Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Anthony on October 27, 2003, 11:16:12 PM
-
Hi All.
Am trialling 6beta3 to replace 5.6.
Have setup my test machine as a private server/gateway (dedicated).
When I nmap the external interface (the web facing one), I get the following:
bash-2.05a$ nmap -sV 10.0.0.93
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-10-28 07:09 EST
Interesting ports on pc-00093 (10.0.0.93):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
25/tcp open smtp
80/tcp open http Apache httpd
113/tcp open auth?
443/tcp open ssl OpenSSL
I can also ping the server.
This is quite different to 5.6.
Am I doing something wrong, or is this normal?
-
Anthony,
Actually "25 open" even is a "false positive" alarm - try using it .-)
Also from 443 open I'd believe you haven't yet installed all 6.03 updates...
Personally I would not consider 6.03 open
- and what you see is either false or may "only though easily" be closed if you disable functionality (like the http-server...)
Have a look at what robert graham http://www.robertgraham.com/pubs/firewall-seen.html says to those ports ... then maybe decide what you will do with them.
-
Ok, looks like a bug.
I switched the box from Private Server/gateway to public server/gateway and my iptables didn't change.
I then switched back to private and now all services are denied.
It still accepts ICMP though.
Is this normal?
-
Yes your 6.03b is pingable ...
... so let's see you (& I) have no "kiddy friends" out there that ping us to death .-)
Seriously: I'm sure Mitel has many good reasons for this ...
I myself would really miss my gateway loss statistics and troubleshooting.
(remember: this is not just to mark you as a target for them "got-root-kids" out there
but network error announcement/network congestion/troubleshooting and timeouts do need this).
But again... it all may be turned off if you (really) are afraid.
Regards
-
Anthony wrote:
> Ok, looks like a bug.
Then why haven't you reported it to the correct address? How many times do I need to remind people?
[Help me out here folks. Either find and fix all the bugs yourself, or report them to us. Which'll it be?]
Charlie
-
You're right, Charlie.
I will submit a bug report.
I reloaded the machine with 6b3 and chose 'private' during the install process.
After it came up, I checked iptables and the InboundTCP rule allowed ports 113, 80, 443, 25, 110.
I then logged on as ADMIN and switched from 'private server/gateway' to just 'server-gateway' and it made no changes to iptables.
I then changed back to 'private server/gateway' and now iptables shows all ports as denylog in the InboundTCP rule.
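The check Anthony ran by hand (scan the external interface, then read the InboundTCP chain) is worth making repeatable, because the two views can disagree: the scan shows what is actually reachable, the chain shows what the rule set intends. The following is an added example, not code from the thread or from SME Server. The nmap text mirrors the scan posted above, and the iptables listings are constructed to match the usual `iptables -L InboundTCP -n` layout for the "before" state (ACCEPT rules for 113, 80, 443, 25, 110) and the "after" state (everything falls to denylog); the second nmap sample, the function names and the `allowed_ports` policy parameter are this example's own assumptions.

```python
"""Audit a gateway's external TCP exposure: compare what nmap reports open
with what the InboundTCP iptables chain accepts, against an expected policy.

Added example. SAMPLE_* texts are constructed to mirror `nmap -sV` and
`iptables -L InboundTCP -n` output formats; they are not captured data.
"""
import re

# Constructed: same shape as the scan posted in the thread (buggy state).
SAMPLE_NMAP_BEFORE = """\
Interesting ports on pc-00093 (10.0.0.93):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
25/tcp open smtp
80/tcp open http Apache httpd
113/tcp open auth?
443/tcp open ssl OpenSSL
"""

# Constructed: what a fully filtered host looks like after the fix.
SAMPLE_NMAP_AFTER = """\
All 1657 scanned ports on pc-00093 (10.0.0.93) are: filtered
"""

# Constructed: InboundTCP chain as described for a fresh 'private' install.
SAMPLE_IPTABLES_BEFORE = """\
Chain InboundTCP (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
denylog    all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed: same chain after toggling the mode back (all denylog).
SAMPLE_IPTABLES_AFTER = """\
Chain InboundTCP (1 references)
target     prot opt source               destination
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
denylog    all  --  0.0.0.0/0            0.0.0.0/0
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")
# target prot opt source destination ... dpt:N
RULE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+.*?\bdpt:(\d+)")


def nmap_open_tcp_ports(output):
    """Return the set of TCP ports nmap reported as 'open'."""
    ports = set()
    for line in output.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return ports


def iptables_tcp_targets(listing):
    """Map destination port -> jump target for TCP rules carrying a dpt: match."""
    targets = {}
    for line in listing.splitlines():
        m = RULE_LINE.match(line)
        if m and m.group(2) == "tcp":
            targets[int(m.group(3))] = m.group(1)
    return targets


def audit(nmap_output, iptables_listing, allowed_ports=frozenset()):
    """Compare both views against the ports that SHOULD be reachable externally.

    For a private server/gateway the expected allow list is empty.
    Returns a dict of violations; an empty dict means the box matches policy.
    """
    seen_open = nmap_open_tcp_ports(nmap_output)
    accepted = {p for p, t in iptables_tcp_targets(iptables_listing).items()
                if t == "ACCEPT"}
    report = {}
    unexpected_open = sorted(seen_open - allowed_ports)
    unexpected_accept = sorted(accepted - allowed_ports)
    # Open on the wire but with no ACCEPT in InboundTCP: some other chain or
    # interface let it through, so the chain alone is not the whole story.
    unexplained = sorted(seen_open - accepted - allowed_ports)
    if unexpected_open:
        report["nmap_open_not_allowed"] = unexpected_open
    if unexpected_accept:
        report["iptables_accept_not_allowed"] = unexpected_accept
    if unexplained:
        report["open_without_accept_rule"] = unexplained
    return report


if __name__ == "__main__":
    print("before:", audit(SAMPLE_NMAP_BEFORE, SAMPLE_IPTABLES_BEFORE))
    print("after: ", audit(SAMPLE_NMAP_AFTER, SAMPLE_IPTABLES_AFTER))
```

On a live box you would feed `audit()` the real text from `nmap -sV <external-ip>` run from outside and from `iptables -L InboundTCP -n` run on the gateway; scanning from the LAN side or the box itself hits a different chain and will not reproduce what the Internet sees. Note that the scan is the authoritative view: ICMP echo, which the thread confirms stays open, is not covered by this TCP-only check.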