Security :: Doorways On Non-default Ports - New Trend In Black Hat SEO?

Dec 4, 2010

Quote:

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of a real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to online stores of software pirates).

Despite all my warnings, most of those sites are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to step even further in abusing reputation and resources of compromised servers. This post will be about one of such steps.


Ubuntu Networking :: What Ports Are Open By Default

Feb 4, 2010

Does Ubuntu come with a firewall preinstalled and running? I need to open port 9997 - how would I go about doing this?


Ubuntu Servers :: 10.04 - No Open Ports By Default

Dec 15, 2010

"Ubuntu Server has no open ports by default" - [URL]. Does this mean right after a 10.04 Server Edition installation, if a user wants to start a web service e.g. a Java process to listen on say port 8080, he would have to configure the firewall first?


Ubuntu Servers :: All Ports Filtered By Default?

May 1, 2011

I just finished setting up a Natty box to act as my home router / home web server. I installed beta2 a few days before the final was out and updated all of the packages (also tried a dist-upgrade just in case).

I performed the following setup:

- set up the webserver and sshd
- set up dhcp server and addressing
- set up rc.local to run rc.firewall with my filtering rules
- set the router live (rebooting it)

And that was basically it. Everything worked fine, except when I tried to open any of the sites that are hosted on the webserver from the outside world. It turned out that all of the ports on the external interface were blocked.

I decided to stop my firewall rules (flushing all rules) and then scan my box from the outside - still, all ports seemed to be filtered. I then decided to reboot the machine, disabling all mention of the rc.firewall script, but the ports were still filtered!

I then disabled apparmor and made sure ufw is disabled, but the ports are still filtered for the outside world. For the internal network they are not filtered.

Is there some other mechanism besides iptables rules that filters packets?


Ubuntu Servers :: 10.04 Edition - No Open Ports By Default?

Dec 15, 2010

I've tried to set up a Hadoop cluster on a few freshly-installed 10.04 Server Edition machines and hit a problem. (I was able to set up the cluster using Desktop edition previously). The issue is that I can't connect to the service even though the Java process is running and listening on the port and there is no error in the logs. Anyway, I started to wonder if it was a firewall issue so I googled it and found conflicting information.

1. "Ubuntu Server has no open ports by default" - [URL]
2. iptables shows different info. ufw is also disabled.

hadoopadmin@machine-1:~$ sudo iptables -L
[sudo] password for hadoopadmin:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
hadoopadmin@machine-1:~$ sudo ufw status verbose
Status: inactive

I even tried to enable ufw and did "sudo ufw default allow incoming" but still no help. The only package I manually selected during installation is OpenSSH server.


Ubuntu Networking :: Reset Network Configuration And Default Ports?

Jun 25, 2010

The other day I was using BitTornado and it was running so slow it was almost unholy. After some research I found out that if the yellow light was on it means I couldn't receive any incoming connections and had to open some ports on the firewall. That, my friends, is not the problem. I tried to manually open up the bittorrent port and did some other things that I can't quite remember but eventually I accidentally killed all bittorrent functionality on my laptop.

Is there any way I can reset my network and ports back to the default settings or am I utterly screwed? I'd really prefer not to have to reinstall my whole OS just to fix my bittorrent or worse, have to download on Vista *shudders*. I'd rather go back to my uber-slow bittorrent than none at all. I've tried everything I can think of, even the godlike might of Google couldn't get me out of this one. Now I am forced to bother you, all because I wanted to see a damn sci-fi film from Switzerland (Cargo[2009]).


Server :: Run A Ftp On Default Ports With Port 10100-10199 As Passive?

Feb 19, 2010

Trying to run an ftp server on default ports with port 10100-10199 as passive. Using vsftp. But the ports refuse to open. What the heck am I doing wrong? See screen shot. Oh, using Karmic now.


Security :: Get Around Isp Blocked Ports?

Sep 21, 2010

Is there any way I can ssh/rdp/telnet into my server from the outside bypassing Comcast ALL blocked ports?


CentOS 5 :: How To Install Trend Micro ServerProtect

Dec 30, 2009

How can I install Trend Micro ServerProtect on CentOS 5.3?


Fedora Security :: How To Filter Ports

Apr 28, 2011

I have open ports on my computer for vsftpd, pptpd, and I need help to filter these ports because they appear as open ports on the internet, and this is pretty risky.


