
Thread: SG Security Scan

  1. #1 BaLa (Elite Member)

    SG Security Scan

    I only have a basic membership for now..


    '22/tcp
    open
    ssh Secure Shell - most common use is command line access, secure replacement of Telnet. Could also be used as an encrypted tunnel for secure communication of virtually any service.'

    I have CableAmerica as my ISP (Cable Modem)
    SB4100 connected to a Linksys BEFSR41v2 Router w/ v1.442 Firmware
    In the router settings, I disabled all port forwarding and DMZ Host is off as well..


    Why is this port '22' showing up as open and how do I close it?


    also
    '53/tcp
    closed
    domain DNS (Domain Name Service) is used for domain name resolution'

    is 'only' closed and not filtered; should I be worried about that, or is there a way I can 'filter' the port?




    TIA
    TC

  2. #2 Philip (Administrator)
    What OS? Port 22/tcp and port 53 are usually open on Linux machines; as the portscan suggests, their official uses are SSH and DNS.

    The fact that a particular port is closed just means that the port responds about not accepting connections... Meaning, a potential intruder scanning for machines that are running will see that there is someone at that IP, although the port itself does not accept connections to it.

    Port 22 is usually associated with SSH... Depending on whether you are running this service, you should either acknowledge or worry about it. Either way the scan just alerts you that your end is accepting connections to that port...

    I would make sure the right IP is being scanned before hunting down why port 22 is open. Any web proxies?
    Linux is user friendly, it's just picky about its friends...
    Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits).
    ๑۩۞۩๑

  3. #3 BaLa (Elite Member)
    OS is W2k SP3
    no proxies...


    funny now that you mention it, I assumed it was scanning the right IP but, in my router config/status
    my IP is diff. than the one being scanned...

    of course I can't and won't post either of the 2 addresses but the IP address the SG Security Scan tested/checked is the same except for the last 2 octets (I think that's what it's called)

    <edit> I did a 'DHCP Release' and 'DHCP Renew' in my router config and rescanned, and the same thing I described above happened again..

  4. #4 Philip (Administrator)
    Originally posted by BaLa
    OS is W2k SP3
    no proxies...


    funny now that you mention it, I assumed it was scanning the right IP but, in my router config/status
    my IP is diff. than the one being scanned...

    of course I can't and won't post either of the 2 addresses but the IP address the SG Security Scan tested/checked is the same except for the last 2 octets (I think that's what it's called)

    <edit> I did a 'DHCP Release' and 'DHCP Renew' in my router config and rescanned, and the same thing I described above happened again..
    In your browser, make sure you turn off any web proxy. For IE, go to Tools > Internet Options > Connections > LAN settings, and make sure there are no check marks in there.

  5. #5 BaLa (Elite Member)
    I checked again...
    no web proxies on any of 4 computers

  6. #6 TonyT (Elite Member)
    The DNS Client service is probably set to Automatic instead of Manual or Disabled.

    You also probably have the Telnet service set to Automatic instead of Disabled.

    If these services are running (started) then those ports will show as open if they are in use and closed if they are not in use. If the services are not started then they will not show up in a scan.
    No one has any right to force data on you
    and command you to believe it or else.
    If it is not true for you, it isn't true.

    LRH

  7. #7 BaLa (Elite Member)
    DNS Service was started
    I stopped the service and changed the setting to disabled..

    TELNET was set to Automatic (but not started)
    I changed it to disabled..

    Port 53/TCP is closed now..

    22 is still open..

    although it still seems like it's not even scanning the right IP address.

  8. #8 greEd (Security Specialist)
    Why not connect to your router, find out your WAN IP, then when you connect to SpeedGuide make sure the IP address they are getting ($REMOTE_ADDR) matches the one found on the Linksys.

    The chance of you having 22 open on the computer is slim to none unless you explicitly set up an ssh server on windows for some odd reason.

    I'm not too sure about the remote management features on your router but that would be the first suspect, as it is the first thing being hit when the scan takes place. Try telnetting into port 22 of your router's LAN and WAN IP address (example: telnet 192.168.0.1 <replace 192.168.0.1 with lan> 22); if it connects then the router allows encrypted remote management.
    "I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as thats all I have :-(." --Posted on Usenet August 1991 by Linus Trovalds
    http://www.computerglitch.net
    curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
    EOF

  9. #9 TonyT (Elite Member)
    correction:
    telnet 192.168.0.1 > telnet 192.168.1.1

  10. #10 greEd (Security Specialist)
    Originally posted by TonyT
    correction:
    telnet 192.168.0.1 > telnet 192.168.1.1
    Thanks Tony ... it varies by manufacturer and personalizations

  11. #11 BaLa (Elite Member)
    oh like I said before..

    after I checked my router's config/WAN IP

    the 2 IPs are diff.

    SG Security Scan checks IP **.***.***.**
    my WAN IP is **.***.***.***

    they are the same except for the last two numbers (octets? I think each set of numbers is called an octet, I forget, it's been awhile..that's besides the point..)

    oddly enough though, IF the SG Security Scanner scanned the wrong IP address (which seems to be the case), stopping the DNS Service should not have affected the scan..

    this is as weird as it gets...I will reboot my router...to see if that will make a diff..

    <edit> rebooted the router twice, also rebooted my cable modem, and still the WAN IP differs from the IP SG Security Scan is reporting, and again I'm not using any proxies...

    any ideas Philip?..
    or somebody else maybe?

    also for what it's worth, (not much I know )
    the security scan @ DSLReports is reporting my correct IP address.

  12. #12 Philip (Administrator)
    I've just included a test for transparent proxies within the Security scan... If that's the case the correct IP should be shown now.

    Please try again and let me know whether it's detecting the correct IP now.

    BTW, the request to SG pages (your posting IP) is from:

    66.218.***.**. The host name is: ip-66-218-***-**.cablemo.net

    That means for all practical purposes that's what connects to our server...


    TIA for testing.
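As an added example (not SpeedGuide's own code), here is how a server-side transparent-proxy test of the kind Philip describes can decide which address to report and scan. The Via / X-Forwarded-For logic, the fallback rules and the sample request are assumptions constructed for illustration; a forwarded address is caller-controlled, so a public scanner should display the detected address for the user to confirm rather than trust it blindly.

```python
import ipaddress

# Constructed sample request (RFC 5737 documentation addresses), standing in for
# what a web-based scanner sees when the visitor sits behind an ISP's transparent
# HTTP proxy: REMOTE_ADDR is the proxy, the real client is in X-Forwarded-For.
SAMPLE_PROXIED_REQUEST = {
    "REMOTE_ADDR": "203.0.113.20",
    "HTTP_VIA": "1.1 cache1.isp.example (squid)",
    "HTTP_X_FORWARDED_FOR": "203.0.113.77",
}

# Ranges a public scanner must never target: a forwarded header naming one of
# these would aim the scan at the scanner's own LAN or at nothing useful.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def routable_ipv4(text):
    """Return the parsed address if it is a routable IPv4 literal, else None."""
    try:
        ip = ipaddress.IPv4Address(text.strip())
    except ValueError:
        return None
    return None if any(ip in net for net in _NON_ROUTABLE) else ip


def choose_scan_target(env):
    """Pick the address a port scan should report and target.

    Returns (target, proxied, reason). A forwarded address is used only when a
    proxy announces itself with Via AND X-Forwarded-For holds exactly one
    routable IPv4 that differs from REMOTE_ADDR; otherwise fall back to
    REMOTE_ADDR. Both headers are caller-controlled: treat the result as a
    detection to show the user, not as proof of who is connecting.
    """
    remote = routable_ipv4(env.get("REMOTE_ADDR", ""))
    if remote is None:
        return None, False, "REMOTE_ADDR is not a routable IPv4 address"
    via = env.get("HTTP_VIA", "").strip()
    hops = [h for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    if not via or not hops:
        return str(remote), False, "no proxy headers; scanning REMOTE_ADDR"
    if len(hops) != 1:
        return str(remote), True, "multi-hop X-Forwarded-For; using REMOTE_ADDR"
    client = routable_ipv4(hops[0])
    if client is None or client == remote:
        return str(remote), True, "proxy seen but X-Forwarded-For unusable"
    return str(client), True, f"transparent proxy {remote} ({via}); scanning client"
```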

  13. #13 BaLa (Elite Member)
    thanks


    as I stated in the PM it works now..

    I'm still a bit confused as to what the trans. proxy is..
    I shall do some research, before I head off to work...

    <edit>

    for anybody that is interested as well

    http://www.speedguide.net/faq_in_q.p...egory=88&qid=2

    http://www.transproxy.nlc.net.au/
    only thing interesting in this page is this
    How Is It Used?
    Take for example the network configuration of a FreeBSD or Linux box acting as a dialin server (or terminal server), and another FreeBSD or Linux box acting as a Squid (or any other) proxy cache. Normally users would have to configure their browser to access the proxy. This transparent proxy will automatically intercept HTTP accesses and re-direct them to the Squid (or any other) proxy server. The users need not even know that a proxy is being used, it's that transparent.

    basically it seems like a proxy server on the ISP's end to save on their bandwidth..
    and I see no way around it..


    interesting...
