Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-18 Thread Javier Fernández-Sanguino Peña
On Fri, Dec 16, 2005 at 08:14:15AM -0500, Michael Stone wrote:
 On Fri, Dec 16, 2005 at 01:27:57PM +0100, Javier Fernández-Sanguino Peña 
 wrote:
 On Thu, Dec 15, 2005 at 05:54:34PM -0500, Noah Meyerhans wrote:
 Well, at least there's still *some* level of physical security there;
 an attacker has to be at your user's desk to get the password.  Plus,
 
 Noah, meet binoculars:
 http://www.thinkgeek.com/electronics/cameras/798d/
 
 Don't be flippant, it lowers the level of the discourse. His point was
 that the password written on the paper is a completely different
 category of security risk, and may be a much less serious risk
 (approaching non-existence) based on the environment in question--and
 that point is entirely valid. Don't make knee-jerk reactions to security
 dogma like don't write down passwords unless you have an understanding
 of the risks involved in a particular situation.

I'm not against people writing out passwords, actually, a very good
security mechanism is generating a random password, writing it down, and
keeping it in your wallet only taking it out when you forget it (but make
sure you don't write down what does the password give access to, in case your
wallet gets stolen). However, putting them in a screen and *thinking* that
only people next to it will be able to read it out is missing the obvious.

In most work environments I've been (and I've been to many offices outside my
own) you can just walk down the office and remember passwords written in
screens or, even, read the passwords of users from an opposite building.

So my knee-jerk reaction is for people thinking that putting their
passwords in plain view provides sufficient security. Had he said that he was
dropping the post-it to his desk drawer I wouldn't have jumped in.

 FWIW, I'd love to know how your binoculars would be effective in an
 environment where the computer is facing a blank wall. 

Useless, but in office environments there is typically only *some* computers
facing the blank wall. They are typically contented as they provide the
higher privacy, but they are still few.

I welcome people to test my theory in their own offices and think if writing
down a password in a post-it (even if virtual, on screen) is a good idea.

Regards


Javier




Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-16 Thread Adrian von Bidder
On Thursday 15 December 2005 23.54, Noah Meyerhans wrote:
 given the choice between having your users use weak but easy to remember
 passwords and having them use complex passwords that they have to write
 down,

My experience suggests that users use weak passwords *and* need to write 
them down. :-( (This can be construed as an argument that encryption is not 
necessary: if the passwords are easily guessable anyway...)

Including an 'official' note with all passwords hanging at the whiteboard in 
one small company (ca. 5 people)..

-- vbi

-- 
Beware of the FUD - know your enemies. This week
* Patent Law, and how it is currently abused. *
http://fortytwo.ch/opinion




Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-16 Thread kevin bailey
Adrian von Bidder wrote:

 On Thursday 15 December 2005 23.54, Noah Meyerhans wrote:
 given the choice between having your users use weak but easy to remember
 passwords and having them use complex passwords that they have to write
 down,
 
 My experience suggests that users use weak passwords *and* need to write
 them down. :-( (This can be construed as an argument that encryption is
 not necessary: if the passwords are easily guessable anyway...)
 
 Including an 'official' note with all passwords hanging at the whiteboard
 in one small company (ca. 5 people)..
 
 -- vbi
 


at least i use pwgen or gpw to generate passwords for the users which they
then can't change.

passwords generated with gpw seem to be acceptable by most people.

kev


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-16 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 15, 2005 at 05:54:34PM -0500, Noah Meyerhans wrote:
 On Thu, Dec 15, 2005 at 10:19:48PM +, kevin bailey wrote:
  good point - also the fact that the users stick their email passwords to
  their monitors using postits!
 
 Well, at least there's still *some* level of physical security there;
 an attacker has to be at your user's desk to get the password.  Plus,
(..)

Noah, meet binoculars:
http://www.thinkgeek.com/electronics/cameras/798d/

Regards

Javier




Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-16 Thread Michael Stone

On Fri, Dec 16, 2005 at 01:27:57PM +0100, Javier Fernández-Sanguino Peña wrote:

On Thu, Dec 15, 2005 at 05:54:34PM -0500, Noah Meyerhans wrote:

Well, at least there's still *some* level of physical security there;
an attacker has to be at your user's desk to get the password.  Plus,


Noah, meet binoculars:
http://www.thinkgeek.com/electronics/cameras/798d/


Don't be flippant, it lowers the level of the discourse. His point was
that the password written on the paper is a completely different
category of security risk, and may be a much less serious risk
(approaching non-existence) based on the environment in question--and
that point is entirely valid. Don't make knee-jerk reactions to security
dogma like don't write down passwords unless you have an understanding
of the risks involved in a particular situation.

FWIW, I'd love to know how your binoculars would be effective in an
environment where the computer is facing a blank wall. 


Mike Stone





closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread kevin bailey
hi,

these ports seem to be open by default on a standard sarge setup 

PORT     STATE    SERVICE
9/tcp    open     discard
13/tcp   open     daytime
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
37/tcp   open     time
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
143/tcp  open     imap
443/tcp  open     https
1720/tcp filtered H.323/Q.931


the server will just be serving email and websites so can these services be
turned off?

PORT     STATE    SERVICE
9/tcp    open     discard
13/tcp   open     daytime
37/tcp   open     time
111/tcp  open     rpcbind

i presume they are mostly from inetd


the service:
443/tcp  open https
is used to protect the webmail service.  it is meant to stop the email
passwords from being sniffed.

what is 
1720/tcp filtered H.323/Q.931
?

and how do i turn it off if it is unnecessary.

thanks,

kev





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Will Maier
On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
 these ports seem to be open by default on a standard sarge setup 
[...]

Not a standard, default setup; you've installed and enabled other
services which aren't turned on by default.

 the server will just be serving email and websites so can these
 services be turned off?
[...]

Yes, those services can be turned off in most environments; still,
you should verify that there aren't any users for them before
removing them entirely.

 what is 
 1720/tcp filtered H.323/Q.931
 ?

H.323 is usually used by Voice Over IP applications. To find out
what particular application on your server is listening on that
port, try the following:

# lsof -Pni :1720

 and how do i turn it off if it is unnecessary.

This depends very much on the particular application; it may be
started in rc.d or via inetd.conf.

Most of these questions are asked rather frequently; their answers
can be found in the archives and on google.

-- 

o--{ Will Maier }--o
| jabber:[EMAIL PROTECTED] | email:[EMAIL PROTECTED] |
| [EMAIL PROTECTED] | [EMAIL PROTECTED] |
*---[ Debian: The Universal Operating System (www.debian.org) ]*





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Dale Amon
On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
 what is 
 1720/tcp filtered H.323/Q.931

Are you running any VOIP? H323 is the standard for telephone
interchanges.

 and how do i turn it off if it is unnecessary.

netstat, lsof, fuser, the usual suspects...

-- 
--
 Artemis Systems Development
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware  software system design, security
and networking, systems programming and Admin
  Have Laptop, Will Travel
--




Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Rolf Kutz
* Quoting kevin bailey ([EMAIL PROTECTED]):

 hi,
 
 these ports seem to be open by default on a standard sarge setup 
 
 PORT     STATE    SERVICE
 21/tcp   open     ftp

This is not part of the default install.

 25/tcp   open smtp

This is only open to localhost.

 80/tcp   open http
 110/tcp  open pop3
 143/tcp  open imap
 443/tcp  open https
 1720/tcp filtered H.323/Q.931

This is not part of the default install.

 what is 
 1720/tcp filtered H.323/Q.931
 ?

`netstat -tulpen` shows you the listening UDP/TCP
services and the corresponding program names.

 and how do i turn it off if it is unnecessary.

Uninstall the program or edit the configuration
files for the services, edit /etc/inetd.conf,
/etc/hosts.allow. 

- Rolf
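
Rolf's last step, editing /etc/inetd.conf to disable the services kevin listed, worked through as an added example (not code from any poster in this thread). The inetd.conf content is constructed to resemble a sarge-era file and is not from a real host; the `#<off># ` marker is the one Debian's `update-inetd --disable <service>` writes, so the function shows what that tool's edit amounts to. Matching only the first field keeps `time` from also disabling `daytime`, and already-commented lines are left alone so the edit can be re-run safely.

```python
"""Comment out unwanted services in an inetd.conf-style file.

Added example for this thread; not code from any poster. The sample
configuration below is constructed to resemble a sarge-era
/etc/inetd.conf and is not taken from a real host.
"""

# Constructed sample: the simple internal services the original post
# wanted gone, plus a couple of lines that must stay untouched.
SAMPLE_INETD_CONF = """\
#:INTERNAL: Internal services
discard\t\tstream\ttcp\tnowait\troot\tinternal
discard\t\tdgram\tudp\twait\troot\tinternal
daytime\t\tstream\ttcp\tnowait\troot\tinternal
time\t\tstream\ttcp\tnowait\troot\tinternal
#:STANDARD: These are standard services.
#:MAIL:
pop3\t\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/popa3d
"""

# Marker Debian's update-inetd puts in front of a disabled entry.
OFF_MARKER = "#<off># "


def active_services(conf_text):
    """Return the set of service names on non-comment, non-blank lines."""
    names = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names.add(stripped.split()[0])
    return names


def disable_services(conf_text, services):
    """Return conf_text with every active line for the given services disabled.

    Only the first field (the service name) is compared, so 'time' does
    not also hit 'daytime'. Lines that are already comments are left as
    they are, which makes the function idempotent.
    """
    wanted = set(services)
    out = []
    for line in conf_text.splitlines(keepends=True):
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] in wanted:
            out.append(OFF_MARKER + line)
        else:
            out.append(line)
    return "".join(out)


if __name__ == "__main__":
    before = active_services(SAMPLE_INETD_CONF)
    after_text = disable_services(SAMPLE_INETD_CONF, ["discard", "daytime", "time"])
    print("before:", sorted(before))
    print("after: ", sorted(active_services(after_text)))
    print(after_text)
```

After the edit, inetd still has to be told to reread its configuration (`update-inetd` does that for you; a hand edit needs a reload of the inetd service), and `netstat -tulpen` run afterwards confirms the listeners are gone.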





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Noah Meyerhans
On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
 the service:
 443/tcp  open https
 is used to protect the webmail service.  it is meant to stop the email
 passwords from being sniffed.

If you're concerned about passwords being sniffed, you better shut off
pop3 and imap, too (unless you configure IMAP such that plaintext
passwords will never be prompted for, which should be possible according
to section 6.2.2 of RFC 3501).  In the case of pop3, it is not possible
to configure secure authentication mechanisms, and you should switch to
the SSL-tunnelled pop3s if you really need POP support.

 what is 
 1720/tcp filtered H.323/Q.931
 ?
 
 and how do i turn it off if it is unnecessary.

It may be nothing.  The fact that it showed up as filtered in the nmap
output indicates that nmap didn't receive a TCP RST packet back when it
tried to contact that port.  That may mean you have iptables configured
to DROP packets to that port.

noah
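
Noah's IMAP point (RFC 3501, section 6.2.2) as an added example, not code from anyone in this thread: a server that advertises LOGINDISABLED in its CAPABILITY response refuses the cleartext LOGIN command until the session is protected, typically after STARTTLS, so the thing to check on port 143 is whether that capability is advertised. The client below reads the greeting, issues CAPABILITY and reports the answer; the in-process IMAP stand-in is a constructed stub that only answers CAPABILITY and LOGOUT so the check can run offline. Against a real server you would call imap_capabilities() with its hostname and port 143 instead.

```python
"""Check whether an IMAP server will take a cleartext LOGIN before TLS.

Added example for this thread, not code from any poster. RFC 3501
section 6.2.2: a server advertising LOGINDISABLED in CAPABILITY rejects
LOGIN until the connection is protected (for example after STARTTLS).
The stub server below is constructed for offline use only.
"""
import socket
import threading


def imap_capabilities(host, port, timeout=5.0):
    """Read the greeting, send CAPABILITY, return the advertised capability set."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        greeting = f.readline()  # RFC 3501 7.1.1: "* OK ..." or "* PREAUTH ..."
        if not (greeting.startswith(b"* OK") or greeting.startswith(b"* PREAUTH")):
            raise RuntimeError("unexpected IMAP greeting: %r" % greeting)
        f.write(b"a001 CAPABILITY\r\n")
        f.flush()
        caps = set()
        while True:
            line = f.readline()
            if not line:
                raise RuntimeError("connection closed before CAPABILITY completed")
            if line.startswith(b"* CAPABILITY"):
                caps = set(line.decode("ascii", "replace").split()[2:])
            elif line.startswith(b"a001 "):
                break
        f.write(b"a002 LOGOUT\r\n")  # be polite, then drain BYE and the tagged OK
        f.flush()
        while True:
            line = f.readline()
            if not line or line.startswith(b"a002 "):
                break
        return caps


def plaintext_login_allowed(caps):
    """True if the server would accept a cleartext LOGIN on this connection."""
    return "LOGINDISABLED" not in caps


def _stub_imap_server(capability_line):
    """Start a constructed one-shot IMAP stub on loopback; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rwb") as f:
            f.write(b"* OK stub IMAP4rev1 ready\r\n")
            f.flush()
            while True:
                line = f.readline()
                if not line:
                    break
                tag, _, cmd = line.strip().partition(b" ")
                if cmd.upper() == b"CAPABILITY":
                    f.write(b"* CAPABILITY " + capability_line + b"\r\n" + tag + b" OK done\r\n")
                elif cmd.upper() == b"LOGOUT":
                    f.write(b"* BYE\r\n" + tag + b" OK done\r\n")
                    f.flush()
                    break
                else:
                    f.write(tag + b" BAD stub only speaks CAPABILITY and LOGOUT\r\n")
                f.flush()

    threading.Thread(target=serve, daemon=True).start()
    return port


def check_stub(capability_line):
    """Start a stub advertising capability_line, query it, return (caps, allowed)."""
    port = _stub_imap_server(capability_line)
    caps = imap_capabilities("127.0.0.1", port)
    return caps, plaintext_login_allowed(caps)


if __name__ == "__main__":
    # The two configurations contrasted above: STARTTLS offered but cleartext
    # LOGIN still accepted, versus LOGIN refused until the session is protected.
    for line in (b"IMAP4rev1 STARTTLS AUTH=PLAIN",
                 b"IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"):
        caps, allowed = check_stub(line)
        print(sorted(caps), "-> cleartext LOGIN allowed:", allowed)
```

Seeing STARTTLS alone is not enough: a client can still send LOGIN before upgrading, and many will if misconfigured, so LOGINDISABLED (or the server only listening on loopback, as suggested elsewhere in this thread) is the setting to look for.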





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Florian Weimer
* Noah Meyerhans:

 what is 
 1720/tcp filtered H.323/Q.931
 ?
 
 and how do i turn it off if it is unnecessary.

 It may be nothing.  The fact that it showed up as filtered in the nmap
 output indicates that nmap didn't receive a TCP RST packet back when it
 tried to contact that port.  That may mean you have iptables configured
 to DROP packets to that port.

It could also mean that the ISP filters 1720/TCP, in order to
prevent its customers from using VoIP.





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Noah Meyerhans
On Thu, Dec 15, 2005 at 06:46:02PM +0100, Florian Weimer wrote:
  It may be nothing.  The fact that it showed up as filtered in the nmap
  output indicates that nmap didn't receive a TCP RST packet back when it
  tried to contact that port.  That may mean you have iptables configured
  to DROP packets to that port.
 
 It could also mean that the the ISP filters 1720/TCP, in order to
 prevent its customers from using VoIP.

Good point.  I suspect that's more likely.

noah





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread kevin bailey
Noah Meyerhans wrote:

 On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
 the service:
 443/tcp  open https
 is used to protect the webmail service.  it is meant to stop the email
 passwords from being sniffed.
 
 If you're concerned about passwords being sniffed, you better shut off
 pop3 and imap, too (unless you configure IMAP such that plaintext
 passwords will never be prompted for, which should be possible according
 to section 6.2.2 of RFC 3501).  In the case of pop3, it is not possible
 to configure secure authentication mechanisms, and you should switch to
 the SSL-tunnelled pop3s if you really need POP support.

good point - also the fact that the users stick their email passwords to
their monitors using postits!

i'm almost thinking to switch the webmail service to normal apache - this
would save me from having to run apache-ssl altogether.

the email accounts are virtual accounts and are not system/FTP accounts run
on a courier email server.

 
 what is
 1720/tcp filtered H.323/Q.931
 ?
 
 and how do i turn it off if it is unnecessary.
 
 It may be nothing.  The fact that it showed up as filtered in the nmap
 output indicates that nmap didn't receive a TCP RST packet back when it
 tried to contact that port.  That may mean you have iptables configured
 to DROP packets to that port.

iptables has not been set up - but i take what you say.

so if i set up a firewall and drop nearly all packets does nmap report ports
as unfiltered?


thanks for your points,

kev



 
 noah





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread kevin bailey
Dale Amon wrote:

 On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
 what is
 1720/tcp filtered H.323/Q.931
 
 Are you running any VOIP? H323 is the standard for telephone
 interchanges.
 
 and how do i turn it off if it is unnecessary.
 
 netstat, lsof, fuser, the usual suspects...
 

i've not used the first couple of tools - will check them out,

kev





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread kevin bailey
Will Maier wrote:

 On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
 these ports seem to be open by default on a standard sarge setup
 [...]
 
 Not a standard, default setup; you've installed and enabled other
 services which aren't turned on by default.
 
 the server will just be serving email and websites so can these
 services be turned off?
 [...]
 
 Yes, those services can be turned off in most environments; still,
 you should verify that there aren't any users for them before
 removing them entirely.
 
 what is
 1720/tcp filtered H.323/Q.931
 ?
 
 H.323 is usually used by Voice Over IP applications. To find out
 what particular application on your server is listening on that
 port, try the following:
 
 # lsof -Pni :1720

thanks for the help

 
 and how do i turn it off if it is unnecessary.
 
 This depends very much on the particular application; it may be
 started in rc.d or via inetd.conf.
 
 Most of these questions are asked rather frequently; their answers
 can be found in the archives and on google.
 

i did have a quick look but nothing much seemed to come up RE this particular
response - will look further,

thanks,

kev





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Noah Meyerhans
On Thu, Dec 15, 2005 at 10:19:48PM +, kevin bailey wrote:
 good point - also the fact that the users stick their email passwords to
 their monitors using postits!

Well, at least there's still *some* level of physical security there;
an attacker has to be at your user's desk to get the password.  Plus,
given the choice between having your users use weak but easy to remember
passwords and having them use complex passwords that they have to write
down, the latter is the better option.  I'd suggest that they keep their
password in their wallet or something, though, and only take it out when
they need it.  Treat it like a credit card or something, and it's
basically safe.

 i'm almost thinking to switch the webmail service to normal apache - this
 would save me from having to run apache-ssl altogether.
 
 the email accounts are virtual accounts and are not system/FTP accounts run
 on a courier email server.

Apache+mod_ssl is the way to go.  If your users will only access their
mail via the web interface, then configure your your IMAP server to only
listen on the loopback interface.

  It may be nothing.  The fact that it showed up as filtered in the nmap
  output indicates that nmap didn't receive a TCP RST packet back when it
  tried to contact that port.  That may mean you have iptables configured
  to DROP packets to that port.
 
 iptables has not been set up - but i take what you say.
 
 so if i set up a firewall and drop nearly all packets does nmap report ports
 as unfiltered?
 ^^  
You mean filtered.  Yes.  Normally, when a TCP SYN is sent to a port
with nothing on it, the OS sends back a TCP RST packet, basically saying
there's nothing here.  If you configure iptables to DROP the packets,
then nmap realizes that it didn't get the RST back and lists the port as
filtered.  If you want to firewall off a port such that it appears to
the outside world that there is nothing on that port at all, use 
-j REJECT --reject-with tcp-reset in the iptables rule.

As Florian pointed out, though, it's likely that your ISP is actually
dropping the SYN packet, and that's why nmap isn't getting the RST back.
Your OS never sees the SYN at all so it never sends back the RST.

noah
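
The open/closed/filtered distinction Noah describes, as an added example that is not code from anyone in this thread. A connect() to a port with nothing on it fails at once with ECONNREFUSED because the kernel answered the SYN with a RST; when a DROP rule (or an upstream ISP filter) swallows the SYN, nothing comes back and the client sits there until its timeout, which is what nmap reports as "filtered". The two iptables lines in the comments are the variants contrasted above; the demo only exercises the open and closed cases, since a dropped SYN cannot be produced on loopback without a firewall rule.

```python
"""Tell 'closed' from 'filtered' the way nmap does: did a RST come back?

Added example for this thread, not code from any poster. The probe is a
plain TCP connect, so it classifies the same way an nmap connect scan
(or -sS at the level of the reply) does.

    iptables -A INPUT -p tcp --dport 1720 -j DROP
        -> no reply at all; a scanner reports "filtered"
    iptables -A INPUT -p tcp --dport 1720 -j REJECT --reject-with tcp-reset
        -> the kernel answers with a RST; looks exactly like a closed port
"""
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # SYN/ACK came back and the handshake completed
    except socket.timeout:
        return "filtered"        # nothing came back before the timeout
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"      # a RST came back: nothing is listening
        # ICMP unreachable and similar: still no RST, so treat as filtered
        return "filtered"
    finally:
        sock.close()


def _unused_loopback_port():
    """Bind to port 0 to learn a currently free loopback port, then release it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe one listening and one unbound loopback port; return both verdicts."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)           # the backlog completes the handshake for us
    open_port = listener.getsockname()[1]
    try:
        open_verdict = probe_tcp("127.0.0.1", open_port)
    finally:
        listener.close()
    closed_verdict = probe_tcp("127.0.0.1", _unused_loopback_port())
    return open_verdict, closed_verdict


if __name__ == "__main__":
    print("listening port ->", demo()[0])
    print("unbound port   ->", demo()[1])
```

The practical reading for the original question: a "filtered" verdict on 1720/tcp says only that no RST came back, and it cannot tell a local DROP rule from an ISP filter on the path. Checking with netstat or lsof on the host itself (as others suggested) settles whether anything is listening, and a scan from a second vantage point settles where the filter sits.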





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread kevin bailey
Noah Meyerhans wrote:

 On Thu, Dec 15, 2005 at 06:46:02PM +0100, Florian Weimer wrote:
  It may be nothing.  The fact that it showed up as filtered in the nmap
  output indicates that nmap didn't receive a TCP RST packet back when
  it
  tried to contact that port.  That may mean you have iptables configured
  to DROP packets to that port.
 
 It could also mean that the the ISP filters 1720/TCP, in order to
 prevent its customers from using VoIP.
 
 Good point.  I suspect that's more likely.
 
 noah


will check with demon to see if this is the case for my connection





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread kevin bailey
 
On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
} hi,
} 
} these ports seem to be open by default on a standard sarge setup 
} 
} PORT     STATE    SERVICE
} 9/tcp    open     discard

Useless.  Turn it off.

will do


} 13/tcp   open daytime

Useless.  Time in text format, without a timezone.  Off.

ok


} 21/tcp   open ftp

Off.  Security hole if passwords are sent, they aren't encrypted.


will be trying to move to SFTP


} 22/tcp   open ssh

I move to another port number to foil port scanners.

good idea


} 25/tcp   open smtp

I run postfix for my mailserver.  Much simpler than exim.

i have actually switched to courier for this server because i was able to
set up virtual domains

i have used postfix for other clients and will be moving to it now because
it handles virtual domains and i simply prefer it.


} 37/tcp   open time

Can be turned off, but I leave it on and change the user from root to
nobody.  I am a public ntp server and many people like to use this time
service also.  rdate gets the time from this service.


will turn off

} 110/tcp  open pop3

I firewall this off from the outside.
I don't want passwords being passed to this from the outside.


they are virtual accounts which are probably left by the users all over the
place - there's not much i can do to protect these passwords - but at least
they are not system accounts

} 111/tcp  open rpcbind

Do NOT leave this one open.

will do.


} 143/tcp  open imap

You probably don't need this AND pop 110.
I don't run this.




} 1720/tcp filtered H.323/Q.931

Don't know what this is.  But I don't have it.


seems like it may be due to demon stopping VOIP traffic.

thanks for your help,
kev

-- E Frank Ball [EMAIL PROTECTED] 





Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Rick Moen
Quoting kevin bailey ([EMAIL PROTECTED]):

 } 21/tcp   open ftp
 
 Off.  Security hole if passwords are sent, they aren't encrypted.

Even in deployments where the only login supported is anonymous? ;-
P.S.:  http://linuxmafia.com/faq/Network_Other/ftp-justification.html

