[c-nsp] Security scanner showed plenty of open ports but "show ip socket" doesn't

Cis Ckp cisckp8 at yahoo.com.sg
Tue Aug 23 07:14:39 EDT 2005


Hi,
 
 
Bear with me if I've got my basics wrong.
 
Our security guys have run a scan on one addr 10.196.8.4
which is owned by the Layer 2 sc0 interface of our 6509
(see the scan results furthest below):
 
set interface sc0 2 10.196.8.4/255.255.255.128 10.196.8.127
 
How can I close those ports?
 
Does it make sense for me to log in to this 6509's MSFC & issue
"sh ip socket" to see the open ports? That gives:
 
MSFC# sh ip socket
sp01qrtc1ist5f5#sh ip socket
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0          1985 10.196.22.1      1985   0   0    1   0
 17 10.196.16.9       514 10.196.22.1     53808   0   0   10   0
 17 10.196.16.11      514 10.196.22.1     55404   0   0   10   0
 17 10.196.16.14       49 10.196.22.1        49   0   0   11   0
 17 10.196.16.15       49 10.196.22.1        49   0   0   11   0
 17 10.196.16.10      162 10.196.22.1     56167   0   0    0   0
 17 10.196.16.8       162 10.196.22.1     57138   0   0    0   0
 17 0.0.0.0           123 10.196.22.1       123   0   0    1   0
 17 149.131.188.9   64827 10.196.75.5       161   0   0    1   0
 17 0.0.0.0             0 10.196.22.1       162   0   0    9   0
 17 0.0.0.0             0 10.196.22.1     52391   0   0    9   0

"MSFC#sh tcp brief" gives:
TCB       Local Address           Foreign Address        (state)
52B535E4  127.0.0.12.23           127.0.0.11.4191        ESTAB
41FC5998  10.196.75.33.179        10.196.75.34.11002     ESTAB
551A1BF4  61.8.233.118.11401      61.8.233.117.179       ESTAB

 
I believe that on the MSFC the lines "no tcp-small-servers" &
"no udp-small-servers" are already in place - these lines
won't show up by default, as they are "no ..." statements.
 

Or should I tell the security guys that the scanner is faulty
& reporting false positives?
 
 
 
o 10.196.8.4: [attention] [7134/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [5553/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [2870/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [7684/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [7543/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [6066/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [1173/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [3238/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [4467/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [2357/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [9687/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [2461/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [9170/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [1269/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [8257/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [3815/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [2614/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [8359/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [4728/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [7853/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [9473/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [9472/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [4029/TCP] Unidentified port is active.
.  .  .
 
 
Thanks
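
Added example, not part of the original post: a Python cross-check of the scanner findings against the two device tables pasted above, using abbreviated copies of that output as sample input. The function names and result keys are this example's own, and the parsing assumes only the column layout visible in the post.

```python
import re
# Sample input copied (abbreviated) from the post above.
SCAN = """\
o 10.196.8.4: [attention] [7134/TCP] Unidentified port is active.
o 10.196.8.4: [attention] [5553/TCP] Unidentified port is active.
"""
IP_SOCKET = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0          1985 10.196.22.1      1985   0   0    1   0
 17 149.131.188.9   64827 10.196.75.5       161   0   0    1   0
"""
TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
52B535E4  127.0.0.12.23           127.0.0.11.4191        ESTAB
41FC5998  10.196.75.33.179        10.196.75.34.11002     ESTAB
"""
PROTO = {"6": "TCP", "17": "UDP"}  # IP protocol numbers in the Proto column

def scan_findings(text):
    """(ip, proto, port) for every '[port/PROTO]' scanner line."""
    pat = re.compile(r"(\d+(?:\.\d+){3}):.*?\[(\d+)/(TCP|UDP)\]")
    return {(m[1], m[3], int(m[2])) for m in pat.finditer(text)}

def local_endpoints(ip_socket, tcp_brief):
    """(ip, proto, port) of every local endpoint in both device tables."""
    found = set()
    for f in map(str.split, ip_socket.splitlines()):
        if len(f) >= 5 and f[0] in PROTO:  # skips the header row
            found.add((f[3], PROTO[f[0]], int(f[4])))
    for f in map(str.split, tcp_brief.splitlines()):
        if len(f) >= 4 and re.fullmatch(r"[0-9A-F]{8}", f[0]):
            ip, _, port = f[1].rpartition(".")  # 'addr.port' notation
            found.add((ip, "TCP", int(port)))
    return found

def cross_check(findings, endpoints):
    """Sort findings by what the tables can actually say about them."""
    table_ips = {ip for ip, _, _ in endpoints}
    out = {"confirmed": set(), "port_absent": set(), "address_absent": set()}
    for f in findings:
        key = ("confirmed" if f in endpoints else
               "port_absent" if f[0] in table_ips else "address_absent")
        out[key].add(f)
    return out

if __name__ == "__main__":
    res = cross_check(scan_findings(SCAN), local_endpoints(IP_SOCKET, TCP_BRIEF))
    for key, items in res.items():
        print(key, sorted(items))
```

A finding under `address_absent` means the tables hold no socket at all for the scanned address, so they neither confirm nor refute it; only `port_absent` shows the scanner and the table disagreeing about the same address.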
 

		