Server Security

iNaNimAtE · Posted: Sat Apr 24, 2004 2:56 am Post subject: Server Security

I recently did a port scan on my server, and I noticed:

Those are all UDP ports.

I've tried many ways to block those; and the truth is; they may be blocked anyway. I have not forwarded any of those ports on my router, and my firewall s set to deny all requests from those, but they still show up on port scans.

Anyone have an idea on how to get rid of those?
_________________
Bienvenidos!

Anonymoose · - Joined: 09 Sep 2003 Posts: 2192

What OS are you running as a server, and what are you using to scan? Some port scanners struggle to return reliable results particularly on older Windows OS's. Don't hold much faith in pre-written port number lists for anything over port 1024 either...

I wouldn't expect to see anything but the Netbios open on most Windows desktop OS's once you've finished disabling all the pointless services. Did you scan it from behind your router? As you said yourself, remember these ports will be inaccessible anyway unless you put your server into the DMZ.

Use FPort from Foundstone to track what processes have what services open.

http://www.foundstone.com/middleframe.htm?subnav=resources/navigation.htm&subcontent=%2Fresources%2Fintrusion_detection.htm

Either remove or disable the relevant services...

iNaNimAtE · Posted: Sat Apr 24, 2004 9:14 am Post subject:

I got a chance to scan from in front of my router (the outside) and that is what I got. I am usually inside, so port scans are useless.

XP is my server (I want to go back to 2003) and no, it is definitely not in the DMZ. I just don't like them showing up in a port scan, even if they don't work.

I was using GFI LanGuard Network Security Scanner for the port scan (a very useful tool to secure computers).
_________________
Bienvenidos!

Foxified · - Joined: 13 Apr 2004 Posts: 487 Location: Canada

http://scan.sygate.com/

Tests all sorts of ways to get into your comp, udp, icmp, trojan, stealth, tcp

My firewall blocks all (well most of them, 80 is open)

try this also?

Maybe your firewall isnt as good as they tell u 8O or something else..

olly86 · - Joined: 25 Apr 2003 Posts: 993 Location: Wiltshire, UK

I would highly recommend using this one from GRC, as it's the best free one that I've found. It can do allsorts of other things as well

https://grc.com/x/ne.dll?bh0bkyd2
_________________
Olly

Anonymoose · - Joined: 09 Sep 2003 Posts: 2192

Scans from in front of the router could be affected by various ISP settings such as transparent proxy/caches etc. Also UDP is a very unreliable protocol to scan - I wouldn't trust the results much... It could also be that your router lets random ports appear open to confuse scanners with OS detection. The port list may also be inaccurate for UDP ports rather than TCP... I wouldn't worry about it.

iNaNimAtE · Posted: Sat Apr 24, 2004 10:04 pm Post subject:

Foxified and Olly86: I know about both ShieldsUP! and Sygate.
Anonymoose: GFI LanGuard does use OS Detection, so that may be the problem. I am not really worried about people getting in on those ports, I just don't want them showing up in a security scan. When I get a chance, I'll use NMap and see what it says.
_________________
Bienvenidos!

Anonymoose · - Joined: 09 Sep 2003 Posts: 2192

Want me to PM you an Nmap scan ?

iNaNimAtE · Posted: Sun Apr 25, 2004 12:55 am Post subject:

Sure (since it will be a couple days until I get back to my Linux box).
_________________
Bienvenidos!