Why would ports 21/25/110/143 show as open?

in CCNA & CCENT
I have never had an ftp/smtp/pop3/imap service installed behind my router and have never used these ports for anything. I thought it may have had something to do with the fact I was using an advanced ip-services IOS on my 2611XM, so I uninstalled it and replaced it with a standard ipbasek9 image, and the ports are still open (scanned using nmap from outside on another network).
Also none of my SIP ports are showing as open, yet my remote ip softphone connects fine. Nmap has never lied to me! Any educated guesses? I did have SDM installed at one point.
Writing the CCNA tomorrow finally!
Comments
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I think they are opened by default before you run auto secure.
Here is some good reading:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
-
mzinz Member Posts: 328
Your SIP phones connect fine because those connections are happening from IN to OUT.
It is likely (if your ACLs allow) that ALL outbound connections are permitted. This allows things like softphones to connect, just like it allows you to connect to web pages.
I'm not sure why those ports you listed are open INBOUND. Let's take a look at your router config?
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
-
fonestar1978 Banned Posts: 55 ■■□□□□□□□□
Your SIP phones connect fine because those connections are happening from IN to OUT.
It is likely (if your ACLs allow) that ALL outbound connections are permitted. This allows things like softphones to connect, just like it allows you to connect to web pages.
I'm not sure why those ports you listed are open INBOUND. Let's take a look at your router config?
Been scratching my head about this one for a while so I would appreciate some help!
:
Router1#sh run
Building configuration...
Current configuration : 16019 bytes
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
ip dhcp pool DATA_POOL
network xxx.xxx.xxx.xxx 255.255.255.0
!
ip dhcp pool VOICE_POOL
network xxx.xxx.xxx.xxx 255.255.255.0
!
!
ip dhcp update dns
ip domain name fonestar.kicks-ass.net
ip name-server xxx.xxx.xxx.xxx
!
crypto pki trustpoint TP-self-signed-1175546438
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1175546438
revocation-check none
rsakeypair TP-self-signed-1175546438
!
!
crypto pki certificate chain TP-self-signed-1175546438
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313735 35343634 3338301E 170D3032 30333133 30353334
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31373535
34363433 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B6EC 1F10EFBF 86982EE7 BE10611C 564D6027 B65FD8D1 61710A14
quit
username xxxxxx privilege 15 password 7 XXXXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
!
class-map match-all voice
match access-group 105
!
!
policy-map policy1
class voice
priority 96
class class-default
fair-queue
!
!
!
interface Tunnel0
description Hurrican Electric IPv6 Tunnel Broker
no ip address
ip mask-reply
ip directed-broadcast
tunnel source xxx.xxx.xxx.xxx
tunnel destination xxx.xxx.xxx.xxx
!
interface FastEthernet0/0
description WAN-OUTSIDE
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface FastEthernet0/1
no ip address
ip mask-reply
ip directed-broadcast
duplex auto
speed auto
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip address xxx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no keepalive
!
interface FastEthernet0/1.200
encapsulation dot1Q 200
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip mask-reply
ip directed-broadcast
ip nat inside
no keepalive
!
interface Dialer0
no ip address
ip mask-reply
ip directed-broadcast
!
ip default-network xxx.xxx.xxx.xxx
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat translation timeout 15000
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp xxx.xxx.xxx.xxx 4445 interface FastEthernet0/0 4445
ip nat inside source static tcp xxx.xxx.xxx.xxx 1720 interface FastEthernet0/0 1720
ip nat inside source static tcp xxx.xxx.xxx.xxx 8080 interface FastEthernet0/0 8080
ip nat inside source static tcp xxx.xxx.xxx.xxx 5061 interface FastEthernet0/0 5061
ip nat inside source static tcp xxx.xxx.xxx.xxx 5060 interface FastEthernet0/0 5060
ip nat inside source static udp xxx.xxx.xxx.xxx 5060 interface FastEthernet0/0 5060
ip nat inside source static tcp xxx.xxx.xxx.xxx 5901 interface FastEthernet0/0 5901
ip nat inside source static tcp xxx.xxx.xxx.xxx 5900 interface FastEthernet0/0 5900
ip nat inside source static udp xxx.xxx.xxx.xxx 443 interface FastEthernet0/0 443
!
ip access-list extended DENY-PRIVATE-IP
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny tcp any any eq smtp
deny tcp any any eq pop3
deny tcp any any eq nntp
deny tcp any any eq 143
deny tcp any any eq www
deny tcp any any eq 443
permit tcp any any eq 5060
permit ip any any
permit tcp any any
permit udp any any
permit icmp any any
permit igmp any any
!
logging trap debugging
logging source-interface FastEthernet0/0
access-list 100 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 100 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
banner motd ^C
This is a private network, all access is logged! Authorized Access Only!^C
!
line con 0
privilege level 15
password 7 XXXXXXXXXXXXXX
login authentication local_authen
transport output telnet
line aux 0
password 7 XXXXXXXXXXXXXX
login authentication local_authen
transport output telnet
line vty 0 4
privilege level 15
password 7 XXXXXXXXXXXXX
logging synchronous limit 50000
transport input ssh
!
!
end
-
mzinz Member Posts: 328
You have no access-lists applied to your interfaces, therefore all ports are completely open, both inbound and outbound.
In other words, your router is not blocking or filtering any traffic.
Typically, on your WAN interface, you will have an access list applied. This access list should only permit traffic that you would like to enter inbound. For instance, if you are hosting a web server, and end-users on the internet need to view your website, you would have an access-list like this:
ip access-list extended OUTSIDE_IN
permit tcp any host 1.1.1.1 eq 80
deny ip any any
That access-list will allow connections from "any" - meaning any IP address - to "host 1.1.1.1" - meaning the device whose IP address is 1.1.1.1. Only connections on TCP port 80 are allowed.
The line below signifies that all other connections are denied.
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
-
fonestar1978 Banned Posts: 55 ■■□□□□□□□□
You have no access-lists applied to your interfaces, therefore all ports are completely open, both inbound and outbound.
In other words, your router is not blocking or filtering any traffic.
I have tried with "ip access-group DENY-PRIVATE-IP in" on the ingress WAN-facing fa0/0 and it doesn't make a difference. In fact on that access-list I implicitly denied tcp ports 25, 110, 143.
Also, if this was so why not port 7 tcp, port 514?, port 30 tcp being open? I'm kind of thinking this is not it.
-
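To make the first-match logic of both lists concrete, here is an added Python model of how an IOS extended ACL is evaluated (example code, not from this thread and not Cisco's own). It parses the OP's DENY-PRIVATE-IP list and mzinz's OUTSIDE_IN list exactly as posted above and reports which line handles a TCP probe to a given port. Only the `any`, `host`, wildcard-mask and `eq` forms that those two lists actually use are supported; the scanner and router addresses are constructed TEST-NET values, not addresses from the thread.

```python
import ipaddress

# Well-known port names used in IOS ACL syntax (the subset these two lists use)
PORT_NAMES = {"ftp": 21, "smtp": 25, "pop3": 110, "nntp": 119, "www": 80, "telnet": 23}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier (name or number); None if absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' into ordered entries."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, '!' or blank
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        sport = _take_port(rest)   # source-port qualifier, if any
        dst = _take_addr(rest)
        dport = _take_port(rest)   # destination-port qualifier, if any
        entries.append({"action": action, "proto": proto, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "text": raw.strip()})
    return entries


def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["text"]
    return "deny", "(implicit deny ip any any)"


# The original poster's list, copied from the running-config above
DENY_PRIVATE_IP = parse_acl("""
ip access-list extended DENY-PRIVATE-IP
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny tcp any any eq smtp
deny tcp any any eq pop3
deny tcp any any eq nntp
deny tcp any any eq 143
deny tcp any any eq www
deny tcp any any eq 443
permit tcp any any eq 5060
permit ip any any
permit tcp any any
permit udp any any
permit icmp any any
permit igmp any any
""")

# mzinz's suggested inbound list for a single web server
OUTSIDE_IN = parse_acl("""
ip access-list extended OUTSIDE_IN
permit tcp any host 1.1.1.1 eq 80
deny ip any any
""")

if __name__ == "__main__":
    # Constructed scanner/router addresses (TEST-NET ranges, not from the thread)
    scanner, router = "203.0.113.5", "198.51.100.1"
    for port in (21, 25, 110, 143, 5060, 22):
        action, line = evaluate(DENY_PRIVATE_IP, "tcp", scanner, router, dport=port)
        print(f"DENY-PRIVATE-IP tcp/{port}: {action:6} via '{line}'")
    for port in (80, 443):
        action, line = evaluate(OUTSIDE_IN, "tcp", scanner, "1.1.1.1", dport=port)
        print(f"OUTSIDE_IN tcp/{port}: {action:6} via '{line}'")
```

Run stand-alone, it shows that on the OP's list a probe to tcp/25, 110 or 143 is caught by the matching deny line while 21, 22 and 5060 fall through to a permit (21 is never denied at all), and that on OUTSIDE_IN only tcp/80 to 1.1.1.1 gets past the final deny. Note that the entries after `permit ip any any` in the OP's list can never be reached.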
Forsaken_GA Member Posts: 4,024 ■■■■■■■■■■
Could you post the output nmap is giving you?
And have you tried telnetting to the ports that it says are open just to see if you get any kind of banner or response?
What I think is happening is that, since you're explicitly denying those ports in an access list, nmap is getting back an ICMP connection refused message, and assuming that the ports are open based on that.
-
Forsaken_GA Member Posts: 4,024 ■■■■■■■■■■
To back up what I'm saying, here's a simple example on Ubuntu -
root@forsaken-ubuntu:~# nmap 127.0.0.1
Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-19 18:00 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
root@forsaken-ubuntu:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@forsaken-ubuntu:~# iptables -I INPUT -p tcp --dport 110 -j DROP
root@forsaken-ubuntu:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:pop3
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@forsaken-ubuntu:~# nmap 127.0.0.1
Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-19 18:01 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 997 closed ports
PORT STATE SERVICE
25/tcp open smtp
110/tcp filtered pop3
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds
root@forsaken-ubuntu:~#
So in the first instance, I had no indication of pop3, nor am I running a pop3 server on this box, but simply adding a rule to deny all traffic to port 110 caused nmap to show it as filtered.
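Forsaken_GA's before/after scans are the natural input for a small comparison tool. The added Python below (example code, not part of the post and not part of nmap) parses the port lines of nmap's normal text output, reports which ports changed state between two scans, and lists the TCP ports nmap marked as filtered. In nmap's own vocabulary, `open` means a SYN/ACK (or a completed connection) came back, `closed` means a RST came back, and `filtered` means neither did (the probe was dropped or answered with an ICMP error), so a filtered port points at an ACL or firewall in the path rather than at a listening service. The two port tables embedded as `BEFORE` and `AFTER` are copied from Forsaken_GA's output above.

```python
import re

# One per-port line of nmap's normal text output, e.g. '110/tcp filtered pop3'
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(\S+)"
)

# Forsaken_GA's two port tables, copied from the post above: first without,
# then with the 'iptables -I INPUT -p tcp --dport 110 -j DROP' rule in place
BEFORE = """\
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
"""

AFTER = """\
Interesting ports on localhost (127.0.0.1):
Not shown: 997 closed ports
PORT STATE SERVICE
25/tcp open smtp
110/tcp filtered pop3
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds
"""


def parse_nmap(text):
    """Map (port, proto) -> state for every port line in a normal-format report."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def diff_scans(before, after):
    """Ports whose state differs between two parsed scans: (port, proto) -> (old, new).

    A port absent from a report sat in the 'Not shown: N closed ports' bucket;
    it is reported here as None.
    """
    changes = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def filtered_ports(scan):
    """TCP ports nmap could not classify as open or closed: no SYN/ACK and no RST came back."""
    return sorted(port for (port, proto), state in scan.items()
                  if proto == "tcp" and state in ("filtered", "open|filtered", "closed|filtered"))


if __name__ == "__main__":
    b, a = parse_nmap(BEFORE), parse_nmap(AFTER)
    for (port, proto), (old, new) in diff_scans(b, a).items():
        print(f"{port}/{proto}: {old or 'closed (not shown)'} -> {new or 'closed (not shown)'}")
    print("Check ACL/firewall rules, not services, for tcp ports:", filtered_ports(a))
```

The single change the diff reports is 110/tcp going from the "not shown" closed bucket to `filtered`, with no service ever having listened there, which is exactly the effect Forsaken_GA reproduced with one DROP rule. The same two functions can be pointed at the OP's own scans taken with and without `ip access-group DENY-PRIVATE-IP in` applied, to see which ports the ACL, rather than a service, is answering for.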