be able to close all of your ports if you comment out the services that are allowed (I do not use them) in it with a '#' at the start of those statements.

Then test with nmap to verify that all of your ports are stealthed.

The point is that a closed port indicates to a miscreant that there is a computer at the ip address, while a stealthed port indicates that the miscreant should not bother with the ip address under scan and move on to another ip address. As it stands now, if a miscreant notices your open ports, they can get into your system and if they know what they are doing cause problems - I'm sure you do not want that to happen. Also, if an experienced enough miscreant wants to get into your system (there are ways with half-baked packets) they will, but only if they notice you do not have stealthed ports.

If you are protected by a hardware firewall, at least make sure that you have changed the default admin password which is a common vulnerability and vector of attack from the miscreants - and very easy to compromise.

-- Tom


----------



## absolutezero1287 (May 23, 2007)

I already have firestarter but I didn't think to use it. I removed all the rules from it and nmapped myself and got the same results.

```
[email protected]:~# nmap -sS -v -v localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-14 16:34 EDT
Initiating SYN Stealth Scan at 16:34
Scanning localhost (127.0.0.1) [1697 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 110/tcp on 127.0.0.1
Discovered open port 445/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 2500/tcp on 127.0.0.1
Discovered open port 139/tcp on 127.0.0.1
Discovered open port 2049/tcp on 127.0.0.1
Completed SYN Stealth Scan at 16:34, 0.24s elapsed (1697 total ports)
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 1689 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
2049/tcp open  nfs
2500/tcp open  rtsserv

Nmap finished: 1 IP address (1 host up) scanned in 0.325 seconds
               Raw packets sent: 1697 (74.668KB) | Rcvd: 3402 (142.900KB)
```


----------



## tomdkat (May 6, 2006)

The above shows you're running a mail server of some kind (sendmail maybe?). If this isn't a server machine, there's no reason for you to be running a mail server. Ports 25 and 110 are for SMTP and POP3, respectively. Port 631 is for CUPS (ipp) and I'm not sure why you're running Samba (netbios-ssn and microsoft-ds) unless you're networking with Windows machines on your network.

I don't think there's anything wrong with having those ports open, per se, as long as the daemons listening to those ports are bound to localhost *only*. I believe running a "netstat -a" command will let you know to which IP any particular process that is listening on a port is bound. If they are all bound to localhost, I think you're safe since they won't accept connections from anything except apps running ON your system.

Peace...


----------



## absolutezero1287 (May 23, 2007)

No, I'm just on a desktop computer which is why these services puzzle me. I'm behind a wireless router and the access point is at a windows computer. I'm guessing that has something to do with it. I figured that if I disabled samba that these ports would be closed. I tried it via synaptic and if I uninstall samba I also uninstall ubuntu-desktop...I figure that it would be easier to just stealth all the ports. How would I do that?

Update! I ran the Shields Up! test at https://www.grc.com/ and my first 1056 ports are stealthed. So I think that I'm good...although nmap indicates differently.


----------



## lotuseclat79 (Sep 12, 2003)

Shields Up! is only a partial test - i.e. there are 65,535 ports and nmap tests them all. If they all are not stealthed, then you run the risk of making your computer become a target to the miscreants.

-- Tom


----------



## tomdkat (May 6, 2006)

lotuseclat79 said:


> Shields Up! is only a partial test - i.e. there are 65,535 ports and nmap tests them all. If they all are not stealthed, then you run the risk of making your computer become a target to the miscreants.


I partially disagree with this. Shields Up! will test well-known ports, at least, that are exposed to the outside world. I mean it has to since it's a site that is external to your computer. nmap runs on your local computer so it will have access to more than an external computer would or could.

This is why I suggested running the netstat command. netstat DOES indicate which ports are bound to which IP addresses. Here is a sample from my Ubuntu system:



> [email protected]:~$ netstat -a | more
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 localhost:ipp *:* LISTEN
> ...


The "localhost:[port]" syntax means a process is running that is associated ONLY with the localhost interface on the indicated port. The "LISTEN" status means that process is listening on the specified port. So, the "localhost:ipp" entry means a process is listening on port 631 (the ipp port) only on the localhost interface. This is most likely CUPS.

The "*:[port]" syntax means a process is running that is associated with ANY IP address assigned to the computer on the indicated port. So, in my output above, a process is running that "bound" to all IPs assigned to my machine on the bootpc port (whatever port number that is). That process doesn't seem to be in a LISTEN state and I don't know if that means it will still be able to accept connections from external machines or not. This would be cause for concern, on my part.

This also gets to another aspect of Unix security that often gets overlooked: the ability or practice of processes to bind only to the localhost interface thereby allowing or receiving connections ONLY from processes contacting the listening process on the localhost interface. iptables would be great for blocking spoofed IP packets (where to AND from addresses are localhost).

I think his system is safe from external intrusion.

Peace...
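The check described above, as an added example that is not code from any poster in this thread: it parses `netstat -a` style lines (the sample below is constructed, reusing the service names seen in this thread) and separates listeners bound to localhost from those bound to every interface.

```python
# Constructed sample in the layout of `netstat -a` output on the Ubuntu system discussed above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:nfs                   *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 localhost:31416         *:*                     LISTEN
tcp        0      0 192.168.1.5:45678       93.184.216.34:http      ESTABLISHED
udp        0      0 *:bootpc                *:*
"""

# Names netstat uses for the loopback interface (IPv4 and IPv6).
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}


def classify_listeners(netstat_text):
    """Return (local_only, exposed) lists of (proto, port) tuples.

    A TCP socket in LISTEN state, or any UDP socket (UDP has no state column),
    whose local address is '*' or a non-loopback IP accepts traffic on every
    interface; one bound to localhost is reachable only from this machine.
    """
    local_only, exposed = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and non-socket rows
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established or outbound sockets are not listeners
        host, _, port = local.rpartition(":")  # handles ':::ssh' style IPv6 too
        entry = (proto, port)
        (local_only if host in LOCAL_ONLY else exposed).append(entry)
    return local_only, exposed


if __name__ == "__main__":
    local_only, exposed = classify_listeners(SAMPLE_NETSTAT)
    print("localhost only:", local_only)
    print("bound to all interfaces:", exposed)
```

Anything in the second list is what an external scan can actually reach (absent a firewall), which is the distinction between the nmap-on-localhost result and the Shields Up! result.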


----------



## absolutezero1287 (May 23, 2007)

I used the Shields Up test on ports past 1056 as well. They all seem to be stealthed.
I'm not sure but I think my box is pretty secure. I would just like the opinion of the more experienced members.



> [email protected]:~$ netstat -a | more
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 *:nfs *:* LISTEN
> ...


----------



## lotuseclat79 (Sep 12, 2003)

Hi tomdkat,

The nmapfe I initiate on my computer (localhost) seems to interface with http://insecure.org (host of nmap) and runs the nmap scan on my ip address assigned from my ISP from there, not from my localhost (i.e. my computer).

-- Tom


----------



## tomdkat (May 6, 2006)

I would go into Ubuntu's system admin menu and click "Services". I would disable "Mail agent", which is Postfix, since you don't need to have a mail server running on your system. That will close ports smtp and pop3 from being bound to ALL IP addresses, which is a risk.

NFS and SUNRPC being bound to all IPs might also be an issue so if you're concerned about security, I would either look into turning off NFS and see if you can configure SUNRPC to bind only to localhost. If you're not participating in a Windows network, you should turn off Samba completely or configure Samba to filter connections appropriately.

Don't get me wrong, I don't think lotuseclat79 is wrong when he advises making sure all your ports are "stealthed". My main point is having a process that is bound to localhost only isn't as bad as having a process bound to ALL IPs, which can open your system up to remote intrusion.

I would also track down what port 37708 is.

Peace...


----------



## tomdkat (May 6, 2006)

lotuseclat79 said:


> Hi tomdkat,
> 
> The nmapfe I initiate on my computer (localhost) seems to interface with http://insecure.org (host of nmap) and runs the nmap scan on my ip address assigned from my ISP from there, not from my localhost (i.e. my computer).


Cool. I'll have to see what nmapfe does on my system. I just ran the same nmap command as absolutezero1287 did above but with my network cable disconnected from my wireless router (meaning I was disconnected from everything) and it reported some "open" ports, just like absolutezero1287:



> [email protected]:~$ ifconfig
> eth0 Link encap:Ethernet HWaddr 00:133:9F:19:F7
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:75125 errors:0 dropped:0 overruns:0 frame:0
> ...


Both CUPS and boinc-client are bound to localhost on my system so it will be interesting to see what nmapfe reports. 

Peace...


----------



## tomdkat (May 6, 2006)

lotuseclat79 said:


> The nmapfe I initiate on my computer (localhost) seems to interface with http://insecure.org (host of nmap) and runs the nmap scan on my ip address assigned from my ISP from there, not from my localhost (i.e. my computer).


What command do you have nmapfe issue to conduct your test? nmapfe appears to be the executable name of Zenmap, the GUI frontend to nmap. I just ran it and it ran with these parameters (when I configured it to target localhost) to nmap:

nmap -T Aggressive -A -v localhost

What nmap parameters do you specify?

Peace...


----------



## lotuseclat79 (Sep 12, 2003)

My ISP assigned ip address in the command: nmap -sT -PT <ip address>
The command comes back with the name of my ip address and the status of all ports: closed except one for tcp (presumably for the test).

-- Tom


----------



## tomdkat (May 6, 2006)

Thanks for posting that info. I ran nmap with your settings in these configurations:

1. Network cable unplugged
2. Network cable plugged into my Netgear wireless router
3. Network cable plugged into my Motorola cable modem.

Here are the results:

*Network cable unplugged*:


> [email protected]:~$ ifconfig
> eth0 Link encap:Ethernet HWaddr 00:133:9F:19:F7
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:85863 errors:0 dropped:0 overruns:0 frame:0
> ...


*Network cable plugged into Netgear router*:


> [email protected]:~$ sudo nmap -sT -PT aa.bb.cc.dd
> 
> Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 14:23 PDT
> Interesting ports on c-aa-bb-cc-dd.xxxx.ca.comcast.net (aa.bb.cc.dd):
> ...


So, ports 23 and 80 are open on my router. Oh joy.

*Network cable plugged into cable modem*:


> [email protected]:~$ ifconfig
> eth0 Link encap:Ethernet HWaddr 00:133:9F:19:F7
> inet addr:aa.bb.cc.dd Bcast:255.255.255.255 Mask:255.255.248.0
> inet6 addr: fe80::213:d3ff:fe9f:19f7/64 Scope:Link
> ...


Notice ALL scanned ports are closed as reported by nmap. Now, here's netstat output:



> [email protected]:~$ sudo nmap -sT -PT aa.bb.cc.dd
> 
> Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-15 14:26 PDT
> All 1714 scanned ports on c-aa-bb-cc-dd.xxxx.ca.comcast.net (aa.bb.cc.dd) are closed
> ...


You'll notice I STILL have CUPS (port 631/ipp) and boinc-client (port 31416) up and running AND while my computer was directly connected to my cable modem. This illustrates my point. By virtue of being bound only to localhost, those processes aren't susceptible to external exploit since those processes won't get external connections. Of course, this isn't to imply that a firewall isn't "needed" but that the way processes and applications manage their network connections factors in. That's why CUPS comes pre-configured to be bound only to localhost. As a side note, I just realized even though I have iptables installed, it's configured to allow ALL inbound/outbound traffic. This was the case when I ran the nmap command while my machine was directly connected to my cable modem.

Peace...


----------



## lotuseclat79 (Sep 12, 2003)

Hi tomdkat,

I hope you have since modified iptables with a more restrictive setup.

-- Tom


----------



## tomdkat (May 6, 2006)

Not yet but I'll look into it at some point in the future. What concerns me MORE is FTP and HTTP ports being open on my Netgear router. *Sigh*

Peace...


----------



## lotuseclat79 (Sep 12, 2003)

Take a look at my iptables thread posts in this forum - that should help a great deal - and read the comments from the Ubuntu forum on which the guide(s) are located.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

tomdkat said:


> Not yet but I'll look into it at some point in the future. What concerns me MORE is FTP and HTTP ports being open on my Netgear router. *Sigh*
> 
> Peace...


Download the Netgear router documentation for your specific from the Netgear website if you don't already have it. There should be one there, like there is for the Linksys manuals in PDF. And also, make sure you have changed the default router admin password - a common vulnerability and easy to compromise for miscreants.

-- Tom


----------



## tomdkat (May 6, 2006)

lotuseclat79 said:


> Download the Netgear router documentation for your specific from the Netgear website if you don't already have it. There should be one there, like there is for the Linksys manuals in PDF. And also, make sure you have changed the default router admin password - a common vulnerability and easy to compromise for miscreants.


I changed the admin password when I first installed the router. I poked around the router's configuration interface and didn't see anything related to FTP at all. We'll see if their doc mentions anything. My gut tells me it won't but I haven't actually looked.

Peace...


----------



## absolutezero1287 (May 23, 2007)

Case solved: I used a different nmap scan and all open ports are bound to localhost and filtered.


----------



## tomdkat (May 6, 2006)

Which nmap scan settings did you end up using?

Peace...


----------



## absolutezero1287 (May 23, 2007)

```
[email protected]:~$ sudo -s
[sudo] password for leonardo: 
[email protected]:~# nmap -sX -v -v localhost

Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-23 13:40 EDT
Initiating XMAS Scan at 13:40
Scanning localhost (127.0.0.1) [1714 ports]
Completed XMAS Scan at 13:40, 1.48s elapsed (1714 total ports)
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 1712 closed ports
PORT    STATE         SERVICE
25/tcp  open|filtered smtp
631/tcp open|filtered ipp

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.665 seconds
Raw packets sent: 1716 (68.640KB) | Rcvd: 3428 (137.120KB)
```


----------



## tomdkat (May 6, 2006)

Thanks! :up:

Peace...


----------

