Koozali.org: home of the SME Server

Advice on security scan and open ports please..

mizou

Advice on security scan and open ports please..
« on: October 25, 2004, 06:40:42 AM »
I did a scan on my SME Server 6.0.1-01 at http://scan.sygate.com and got the following results.
Could anyone advise me if those open ports are ok or should I be attending to them?

FTP DATA 20 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.

FTP 21 OPEN File Transfer Protocol is used to transfer files between computers. A misconfigured FTP server can allow an attacker to transfer files, Trojan horses, and virus programs at will.
 
SSH 22 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
 
TELNET 23 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
 
SMTP 25 OPEN SMTP is used to send email across the internet. This allows an attacker to verify user accounts on your system, send anonymous (spam) email, or even access files on your hard drive.
 
DNS 53 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.

DCC 59 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
 
FINGER 79 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
 
WEB 80 OPEN HTTP web services publish web pages. A misconfigured web server can not only offer an attacker needed information about his target, but it can allow for various security breaches.

POP3 110 OPEN Post Office Protocol is used to receive email. It can be used by attackers to create fake email addresses, execute programs, and even intercept your private email.
 
IDENT 113 OPEN Ident is often used for IRC (chat), but also provides information about your system and who is using it.

NetBIOS 139 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.

HTTPS 443 OPEN Secure Web Servers are often used by banks and online vendors.

Server Message Block 445 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.

SOCKS PROXY 1080 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.

WEB PROXY 8080 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.

SOURCE PORT 59801 BLOCKED This is the port you are using to communicate to our Web Server. A firewall that uses Stateful Packet Inspection will show a 'BLOCKED' result for this port.

cc_skavenger

Advice on security scan and open ports please..
« Reply #1 on: October 25, 2004, 07:38:02 AM »
port 21
You have ftp enabled in the server manager. You can disable this in Remote Access in the server manager.  You can use ssh for file transfer instead.  Programs like WinSCP have the same functionality as ftp, but the security of ssh.

port 25
There is a transparent smtp proxy in place, direct connection will not be allowed. It seems to work well.

port 80
This is the web server part of the server.  This can't be disabled, that I know of, since it would interfere with the function of the server manager.

port 110
You have enabled public access to your pop server in the server manager. You can disable this in Remote Access in the server manager.

port 113
This is enabled by default.  You can disable oidentd with the command:  service oidentd stop.

port 443
This is enabled by default.  Https is used to manage the server remotely, and securely, if you enable this in the Remote Access section of the server manager.

Off topic,
I have been using this software in a production environment for about 3.5 years since version 5.0.
If you watch your message logs and use strong passwords, you should not have any problems.

HTH
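As an added illustration of the advice in this reply (example code, not from the thread or from SME Server): a small script that parses a Sygate-style scan report like the one posted above and flags every port reported OPEN that is not on the owner's list of services meant to be reachable from the Internet. The report text is a constructed sample in the shape of the posted results, and the "intended" set (25, 80, 443 for mail, the web server and the server-manager over HTTPS) is an assumption based on this reply.

```python
"""Added example (not from the forum thread or from SME Server itself):
parse a Sygate-style scan report and flag every OPEN port that is not on
the list of services the owner intends to expose."""

import re

# Constructed sample in the shape of the report quoted in the first post.
SCAN_REPORT = """\
FTP DATA 20 BLOCKED This port has not responded to any of our probes.
FTP 21 OPEN File Transfer Protocol is used to transfer files between computers.
SSH 22 BLOCKED This port has not responded to any of our probes.
SMTP 25 OPEN SMTP is used to send email across the internet.
WEB 80 OPEN HTTP web services publish web pages.
POP3 110 OPEN Post Office Protocol is used to receive email.
IDENT 113 OPEN Ident is often used for IRC (chat).
HTTPS 443 OPEN Secure Web Servers are often used by banks and online vendors.
SOURCE PORT 59801 BLOCKED This is the port you are using to communicate to our Web Server.
"""

# "<service name> <port> <STATE> <description>"; the name may contain spaces.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<port>\d{1,5})\s+(?P<state>OPEN|BLOCKED|CLOSED)\b"
)


def parse_scan(text):
    """Return {port: (service name, state)} for every recognisable line."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or free-text line, not a result
        results[int(m.group("port"))] = (m.group("name"), m.group("state"))
    return results


# Assumption: the owner wants mail, the web server and HTTPS reachable.
INTENDED_EXPOSED = {25, 80, 443}

# Remedies echo what Reply #1 suggests for the optional services.
HINTS = {
    21: "FTP: disable under Remote Access in server-manager; use SSH/SCP instead",
    110: "POP3: disable public access under Remote Access in server-manager",
    113: "ident: stop oidentd (service oidentd stop)",
}


def unexpected_open_ports(results, intended=INTENDED_EXPOSED):
    """Ports reported OPEN that are not in the intended-exposure set, sorted."""
    return sorted(p for p, (_, state) in results.items()
                  if state == "OPEN" and p not in intended)


def report(results, intended=INTENDED_EXPOSED):
    """Human-readable finding per unexpected open port."""
    lines = []
    for port in unexpected_open_ports(results, intended):
        name, _ = results[port]
        hint = HINTS.get(port, "review whether this service needs to be public")
        lines.append(f"port {port} ({name}) is OPEN but not intended: {hint}")
    return lines


if __name__ == "__main__":
    for finding in report(parse_scan(SCAN_REPORT)):
        print(finding)
```

Run against the sample it lists 21, 110 and 113; adjust INTENDED_EXPOSED to match what you actually want public and re-run after changing the server-manager settings.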

chris burnat
Advice on security scan and open ports please..
« Reply #2 on: October 25, 2004, 02:03:17 PM »
Greetings cc_skavenger.

port 113
This is enabled by default. You can disable oidentd with the command: service oidentd stop.

Could you please enlarge on the purpose of Port 113? What functionality will be affected on the server if this port is blocked - I am at a loss on this.  Many thanks.  christian

PS: Apologies if I am off topic.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

cc_skavenger

Advice on security scan and open ports please..
« Reply #3 on: October 25, 2004, 04:12:41 PM »
I personally am not sure what ident is used for, but here is what I found:

http://www.irchelp.org/irchelp/security/fwfaq.html#6

"6. Q: What is identd?
A: identd is a server for the "Identification Protocol" defined by RFC 1413 [ext. link]. Essentially, it provides for the accountability of individual users beyond the local system. It was originally created at a time when most systems on the internet were large, multi-user systems. It is still used today, mostly by IRC, SMTP, and FTP servers."

I personally have always turned this off.  Back in version 5.5, I had a problem with IRC users and Ident.  The process would hang and not terminate.  There would be several ident processes running (between 50 and 100) and this would cause my server to lockup.

HTH

mizou

Advice on security scan and open ports please..
« Reply #4 on: October 26, 2004, 02:16:58 AM »
Hi cc_skavenger,

Thanks for the information.. Much appreciated.

I had an unexplained 3 gigabytes of data used up in 4 days on my sme server. I have contacted my ISP to look into this matter and that's why I tested my security settings.

Do you have any further advice on where / what to look for in my logs?

Cheers

Mizou

cc_skavenger

Advice on security scan and open ports please..
« Reply #5 on: October 26, 2004, 04:54:26 AM »
I would look at the messages log.  Look for any strange logins from IPs you do not know.  Look at the mail log and look at the outgoing mail queue.  Basically, start looking at all the logs for anything funny.  You might also check for any new users you do not know and even change the admin password.

Are you doing any heavy duty caching?

Just possible answers

good luck
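As an added worked example of the log review suggested in this reply (example code, not from the thread or from SME Server): a small reviewer for /var/log/messages-style lines that picks out the three things mentioned, logins from addresses you do not recognise, repeated password failures per source, and newly created accounts. The log lines are constructed samples in standard syslog, sshd and useradd format, and the trusted network range is an assumption to be replaced with your own LAN.

```python
"""Added example (not from the forum thread or from SME Server itself):
scan messages-log lines for logins from unknown sources, failure counts
per source address, and new user accounts."""

import ipaddress
import re
from collections import Counter

# Constructed sample lines in syslog format (not real log data).
SAMPLE_MESSAGES = """\
Oct 25 03:12:01 sme sshd[1234]: Accepted password for admin from 192.168.1.20 port 51234 ssh2
Oct 25 03:40:17 sme sshd[1301]: Failed password for root from 203.0.113.45 port 4022 ssh2
Oct 25 03:40:21 sme sshd[1302]: Failed password for root from 203.0.113.45 port 4023 ssh2
Oct 25 03:40:26 sme sshd[1303]: Failed password for admin from 203.0.113.45 port 4024 ssh2
Oct 25 03:41:02 sme sshd[1304]: Accepted password for admin from 203.0.113.45 port 4025 ssh2
Oct 25 03:42:30 sme useradd[1310]: new user: name=backup2, UID=5003, GID=5003, home=/home/backup2, shell=/bin/bash
Oct 26 09:05:44 sme sshd[1450]: Accepted publickey for admin from 192.168.1.21 port 50000 ssh2
"""

# Assumption: the only network that should ever log in interactively.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# sshd: "Accepted password for admin from 1.2.3.4 port 4025 ssh2"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)
# shadow-utils useradd: "new user: name=backup2, UID=..., ..."
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def is_trusted(addr, trusted=TRUSTED_NETWORKS):
    """True when the source address falls inside a trusted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def review_messages(text, trusted=TRUSTED_NETWORKS):
    """Return findings: foreign successful logins, failures per source, new users."""
    findings = {
        "foreign_logins": [],            # (timestamp, user, source)
        "failures_by_source": Counter(), # source -> failed attempts
        "new_users": [],                 # (timestamp, username)
    }
    for line in text.splitlines():
        stamp = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
        m = SSH_RE.search(line)
        if m:
            outcome, user, src = m.groups()
            if outcome == "Failed":
                findings["failures_by_source"][src] += 1
            elif not is_trusted(src, trusted):
                findings["foreign_logins"].append((stamp, user, src))
            continue
        m = USERADD_RE.search(line)
        if m:
            findings["new_users"].append((stamp, m.group(1)))
    return findings


def summarise(findings, failure_threshold=3):
    """One line per thing worth a closer look, in the order the reply lists them."""
    out = []
    for stamp, user, src in findings["foreign_logins"]:
        out.append(f"{stamp} login as {user} from untrusted address {src}")
    for src, n in findings["failures_by_source"].most_common():
        if n >= failure_threshold:
            out.append(f"{n} failed logins from {src}")
    for stamp, name in findings["new_users"]:
        out.append(f"{stamp} new account created: {name}")
    return out


if __name__ == "__main__":
    for line in summarise(review_messages(SAMPLE_MESSAGES)):
        print(line)
```

On the sample this reports the successful login from 203.0.113.45 that followed three failures from the same address, and the account backup2 created a minute later; feed it the real messages log (for example via `review_messages(open("/var/log/messages").read())`) and widen TRUSTED_NETWORKS to your own ranges.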

texinick

Advice on security scan and open ports please..
« Reply #6 on: October 28, 2004, 01:20:14 AM »
If you don't want any ports exposed to the internet, you could always choose the option to configure to "private server & gateway".   This would close all ports to external traffic but still let you connect to the net.

It just means that you won't be able to receive any email or any web servers you have running won't be accessible by people outside your network.  I don't use sme as a server, instead I have a server sitting on my internal network that runs fetchmail to get mail from external sources.