[c-nsp] Security scanner showed plenty of open ports but "show ipsocket" doesn't

Ted Mittelstaedt tedm at toybox.placo.com
Tue Aug 23 15:18:31 EDT 2005


Tell your security guys that if they can crash your 6509 by sending
something to those ports then you will fix the problem, otherwise if
they cannot crash it, then they have dicks the size of Chicken Little
(since
that is what they are doing, running in circles shouting "the sky is
falling")

Just because a fool can drive a sophisticated scanner program nowadays
doesn't make him not a fool.  My mailserver's SMTP port is open -
using your security guy's logic I better close that too!!

You could always retaliate by running your own scanner on the
security guys' scanning system and insisting on them turning off
ALL icmp ports since by golly, those are open too!!  That ought to
solve that problem.  Oh and by the way, their system is responding to
ARP requests, must be a security hole there too!!  Better shut that down!


Ted

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Cis Ckp
>Sent: Tuesday, August 23, 2005 4:15 AM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Security scanner showed plenty of open ports
>but "show ipsocket" doesn't
>
>
>Hi,
>
>
>Bear with me if I've got my basics wrong.
>
>Our security guys have run a scan on one addr 10.196.8.4
>which is owned by the Layer 2 sc0 interface of our 6509
>(see the scan results furthest below) :
>
>set interface sc0 2 10.196.8.4/255.255.255.128 10.196.8.127
>
>How can I close those ports?
>
>Does it make sense for me to login to this 6509's MSFC & issue
>"sh ip socket" to see the open ports (which gives :
>
>MSFC# sh ip socket
>sp01qrtc1ist5f5#sh ip socket
>Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
> 17 0.0.0.0          1985 10.196.22.1      1985   0   0    1   0
> 17 10.196.16.9       514 10.196.22.1     53808   0   0   10   0
> 17 10.196.16.11      514 10.196.22.1     55404   0   0   10   0
> 17 10.196.16.14       49 10.196.22.1        49   0   0   11   0
> 17 10.196.16.15       49 10.196.22.1        49   0   0   11   0
> 17 10.196.16.10      162 10.196.22.1     56167   0   0    0   0
> 17 10.196.16.8       162 10.196.22.1     57138   0   0    0   0
> 17 0.0.0.0           123 10.196.22.1       123   0   0    1   0
> 17 149.131.188.9   64827 10.196.75.5       161   0   0    1   0
> 17 0.0.0.0             0 10.196.22.1       162   0   0    9   0
> 17 0.0.0.0             0 10.196.22.1     52391   0   0    9   0
>
>MSFC#sh tcp brief               gives :
>TCB       Local Address           Foreign Address        (state)
>52B535E4  127.0.0.12.23           127.0.0.11.4191        ESTAB
>41FC5998  10.196.75.33.179        10.196.75.34.11002     ESTAB
>551A1BF4  61.8.233.118.11401      61.8.233.117.179       ESTAB
>
>
>Believe on the MSFC, the lines "no tcp-small-servers" &
>"no udp-small-servers" are already in place - these lines
>won't show up by default for the "no ..." statement.
>
>
>Or should I tell the security guys that the scanner is faulty
>& reporting faulty positives?
>
>
>
>o 10.196.8.4: [attention] [7134/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [5553/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [2870/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [7684/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [7543/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [6066/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [1173/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [3238/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [4467/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [2357/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [9687/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [2461/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [9170/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [1269/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [8257/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [3815/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [2614/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [8359/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [4728/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [7853/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [9473/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [9472/TCP] Unidentified port is active.
>      o 10.196.8.4: [attention] [4029/TCP] Unidentified port is active.
>          .  .  .
>
>
>Thanks
>
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
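A practical footnote to the thread, added here and not part of either poster's message: the sc0 address belongs to the Supervisor's CatOS image, while "show ip socket" and "show tcp brief" are IOS commands that list only the MSFC's own sockets, so the two views in the original post are of two different IP stacks and cannot be compared directly. The quickest way to settle whether "Unidentified port is active" means a real listener is to complete a TCP three-way handshake yourself, from the same network position as the scanner (an ACL or intermediate device between you and the target changes the answer). The script below is an added example in that spirit: it parses the scanner's report lines as quoted in the thread, re-probes each TCP port with a plain connect(), and separates a completed handshake ("open") from a RST ("closed") and from silence ("filtered"). The report lines embedded in it are copied from the post; the self_check() function builds a local listener purely so the classification can be demonstrated offline. The CatOS/IOS point above is the only claim made about the 6509 itself; the example does not attempt to explain why the scanner reported what it did.

```python
import re
import socket

# One line of the scanner report quoted in the thread, e.g.
#   o 10.196.8.4: [attention] [7134/TCP] Unidentified port is active.
SCAN_LINE = re.compile(
    r"^\s*o\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):\s+\[\w+\]\s+"
    r"\[(?P<port>\d+)/(?P<proto>TCP|UDP)\]"
)

# Four lines copied from the report in the original post (the rest were elided there).
SAMPLE_REPORT = """\
o 10.196.8.4: [attention] [7134/TCP] Unidentified port is active.
      o 10.196.8.4: [attention] [5553/TCP] Unidentified port is active.
      o 10.196.8.4: [attention] [2870/TCP] Unidentified port is active.
      o 10.196.8.4: [attention] [7684/TCP] Unidentified port is active.
"""


def parse_scan_report(text: str) -> list[tuple[str, int, str]]:
    """Extract (host, port, proto) tuples from the scanner's text output."""
    findings = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            findings.append((m["host"], int(m["port"]), m["proto"]))
    return findings


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Full TCP connect check. Returns 'open', 'closed' or 'filtered'.

    'open'     - handshake completed: something really accepts connections
    'closed'   - the target answered with a RST (ECONNREFUSED): no listener
    'filtered' - no usable answer within the timeout: dropped by an ACL or
                 firewall, or the host/route is unreachable
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError, OSError):
            return "filtered"


def verify_findings(findings, timeout: float = 2.0) -> dict:
    """Re-probe every TCP finding and group hosts/ports by our own verdict."""
    results = {"open": [], "closed": [], "filtered": []}
    for host, port, proto in findings:
        if proto != "TCP":
            continue  # UDP needs service-specific probes; a bare connect says nothing
        results[check_tcp_port(host, port, timeout)].append((host, port))
    return results


def self_check() -> dict:
    """Offline demonstration on 127.0.0.1: one listening port and one released port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Take an ephemeral port and release it again, so nothing listens there
    # and the kernel answers our SYN with a RST.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "open": check_tcp_port("127.0.0.1", open_port),
            "closed": check_tcp_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print("local demonstration:", self_check())
    # Against the real target this re-probes the ports the scanner flagged;
    # run it from the scanner's own network position for a fair comparison.
    for verdict, ports in verify_findings(parse_scan_report(SAMPLE_REPORT)).items():
        print(f"{verdict:9s} {ports}")
```

Ports that come back "closed" from this probe are the scanner's problem, not the switch's; ports that come back "open" deserve a banner grab and a look at the CatOS configuration, and "filtered" just means the probe never reached a stack that answered.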