[c-nsp] open ports on a Cisco device & IOS hardening

Jared Mauch jared at puck.nether.net
Mon Apr 18 14:41:37 EDT 2005


	It should also be noted that in the past I've not been able to
get Cisco to fix the problem that "show tcp brief all" does not show
all listeners.

	Your best bet is to actually use some external
validation tool, as IOS tends to lie (e.g. nmap).

	I recommend that everyone be doing this as part of
their software validation procedures prior to loading it, and
to inquire with Cisco TAC, or even PSIRT, if you see something
that smells strange.  Perhaps with enough pressure Cisco will
resolve these outstanding bugs.

	- Jared

On Mon, Apr 18, 2005 at 09:12:29AM -0400, Todd, Douglas M. wrote:
> Goh:
> 
> Try disabling your small udp/tcp servers:
> 
> no service tcp-small-servers
> no service udp-small-servers
> 
> You might want to try looking at this url:
> 
> http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
> 
> ==DMT>
> 
> old>>-----Original Message-----
> old>>From: cisco-nsp-bounces at puck.nether.net 
> old>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> old>>Hank Nussbacher
> old>>Sent: Saturday, April 16, 2005 15:28
> old>>To: Cis Ckp; cisco-nsp at puck.nether.net
> old>>Subject: Re: [c-nsp] open ports on a Cisco device & IOS hardening
> old>>
> old>>At 11:46 PM 16-04-05 +0800, Cis Ckp wrote:
> old>>>Hi,
> old>>>
> old>>>
> old>>>Someone from the security group would do "Open port" scans monthly for
> old>>>the networks & servers.  For the Sun servers, we would usually do
> old>>>"netstat -n" to see the "open ports" & then edit the inetd.conf to
> old>>>close up unnecessary ports.
> old>>>
> old>>>Is there something similar for Cisco devices/routers, say, tweak
> old>>>existing ACLs or create new ACLs so that the unnecessary ports are not
> old>>>opened?  Besides ACLs, is there anything more I could do?  If anyone can
> old>>>point to a url that explains these, I'd appreciate it.
> old>>>
> old>>>Is the command to see what the open ports are for a Cisco device as
> old>>>follows:
> old>>
> old>>This only shows TCP ports.  You need also 'sho ip sockets':
> old>>
> old>>TAU-gp1#sho ip sockets
> old>>Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> old>>  17   --listen--          62.40.103.70     9875   0   0    1   0
> old>>  17 128.139.197.70    514 192.114.99.250  53806   0   0   10   0
> old>>  17 128.139.197.70     49 192.114.99.250     49   0   0   11   0
> old>>  17   --listen--          224.0.1.40        496   0   0   31   0
> old>>  17 0.0.0.0             0 62.40.103.70       67   0   0  489   0
> old>>  17   --listen--          62.40.103.70      123   0   0    1   0
> old>>  17 212.150.52.10   47836 192.114.99.250    161   0   0    1   0
> old>>  17   --listen--          62.40.103.70      162   0   0    9   0
> old>>  17   --listen--          62.40.103.70    58576   0   0    9   0
> old>>
> old>>protocol 17 is UDP.
> old>>
> old>>-Hank
> old>>
> old>>>
> old>>>Router#sh tcp brief
> old>>>TCB       Local Address           Foreign Address        (state)
> old>>>637202B8  10.0.0.19.12298       172.16.112.29.49       ESTAB
> old>>>6371C978  10.0.0.19.12238       172.16.112.29.49       ESTAB
> old>>>636CB228  10.0.0.19.12081       172.16.112.29.49       CLOSEWAIT
> old>>>
> old>>>
> old>>>Regards
> old>>>Goh
> old>>>
> old>>>_______________________________________________
> old>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> old>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> old>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
> old>>
> old>>
> 

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
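Jared's point is that the router's own listener tables ("show tcp brief all", "show ip sockets") cannot be trusted on their own and should be cross-checked against an external scanner. The script below is an added example, not code from the thread or from Cisco: it parses both IOS tables, parses an nmap grepable (-oG) host line for the same router, and reports three things a defender wants to know: ports the scanner sees that IOS did not report, ports IOS reports that the scanner could not confirm (often an ACL or a listener bound to another interface), and any of the tcp/udp small-server ports (echo, discard, daytime, chargen) that Doug suggests disabling. The sample IOS and nmap output is constructed, modelled on the format quoted in the thread, and uses RFC 5737 documentation addresses.

```python
import re

# Constructed sample of `show ip sockets` output (format as quoted in the thread).
# Protocol 17 is UDP; "--listen--" in the Remote column marks a listening socket.
SHOW_IP_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
  17   --listen--          192.0.2.1      9875   0   0    1   0
  17 198.51.100.7      514 192.0.2.1     53806   0   0   10   0
  17   --listen--          192.0.2.1       123   0   0    1   0
  17   --listen--          192.0.2.1       161   0   0    1   0
"""

# Constructed sample of `show tcp brief all`; LISTEN rows are the TCP listeners.
SHOW_TCP_BRIEF_ALL = """\
TCB       Local Address           Foreign Address        (state)
637202B8  *.22                    *.*                    LISTEN
6371C978  *.23                    *.*                    LISTEN
636CB228  192.0.2.1.12081         203.0.113.5.49         ESTAB
"""

# Constructed nmap grepable (-oG) host line for the same router. Field order in
# the Ports list is port/state/proto/owner/service/rpc/version/.
NMAP_GREPABLE = (
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 123/open/udp//ntp///, 161/open/udp//snmp///, "
    "19/open|filtered/udp//chargen///, 9875/open|filtered/udp/////"
    "\tIgnored State: closed (993)"
)

IP_PROTO = {6: "tcp", 17: "udp"}

# Ports served by `service tcp-small-servers` / `service udp-small-servers`.
SMALL_SERVER_PORTS = {("tcp", 7), ("tcp", 9), ("tcp", 13), ("tcp", 19),
                      ("udp", 7), ("udp", 9), ("udp", 19)}


def parse_show_ip_sockets(text):
    """Return {(proto, port)} for sockets IOS reports as listening."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # header or blank line
        proto = IP_PROTO.get(int(fields[0]))
        if proto is None:
            continue
        if fields[1] == "--listen--":
            local_port = fields[3]
        elif fields[1] == "0.0.0.0" and fields[2] == "0":
            local_port = fields[4]  # wildcard remote peer: treated as a listener (assumption)
        else:
            continue  # established flow, not a listener
        listeners.add((proto, int(local_port)))
    return listeners


def parse_show_tcp_brief(text):
    """Return {("tcp", port)} for rows in LISTEN state; local address is addr.port."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-1] != "LISTEN":
            continue
        port = fields[1].rsplit(".", 1)[1]
        listeners.add(("tcp", int(port)))
    return listeners


PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/")


def parse_nmap_grepable(text):
    """Return {(proto, port)} for ports nmap reports as open or open|filtered."""
    observed = set()
    for line in text.splitlines():
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for port, state, proto in PORT_RE.findall(m.group(1)):
            if state.startswith("open"):
                observed.add((proto, int(port)))
    return observed


def compare_listeners(declared, observed):
    return {
        "unreported": observed - declared,        # scanner sees it, IOS did not report it
        "unconfirmed": declared - observed,       # IOS reports it, scanner could not reach it
        "small_servers": observed & SMALL_SERVER_PORTS,
    }


def audit(ip_sockets_text, tcp_brief_text, nmap_text):
    declared = parse_show_ip_sockets(ip_sockets_text) | parse_show_tcp_brief(tcp_brief_text)
    return compare_listeners(declared, parse_nmap_grepable(nmap_text))


if __name__ == "__main__":
    for key, ports in audit(SHOW_IP_SOCKETS, SHOW_TCP_BRIEF_ALL, NMAP_GREPABLE).items():
        print(f"{key}: {sorted(ports)}")
```

In the constructed sample, tcp/80 and udp/19 show up as "unreported": the scanner finds them but neither IOS table lists them, which is exactly the discrepancy worth raising with TAC or PSIRT. Scan the router from a host on a different segment than the one you are auditing, and scan each interface address separately, since IOS listeners may be bound per interface.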
