Unix Technical Forum

unwanted ports open

  #1 (permalink)  
Old 02-20-2008, 11:47 AM
cfarinella@gmail.com
 
Posts: n/a
Default unwanted ports open

I have 4 Slackware machines running as web servers. Nmap results on
one of them show the following:

PORT STATE SERVICE
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
4444/tcp filtered krb524

Is something running that opens these ports? I can't find anything
that would do this and as I say it's only on one machine, I thought I
had them all set up the same. How can I close these ports?

thanks,

--charlie

  #2 (permalink)  
Old 02-20-2008, 11:47 AM
Thomas Overgaard
 
Posts: n/a
Default Re: unwanted ports open

cfarinella@gmail.com wrote:

> I have 4 Slackware machines running as web servers. Nmap results on
> one of them show the following:
>
> PORT STATE SERVICE
> 135/tcp filtered msrpc

<cut>
>
> Is something running that opens these ports?


First, filtered != Open.

This machine that shows this output, does it use another ISP than the others?

To me it looks more like an ISP level filter that should prevent M$ worms
from infesting other vulnerable M$ computers.
--
Thomas O.

This area is designed to become quite warm during normal operation.
  #3 (permalink)  
Old 02-20-2008, 11:47 AM
Lew Pitcher
 
Posts: n/a
Default Re: unwanted ports open

cfarinella@gmail.com wrote:
> I have 4 Slackware machines running as web servers. Nmap results on
> one of them show the following:
>
> PORT STATE SERVICE
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 445/tcp filtered microsoft-ds


For the above 5 ports, you'll have to either
a) shut down Samba, or
b) config Samba so that it doesn't talk to your public IP, or
c) install netfilter rules to deny outside access to these ports

> 4444/tcp filtered krb524


I don't recognize this one, but my guess is that it is Kerberos. In any case,
you have the same sort of choices:
a) shut down the server that supplies that service, or
b) config the server so that it doesn't talk to your public IP, or
c) install netfilter rules to deny outside access to these ports

> Is something running that opens these ports?


Yes. Ports don't open by themselves - there has to be a service running that
specifically opens the ports. You can use netstat to look at which ports are
open, and who opened them. For instance...

root@merlin:~# netstat -n -a -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:994      0.0.0.0:*        LISTEN  2932/rpc.statd
tcp        0      0 0.0.0.0:901      0.0.0.0:*        LISTEN  2896/inetd
tcp        0      0 0.0.0.0:37       0.0.0.0:*        LISTEN  2896/inetd
....

> I can't find anything
> that would do this and as I say it's only on one machine, I thought I
> had them all set up the same. How can I close these ports?


See above

--
Lew Pitcher
IT Specialist, Enterprise Data Systems,
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed are my own, not my employers')
  #4 (permalink)  
Old 02-20-2008, 11:47 AM
cfarinella@gmail.com
 
Posts: n/a
Default Re: unwanted ports open

You're right, this is something on my ISP's firewall and not my
machine. I jumped the gun a little on the question. Thanks to all for
the help.

--charlie

  #5 (permalink)  
Old 02-20-2008, 11:47 AM
Steve Youngs
 
Posts: n/a
Default Re: unwanted ports open

* cfarinella <cfarinella@gmail.com> writes:

> You're right, this is something on my ISP's firewall and not my
> machine.


Who's right? About what? What is on your ISP's firewall?

This is Usenet, not a web forum (though it is also bastardised on
several web sites). You cannot know whether the reader can see or
has seen the previous posts, or, if they have been seen, whether the
reader remembers what they were about.

_Always_ include context, trimming the parts that aren't relevant to
your follow-up.

When using groups.google.com to reply to a Usenet article (better to use
a real newsreader), click on "show options" at the top of the article,
then click on the "Reply" at the bottom of the article headers. This
will quote the previous message in the accepted manner.


--
|---<Steve Youngs>---------------<GnuPG KeyID: A94B3003>---|
| Genius - Is the ability to reduce |
| the complicated to the simple |
|----------------------------------<steve@youngs.au.com>---|
  #6 (permalink)  
Old 02-20-2008, 11:47 AM
+Alan Hicks+
 
Posts: n/a
Default Re: unwanted ports open

Please don't post without quoting something from the parent. Without
any quoting for context it's difficult for someone to come behind and
know what you are replying to. If you find this too difficult with
google groups, your ISP likely runs a news server offering this and
other groups. If not, news.individual.net has very cheap yearly
subscriptions. Either way, you'd also get to use a real news reader
instead of some bastardized web interface to usenet.

In alt.os.linux.slackware, cfarinella@gmail.com dared to utter,
> You're right, this is something on my ISP's firewall and not my
> machine.


In the future you can check this by running tcpdump on the target
machine, then using telnet, nmap, or nc to send a packet to that
particular port. Even if a firewall on the target machine disallows
the packet, tcpdump will display it, letting you know that it was
received. If the packet is never received, you can be reasonably sure
that it was blocked by an ISP along the way.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
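The tcpdump check described in the post above, as an added example that is not part of the original thread: a small script that reads `tcpdump -n` text output captured on the target and reports whether the probe reached the host at all. It goes one step further than the post by also telling a local firewall drop apart from a closed or open port; the interface name, addresses, file name and the function names `classify_probe` and `sample_capture` are assumptions made for illustration.

```shell
#!/bin/sh
# On the target:   tcpdump -n -i eth0 'tcp port 445' > capture.txt
# From outside:    nc -vz -w 3 TARGET_IP 445
# (eth0, TARGET_IP and capture.txt are placeholders.)

# classify_probe TARGET_IP PORT [CAPTURE_FILE]   (reads stdin if no file)
# Interprets IPv4 "tcpdump -n" text output and prints one of:
#   not-received     no SYN for that port reached this host (blocked upstream)
#   dropped-locally  SYN arrived, host never answered (local firewall DROP)
#   closed           SYN arrived, host answered RST (no listener)
#   open             SYN arrived, host answered SYN/ACK (a service listens)
classify_probe() {
    awk -v dst="$1.$2" '
        $2 == "IP" && $4 == ">" {
            to = $5; sub(/:$/, "", to)            # strip trailing colon
            if (to == dst && $7 == "[S],")  syn = 1
            if ($3 == dst && $7 == "[S.],") synack = 1
            if ($3 == dst && substr($7, 1, 2) == "[R") rst = 1
        }
        END {
            if (!syn)        print "not-received"
            else if (synack) print "open"
            else if (rst)    print "closed"
            else             print "dropped-locally"
        }' "${3:--}"
}

# Constructed captures using documentation addresses (not real traffic).
sample_capture() {
    syn='12:00:01.000001 IP 198.51.100.7.40000 > 203.0.113.10.445: Flags [S], seq 1, win 64240, length 0'
    case "$1" in
        upstream)   : ;;                           # nothing ever arrived
        local-drop) printf '%s\n' "$syn" "$syn" ;; # retransmitted, unanswered
        closed)     printf '%s\n' "$syn" \
            '12:00:01.000090 IP 203.0.113.10.445 > 198.51.100.7.40000: Flags [R.], seq 0, ack 2, win 0, length 0' ;;
        open)       printf '%s\n' "$syn" \
            '12:00:01.000090 IP 203.0.113.10.445 > 198.51.100.7.40000: Flags [S.], seq 9, ack 2, win 65160, length 0' ;;
    esac
}

for s in upstream local-drop closed open; do
    printf '%-10s -> %s\n' "$s" "$(sample_capture "$s" | classify_probe 203.0.113.10 445)"
done
```

A "not-received" result while an outside scan reports the port as filtered points at a filter between the scanner and the host, which is the situation the thread arrived at.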
  #7 (permalink)  
Old 02-20-2008, 11:47 AM
Realto Margarino
 
Posts: n/a
Default Re: unwanted ports open

+Alan Hicks+ wrote:

pgp trash troll delete

Nobody wants to see the pgp trash you have embedded in the content and
sig of your message. Usenet requires that you include pgp indications
in the X-Headers of your message.

Thank you for your consideration.

cordially, as always,

rm