too many open ports!

Post by Kernel Pani » Thu, 14 Jun 2001 12:16:40

Hi,
    I don't have too much experience with Windows 2000, but needed to
install it on my sister's laptop for stability reasons (W98 crashed too
often, 2K works great on it).  Anyways, she uses it at college and has a
constant connection to the Internet with a static IP address.  Because of
this (and the fact that I get port scanned at least once a day) I'm worried
about her security.  I know how to secure Windows 98 (within reason, i.e.
turn off file sharing and run ZoneAlarm), but need some advice for 2K. Since
she got it through the UW-Madison at a student discount, it came with no
instructions.
    If anyone has any advice, or links to sites that might help close the
ports, I would greatly appreciate it.  Also, if anyone can tell me what
might be on port TCP 1025, and UDP 1026, I'm curious to learn.  I do have
SP2 with ALL of the updates on the http://www.windowsupdate.com website.
    Thanks for your time and help.
    --Brian

Below is the result of a port scan that I ran from our LAN with her machine
directly connected.

 Interesting ports on  (x.x.x.x):
(The 65531 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=16673 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 878 seconds

 Warning:  No TCP ports found open on this machine, OS detection will be
MUCH less reliable
Interesting ports on  (x.x.x.x):
(The 65529 ports scanned but not shown below are in state: closed)
Port       State       Service
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
445/udp    open        microsoft-ds
500/udp    open        isakmp
1026/udp   open        unknown

Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds

too many open ports!

Post by Jerry Lesl » Thu, 14 Jun 2001 14:46:00

: Also, if anyone can tell me what might be on port TCP 1025, and UDP 1026,
: I'm curious to learn.  

  http://www.robertgraham.com/pubs/firewall-seen.html
  FAQ: Firewall Forensics (What am I seeing?)

--Jerry Leslie

too many open ports!

Post by bomb » Thu, 14 Jun 2001 19:49:52

> Hi,
>     I don't have too much experience with Windows 2000, but needed to
> install it on my sister's laptop for stability reasons (W98 crashed too
> often, 2K works great on it).  Anyways, she uses it at college and has a
> constant connection to the Internet with a static IP address.

Static IP?  Public or private IP range?  Looking at the NMAP scans, it looks
as if it's running on a public address range.  That's not really good.  If
the uni are worth their salt, they'll have some pretty heavy duty security
if they're running this sort of scheme; however, I know that unis are a
popular hunting ground for crackers.

> Because of
> this (and the fact that I get port scanned at least once a day) I'm worried
> about her security.  I know how to secure Windows 98 (within reason, i.e.
> turn off file sharing and run ZoneAlarm), but need some advice for 2K.
> Since
> she got it through the UW-Madison at a student discount, it came with no
> instructions.

You can run ZA on W2K too.  Good start.  I'd put it in super-paranoid mode
[not actually a setting, but you get the idea].

>     If anyone has any advice, or links to sites that might help close the
> ports, I would greatly appreciate it.  Also, if anyone can tell me what
> might be on port TCP 1025, and UDP 1026, I'm curious to learn.  I do have
> SP2 with ALL of the updates on the http://www.windowsupdate.com website.
>     Thanks for your time and help.
>     --Brian

You've got the right ideas - keeping the patches up to date is the most
important thing with Windows.  TCP/UDP ports above 1024 are dynamic ports
for various services that aren't linked to a specific port.  However, this
isn't something to be too worried about; the ports 1023 and below are the
ones regarded as the 'sensitive' ports.  For this reason, provided your
sister doesn't need them for uni work, I'd look to block the NetBIOS ports
and the MS-DS ports.  You can do this through customising ZA or through the
Advanced properties of TCP/IP [a feature of W2K].  We'd be better off
knowing how your sister will be using her computer though - you may not have
the option to do this if she has to connect to shares on the college
servers.

As a couple of final recommendations, I'd make sure she keeps up-to-date
anti-virus software on there, and I suggest you occasionally run netstat,
or, if you prefer, run NMAP remotely.  You might also want to raise some of
these security issues with the college - ask what sort of protection they're
running, etc.

bomba

> Below is the result of a port scan that I ran from our LAN with her machine
> directly connected.

>  Interesting ports on  (x.x.x.x):
> (The 65531 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 135/tcp    open        loc-srv
> 139/tcp    open        netbios-ssn
> 445/tcp    open        microsoft-ds
> 1025/tcp   open        listen

> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=16673 (Worthy challenge)
> Remote operating system guess: Windows 2000 RC1 through final release

> Nmap run completed -- 1 IP address (1 host up) scanned in 878 seconds

>  Warning:  No TCP ports found open on this machine, OS detection will be
> MUCH less reliable
> Interesting ports on  (x.x.x.x):
> (The 65529 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 135/udp    open        loc-srv
> 137/udp    open        netbios-ns
> 138/udp    open        netbios-dgm
> 445/udp    open        microsoft-ds
> 500/udp    open        isakmp
> 1026/udp   open        unknown

> Too many fingerprints match this host for me to give an accurate OS guess
> Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
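The advice in the thread boils down to: read the nmap table, filter the NetBIOS (137-139) and MS-DS (445) listeners unless campus shares are needed, and treat anything above 1024 as something to identify with netstat on the host rather than worry about blindly. The script below is an added example, not code from any poster, that parses the two nmap tables quoted above (embedded here as constructed sample input) and applies exactly that triage. The verdicts for 135/RPC, 500/ISAKMP and the dynamic ports are my own reading of a default Windows 2000 install and are labelled as such in the comments; nmap itself only reports the port, state and service name.

```python
import re
from collections import namedtuple

# Constructed sample input: the two nmap tables posted in the thread,
# reproduced here so the script runs offline with no scanner involved.
NMAP_OUTPUT = """\
Interesting ports on  (x.x.x.x):
(The 65531 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen

Interesting ports on  (x.x.x.x):
(The 65529 ports scanned but not shown below are in state: closed)
Port       State       Service
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
445/udp    open        microsoft-ds
500/udp    open        isakmp
1026/udp   open        unknown
"""

# One "<port>/<proto>  <state>  <service>" row.  The header line and the
# "(The N ports scanned ...)" summary don't start with a digit, so they skip.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

Finding = namedtuple("Finding", "port proto state service verdict note")

# Verdicts for the listeners a default Windows 2000 install exposes.
# "block": filter at the host (ZoneAlarm or TCP/IP filtering) or upstream
#          unless the machine must reach campus file shares.
# "review": legitimate default listener; keep only if the feature is used.
# These mappings are the editor's assumptions, not output from nmap.
KNOWN = {
    (135, "tcp"): ("block", "RPC endpoint mapper (loc-srv); no reason to expose it off-LAN"),
    (135, "udp"): ("block", "RPC endpoint mapper (loc-srv); no reason to expose it off-LAN"),
    (137, "udp"): ("block", "NetBIOS name service"),
    (138, "udp"): ("block", "NetBIOS datagram service"),
    (139, "tcp"): ("block", "NetBIOS session service (SMB over NetBIOS)"),
    (445, "tcp"): ("block", "microsoft-ds (SMB directly over TCP)"),
    (445, "udp"): ("block", "microsoft-ds"),
    (500, "udp"): ("review", "ISAKMP/IKE from the IPsec policy agent; keep only if IPsec is used"),
}


def classify(port, proto):
    """Map a (port, proto) pair to a verdict and a one-line explanation."""
    if (port, proto) in KNOWN:
        return KNOWN[(port, proto)]
    if port >= 1024:
        # Assumption: on Windows 2000 the first ports above 1024 are usually
        # RPC endpoints handed out by the endpoint mapper.  nmap cannot say
        # which service owns them; netstat on the host can.
        return ("investigate", "dynamic range; identify the owner with netstat -an on the host")
    return ("investigate", "unrecognised service below 1024")


def parse_nmap(text):
    """Parse nmap's 'Port  State  Service' table into Finding tuples (open ports only)."""
    findings = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2)
        state, service = m.group(3), m.group(4)
        if state != "open":
            continue
        verdict, note = classify(port, proto)
        findings.append(Finding(port, proto, state, service, verdict, note))
    return findings


def ports_to_block(findings):
    """Sorted (port, proto) pairs that the thread's advice says to filter."""
    return sorted({(f.port, f.proto) for f in findings if f.verdict == "block"})


def report(findings):
    """Plain-text summary, one line per open port."""
    return "\n".join(
        "%5d/%s  %-12s %-11s %s" % (f.port, f.proto, f.service, f.verdict, f.note)
        for f in findings
    )


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print(report(found))
    print("\nFilter these:", ", ".join("%d/%s" % p for p in ports_to_block(found)))
```

The row regex matches the column shape current nmap still prints for its normal scan output, so the same parser works on a fresh scan; only the KNOWN table is specific to what a Windows 2000 box listens on by default. Anything that comes back "investigate" is a prompt to run netstat on the laptop and match the port to a process, not a finding in itself.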