Ubuntu Security :: Ufw Not Blocking Ports?

Apr 1, 2010

After reading a lot about networking and security I decided to check the security of my own Ubuntu box. So I went installing Nmap and discovered that port 139 was "open". Since I'd read how to use ufw I created a deny rule for port 139. After a second scan with Nmap it still said that port 139 was open as shown below.

[Code]...


Ubuntu Security :: What Ports Are Open And Why

Jul 27, 2010

I'm locking down my laptop. I know I can use a firewall to ensure nothing gets through that I didn't catch, and I certainly plan on using one, but in the meantime, I want to know what exactly is running on my system.

nmap localhost returns:
Code:
james@james-linux:~$ nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 994 closed ports
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

However, I know that localhost goes back to the loopback interface, 127.0.0.1. So, to see what was really open, I ran nmap 192.168.0.108, which is my laptop's IP at the moment.

Code:
james@james-linux:~$ nmap 192.168.0.108
Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT
Interesting ports on 192.168.0.108:
Not shown: 996 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Now if I understand correctly, I can attribute 139 and 445 to my Samba share. That I'm okay with. What I don't know is 111 and 2049. Does anyone know what these ports are, what's running on them, and how I could turn them off, supposing that they are a security risk?


Ubuntu Security :: Ports 21 / 110 And 143 Are Open?

Mar 18, 2011

I'm getting heat from the head networking office that ports 21, 110, and 143 are open. I can telnet to those ports from a remote machine (not localhost) and get a prompt. There does not seem to be anything listening on those ports according to netstat. I've tried using iptables to discard all traffic to and from those ports but I can still telnet to them. This is a Lucid desktop machine.


Security :: Anyway To NOT Log Dropped Ports 137 / 138 In Iptables?

Mar 30, 2011

We do NOT support samba on our Ubuntu servers but still zillions of windows machines are constantly trying to connect on the SMB ports. I've added a rule that drops access to destination ports 137-138 and that seems to work. But it creates many many log entries documenting that the packet has been dropped. I've been researching and cannot come up with a way to suppress logging for these drops.


Security :: Strange Ports On Public Ip?

Dec 2, 2010

Looking at my router logs I've noticed for the past while a range of source ports from 60000 to about 65000 from my source external IP to destination external IP always on port 80. I have 3 boxes on this network and this only seems to happen when I connect the one laptop. I even reinstalled the distro downloaded from trusted source but the router is still logging this. netstat -ntulp shows nothing operating in this range. chkrootkit shows nothing. Was thinking maybe someone was spoofing the external address but it's been happening on network startup for a month now.


Security :: UFW Block On Legitimate Ports

Jun 30, 2010

I enabled ufw yesterday, and am finding log entries like:

Jun 30 13:07:51 xxxx kernel: [15702368.296557] [UFW BLOCK] IN=eth1 OUT= MAC=00:22:19:5e:8f:23:00:0c:db:fc:8b:00:08:00 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=47632 PROTO=TCP SPT=58875 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

What is puzzling is I did the command: ufw allow 80.


Fedora Security :: Close Ports 443,80,22 & 23 Without Success?

Dec 8, 2009

Have tried to close ports 443, 80, 22 & 23 without success. Does anybody have any idea how to do this? I close them in a terminal and they're still opened. I closed them in services and they're still open. What am I not doing right?


Ubuntu Security :: 9.10 - No Open Ports In System

Apr 10, 2010

I installed Ubuntu 9.10 recently. I heard that there will be no open ports in the system unless I specifically open one. How do I scan to find an open port in my system?


Ubuntu Security :: Ufw Doesn't Open Ports?

Jul 6, 2010

When I enable my ufw it completely shuts me out and closes my internet connection. I installed firewall configuration interface and through it defined rules to accept incoming internet connections on port 80. I can see the rules are there, but when I enable my firewall it just shuts me out completely again.
When I do (with my firewall enabled):

Code:
$ sudo ufw status
it gives me:
Quote:
Status: active

[Code].....

I also messed around with fwbuilder and iptables but since then deleted fwbuilder (besides, I just compiled firewall policy and never actually installed it because of errors while trying to install it). Iptables I cleared with:

Code:
$ sudo iptables -F


Ubuntu Security :: Keeping All Ports Stealthed?

