[arch-general] Port 80 is shown open in port scan without any web server running

Partha Chowdhury partha at gmx.us
Wed Mar 30 06:15:18 EDT 2011


On 30/03/11 14:16, Thomas Bächler wrote:
> Am 30.03.2011 10:36, schrieb Partha Chowdhury:
>
>
>>> sudo /sbin/iptables-save
>>> # Generated by iptables-save v1.4.7 on Wed Mar 30 13:59:44 2011
>>> *filter
>>> :INPUT DROP [2844:282816]
>>> :FORWARD DROP [0:0]
>>> :OUTPUT ACCEPT [9999:990098]
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 54215 -j ACCEPT
>>> COMMIT
>>> # Completed on Wed Mar 30 13:59:44 2011
> The following is OT, but I have to say it:
>
> This is an affront to every admin of smaller or bigger networks. It
> hurts my eyes. What do you try to achieve by dropping unwanted traffic?
> You even drop ICMP entirely - dropping ICMP is the cause of a large
> number of problems.
>
> There is no security advantage, but you deliberately prevent proper
> communication between yourself and other computers on the internet.
>
Well I picked this configuration from Red Hat training books, except for 
port 54215 which I open for BitTorrent.

What do you suggest about the ideal iptables configuration for a basic 
desktop user - allowing proper connection as you said and yet staying 
secure from malicious port scanners?

On 30/03/11 14:20, Jan de Groot wrote:
> . Try doing an nmap -sV and
> you'll see what software is running on the proxyserver.
I did what you said:


> nmap -sV 115.187.45.97
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2011-03-30 15:06 IST
> Interesting ports on 115.187.45.97:
> Not shown: 1696 filtered ports
> PORT   STATE SERVICE VERSION
> 80/tcp open  http?
> 1 service unrecognized despite returning data. If you know the 
> service/version, please submit the following fingerprint at 
> http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
>
> Service detection performed. Please report any incorrect results at 
> http://insecure.org/nmap/submit/ .
> Nmap finished: 1 IP address (1 host up) scanned in 114.226 seconds

So it seems my ISP is running squid version 3.2.0.4-20110203 in 
transparent mode, just like you said.

Interestingly, when connecting to random IP addresses on port 80, the 
error page returned is quite different from normal ones.

http://www.freeimagehosting.net/image.php?280f0ef980.png

Does this transparent proxy pose any threat and what can I do to stop 
that?
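To make Thomas's objection concrete, here is an added example (my own, not code from the thread): a small evaluator for the INPUT chain of the posted iptables-save dump that replays a few packets against it, showing that every ICMP packet silently hits the DROP policy and what one extra rule changes. It assumes a hypothetical interface name eth0 and understands only the match options the dump actually uses.

```python
import shlex

# Constructed copy of the INPUT ruleset quoted earlier in this thread.
POSTED_RULES = """\
*filter
:INPUT DROP [2844:282816]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9999:990098]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
-A INPUT -p udp -m udp --dport 54215 -j ACCEPT
COMMIT
"""

# Same ruleset with one ICMP rule added before COMMIT (the fix being argued for).
FIXED_RULES = POSTED_RULES.replace("COMMIT", "-A INPUT -p icmp -j ACCEPT\nCOMMIT")


def parse_input_chain(dump):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump.
    Only -i, -p, --dport, --state and -j are interpreted; other tokens are skipped."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]          # chain policy, e.g. DROP
        elif line.startswith("-A INPUT "):
            toks, rule, i = shlex.split(line)[2:], {}, 0
            while i < len(toks):
                t = toks[i]
                if t == "-i": rule["iface"] = toks[i + 1]; i += 2
                elif t == "-p": rule["proto"] = toks[i + 1]; i += 2
                elif t == "--dport": rule["dport"] = int(toks[i + 1]); i += 2
                elif t == "--state": rule["states"] = set(toks[i + 1].split(",")); i += 2
                elif t == "-j": rule["target"] = toks[i + 1]; i += 2
                elif t == "-m": i += 2        # match-module name; its options follow
                else: i += 1
            rules.append(rule)
    return policy, rules


def verdict(dump, proto, dport=None, iface="eth0", state="NEW"):
    """First matching rule wins; with no match the chain policy applies."""
    policy, rules = parse_input_chain(dump)
    for r in rules:
        if "iface" in r and r["iface"] != iface: continue
        if "proto" in r and r["proto"] != proto: continue
        if "dport" in r and r["dport"] != dport: continue
        if "states" in r and state not in r["states"]: continue
        return r["target"]
    return policy   # an inbound ping against POSTED_RULES ends up here: DROP
```

A DROP policy also hides ICMP errors such as fragmentation-needed, which is the kind of path-MTU breakage Thomas is referring to; a REJECT rule for unwanted ports would at least answer the sender.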
