256, 257, 258, 259 are used by Firewall-1 and are not a red flag.  


However, things like smtp, ftp, telnet, rpcbind, lockd, and X11 are
generally not seen on firewall-1.  All these applications are either very
insecure or often exploited by attackers.

telnet should never be running.  Use ssh instead.  lockd is also
considered evil (you're not running NFS on your firewall are you?).  
rpcbind is generally only used if you're running DiskSuite to mirror disks
or something like NetBackup to back them up.  In which case you should be
running Wietse Venema's rpcbind replacement.  Last, you probably really
don't want to be running X on the firewall either.  As for FTP and SMTP,
if you're not using the Firewall-1 proxies (which actually suck) you
shouldn't be running that either.

-- 
Aaron Turner        [EMAIL PROTECTED]  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com

On Mon, 17 Jul 2000, Padden, Greg wrote:

> I've got a friend who is more or less a LAN Admin type that recently took
> over a FW-1 installation running on Solaris and found the following ports
> open on his box.
> 
> Are the ports 256, 257, 258, 259 an indication that his FW has been hacked?
> I haven't seen these ports open on other FW-1 boxes.
> 
> Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> Interesting ports on r4keytower-qfe-0.metrokc.gov (146.129.191.142):
> Port    State       Protocol  Service
> 21      open        tcp        ftp
> 23      open        tcp        telnet
> 25      open        tcp        smtp
> 111     open        tcp        sunrpc
> 256     open        tcp        rap
> 257     open        tcp        set
> 258     open        tcp        yak-chat
> 259     open        tcp        esro-gen
> 4045    open        tcp        lockd
> 6000    open        tcp        X11
> 
> 
> Network Engineer, MSCE, CCNA
> Information and Telecommunications Services
> King County
> 700 5th Ave, Suite 1800
> Seattle, WA 98104
> (206)263-4804 Fax (206)263-4834
> 
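
The triage in the reply above can be made a repeatable check. The following Python script is an added example, not part of the original thread: it parses nmap port tables in the layout of the quoted scan and, going beyond the thread, the current `port/proto` layout. The sample scan, its port 515 row and the names `audit` and `parse_nmap` are constructed for illustration; the notes are paraphrased from the reply.

```python
import re

# Firewall-1's own listeners, per the reply above; expected on the box.
FW1_PORTS = {256, 257, 258, 259}
# Remediation notes keyed by TCP port, paraphrased from the reply above.
ADVICE = {
    21: "ftp: only justified if the FW-1 proxies are in use",
    23: "telnet: disable, use ssh instead",
    25: "smtp: only justified if the FW-1 proxies are in use",
    111: "rpcbind: only for DiskSuite/NetBackup, then use Wietse Venema's replacement",
    4045: "lockd: NFS locking has no place on a firewall",
    6000: "X11: do not run X on the firewall",
}
# Old layout (as in the quoted scan): "21  open  tcp  ftp"
OLD_ROW = re.compile(r"^\s*(?P<port>\d+)\s+(?P<state>\S+)\s+(?P<proto>tcp|udp)\s+(?P<svc>\S+)\s*$")
# Current nmap layout: "21/tcp  open  ftp"
NEW_ROW = re.compile(r"^\s*(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<svc>\S+)\s*$")

def parse_nmap(text):
    """Yield (port, proto, state, service_name) for each port row."""
    for line in text.splitlines():
        m = OLD_ROW.match(line) or NEW_ROW.match(line)
        if m:
            yield int(m["port"]), m["proto"], m["state"], m["svc"]

def audit(text):
    """Return (expected_ports, findings) for the open TCP ports in a scan."""
    expected, findings = [], []
    for port, proto, state, svc in parse_nmap(text):
        if state != "open" or proto != "tcp":
            continue
        # Key on the port number: without version detection the name nmap
        # prints is only a table lookup (hence "rap" for port 256).
        if port in FW1_PORTS:
            expected.append(port)
        else:
            findings.append((port, ADVICE.get(port, f"{svc}: not in baseline, justify or disable")))
    return expected, findings

# Constructed sample scan mixing both layouts.
SAMPLE = """\
Port    State       Protocol  Service
23      open        tcp        telnet
111     open        tcp        sunrpc
256     open        tcp        rap
4045    filtered    tcp        lockd
515/tcp open  printer
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a saved scan of the firewall's external and internal interfaces; anything in the findings list needs either an owner and a reason or to be switched off.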




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
