Too many UDP ports open

Saeed42

ISP
Jul 4, 2001
147
I only have a few services running (please see below for chkconfig output), but if I scan my redhat8 server I have a few UDP ports open, and they are:

88 Kerberos 5
123 NTP
138 Netbios-DGM
161 SNMP
520 RIP
1433 ms-sql
1512 win

My question is: how can I block these ports or stop their services, as I don't need any of those services running?

Please, I'm a newbie, so go easy on me.


More info



syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vncserver 0:off 1:off 2:off 3:off 4:off 5:on 6:off
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't be content with being average. Average is as close to the bottom as it is to the top
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Go to /etc/inetd and turn them off.

Don't know what the other table is???

Cheers Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
A good command to use is netstat

netstat -lpnu

will list the listening udp ports and the associated programs

netstat -lpnt

will do the same for tcp


For info, a lot of internet daemons are controlled by the internet super daemon - either inetd or the newer xinetd. This super daemon listens on set ports and spawns the appropriate server application for that port as defined in its config.

Apache is one of a few apps that doesn't use x/inetd - for performance reasons when under a lot of connections.

 
Just because ports are unfiltered does not mean that they
are offering services.
Only worry about the services you are offering and not
open ports.
 
I don't mean to criticise or belittle your suggestion, but why would you want to have a port listening for a service if you are not providing that service? Every security-conscious person will tell you that you should not have any services running that you don't need, and you surely should not have any ports that are not in use listening for services.

We have an old Redhat6.1 box as a DNS server, and when I scanned that, all I can see are ports 53 and 22, and I'm trying to achieve the same result.

I'll try "Norwich's" suggestion and report back on Monday.

Thank you ever so much guys for taking the time to help me out.

 
Have to agree - a port is only listening if it is offering a service. Of course you have the option to close it (reject) or hide it (deny). But the port can only be open if something (either x/inetd or a particular daemon) is listening.
 
After following your suggestions I get the following:

netstat -lpnu gives me the following

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:993 0.0.0.0:* 817/xinetd

netstat -lpnt gives me

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 817/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 803/sshd


But if I scan my server with Languard I get all of the UDP ports that I have mentioned above.
 
I might be missing the point, but if you run setup from a root login, you can select which services are started, and so if you don't start them, they won't listen?

The only way to get top performance out of a box is to stop it running services that are never used...

CCW
 
I've already done that, and if you see the chkconfig output you will notice that there are very few services running
 
Use iptables and block the outside world for these ports,

then search to find which process is running on those ports, with safety.

Languard ????? Not trusted.

Try using nmap and check whether the two results are the same.


88 Kerberos 5: maybe ssh uses Kerberos authentication
123 NTP: look for innd if running
138 Netbios-DGM: stop samba nmbd smbd; maybe smbd is running
161 SNMP: snmpd running
520 RIP: check that lsof|grep RIP
1433 ms-sql: that is strange, ms bliach
1512 win: are you portscanning from the same network? Very odd!!!!!!!!


ps awxu|grep service


Check the ps fax output for strange processes running.

=-=-=-=-=-=-=-=-=-=-=-=
Unix Systems Engineer
=-=-=-=-=-=-=-=-=-=-=-=
 
Probably you are not scanning from the same network


wins 1512/tcp Microsoft's Windows Internet Name Service
wins 1512/udp Microsoft's Windows Internet Name Service

This isn't from the Unix system.

 
The two computers are on the same network, 192.168.253/24. I'm using Languard3.1 to scan my redhat server, unless Languard is messing things up.
 
Why don't you scan yourself from the redhat box? If you have nmap installed you could try nmap -P0 -p1-1024 -sTU localhost

See what that portscan uncovers?? Looks like LanGuard could be causing the problem though...

ChrisCW
 
When I do that, nmap doesn't show any UDP ports, only TCP ports, i.e. 22 and 21.
 
The -sTU enables TCP and UDP scanning - I don't believe they are listening - NMAP would have picked them up - why don't you try to connect to them from another PC to be sure??
For example, try snmpwalk -c public 192.168.253.x to see if it responds to snmp requests (your first post states snmp is listening).

Looks like either LanGuard is causing a problem, or maybe even a typo (dare I say it??)!! Lots of windows type services listening here...


 
I have a proposition: I'll temporarily put the server online tomorrow at 10:00 a.m. GMT and I'll post the IP address here, so if any of you have time, can you please scan it and let me know what you can see?

I used nmap and that doesn't come up with any surprises. I also used Shields Up at and that only came up with ssh and ftp as expected, but I'm a little bit paranoid about the results that Languard gave me and I want to make sure.

Thanks ever so much, guys, you have been a great help.

 
Server IP is 213.143.128.20, please let me know your findings
 
Starting nmap V. 3.00 ( )
Interesting ports on (213.143.128.20):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp filtered imap2
445/tcp filtered microsoft-ds

Nmap run completed -- 1 IP address (1 host up) scanned in 21 seconds

Languard3 messes things up.

Do you have any Windows machines on the same segment as the PC that has Languard3?

Does the scanning from Languard3 pass through a gateway?

The box seems OK!

Is Languard3 for UNIX or Windo$e?

Try to use nmap. Much more trusted.



 
Languard is on my Win2000 Pro machine in a Windows environment, and it's not going through anything, as the two devices are on the same segment.

Some of the ports you listed show up as "filtered"; why not closed, if I'm not running those services?


Thanks in advance.

 
Probably you have a firewall, I assume...

and you have filtered all traffic to these ports...
for the inside network.
If in your iptables rules you have the -j DROP option,
nmap shows it as filtered.

You may consider changing it to REJECT; then nmap will see them
as closed......
 