[arch-general] Port 80 is shown open in port scan without any web server running
Partha Chowdhury
partha at gmx.us
Wed Mar 30 09:00:10 EDT 2011
On 30/03/11 16:25, Thomas Bächler wrote:
>
> This comes with our iptables package:
>
> $ cat /etc/iptables/simple_firewall.rules
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -j REJECT --reject-with icmp-proto-unreachable
> COMMIT
>
>
According to the source from where I got the iptables configuration,
the approach is "Block all incoming connections except for established
connections, then open only specific ports which you want the outside world
to connect to". About blocking ICMP ping, I quote one website as-is:
> Your system REPLIED to our Ping (ICMP Echo) requests, making it
> visible on the Internet. Most personal firewalls can be configured to
> block, drop, and ignore such ping requests in order to better hide
> systems from hackers. This is highly recommended since "Ping" is among
> the oldest and most common methods used to locate systems prior to
> further exploitation
Is what they say true?
> -A INPUT -j REJECT --reject-with icmp-proto-unreachable
Doesn't this seem redundant? I mean ICMP is allowed, then except for
established and related connections, a TCP RST packet is sent for all
unwanted TCP traffic and an icmp-port-unreachable message is sent for
every unwanted UDP packet, right? Then what packets does that rule match?
> What is a "malicious port scanner" and how can you stay "secure" from it?
>
I meant to avoid random packets coming from random machines at random times.
For example, one random packet from sys.log:
> IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00
> SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103
> ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0
On 30/03/11 16:40, Richard Schütz wrote:
> The output of "ip addr show" would be interesting.
>
Here is the output:
> ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> link/ether 20:cf:30:5a:ea:aa brd ff:ff:ff:ff:ff:ff
> inet 172.16.37.164/26 brd 172.16.37.191 scope global eth0
> 3: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
On 30/03/11 16:44, Simon Perry wrote:
> So your machine is 172.16.37.164, which you have to configure and tell
> your ISP because they NAT externally from 115.187.45.97 to many
> internal 172.16.37.* users?
>
> Therefore more than one person could have an external address of
> 115.187.45.97 mapping back to their 172.16.37.* IP?
>
> Even though only one person could have 115.187.45.97:80 mapped back to
> them?
>
> Are you sure about how this works?
>
With my previous DSL provider, an address in the range 59.93.x.x was
assigned to the ppp0 interface by authenticating with the rp-pppoe software. But
now I have to provide the private IP to eth0, authenticate and then
visit any website to know my public IP.
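To make the rule-ordering question in this message concrete, here is an added Python example (not from the thread or the Arch iptables package) that walks a packet through the INPUT chain quoted above and parses a netfilter LOG line in the KEY=VALUE form shown in the syslog excerpt. The sample log line uses constructed documentation addresses, the function names are my own, and inferring conntrack state from TCP flags is a deliberate simplification.

```python
import re

# Constructed sample in the same format as the syslog line quoted above
# (documentation addresses, not real hosts).
SAMPLE_LOG = ("IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 "
              "SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=103 "
              "ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Turn a netfilter LOG line into a packet dict for evaluate_input_chain."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}  # bare tokens, not KEY=VALUE
    # Simplification: a lone SYN is a new connection attempt; anything else is
    # treated as belonging to an existing flow. Real conntrack state is richer.
    state = "NEW" if flags == {"SYN"} else "ESTABLISHED"
    return {"iface": fields.get("IN", ""), "proto": fields.get("PROTO", ""),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "spt": fields.get("SPT"), "dpt": fields.get("DPT"), "state": state}


# The rules from simple_firewall.rules in their original order; first match wins.
INPUT_RULES = [
    (lambda p: p["proto"] == "ICMP", ("ACCEPT", None)),
    (lambda p: p["state"] in ("RELATED", "ESTABLISHED"), ("ACCEPT", None)),
    (lambda p: p["iface"] == "lo", ("ACCEPT", None)),
    (lambda p: p["proto"] == "TCP", ("REJECT", "tcp-reset")),
    (lambda p: p["proto"] == "UDP", ("REJECT", "icmp-port-unreachable")),
    (lambda p: True, ("REJECT", "icmp-proto-unreachable")),  # anything not matched above
]


def evaluate_input_chain(pkt):
    """Return (verdict, reject_type) for a packet dict; DROP is the chain policy."""
    for matches, verdict in INPUT_RULES:
        if matches(pkt):
            return verdict
    return ("DROP", None)  # never reached: the last rule matches every packet


if __name__ == "__main__":
    pkt = parse_netfilter_log(SAMPLE_LOG)
    print(pkt["src"], "-> port", pkt["dpt"], evaluate_input_chain(pkt))
    # A GRE packet (protocol 47) is neither ICMP, TCP nor UDP, so only the
    # final icmp-proto-unreachable rule catches it; that is what it is for.
    print("GRE:", evaluate_input_chain({"proto": "GRE", "state": "NEW", "iface": "eth0"}))
```

The logged SYN to port 39384 ends at the tcp-reset rule, while a new non-TCP, non-UDP, non-ICMP packet (GRE, ESP, and so on) is the only kind that reaches the last rule.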