[c-nsp] open ports on a Cisco device & IOS hardening
Hank Nussbacher
hank at mail.iucc.ac.il
Sat Apr 16 15:27:32 EDT 2005
At 11:46 PM 16-04-05 +0800, Cis Ckp wrote:
>Hi,
>
>
>Someone from the security group would do "Open port" scan
>monthly for the networks & servers. For the Sun servers, we
>would usually do "netstat -n" to see the "open ports" & then
>edit the inetd.conf to close up unnecessary ports.
>
>Is there something similar for Cisco devices/routers, say,
>tweak existing ACLs or create new ACLs so that the unnecessary
>ports are not opened? Besides ACL, is there anything more I
>could do? If anyone can point to a url that explains these,
>appreciate it.
>
>Is the command to see what's the open ports for a Cisco
>device as follows :
This only shows TCP ports. You also need 'sho ip sockets':
TAU-gp1#sho ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 62.40.103.70 9875 0 0 1 0
17 128.139.197.70 514 192.114.99.250 53806 0 0 10 0
17 128.139.197.70 49 192.114.99.250 49 0 0 11 0
17 --listen-- 224.0.1.40 496 0 0 31 0
17 0.0.0.0 0 62.40.103.70 67 0 0 489 0
17 --listen-- 62.40.103.70 123 0 0 1 0
17 212.150.52.10 47836 192.114.99.250 161 0 0 1 0
17 --listen-- 62.40.103.70 162 0 0 9 0
17 --listen-- 62.40.103.70 58576 0 0 9 0
Protocol 17 is UDP.
-Hank
>
>Router#sh tcp brief
>TCB Local Address Foreign Address (state)
>637202B8 10.0.0.19.12298 172.16.112.29.49 ESTAB
>6371C978 10.0.0.19.12238 172.16.112.29.49 ESTAB
>636CB228 10.0.0.19.12081 172.16.112.29.49 CLOSEWAIT
>
>
>Regards
>Goh
>
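As an added example (not code from Hank's or Goh's messages, nor a Cisco tool), here is a small Python parser for the two listings above that reports which ports actually accept unsolicited traffic, which is what an ACL review needs to start from. The sample rows are copied from the message; treating a 0.0.0.0:0 peer as a wildcard listener is an assumption.

```python
import re
from collections import namedtuple

# remote is "listen" for a passive socket, otherwise "ip:port"
Sock = namedtuple("Sock", "proto local_addr local_port remote")
PROTO = {"6": "tcp", "17": "udp"}

def parse_ip_sockets(text):
    """'show ip sockets': a passive socket prints '--listen--' in place of
    the Remote and Port columns, so the column count varies per row."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if not f or not f[0].isdigit():
            continue  # prompt or header line
        if f[1] == "--listen--":
            out.append(Sock(PROTO.get(f[0], f[0]), f[2], int(f[3]), "listen"))
        else:
            out.append(Sock(PROTO.get(f[0], f[0]), f[3], int(f[4]), f"{f[1]}:{f[2]}"))
    return out

def parse_tcp_brief(text):
    """'show tcp brief': addresses are dotted-quad.port; a LISTEN row has a
    wildcard foreign address, anything else is an active connection."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) != 4 or not re.fullmatch(r"[0-9A-Fa-f]+", f[0]):
            continue  # skip prompt/header; the TCB column is a hex handle
        la, lp = f[1].rsplit(".", 1)
        remote = "listen" if f[3] == "LISTEN" else ":".join(f[2].rsplit(".", 1))
        out.append(Sock("tcp", la, int(lp), remote))
    return out

def listening_ports(socks):
    """(proto, port) pairs that accept unsolicited traffic: explicit listeners
    plus sockets whose peer is the wildcard 0.0.0.0:0 (assumed; e.g. DHCP on 67)."""
    return sorted({(s.proto, s.local_port) for s in socks
                   if s.remote in ("listen", "0.0.0.0:0")})

# Sample rows copied from the two listings in the message above.
IP_SOCKETS = """Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 62.40.103.70 9875 0 0 1 0
17 128.139.197.70 514 192.114.99.250 53806 0 0 10 0
17 0.0.0.0 0 62.40.103.70 67 0 0 489 0
17 --listen-- 62.40.103.70 123 0 0 1 0
17 212.150.52.10 47836 192.114.99.250 161 0 0 1 0"""
TCP_BRIEF = """TCB Local Address Foreign Address (state)
637202B8 10.0.0.19.12298 172.16.112.29.49 ESTAB
636CB228 10.0.0.19.12081 172.16.112.29.49 CLOSEWAIT"""

if __name__ == "__main__":
    print(listening_ports(parse_ip_sockets(IP_SOCKETS) + parse_tcp_brief(TCP_BRIEF)))
```

Rows with a concrete peer (syslog to 514, the SNMP reply to 161) are transient and do not need an inbound ACL entry, whereas every pair this prints should map to a known service or be blocked.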