Sep 26, 2010

I know how to forward ports in my router. Now I need to open a port to help with testing a project and no matter what I've tried, every port under 1055 shows up as stealthed (with 1-71 closed) according to Shields Up! I'm happy to run it at a port > 1024, but whatever I try also shows up stealthed. I even tried (briefly) turning on DMZ and still the same thing. My ISP swears that they only block port 80, 21 and 25, none of which I'm trying to use. UFW status reports inactive and I'm not using firestarter. I'm not running any other server (apache, light speed etc). If it's not my router and it's not my ISP, and there's no other server apps running, then that kind of leaves Ubuntu as far as I can see,


Ubuntu Servers :: Performance Monitoring Tool For Trend Analysis?

Feb 9, 2010

It is vital to get a useful server performance monitoring tool that prevents growth related performance issues. Moreover, it should offer long term capacity planning and trend analysis along with detecting performance issues and unwanted outages.


Server :: Munin: Creating Custom Trend Analysis Reports?

Mar 4, 2010

We're using Munin for trend analysis purposes, but would like to use it to generate custom reports. One way I envision this is:

* The report is created as a web-page on the munin server, such as [URL]

* The layout of the report is customized based on the project

* The report will be triggered by a cron-job, and I will be notified by email when the report is completed

Does anyone know if this type of script/job already exists?


Ubuntu Security :: Block All Ports Except Pop And Smtp In NAT Through Iptables?

Jan 20, 2010

How to block all ports except pop, pop3, smtp in NAT using iptables in squid on Red Hat A3?


Ubuntu Security :: What Ports Does Firefox Use To Connect To The Internet

Apr 24, 2010

What ports does Firefox use to connect to the Internet?


Ubuntu Security :: Finding Connections On Ports Despite Ufw Rules?

May 2, 2010

My ufw rules have been loaded and are active, yet using iptraf I see TCP connections on ports that were never allowed by ufw. Can anyone explain this to me? Does ufw just not work?


Ubuntu Security :: Some Firewall Ports Were Detected As Being Closed

Nov 12, 2010

What are the security implications of closed ports?


Ubuntu Security :: Sshd Logs And Connection Ports ?

Feb 9, 2011

What is happening when I log in to my Ubuntu server machine via ssh and putty? Trying to understand everything, primarily securing my server.

I have specified the ssh server to listen on port 5525, and can login without a problem.

When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.

What is happening here and why is the logged connection a different port to the one specified in the config file?


Ubuntu Servers :: Secure Fileserver Over Internet - Opening Samba Ports Make Default Particularly Vulnerable To Penetration?

May 26, 2011

I'd like to set up a fileserver for myself and a few trusted individuals. I'm computer savvy and I use various linux servers frequently for work, but this is my first time trying to setup my own. Is it possible to have a Samba server setup so it is both secure and facing the Internet? Two questions:

Will opening Samba ports make my default Ubuntu server particularly vulnerable to penetration? More than having an SSH server running? Does Samba/ can Samba be configured to encrypt traffic or is it sent plainly? If so, do Windows and Mac support this secure communication?

If not, what would you suggest? I'd like to achieve something like a network drive and at a difficulty level that my parents could use this if they really wanted to. I will be storing things like financial information and tax returns, but no weapons-grade secrets.


Ubuntu Security :: Restrict Open Ports In Firestarter When Using Torrents?

Aug 19, 2010

I am trying to configure Bittornado and iptables using Firestarter. I have got it working but am concerned about security holes.

Let me explain.

AIUI, the Bittornado program contacts the "tracker" on various ports which (from the previously blocked connections in Firestarter) ranged from 4664 to 65532. Therefore, currently I have set this range to be open to allow downloads of the torrent.

However, this seems, IMHO, to devalue the point of having a restrictive exit policy for Firestarter since now virtually all ports are open. I can see nothing on the Bittornado client to restrict the outgoing ports although the "listening" (incoming) ports can be restricted.

I would prefer to have my system locked-down so that the minimal number of ports are open to initiate external connections so is there any way to achieve this with Bittornado?


Ubuntu Security :: High Numbers Ports Opened Transiently

Nov 5, 2010

While (attempting) to set up ssh on a couple of machines (not this one) I've noticed that I keep getting some strange unknown ports showing as open on my PC when I do a port scan on its address. They are only opened transiently, they are all high numbers eg 33348, 41147, 50370 etc. I have opened no ports on this machine at any time and ufw is set to deny all incoming.
