On Fri, Feb 03, 2006 at 11:02:33PM +0100, Mark-Walter@t-online.de wrote:
> Hi,
>
> this is the nmap -sT scan from a friend:

I guess you both are not in the same ISP

>
> > nmap -sT internet_address
>
> Port       State       Service
> 25/tcp     filtered    smtp
> 46/tcp     open        mpm-snd
> 80/tcp     filtered    http
> 119/tcp    open        nntp
> 445/tcp    filtered    microsoft-ds
> 1080/tcp   filtered    socks
> 6000/tcp   open        X11
> 6346/tcp   open        gnutella

The 'filtered' ones are probably filtered by your ISP. I can understand
(but don't share) why they block port 25 or port 445, but I wonder why
an ISP would filter out port 80, aren't people allowed to have a web
server at home?

> He has no firewall (like me) as he's saying a firewall is nothing good
> and not useful but there's an open X11 server available in the
> internet.

Well, he really should consider configuring his X11 server with
'-nolisten tcp' (which is the default in Debian, BTW). And he probably
wants to check what application he has running in port 46 and 119. He
can use 'lsof' for that (or 'netstat -punta').

> Isn't this vulnerable without a firewall?

IMHO, he is vulnerable only, and only if he either has:

- vulnerable configurations (i.e. he runs 'xhost +' and allows anyone to
  access his desktop remotely)

- has vulnerable applications (i.e. with software bugs that might lead
  to remote code execution).

Even if he fixes the first possibility, he might be unsure about the
second one. Given the fact that the Gnutella source code has not been
audited for security bugs (at least not that I know) he might be
vulnerable there. But then again, even if he added in a firewall, since
he wants to open up the Gnutella port for the Internet to do P2P he
would remain just as vulnerable.

I would suggest your friend to minimize his exposure by properly
configuring (and/or stopping) those Internet servers he doesn't have a
need for. He can add in a firewall, but if you end up having:

> > nmap -sT internet_address
>
> Port       State       Service
> 25/tcp     filtered    smtp
> 80/tcp     filtered    http
> 445/tcp    filtered    microsoft-ds
> 1080/tcp   filtered    socks
> 6346/tcp   open        gnutella

And he opens up the 6346 port it doesn't make him less of a target with
a firewall.

What a firewall *does* buy you is defense in depth. If somebody gets
access to his computer and opens up a server port, the firewall will
prevent access to it. Likewise, it also protects you against your own
mistakes, if he is just testing software and installs a vulnerable
server which automatically starts and he forgets about it.

If your friend wants to get even more paranoid, he could configure his
local firewall to close off *outgoing* access (host-based firewalls are
typically configured just for *incoming* but that doesn't mean it's the
only thing they can do), so that he could try to block applications that
try to contact the Internet if he has not authorised them previously.

That said, this is hardly Debian-specific, really.

Javier
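
One way to carry out the check suggested in the message above, as an added example that is not part of the original post: it parses `netstat -punta` output and lists the TCP listeners that are bound to a non-loopback address and are not on a list of services the user actually wants reachable. The sample output, PIDs and program names are constructed, and `wanted_ports` is a hypothetical parameter.

```python
import ipaddress

# Constructed sample of `netstat -punta` output (not from the original post).
# The ports mirror the scan in the thread; PIDs and program names are invented,
# and "-" is what netstat prints when it cannot see the owning process.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:6000       0.0.0.0:*          LISTEN      1234/Xorg
tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN      987/cupsd
tcp        0      0 0.0.0.0:6346       0.0.0.0:*          LISTEN      2222/gtk-gnutella
tcp        0      0 0.0.0.0:119        0.0.0.0:*          LISTEN      -
tcp        0      0 0.0.0.0:46         0.0.0.0:*          LISTEN      -
tcp        0      0 192.168.1.10:43210 203.0.113.5:80     ESTABLISHED 3333/firefox
tcp6       0      0 ::1:25             :::*               LISTEN      444/exim4
"""

def is_loopback(host):
    """True when the bind address is reachable only from the local machine."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparsable address: treat it as exposed, to be safe

def tcp_listeners(netstat_text):
    """Yield (port, bind_address, program) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header lines, established connections, other protocols
        host, _, port = fields[3].rpartition(":")  # rpartition copes with "::1:25"
        program = fields[6].strip() if len(fields) > 6 else "-"
        yield int(port), host, program

def exposed_listeners(netstat_text, wanted_ports=()):
    """Listeners reachable from the network that are not on the wanted list."""
    return sorted(
        (port, host, program)
        for port, host, program in tcp_listeners(netstat_text)
        if not is_loopback(host) and port not in wanted_ports
    )

if __name__ == "__main__":
    # Gnutella (6346) is deliberately open; everything else listed needs a decision.
    for port, host, program in exposed_listeners(SAMPLE, wanted_ports={6346}):
        print(f"{port}/tcp on {host} owned by {program}: bind to localhost or stop it")
```

Run `netstat -punta` as root to get the owning program for every socket; entries shown as `-` are the ones to look up with `lsof`.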