Re: Port 80 is shown open in port scan without any web server running




On 30/03/11 14:16, Thomas Bächler wrote:
On 30.03.2011 10:36, Partha Chowdhury wrote:


sudo /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Wed Mar 30 13:59:44 2011
*filter
:INPUT DROP [2844:282816]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9999:990098]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
-A INPUT -p udp -m udp --dport 54215 -j ACCEPT
COMMIT
# Completed on Wed Mar 30 13:59:44 2011
The following is OT, but I have to say it:

This is an affront to every admin of smaller or bigger networks. It
hurts my eyes. What do you try to achieve by dropping unwanted traffic?
You even drop ICMP entirely - dropping ICMP is the cause of a large
number of problems.

There is no security advantage, but you deliberately prevent proper
communication between yourself and other computers on the internet.

Well, I picked this configuration from Red Hat training books, except for port 54215, which I open for BitTorrent.

What do you suggest as the ideal iptables configuration for a basic desktop user - allowing proper connections as you said and yet staying secure from malicious port scanners?

On 30/03/11 14:20, Jan de Groot wrote:
. Try doing an nmap -sV and
you'll see what software is running on the proxyserver.
I did what you said:


nmap -sV 115.187.45.97

Starting Nmap 4.20 ( http://insecure.org ) at 2011-03-30 15:06 IST
Interesting ports on 115.187.45.97:
Not shown: 1696 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 114.226 seconds

So it seems my ISP is running squid version 3.2.0.4-20110203 in transparent mode, just like you said.

Interestingly, when connecting to random IP addresses on port 80, the error page returned is quite different from the normal ones.

http://www.freeimagehosting.net/image.php?280f0ef980.png

Does this transparent proxy pose any threat, and what can I do to stop that?
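Added example, not written by anyone in this thread: a small parser that takes a raw HTTP response captured from "port 80" and reports the evidence that it came from an intercepting proxy rather than a web server on the scanned host. The sample response is constructed from the headers the nmap fingerprint above shows the ISP's Squid returning; the second, plain sample is constructed to show the negative case.

```python
import re

# Constructed sample: the headers Squid returned to nmap's probe in the
# thread (body omitted, so Content-Length is not checked here).
SQUID_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: squid/3.2.0.4-20110203\r\n"
    b"Mime-Version: 1.0\r\n"
    b"Date: Wed, 30 Mar 2011 09:37:20 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 3234\r\n"
    b"X-Squid-Error: ERR_INVALID_REQ 0\r\n"
    b"Content-Language: en\r\n"
    b"X-Cache: MISS from Streamride\r\n"
    b"Via: 1.1 Streamride (squid/3.2.0.4-20110203)\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed sample: an ordinary origin-server reply with no proxy markers.
PLAIN_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

# Headers that only a proxy/cache adds. Via also appears on legitimate
# forward proxies and CDNs; the tell in this thread is that it shows up on
# an address that runs no web server at all.
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def proxy_indicators(raw):
    """Return the proxy-only headers found, the proxy product named in
    Server/Via, and the intermediary names listed in Via. An empty dict
    means nothing proxy-like was seen in the response."""
    _, headers = parse_headers(raw)
    found = {name: headers[name] for name in PROXY_HEADERS if name in headers}
    product = re.search(r"\bsquid/([\w.\-]+)",
                        headers.get("server", "") + " " + headers.get("via", ""), re.I)
    if product:
        found["product"] = "squid/" + product.group(1)
    if "via" in headers:
        # "Via: 1.1 host1 (comment), 1.0 host2": the second token of each hop is its name
        hops = [hop.split() for hop in headers["via"].split(",")]
        found["hops"] = [h[1] for h in hops if len(h) > 1]
    return found
```

Running proxy_indicators on a reply from an address that should have no listener and getting a non-empty result is exactly the situation the thread describes; a bare 400 with no Via or X-Cache would point at a real listener on the host instead.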


