[arch-general] Port 80 is shown open in port scan without any web server running
Hello to everyone on the list. It is my first message in a while. I have recently changed my internet provider as I have moved. My previous provider was a DSL provider and the current one is the local cable operator. Now with the current provider port 80 is shown open in every port scan test, all other ports being shown as stealth. But with the previous provider, every port scanned was shown as stealth. I am not running any web service. And the change in software is the one that is used to authenticate. Previously it was rp-pppoe, now it is the GNU/Linux client of Cyberoam software. Output from lsof:
sudo /bin/lsof -i
COMMAND    PID   USER  FD  TYPE DEVICE SIZE NODE NAME
pdnsd     1207 nobody  4u  IPv4   2434      TCP  localhost:domain (LISTEN)
pdnsd     1207 nobody  5u  IPv4   2435      UDP  localhost:domain
pdnsd     1207 nobody  8u  IPv4  81232      UDP  172.16.37.164:40131->AS-20144-has-not-REGISTERED-the-use-of-this-prefix:domain
linc      1214   root  5u  IPv4   2448      UDP  *:55089
ntpd      1216   root 16u  IPv4   2451      UDP  *:ntp
ntpd      1216   root 17u  IPv4   2455      UDP  localhost:ntp
ntpd      1216   root 18u  IPv4   2456      UDP  172.16.37.164:ntp
X         1377   root  1u  IPv4   2964      TCP  *:x11 (LISTEN)
gweather- 1538 partha 18u  IPv4  78973      TCP  172.16.37.164:53421->a125-56.222-11.deploy.akamaitechnologies.com:http (CLOSE_WAIT)
Iptables configuration:
sudo /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Wed Mar 30 13:59:44 2011
*filter
:INPUT DROP [2844:282816]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9999:990098]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
-A INPUT -p udp -m udp --dport 54215 -j ACCEPT
COMMIT
# Completed on Wed Mar 30 13:59:44 2011
With my new provider, I have to assign a static IP 172.16.37.x to eth0 and then start the linc daemon to authenticate; after that I am allocated a public IP. Now my question is: why is port 80 open, and does it indicate any security vulnerability?
On 30.03.2011 10:36, Partha Chowdhury wrote:
I have recently changed my internet provider as I have moved. My previous provider was a DSL provider and the current one is the local cable operator. Now with the current provider port 80 is shown open in every port scan test, all other ports being shown as stealth. But with the previous provider, every port scanned was shown as stealth. I am not running any web service. And the change in software is the one that is used to authenticate. Previously it was rp-pppoe, now it is the GNU/Linux client of Cyberoam software.
I guess your provider is a douche. You could investigate more thoroughly if you try to connect to port 80 remotely, and use tcpdump to see if the packet ever reaches your Arch machine.
sudo /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Wed Mar 30 13:59:44 2011
*filter
:INPUT DROP [2844:282816]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9999:990098]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
-A INPUT -p udp -m udp --dport 54215 -j ACCEPT
COMMIT
# Completed on Wed Mar 30 13:59:44 2011
The following is OT, but I have to say it: This is an affront to every admin of smaller or bigger networks. It hurts my eyes. What do you try to achieve by dropping unwanted traffic? You even drop ICMP entirely - dropping ICMP is the cause of a large number of problems. There is no security advantage, but you deliberately prevent proper communication between yourself and other computers on the internet.
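As an added illustration of the two points raised above (not code from the thread or from any of its participants), this Python lint reads the posted iptables-save dump, embedded verbatim as a constant, and reports whether unsolicited ICMP is dropped and whether unwanted traffic is dropped rather than rejected. The suggested rules are my assumption of a minimal fix: accept ICMP and end the chain with REJECT.

```python
import re

# The *filter table from the thread, embedded so the check runs offline.
RULESET = """\
*filter
:INPUT DROP [2844:282816]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9999:990098]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
-A INPUT -p udp -m udp --dport 54215 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return (chain policies, rules as token lists) from an iptables-save dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        m = re.match(r":(\w+) (ACCEPT|DROP|REJECT|-)", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def lint_input_chain(text):
    """Return the findings as strings; an empty list means neither problem applies."""
    policies, rules = parse_filter(text)
    inp = [r for r in rules if r[1] == "INPUT"]
    findings = []
    if policies.get("INPUT") != "DROP":
        return findings                      # an ACCEPT policy has neither problem
    # The state rule only lets RELATED ICMP errors through; unsolicited ICMP
    # such as echo-request needs an explicit '-p icmp' rule or hits the policy.
    accepts_icmp = any("-p" in r and r[r.index("-p") + 1] == "icmp"
                       and r[-1] == "ACCEPT" for r in inp)
    if not accepts_icmp:
        findings.append("unsolicited ICMP is dropped: INPUT policy DROP, no '-p icmp' ACCEPT rule")
    if not any("REJECT" in r for r in inp):
        findings.append("unwanted traffic is silently dropped: no REJECT rule before the DROP policy")
    return findings

# Assumed minimal fix; REJECT's default --reject-with is icmp-port-unreachable.
SUGGESTED_RULES = ["-A INPUT -p icmp -j ACCEPT", "-A INPUT -j REJECT"]
```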
On Wed, 2011-03-30 at 14:06 +0530, Partha Chowdhury wrote:
Now with current provider port 80 is shown open in every port scan test
This is usually caused by a transparent proxy. When nmap hits port 80, it will get redirected to the proxy server. Try doing an nmap -sV and you'll see what software is running on the proxy server.
On 30/03/11 14:20, Jan de Groot wrote:
This is usually caused by a transparent proxy. When nmap hits port 80, it will get redirected to the proxy server. Try doing an nmap -sV and you'll see what software is running on the proxy server.
While googling for ways of detecting a transparent proxy the easy way :-D I came across this page: http://tracetcp.sourceforge.net/usage_proxy.html So I searched for a GNU/Linux equivalent, found tcptraceroute from http://www.gnutoolbox.com/tcptraceroute/ and compiled and installed it. By default it uses a TCP SYN packet. The observation:
sudo tcptraceroute ftp.gnome.org http
Selected device eth0, address 172.16.37.164, port 46375 for outgoing packets
Tracing the path to ftp.gnome.org (130.239.18.173) on TCP port 80 (http), 30 hops max
 1  napoleon.acc.umu.se (130.239.18.173) [open]  1.497 ms  2.010 ms  1.500 ms

When using ftp:
sudo tcptraceroute ftp.gnome.org ftp
Selected device eth0, address 172.16.37.164, port 39535 for outgoing packets
Tracing the path to ftp.gnome.org (130.239.18.163) on TCP port 21 (ftp), 30 hops max
 1  172.16.37.129  2.307 ms  1.670 ms  1.774 ms
 2  172.16.0.10  1.753 ms  1.496 ms  1.911 ms
 3  203.171.242.17  2.773 ms  3.245 ms  2.176 ms
 4  203.171.240.17  7.490 ms * 2.747 ms
 5  203.171.240.1  6.358 ms  3.978 ms  4.870 ms
 6  121.242.217.2.static-kolkata.vsnl.net.in (121.242.217.2)  3.915 ms  5.216 ms  6.892 ms
 7  121.242.217.9.static-kolkata.vsnl.net.in (121.242.217.9)  41.771 ms  44.380 ms  41.794 ms
 8  172.25.75.21  40.032 ms  40.094 ms  40.066 ms
 9  172.31.17.13  41.524 ms  41.697 ms  41.873 ms
10  172.31.1.85  41.924 ms  41.847 ms  42.406 ms
11  59.163.55.149.static.vsnl.net.in (59.163.55.149)  41.753 ms  42.321 ms  44.446 ms
12  * * *
13  * Vlan704.icore1.LDN-London.as6453.net (80.231.130.10)  176.751 ms  177.973 ms
14  ldn-b5-link.telia.net (213.248.74.1)  170.663 ms  173.935 ms  169.595 ms
15  ldn-bb1-link.telia.net (80.91.246.144)  171.474 ms  172.571 ms  171.357 ms
16  hbg-bb1-link.telia.net (80.91.254.216)  190.353 ms  190.802 ms  190.443 ms
17  s-bb1-link.telia.net (213.155.130.6)  207.886 ms  206.998 ms  207.052 ms
18  s-b3-link.telia.net (80.91.249.220)  207.677 ms  207.136 ms  207.547 ms
19  nordunet-113055-s-b3.c.telia.net (213.248.97.18)  208.076 ms  207.249 ms  207.663 ms
20  t1fre.sunet.se (109.105.102.10)  208.246 ms  207.353 ms  207.793 ms
21  * * *
22  * * *
23  * * *
24  tutankhamon.acc.umu.se (130.239.18.163) [open]  215.384 ms  218.386 ms  220.146 ms

So does this confirm that I am behind a transparent proxy?
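As an added example (not code from the thread or from tcptraceroute), this Python script parses the two runs above and compares where the "[open]" SYN/ACK came from: on port 21 the real host answers after 24 hops and ~215 ms, while on port 80 something at hop 1 answers in ~1.5 ms using the destination's own address, which is exactly what an intercepting proxy on the local segment looks like. The hop lines are copied from the thread, with the port-21 trace cut to a few hops; the "far fewer hops and at most a tenth of the RTT" threshold is my own heuristic.

```python
import re

# Hop lines copied from the two runs above (the port-21 trace cut to a few hops).
TRACE_HTTP = """\
Tracing the path to ftp.gnome.org (130.239.18.173) on TCP port 80 (http), 30 hops max
 1  napoleon.acc.umu.se (130.239.18.173) [open]  1.497 ms  2.010 ms  1.500 ms
"""
TRACE_FTP = """\
Tracing the path to ftp.gnome.org (130.239.18.163) on TCP port 21 (ftp), 30 hops max
 1  172.16.37.129  2.307 ms  1.670 ms  1.774 ms
 2  172.16.0.10  1.753 ms  1.496 ms  1.911 ms
 4  203.171.240.17  7.490 ms * 2.747 ms
12  * * *
24  tutankhamon.acc.umu.se (130.239.18.163) [open]  215.384 ms  218.386 ms  220.146 ms
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((\d+\.\d+\.\d+\.\d+)\))?(.*)$")

def parse_trace(text):
    """Return (target ip, port, hops); a hop is (ttl, address, answered_open, min rtt ms)."""
    lines = text.splitlines()
    head = re.search(r"\((\d+\.\d+\.\d+\.\d+)\) on TCP port (\d+)", lines[0])
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if not m or m.group(2) == "*":       # unparsable line or a fully silent hop
            continue
        rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
        hops.append((int(m.group(1)), m.group(3) or m.group(2),
                     "[open]" in m.group(4), min(rtts) if rtts else None))
    return head.group(1), int(head.group(2)), hops

def proxy_verdict(control, suspect):
    """Compare where the SYN/ACK came from on a control port and on the suspect port."""
    _, c_port, c_hops = parse_trace(control)
    s_target, s_port, s_hops = parse_trace(suspect)
    c_open = next((h for h in c_hops if h[2]), None)
    s_open = next((h for h in s_hops if h[2]), None)
    if not (c_open and s_open):
        return {"port": s_port, "intercepted": None}   # a trace never reached [open]
    # Heuristic: a host 24 hops and ~200 ms away on one port cannot answer from
    # hop 1 in ~1.5 ms on another; something nearer replied in its name.
    intercepted = s_open[0] < c_open[0] and s_open[3] <= c_open[3] / 10
    return {"port": s_port, "target": s_target, "answered_at_hop": s_open[0],
            "answered_by": s_open[1], "control_port": c_port,
            "control_reached_at_hop": c_open[0], "intercepted": intercepted}
```

The verdict's "answered_by" equalling "target" at hop 1 is the telling detail: the device one hop away replied with the remote address, which a router forwarding a TTL=1 SYN would never do.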