RE: Open Ports

  • From: "Hugo Caye" <Hugo@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 31 Aug 2001 16:47:04 -0300

If you want to "stealth" ports, i.e. not advertise that they're "closed for 
business", on any TCP/IP host, configure it not to send ICMP Unreachable. On a 
Cisco router, use the "no ip unreachables" command at the interface level.

In ISA, just disable the packet filter called "ICMP unreachable in" that's 
enabled by default. Please note that this preconfigured packet filter disables 
all type 3 codes, and to stealth ports, only code 3 (port unreachable) is enough.

ICMP Type=3 Destination Unreachable, Code=3 Port Unreachable (RFC 792).


-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: Friday, 31 August 2001 10:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports


http://www.ISAserver.org


According to the TCP/IP spec, every port should respond with one of two
options:
1: "Here I am, what can I do for you?"
2: "Sorry, closed for business."

Paranoid Internet security types have added a third to the mix:
3: "..."
which Steve Gibson so charmingly refers to as 'stealthed' ports.

In other words, you should get a response on every port, but shouldn't
be able to open a connection that you haven't allowed.

Now, also, bear in mind that what you're doing is NAT.  In other words,
if you were to throw your firewall wide open, people still wouldn't be
able to access anything that wasn't explicitly running on your ISA box,
but is running behind your ISA box, unless you set up specific
publishing rules.  With a forwarding firewall, you'd be thinking
differently.

-----Original Message-----
From: Chris Bond [mailto:chris@xxxxxxxxxxxx]
Sent: Friday, August 31, 2001 7:27 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Open Ports


Hi,

Just ran a port scan on the external interface of ISA and got the
following results:

25 smtp
53 domain
88 kerberos
110 pop3
135 epmap
139 netbios-ssn
143 imap
389 ldap
443 https
445 microsoft-ds
464 kpasswd
636 ldaps
1723 pptp

Plus a few others

Luckily at the moment the Cisco router has an ACL on that only allows 25
through.  What is the correct solution to stop it listening for these
requests on the external interface (apart from port 25 of course)?
Although it does seem to say "* BYE Connection refused" and drop the
packets, I just find it weird that the ports are open in the first place.

Anybody got any ideas?

Kind Regards,
Chris Bond


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
slebrun@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

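As an added example (not part of this thread, and not ISA Server or Cisco code), the following Python script builds constructed probe responses of the kinds discussed above and classifies each into the three states Shayne lists: open, closed, or stealthed (no answer at all). It parses the ICMP Type 3 / Code 3 message Hugo refers to, verifies its checksum, and checks that the datagram quoted inside it matches the probed port, so a stray or forged unreachable is not taken as evidence about the port. All addresses, port numbers and packets are made up and built in memory, so it runs offline. It also shows the caveat a practitioner wants here: a closed TCP port answers with a RST segment rather than with ICMP, so suppressing ICMP unreachables hides closed UDP ports and silently dropped probes, not closed TCP ports.

```python
# Added example (not from the thread or from ISA Server): classify a port-probe
# response as open / closed / filtered / stealthed. All packets are constructed
# in memory, so it runs offline; addresses and ports are made up.
import struct
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_DEST_UNREACH = 3
# Destination Unreachable codes from RFC 792 (0-5) plus 13 from RFC 1812
DEST_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable",
                      4: "fragmentation needed and DF set", 5: "source route failed",
                      13: "communication administratively prohibited"}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    # 20-byte TCP header; checksum left zero since classify() does not inspect it
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_unreach(code: int, offending: bytes) -> bytes:
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the offending IP
    header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def classify(response: Optional[bytes], probed_port: int):
    """Map a raw IPv4 response (None = silence) to a (state, reason) pair."""
    if response is None:
        return "stealthed", "no answer before timeout"
    if len(response) < 20 or response[0] >> 4 != 4:
        return "unknown", "not an IPv4 packet"
    proto, body = response[9], response[(response[0] & 0x0F) * 4:]
    if proto == IPPROTO_TCP and len(body) >= 20:
        sport, flags = struct.unpack("!H", body[0:2])[0], body[13]
        if sport != probed_port:
            return "unknown", "TCP segment from a different port"
        if (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            return "open", "SYN/ACK"
        if flags & TCP_RST:
            return "closed", "RST"
        return "unknown", "unexpected TCP flags 0x%02x" % flags
    if proto == IPPROTO_ICMP and len(body) >= 8:
        if inet_checksum(body) != 0:
            return "unknown", "bad ICMP checksum"
        icmp_type, code, quoted = body[0], body[1], body[8:]
        if icmp_type != ICMP_DEST_UNREACH:
            return "unknown", "ICMP type %d" % icmp_type
        qihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        if len(quoted) < qihl + 4:
            return "unknown", "ICMP quote too short to identify the port"
        # Second 16-bit word of the quoted transport header is the destination port
        if struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0] != probed_port:
            return "unknown", "ICMP quotes a different port"
        name = "ICMP " + DEST_UNREACH_CODES.get(code, "code %d" % code)
        return ("closed" if code == 3 else "filtered"), name
    return "unknown", "protocol %d" % proto


def demo() -> dict:
    """Constructed responses to a probe of 10.0.0.1 port 53 from 203.0.113.5."""
    scanner, target, port = "203.0.113.5", "10.0.0.1", 53
    udp_probe = build_ipv4(IPPROTO_UDP, scanner, target, build_udp(40000, port, b"\0" * 4))
    port_unreach = build_icmp_unreach(3, udp_probe)
    corrupt = port_unreach[:12] + bytes([port_unreach[12] ^ 0xFF]) + port_unreach[13:]  # damaged/forged
    cases = {
        "tcp_open": build_ipv4(IPPROTO_TCP, target, scanner, build_tcp(port, 40000, TCP_SYN | TCP_ACK)),
        "tcp_closed": build_ipv4(IPPROTO_TCP, target, scanner, build_tcp(port, 40000, TCP_RST | TCP_ACK)),
        "udp_closed": build_ipv4(IPPROTO_ICMP, target, scanner, port_unreach),
        "router_prohibited": build_ipv4(IPPROTO_ICMP, "10.0.0.254", scanner, build_icmp_unreach(13, udp_probe)),
        "bad_checksum": build_ipv4(IPPROTO_ICMP, target, scanner, corrupt),
        "no_answer": None,
    }
    return {name: classify(pkt, port) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (state, reason) in demo().items():
        print("%-18s %-9s %s" % (name, state, reason))
```

Running the script prints one line per constructed case. The "router_prohibited" case is an unreachable with code 13 from a different address than the target, which is what a filtering router sends; it is reported as filtered rather than closed, which is the distinction behind Hugo's remark that only code 3 needs to be suppressed to stealth ports.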
