Motherboard Forums



Are all of these ports necessary?

 
 
Michelle Steiner
 
      05-02-2012, 06:36 PM
I just ran a port scan on my computer. Can any be safely closed? Are any
dangerous to keep open?

Port Scan has started...

Port Scanning host: 127.0.0.1

Open TCP Port: 88 kerberos
Open TCP Port: 515 printer
Open TCP Port: 548 afpovertcp
Open TCP Port: 631 ipp
Open TCP Port: 3689 daap
Open TCP Port: 4488
Open TCP Port: 5900 rfb
Open TCP Port: 6258
Open TCP Port: 8228
Open TCP Port: 17500
Open TCP Port: 26164
Open TCP Port: 56757
Port Scan has completed...

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
David Stone
 
      05-02-2012, 08:30 PM
In article <(E-Mail Removed)-september.org>,
Michelle Steiner <(E-Mail Removed)> wrote:

> I just ran a port scan on my computer. Can any be safely closed? Are any
> dangerous to keep open?


Generally, you'd use the built-in firewall to manage your ports. That
way, you don't have to worry about what port numbers are used by which
application (it can be a little arcane, to say the least!)

Under Security > Firewall > Advanced, I currently have "Block all
incoming connections" selected, which disallows screen and file
sharing, iTunes sharing, etc.

IIRC you can also use a setting whereby you are asked to allow services
as they attempt to connect, but it's been a while since I used that
(probably not since 10.3)

>
> Port Scan has started...
>
> Port Scanning host: 127.0.0.1
>
> Open TCP Port: 88 kerberos

The Mac OS uses Kerberos authentication to allow you to connect to
services on different Macs
<http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>
<http://support.apple.com/kb/TA24992>

> Open TCP Port: 515 printer
> Open TCP Port: 548 afpovertcp


Do you need to share files and devices by AFP? If not, you can simply
turn that service off, and the firewall should then block the port.

> Open TCP Port: 631 ipp

Internet Printing Protocol, including CUPS - do you have printer
sharing enabled?
<http://en.wikipedia.org/wiki/Internet_Printing_Protocol>

> Open TCP Port: 3689 daap

Digital Audio Access Protocol - are you sharing your iTunes
library over your local network?
<http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol>

> Open TCP Port: 4488

<https://discussions.apple.com/thread/2708130?start=0&tstart=0>

> Open TCP Port: 5900 rfb

<http://en.wikipedia.org/wiki/RFB_protocol>

> Open TCP Port: 6258

1Password
<http://help.agilebits.com/1Password3/outbound_connections.html>


> Open TCP Port: 8228

I believe this is used by some web proxy clients? I see references
to PithHelmet, an ad-blocking plugin for Safari. It probably uses
the proxy locally to route lookups and requests through its filter.

I'll stop now!
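A scan of 127.0.0.1 like the one in the first post tells you which ports accept a connection from the machine itself, but not which process owns each socket or whether the socket is even reachable from the network: a service bound only to 127.0.0.1 (the thread suggests the 1Password and PithHelmet helper ports are of that kind) is invisible to the LAN and the Internet no matter what the firewall does. The following is an added example, not code from this thread or from any of the products named in it. It parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and sorts the scanned ports into network-facing, loopback-only and unexplained. The lsof sample is constructed; the process names, PIDs and bind addresses in it are assumptions, only the port numbers come from the post.

```python
"""Map listening TCP sockets to their owning process and bound address.

Added example, not code from the thread. It parses the output of
`lsof -nP -iTCP -sTCP:LISTEN` (macOS/BSD/Linux) and tells, for each port a
127.0.0.1 scan reported open, whether the socket is bound to a loopback
address only (unreachable from the LAN or Internet regardless of any
firewall) or to a network-facing address. Pipe real data in with:

    lsof -nP -iTCP -sTCP:LISTEN | python3 listeners.py
"""
import re
import sys
from collections import namedtuple

Listener = namedtuple("Listener", "command pid user addr port")

# Constructed sample in lsof's default column layout. Port numbers mirror the
# scan in the original post; the process names, PIDs and bind addresses are
# assumptions made for illustration (e.g. that 6258 and 8228 are loopback-only
# helper ports, as the thread suggests).
SAMPLE_LSOF = """\
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kdc         101     root    5u  IPv4 0x1234      0t0  TCP *:88 (LISTEN)
cupsd       120     root    7u  IPv4 0x1235      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd       120     root    8u  IPv6 0x1236      0t0  TCP [::1]:631 (LISTEN)
cupsd       120     root    9u  IPv4 0x1237      0t0  TCP *:515 (LISTEN)
AppleFile   210     root   10u  IPv4 0x1238      0t0  TCP *:548 (LISTEN)
iTunes     3050 michelle   22u  IPv4 0x1239      0t0  TCP *:3689 (LISTEN)
AppleVNCS   215     root    4u  IPv4 0x123a      0t0  TCP *:5900 (LISTEN)
1Password  4101 michelle    9u  IPv4 0x123b      0t0  TCP 127.0.0.1:6258 (LISTEN)
PithHelme  4200 michelle    6u  IPv4 0x123c      0t0  TCP 127.0.0.1:8228 (LISTEN)
"""

# One lsof row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME
# is "<addr>:<port> (LISTEN)"; IPv6 addresses appear in brackets.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)"
    r"(?:\s+\S+){4}\s+TCP\s+"
    r"(?P<addr>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def parse_lsof(text):
    """Return a Listener for every LISTEN row; other rows are ignored."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["user"],
                                  m["addr"], int(m["port"])))
    return found


def is_loopback(addr):
    """True for sockets that only accept connections from the same host."""
    return addr in ("localhost", "[::1]") or addr.startswith("127.")


def classify(scanned_ports, listeners):
    """Split ports seen open on 127.0.0.1 into three buckets:
    network       - at least one socket bound to a non-loopback address
    loopback_only - every socket on that port is bound to loopback
    unknown       - the scan saw it open but lsof showed no listener
                    (short-lived process, run as another user, a proxy...)
    """
    by_port = {}
    for l in listeners:
        by_port.setdefault(l.port, []).append(l)
    result = {"network": set(), "loopback_only": set(), "unknown": set()}
    for port in scanned_ports:
        socks = by_port.get(port)
        if not socks:
            result["unknown"].add(port)
        elif all(is_loopback(s.addr) for s in socks):
            result["loopback_only"].add(port)
        else:
            result["network"].add(port)
    return result


def report(scanned_ports, listeners):
    """Human-readable table: port, exposure bucket, owning process(es)."""
    buckets = classify(scanned_ports, listeners)
    lines = []
    for port in sorted(scanned_ports):
        owners = ", ".join(sorted({f"{l.command}[{l.pid}]"
                                   for l in listeners if l.port == port})) or "?"
        bucket = next(b for b, ports in buckets.items() if port in ports)
        lines.append(f"{port:>6}  {bucket:<13}  {owners}")
    return "\n".join(lines)


# Ports from the 127.0.0.1 scan in the original post.
SCANNED = [88, 515, 548, 631, 3689, 4488, 5900, 6258, 8228, 17500, 26164, 56757]

if __name__ == "__main__":
    data = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    print(report(SCANNED, parse_lsof(data)))
```

Run it as root (or with `sudo lsof`) so that sockets owned by other users show up; anything that lands in the "unknown" bucket on a real system deserves a second look, because a port that answers on loopback with no visible owner is exactly the kind of thing a scan alone cannot explain.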
 
David Ritz
 
      05-02-2012, 09:25 PM

On Wednesday, 02 May 2012 11:36 -0700,
in article <(E-Mail Removed)-september.org>,
Michelle Steiner <(E-Mail Removed)> wrote:

> I just ran a port scan on my computer. Can any be safely closed?
> Are any dangerous to keep open?


> Port Scan has started...
>
> Port Scanning host: 127.0.0.1
>
> Open TCP Port: 88 kerberos
> Open TCP Port: 515 printer
> Open TCP Port: 548 afpovertcp
> Open TCP Port: 631 ipp
> Open TCP Port: 3689 daap
> Open TCP Port: 4488
> Open TCP Port: 5900 rfb
> Open TCP Port: 6258
> Open TCP Port: 8228
> Open TCP Port: 17500
> Open TCP Port: 26164
> Open TCP Port: 56757
> Port Scan has completed...


Hi, Michelle,

Since no one else seems to be asking, is your Mac behind any sort of
firewall, for example, a firewall enabled router or gateway? If not,
you probably don't want any of those ports exposed to the outside
world. If your computer is behind a firewall appliance, none of these
ports should be problematic, unless you've opened pin-holes for them.

Here are a couple of examples, for your consideration. Both are nmap
(<http://nmap.org>) 1000 port scans of the same IP address; one from
inside the firewall and one from outside.

======================================================================
$ /opt/local/bin/nmap -P0 -sT mako.ath.cx

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-02 15:57 CDT
Nmap scan report for mako.ath.cx (75.56.239.73)
Host is up (0.00072s latency).
Not shown: 958 closed ports, 32 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
445/tcp open microsoft-ds
548/tcp open afp
587/tcp open submission
749/tcp open kerberos-adm
3689/tcp open rendezvous
5900/tcp open vnc

Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
======================================================================
[user]@[host]:~% /usr/bin/nmap -P0 -sT mako.ath.cx

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 13:06 PDT
Interesting ports on mako.ath.cx (75.56.239.73):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
50001/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 51.90 seconds
======================================================================

While I have many more open ports than shown, only those two ports,
which I explicitly allow to be accessed, are open to the outside
world.

prot port freq # Description
ssh 22/sctp 0.000000 # Secure Shell Login
ssh 22/tcp 0.182286 # Secure Shell Login
ssh 22/udp 0.003905 # Secure Shell Login

http 80/sctp 0.000000 # World Wide Web HTTP
http 80/tcp 0.484143 # World Wide Web HTTP
http 80/udp 0.035767 # World Wide Web HTTP

--
David Ritz <(E-Mail Removed)>
Nothing running a Microsoft Windows operating system should ever be
allowed to connect directly to the Internet.

Michelle Steiner
 
      05-02-2012, 09:29 PM
In article <(E-Mail Removed)-september.org>,
David Stone <(E-Mail Removed)> wrote:

> I'll stop now!


Thanks. Looks like they're all safe, and no need to turn any of them off.

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
Michelle Steiner
 
      05-02-2012, 10:02 PM
In article <(E-Mail Removed) >,
David Ritz <(E-Mail Removed)> wrote:

> Since no one else seems to be asking, is your Mac behind any sort of
> firewall, for example, a firewall enabled router or gateway?


The router is a Time Capsule, and I don't think it has a firewall. But it
does have NAT. Also, I have Stealth Mode enabled.

> If not, you probably don't want any of those ports exposed to the
> outside world.


Why not? Based on other answers I've received, they seem safe.

I just did a scan of my router's IP address:

Port Scan has started...

Port Scanning host: 98.165.113.143

Open TCP Port: 21 ftp
Open TCP Port: 53 domain
Open TCP Port: 554 rtsp
Open TCP Port: 5009 winfs
Open TCP Port: 7070 arcp
Open TCP Port: 10000 ndmp
Port Scan has completed...

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
 
David Ritz
 
      05-02-2012, 10:42 PM

On Wednesday, 02 May 2012 15:02 -0700,
in article <(E-Mail Removed)-september.org>,
Michelle Steiner <(E-Mail Removed)> wrote:

> In article <(E-Mail Removed) >,
> David Ritz <(E-Mail Removed)> wrote:


>> Since no one else seems to be asking, is your Mac behind any sort
>> of firewall, for example, a firewall enabled router or gateway?


> The router is a Time Capsule, and I don't think it has a firewall.
> But it does have NAT. Also, I have Stealth Mode enabled.


>> If not, you probably don't want any of those ports exposed to the
>> outside world.


> Why not? Based on other answers I've received, they seem safe.


> I just did a scan of my router's IP address:


> Port Scan has started...
>
> Port Scanning host: 98.165.113.143
>
> Open TCP Port: 21 ftp
> Open TCP Port: 53 domain
> Open TCP Port: 554 rtsp
> Open TCP Port: 5009 winfs
> Open TCP Port: 7070 arcp
> Open TCP Port: 10000 ndmp
> Port Scan has completed...


While you didn't directly answer my question, there is some sort of
firewall in operation:

[user]@[host]:~% nmap 98.165.113.143 -p 21,53,554,5009,7070,10000

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 15:26 PDT
Interesting ports on ip98-165-113-143.ph.ph.cox.net (98.165.113.143):
PORT STATE SERVICE
21/tcp filtered ftp
53/tcp filtered domain
554/tcp filtered rtsp
5009/tcp filtered airport-admin
7070/tcp filtered realserver
10000/tcp filtered snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds

That these ports are being filtered, is an indication of a firewall
appliance. You're still running your port scans from within the
firewall.

As it's now been confirmed that you're behind a firewall, you're most
certainly safe with these ports being open on your computer.

As to your question of why one doesn't want these ports to be world
accessible, the answer has to do with whether or not one wants anyone
in the world to be able to access these ports and their associated
services. If you answer yes, you may just have flunked your driver's
license test for the infobahn.

--
David Ritz <(E-Mail Removed)>
"Even a paranoid can have enemies." - Henry Kissinger (b. 1923)
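The two comparisons in this thread (David Ritz's inside/outside nmap scans of mako.ath.cx, and Michelle's Network Utility scan of the router against the nmap scan of it from the Internet) are the test that actually answers the original question: a port is only a concern if the outside world sees it open, and "filtered" from outside means something in between is dropping the packets. The following is an added example, not David Ritz's code or anything posted in the thread. It parses both scan formats seen above (nmap's PORT STATE SERVICE table and Network Utility's "Open TCP Port: N name" lines) and reports, for every port open on the inside, what the Internet sees. The four sample texts are the scan results quoted in the posts; the state categories follow nmap's own vocabulary.

```python
"""Compare a port scan run from inside the firewall with one run from outside.

Added example, not code from the thread. It reads nmap "normal" output and
macOS Network Utility listings and reports, for each port open on the inside,
whether the outside scan saw it open, filtered, closed or did not report it.
"""
import re

# Scan results quoted in the posts above (inside the firewall / from the Internet).
INSIDE_LAN = """\
Nmap scan report for mako.ath.cx (75.56.239.73)
Not shown: 958 closed ports, 32 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
445/tcp open microsoft-ds
548/tcp open afp
587/tcp open submission
749/tcp open kerberos-adm
3689/tcp open rendezvous
5900/tcp open vnc
"""
OUTSIDE_INET = """\
Interesting ports on mako.ath.cx (75.56.239.73):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
50001/tcp filtered unknown
"""
ROUTER_LAN = """\
Port Scanning host: 98.165.113.143
Open TCP Port: 21 ftp
Open TCP Port: 53 domain
Open TCP Port: 554 rtsp
Open TCP Port: 5009 winfs
Open TCP Port: 7070 arcp
Open TCP Port: 10000 ndmp
"""
ROUTER_INET = """\
Interesting ports on ip98-165-113-143.ph.ph.cox.net (98.165.113.143):
PORT STATE SERVICE
21/tcp filtered ftp
53/tcp filtered domain
554/tcp filtered rtsp
5009/tcp filtered airport-admin
7070/tcp filtered realserver
10000/tcp filtered snet-sensor-mgmt
"""

# Longer alternatives first so "open|filtered" is not cut down to "open".
NMAP_ROW = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\b",
    re.M)
NMAP_NOT_SHOWN = re.compile(r"^Not shown: (.+)$", re.M)
NETUTIL_ROW = re.compile(r"^Open (TCP|UDP) Port:\s+(\d+)", re.M)


def parse_scan(text):
    """Return ({(port, proto): state}, state_to_assume_for_unlisted_ports)."""
    ports = {}
    for port, proto, state in NMAP_ROW.findall(text):
        ports[(int(port), proto)] = state
    for proto, port in NETUTIL_ROW.findall(text):
        ports[(int(port), proto.lower())] = "open"
    # nmap omits the ports in the dominant state and says so in "Not shown:";
    # with two states listed (as in the inside scan) unlisted ports are
    # ambiguous, and an explicit -p scan has no such line at all.
    default = "unknown"
    m = NMAP_NOT_SHOWN.search(text)
    if m:
        states = re.findall(r"\d+ ([a-z|]+)(?: tcp| udp)? ports", m.group(1))
        if len(states) == 1:
            default = states[0]
    elif NETUTIL_ROW.search(text):
        default = "not-open"  # Network Utility only lists ports that answered
    return ports, default


def compare(inside_text, outside_text):
    """Bucket every port open on the inside by what the outside scan saw."""
    inside, _ = parse_scan(inside_text)
    outside, out_default = parse_scan(outside_text)
    report = {"exposed": [], "filtered": [], "closed": [], "unknown": []}
    for key in sorted(k for k, s in inside.items() if s == "open"):
        state = outside.get(key, out_default)
        bucket = {"open": "exposed", "filtered": "filtered", "closed": "closed"}.get(state, "unknown")
        report[bucket].append(key)
    # Outside entries the inside view did not show open: a forgotten port
    # forward, or a filter rule guarding a port nothing serves.
    report["outside_extra"] = sorted(k for k, s in outside.items() if inside.get(k) != "open")
    return report


def summary(report):
    fmt = lambda keys: ", ".join(f"{p}/{proto}" for p, proto in keys) or "none"
    return "\n".join(f"{name:<24}: {fmt(report[key])}" for name, key in [
        ("exposed to the Internet", "exposed"), ("filtered by a firewall", "filtered"),
        ("closed from outside", "closed"), ("state unknown outside", "unknown"),
        ("outside-only entries", "outside_extra")])


if __name__ == "__main__":
    print(summary(compare(INSIDE_LAN, OUTSIDE_INET)), "\n")
    print(summary(compare(ROUTER_LAN, ROUTER_INET)))
```

Run from inside the LAN, then from a host on a different network (a VPS, a friend's connection, a phone off Wi-Fi) against your public address, and feed both outputs in. Only the "exposed" list needs a decision; "filtered" is the firewall doing its job, and anything in "outside-only" is a port forward or rule worth re-checking.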

 
 
Michelle Steiner
 
      05-02-2012, 10:56 PM
In article <(E-Mail Removed) >,
David Ritz <(E-Mail Removed)> wrote:

> As to your question of why one doesn't want these ports to be world
> accessible, the answer has to do with whether of not one wants anyone in
> the world to be able to access these ports and their associated
> services. If you answer yes, you may just have flunked your driver's
> license test for the infobahn.


But if those ports are blocked, how can there be legitimate access from the
world?

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
 
JF Mezei
 
      05-02-2012, 11:29 PM
Michelle Steiner wrote:

> But if those ports are blocked, how can there be legitimate access from the
> world?



Do you want the world to be able to access your file shares (AFP) from
china and india ? If not, you get your router to block port 548 but
leave it running on your mac. This way, the world can't access your AFP
shares, but other computers in the LAN can.

If your computer is directly connected to the internet without a router,
then you have to use the computer's firewall to block those ports or
disable the service entirely.

And there are cases where you may wish to enable the port for world
access. For instance, if you will be out of town for a while and know
you will need to access files on your home machine while at a hotel, then
you want to open port 558 and direct it to your home computer while you
are away. This opens you to attacks but if you close it when you get
back, you limit the impact.


 
 
Michelle Steiner
 
      05-03-2012, 12:24 AM
In article <4fa1c346$0$1623$c3e8da3$(E-Mail Removed) m>,
JF Mezei <(E-Mail Removed)> wrote:

> > But if those ports are blocked, how can there be legitimate access
> > from the world?

>
>
> Do you want the world to be able to access your file shares (AFP) from
> china and india ? If not, you get your router to block port 548 but
> leave it running on your mac. This way, the world can't access your AFP
> shares, but other computers in the LAN can.


I have file sharing set only for my public folder, and it's read only
except for me.

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
 
David Ritz
 
      05-03-2012, 01:23 AM

On Wednesday, 02 May 2012 15:56 -0700,
in article <(E-Mail Removed)-september.org>,
Michelle Steiner <(E-Mail Removed)> wrote:

> In article <(E-Mail Removed) >,
> David Ritz <(E-Mail Removed)> wrote:


>> As to your question of why one doesn't want these ports to be world
>> accessible, the answer has to do with whether of not one wants
>> anyone in the world to be able to access these ports and their
>> associated services. If you answer yes, you may just have flunked
>> your driver's license test for the infobahn.


> But if those ports are blocked, how can there be legitimate access
> from the world?


OK. Let's go back to your original post in this thread. I've
narrowed the list of open ports you posted, to those identified by
name in your port scan.

> In article <(E-Mail Removed)-september.org>,
> Michelle Steiner <(E-Mail Removed)> wrote:


>> Open TCP Port: 88 kerberos


kerberos-sec 88/tcp 0.006072 # Kerberos (v5)
kerberos-sec 88/udp 0.013476 # Kerberos (v5)

Do you want everyone on the Internet, whether or not you've authorized
them, to have access to security software and services running on your
Mac?

>> Open TCP Port: 515 printer


printer 515/tcp 0.007214 # spooler (lpd)
printer 515/udp 0.011022 # spooler (lpd)

Do you want everyone on the Internet, whether or not you've authorized
them, to have access to your printer spool and Laser Printer Daemon?

>> Open TCP Port: 548 afpovertcp


afp 548/tcp 0.012395 # AFP over TCP
afp 548/udp 0.000774 # AFP over UDP

Do you want everyone on the Internet, whether or not you've authorized
them, to have access to your Apple Filing Protocol shares and network
services?

>> Open TCP Port: 631 ipp


ipp 631/tcp 0.006160 # Internet Printing Protocol -- for one
implementation see http://www.cups.org (Common UNIX Printing System)
ipp 631/udp 0.450281 # Internet Printing Protocol

Do you want everyone on the Internet, whether or not you've authorized
them, to be able to use your IP connected printer?

>> Open TCP Port: 3689 daap


rendezvous 3689/tcp 0.002283 # Rendezvous Zeroconf (used by
Apple/iTunes)
daap 3689/udp 0.000330 # Digital Audio Access Protocol

Do you want everyone on the Internet, whether or not you've authorized
them, to be able to access your iTunes library? It's only intended
for sharing over a local network.

Here, we need to distinguish between private IP space and public IP
space. Behind your firewall, it appears that you are using services,
locally, which are not accessible to the outside world. That's a good
thing.

I, on the other hand, have _chosen_ to globally open two ports, for
WWW and Secure Shell. The result is, I see as many as several hundred
break-in or exploit attacks on those ports, on any given day. Many of
the sources of these attacks end up in my local ipfw.conf.

Here's an example from yesterday.

$ grep -c sshd.\*61.136.171.198 /var/log/secure.log
104

That indicates 104 intrusion attempts from that single IP address.

$ whois -A 61.136.171.198|iprange2cidr.pl
61.136.128.0/17

The IP address in question is assigned, by APNIC, to CHINANET-HB.
CHINANET-HB uses poorly conceived mail filters, which prevents most
abuse complaints from reaching their NIC designated POC,
<abuse_hb[at]public.wh.hb.cn>.

$ grep 61.136.128.0\/17 /etc/ipfilter/ipfw.conf
add 10050 deny ip from 61.136.128.0/17 to any in

If CHINANET-HB isn't willing to accept reports of network attacks or
other abuse, I'm not willing to allow their IP space to have access to
my property. As a result, I'm currently blocking all of CHINANET-HB.

$ whois -A CHINANET-HB|iprange2cidr.pl
27.16.0.0/12
58.48.0.0/13
59.172.0.0/14
61.136.128.0/17
61.183.0.0/16
61.184.0.0/16
103.22.80.0/22
111.170.0.0/16
111.172.0.0/14
111.176.0.0/13
116.207.0.0/16
116.208.0.0/14
119.96.0.0/13
121.60.0.0/14
171.40.0.0/13
171.80.0.0/14
171.112.0.0/14
202.103.0.0/18
202.110.128.0/18
219.138.0.0/15
219.140.0.0/16
221.232.0.0/14

Right now, I'm composing this message on my world facing box, via SSH,
Secure SHell, while I'm actually depressing the keys on my laptop, in
another room. I could as easily be doing the same, using any Internet
connected computer with an SSH client, from any location in the world.

(This assumes that the IP address from which I wish to access the
server, isn't already blocked by my home brew ipfw rules. [ipfw --
BSD IP firewall and traffic shaper control program])

I'm not suggesting that you open holes in your world facing firewall.
Doing so opens a nasty can of worms. For now, you appear to be safely
behind a firewall. That firewall may exist in your cable modem or
gateway, which presumably places your router and computer(s) safely
behind it.

--
David Ritz <(E-Mail Removed)>
"(The Internet is) the largest equivalence class in the reflexive
transitive symmetric closure of the relationship `can be reached by
an IP packet from'." - Seth Breidbart
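The workflow in the post above, counting sshd attempts per source with `grep -c`, resolving the address to its announced range with `whois -A ... | iprange2cidr.pl`, and adding an ipfw `deny ... in` rule for the range, is what running an exposed SSH port costs you in practice. The following is an added example, not David Ritz's scripts or configuration. It does the same three steps offline on a constructed sample of OpenSSH syslog lines (61.136.171.198 and its /17 are the address and range quoted in the post; the other addresses are RFC 5737 documentation ranges), replaces the whois lookup with a hand-made table because the real step needs network access, and adds the one check the post's caveat calls for: never emit a range rule that would lock out an address you log in from.

```python
"""Turn repeated sshd failures into ipfw deny rules, one per announced range.

Added example, not code from the thread. Counts authentication failures per
source address in OpenSSH syslog lines, maps each offender to the range it
belongs to, and prints ipfw rules in the form used in the post.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure.log style lines.
SAMPLE_LOG = (
    [f"May  2 03:{i:02d}:07 mako sshd[{4100 + i}]: Failed password for invalid "
     f"user admin from 61.136.171.198 port {40000 + i} ssh2" for i in range(12)]
    + ["May  2 04:10:01 mako sshd[4200]: Accepted publickey for dritz from 192.0.2.10 port 51022 ssh2"]
    + [f"May  2 05:{i:02d}:33 mako sshd[{4300 + i}]: Invalid user oracle from 203.0.113.9"
       for i in range(11)]
    + [f"May  2 06:{i:02d}:33 mako sshd[{4400 + i}]: Failed password for root "
       f"from 203.0.113.10 port 2222 ssh2" for i in range(10)]
    + ["May  2 07:00:00 mako sshd[4500]: Failed password for invalid user test "
       "from 198.51.100.7 port 3333 ssh2"] * 3
)

# Stand-in for `whois -A <ip> | iprange2cidr.pl`: announced ranges keyed by
# CIDR. Only the first entry comes from the post; the second is an assumption.
ASSIGNED_RANGES = {
    "61.136.128.0/17": "CHINANET-HB",
    "203.0.113.0/24": "EXAMPLE-NET",
}

SSHD_FROM = re.compile(r"sshd\[\d+\]: .*\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
FAILURE_MARKERS = ("Failed ", "Invalid user", "authentication error")


def count_failures(lines):
    """Per-source count of sshd lines recording an authentication failure.
    Like the post's `grep -c sshd.*<ip>` for every address at once, but
    successful logins ("Accepted ...") are not counted."""
    counts = Counter()
    for line in lines:
        if "sshd[" not in line or not any(m in line for m in FAILURE_MARKERS):
            continue
        m = SSHD_FROM.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def lookup_range(ip):
    """(cidr, owner) of the announced range containing ip, or the /32 itself."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in ASSIGNED_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, owner
    return f"{ip}/32", "unknown"


def ipfw_rules(counts, threshold=10, trusted=(), base=10050):
    """`add N deny ip from <cidr> to any in` for every source with at least
    `threshold` failures, collapsing offenders in one announced range into a
    single rule. If a range contains an address in `trusted` (somewhere you
    need to log in from, the caveat in the post) the offending hosts are
    blocked individually instead of the whole range."""
    trusted_addrs = [ipaddress.ip_address(t) for t in trusted]
    blocks = set()
    for ip, n in counts.items():
        if n < threshold:
            continue
        net = ipaddress.ip_network(lookup_range(ip)[0])
        if any(t in net for t in trusted_addrs):
            blocks.add(ipaddress.ip_network(f"{ip}/32"))
        else:
            blocks.add(net)
    return [f"add {base + i} deny ip from {net} to any in"
            for i, net in enumerate(sorted(blocks))]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip:<16} {lookup_range(ip)[1]}")
    print("\n".join(ipfw_rules(counts, trusted=("192.0.2.10",))))
```

Blocking a whole /17 because of one host is a policy choice, and the post is explicit about why it was made (the provider does not accept abuse reports); the `trusted` check is there because the same rule, generated blindly, would eventually match the hotel or office you are travelling from. Rule numbers start at 10050 to match the post's ruleset; pick a base that leaves room before your existing allow rules.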

