Are all of these ports necessary?

Discussion in 'Apple' started by Michelle Steiner, May 2, 2012.

  1. I just ran a port scan on my computer. Can any be safely closed? Are any
    dangerous to keep open?

    Port Scan has started…

    Port Scanning host: 127.0.0.1

    Open TCP Port: 88 kerberos
    Open TCP Port: 515 printer
    Open TCP Port: 548 afpovertcp
    Open TCP Port: 631 ipp
    Open TCP Port: 3689 daap
    Open TCP Port: 4488
    Open TCP Port: 5900 rfb
    Open TCP Port: 6258
    Open TCP Port: 8228
    Open TCP Port: 17500
    Open TCP Port: 26164
    Open TCP Port: 56757
    Port Scan has completed…

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
    Michelle Steiner, May 2, 2012
    #1

  2. David Stone Guest

    In article <-september.org>,
    Michelle Steiner <> wrote:

    > I just ran a port scan on my computer. Can any be safely closed? Are any
    > dangerous to keep open?


    Generally, you'd use the built-in firewall to manage your ports. That
    way, you don't have to worry about what port numbers are used by which
    application (it can be a little arcane, to say the least!)

    Under Security > Firewall > Advanced, I currently have "Block all
    incoming connections" selected, which disallows screen and file
    sharing, iTunes sharing, etc.

    IIRC you can also use a setting whereby you are asked to allow services
    as they attempt to connect, but it's been a while since I used that
    (probably not since 10.3).

    >
    > Port Scan has started…
    >
    > Port Scanning host: 127.0.0.1
    >
    > Open TCP Port: 88 kerberos

    The Mac OS uses Kerberos authentication to allow you to connect
    services on different Macs
    <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>
    <http://support.apple.com/kb/TA24992>

    > Open TCP Port: 515 printer
    > Open TCP Port: 548 afpovertcp


    Do you need to share files and devices by AFP? If not, you can simply
    turn that service off, and the firewall should then block the port.

    > Open TCP Port: 631 ipp

    Internet Printing Protocol, including CUPS - do you have printer
    sharing enabled?
    <http://en.wikipedia.org/wiki/Internet_Printing_Protocol>

    > Open TCP Port: 3689 daap

    Digital Audio Access Protocol - are you sharing your iTunes
    library over your local network?
    <http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol>

    > Open TCP Port: 4488

    <https://discussions.apple.com/thread/2708130?start=0&tstart=0>

    > Open TCP Port: 5900 rfb

    <http://en.wikipedia.org/wiki/RFB_protocol>

    > Open TCP Port: 6258

    One Password
    <http://help.agilebits.com/1Password3/outbound_connections.html>


    > Open TCP Port: 8228

    I believe this is used by some web proxy clients? I see references
    to PithHelmet, an ad-blocking plugin for Safari. It probably uses
    the proxy locally to route lookups and requests through its filter.

    I'll stop now!
     
    David Stone, May 2, 2012
    #2

  3. David Ritz Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wednesday, 02 May 2012 11:36 -0700,
    in article <-september.org>,
    Michelle Steiner <> wrote:

    > I just ran a port scan on my computer. Can any be safely closed?
    > Are any dangerous to keep open?


    > Port Scan has started…
    >
    > Port Scanning host: 127.0.0.1
    >
    > Open TCP Port: 88 kerberos
    > Open TCP Port: 515 printer
    > Open TCP Port: 548 afpovertcp
    > Open TCP Port: 631 ipp
    > Open TCP Port: 3689 daap
    > Open TCP Port: 4488
    > Open TCP Port: 5900 rfb
    > Open TCP Port: 6258
    > Open TCP Port: 8228
    > Open TCP Port: 17500
    > Open TCP Port: 26164
    > Open TCP Port: 56757
    > Port Scan has completed…


    Hi, Michelle,

    Since no one else seems to be asking, is your Mac behind any sort of
    firewall, for example, a firewall enabled router or gateway? If not,
    you probably don't want any of those ports exposed to the outside
    world. If your computer is behind a firewall appliance, none of these
    ports should be problematic, unless you've opened pin-holes for them.

    Here are a couple of examples, for your consideration. Both are nmap
    (<http://nmap.org>) 1000 port scans of the same IP address; one from
    inside the firewall and one from outside.

    ======================================================================
    $ /opt/local/bin/nmap -P0 -sT mako.ath.cx

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-02 15:57 CDT
    Nmap scan report for mako.ath.cx (75.56.239.73)
    Host is up (0.00072s latency).
    Not shown: 958 closed ports, 32 filtered ports
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    445/tcp open microsoft-ds
    548/tcp open afp
    587/tcp open submission
    749/tcp open kerberos-adm
    3689/tcp open rendezvous
    5900/tcp open vnc

    Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
    ======================================================================
    [user]@[host]:~% /usr/bin/nmap -P0 -sT mako.ath.cx

    Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 13:06 PDT
    Interesting ports on mako.ath.cx (75.56.239.73):
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    445/tcp filtered microsoft-ds
    50001/tcp filtered unknown

    Nmap done: 1 IP address (1 host up) scanned in 51.90 seconds
    ======================================================================

    While I have many more open ports than shown, only those two ports,
    which I explicitly allow to be accessed, are open to the outside
    world.

    prot port freq # Description
    ssh 22/sctp 0.000000 # Secure Shell Login
    ssh 22/tcp 0.182286 # Secure Shell Login
    ssh 22/udp 0.003905 # Secure Shell Login

    http 80/sctp 0.000000 # World Wide Web HTTP
    http 80/tcp 0.484143 # World Wide Web HTTP
    http 80/udp 0.035767 # World Wide Web HTTP

    - --
    David Ritz <>
    Nothing running a Microsoft Windows operating system should ever be
    allowed to connect directly to the Internet.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (Darwin)
    Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

    iEYEARECAAYFAk+hpjAACgkQUrwpmRoS3ut7kwCcDTHpt+gCGEMb8Tr5/59/ZPu8
    zSMAoIGVA+vOQfGgDPNKTuiLOcooz8rh
    =m+op
    -----END PGP SIGNATURE-----
     
    David Ritz, May 2, 2012
    #3
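    The inside/outside comparison above is the useful check in this post: a port that shows "open" from the LAN but "filtered" or unlisted from the Internet is being protected by something in between. The script below is an added example (not David Ritz's code or anything from the thread) that parses the two nmap outputs he posted and sorts each LAN-visible port into exposed, filtered, or closed-from-outside. It assumes nmap's normal "PORT STATE SERVICE" table layout and treats any port nmap does not list as closed, which is what its "Not shown: N closed ports" line means.

```python
"""Compare an nmap scan run from inside the LAN with one run from outside.

Added example; the two scan outputs are the ones posted in the thread
(Nmap 5.51 from inside the firewall, Nmap 5.00 from outside).
"""
import re

INSIDE_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-02 15:57 CDT
Nmap scan report for mako.ath.cx (75.56.239.73)
Host is up (0.00072s latency).
Not shown: 958 closed ports, 32 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
445/tcp open microsoft-ds
548/tcp open afp
587/tcp open submission
749/tcp open kerberos-adm
3689/tcp open rendezvous
5900/tcp open vnc

Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
"""

OUTSIDE_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 13:06 PDT
Interesting ports on mako.ath.cx (75.56.239.73):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
50001/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 51.90 seconds
"""

# One row of nmap's normal-output port table: "22/tcp open ssh".
# The state field may be a compound such as "open|filtered".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+([\w|]+)\s+(\S+)")


def parse_nmap(text):
    """Return {(port, proto): (state, service)} from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state, service)
    return ports


def exposure_report(inside_text, outside_text):
    """Classify every port open on the LAN by how it appears from the Internet.

    exposed         -> open from both sides (world reachable)
    filtered        -> open inside, filtered outside (a firewall is dropping it)
    closed_outside  -> open inside, not listed outside (nmap reports it closed)
    outside_only    -> seen outside but not inside (e.g. the appliance itself)
    """
    inside = parse_nmap(inside_text)
    outside = parse_nmap(outside_text)
    report = {"exposed": [], "filtered": [], "closed_outside": [], "outside_only": []}

    for key, (state, service) in sorted(inside.items()):
        if state != "open":
            continue
        label = f"{key[0]}/{key[1]} {service}"
        out_state = outside.get(key, ("closed", None))[0]
        if out_state == "open":
            report["exposed"].append(label)
        elif out_state == "filtered":
            report["filtered"].append(label)
        else:
            report["closed_outside"].append(label)

    for key, (state, service) in sorted(outside.items()):
        if key not in inside:
            report["outside_only"].append(f"{key[0]}/{key[1]} {service} ({state})")
    return report


if __name__ == "__main__":
    for bucket, ports in exposure_report(INSIDE_SCAN, OUTSIDE_SCAN).items():
        print(f"{bucket}: {', '.join(ports) or '-'}")
```

    Run against the two scans in the post, only 22/tcp and 80/tcp land in "exposed", which is exactly the pair David Ritz says he opened on purpose; everything else that is open on the LAN side is filtered or closed from outside.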
  4. In article <-september.org>,
    David Stone <> wrote:

    > I'll stop now!


    Thanks. Looks like they're all safe, and no need to turn any of them off.

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
    Michelle Steiner, May 2, 2012
    #4
  5. In article <>,
    David Ritz <> wrote:

    > Since no one else seems to be asking, is your Mac behind any sort of
    > firewall, for example, a firewall enabled router or gateway?


    The router is a Time Capsule, and I don't think it has a firewall. But it
    does have NAT. Also, I have Stealth Mode enabled.

    > If not, you probably don't want any of those ports exposed to the
    > outside world.


    Why not? Based on other answers I've received, they seem safe.

    I just did a scan of my router's IP address:

    Port Scan has started...

    Port Scanning host: 98.165.113.143

    Open TCP Port: 21 ftp
    Open TCP Port: 53 domain
    Open TCP Port: 554 rtsp
    Open TCP Port: 5009 winfs
    Open TCP Port: 7070 arcp
    Open TCP Port: 10000 ndmp
    Port Scan has completed...

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
    Michelle Steiner, May 2, 2012
    #5
  6. David Ritz Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wednesday, 02 May 2012 15:02 -0700,
    in article <-september.org>,
    Michelle Steiner <> wrote:

    > In article <>,
    > David Ritz <> wrote:


    >> Since no one else seems to be asking, is your Mac behind any sort
    >> of firewall, for example, a firewall enabled router or gateway?


    > The router is a Time Capsule, and I don't think it has a firewall.
    > But it does have NAT. Also, I have Stealth Mode enabled.


    >> If not, you probably don't want any of those ports exposed to the
    >> outside world.


    > Why not? Based on other answers I've received, they seem safe.


    > I just did a scan of my router's IP address:


    > Port Scan has started...
    >
    > Port Scanning host: 98.165.113.143
    >
    > Open TCP Port: 21 ftp
    > Open TCP Port: 53 domain
    > Open TCP Port: 554 rtsp
    > Open TCP Port: 5009 winfs
    > Open TCP Port: 7070 arcp
    > Open TCP Port: 10000 ndmp
    > Port Scan has completed...


    While you didn't directly answer my question, there is some sort of
    firewall in operation:

    [user]@[host]:~% nmap 98.165.113.143 -p 21,53,554,5009,7070,10000

    Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 15:26 PDT
    Interesting ports on ip98-165-113-143.ph.ph.cox.net (98.165.113.143):
    PORT STATE SERVICE
    21/tcp filtered ftp
    53/tcp filtered domain
    554/tcp filtered rtsp
    5009/tcp filtered airport-admin
    7070/tcp filtered realserver
    10000/tcp filtered snet-sensor-mgmt

    Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds

    That these ports are being filtered is an indication of a firewall
    appliance. You're still running your port scans from within the
    firewall.

    As it's now been confirmed that you're behind a firewall, you're most
    certainly safe with these ports being open on your computer.

    As to your question of why one doesn't want these ports to be world
    accessible, the answer has to do with whether or not one wants anyone
    in the world to be able to access these ports and their associated
    services. If you answer yes, you may just have flunked your driver's
    license test for the infobahn.

    - --
    David Ritz <>
    "Even a paranoid can have enemies." - Henry Kissinger (b. 1923)

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (Darwin)
    Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

    iEYEARECAAYFAk+huGwACgkQUrwpmRoS3usnoQCg3Jy62vJMtEl3ddBi5N9HyXNu
    tAoAn2O6cdArMNrXU1hIXtt2Vm3YDNee
    =tEnk
    -----END PGP SIGNATURE-----
     
    David Ritz, May 2, 2012
    #6
  7. In article <>,
    David Ritz <> wrote:

    > As to your question of why one doesn't want these ports to be world
    > accessible, the answer has to do with whether or not one wants anyone in
    > the world to be able to access these ports and their associated
    > services. If you answer yes, you may just have flunked your driver's
    > license test for the infobahn.


    But if those ports are blocked, how can there be legitimate access from the
    world?

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
    Michelle Steiner, May 2, 2012
    #7
  8. JF Mezei Guest

    Michelle Steiner wrote:

    > But if those ports are blocked, how can there be legitimate access from the
    > world?



    Do you want the world to be able to access your file shares (AFP) from
    china and india ? If not, you get your router to block port 548 but
    leave it running on your mac. This way, the world can't access your AFP
    shares, but other computers in the LAN can.

    If your computer is directly connected to the internet without a router,
    then you have to use the computer's firewall to block those ports or
    disable the service entirely.

    And there are cases where you may wish to enable the port for world
    access. For instance, if you will be out of town for a while and know
    you will need to access files on your home machine while at a hotel, then
    you want to open port 558 and direct it to your home computer while you
    are away. This opens you to attacks, but if you close it when you get
    back, you limit the impact.
     
    JF Mezei, May 3, 2012
    #8
  9. In article <4fa1c346$0$1623$c3e8da3$>,
    JF Mezei <> wrote:

    > > But if those ports are blocked, how can there be legitimate access
    > > from the world?

    >
    >
    > Do you want the world to be able to access your file shares (AFP) from
    > china and india ? If not, you get your router to block port 548 but
    > leave it running on your mac. This way, the world can't access your AFP
    > shares, but other computers in the LAN can.


    I have file sharing set only for my public folder, and it's read only
    except for me.

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
    Michelle Steiner, May 3, 2012
    #9
  10. David Ritz Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wednesday, 02 May 2012 15:56 -0700,
    in article <-september.org>,
    Michelle Steiner <> wrote:

    > In article <>,
    > David Ritz <> wrote:


    >> As to your question of why one doesn't want these ports to be world
    >> accessible, the answer has to do with whether or not one wants
    >> anyone in the world to be able to access these ports and their
    >> associated services. If you answer yes, you may just have flunked
    >> your driver's license test for the infobahn.


    > But if those ports are blocked, how can there be legitimate access
    > from the world?


    OK. Let's go back to your original post in this thread. I've
    narrowed the list of open ports you posted, to those identified by
    name in your port scan.

    > In article <-september.org>,
    > Michelle Steiner <> wrote:


    >> Open TCP Port: 88 kerberos


    kerberos-sec 88/tcp 0.006072 # Kerberos (v5)
    kerberos-sec 88/udp 0.013476 # Kerberos (v5)

    Do you want everyone on the Internet, whether or not you've authorized
    them, to have access to security software and services running on your
    Mac?

    >> Open TCP Port: 515 printer


    printer 515/tcp 0.007214 # spooler (lpd)
    printer 515/udp 0.011022 # spooler (lpd)

    Do you want everyone on the Internet, whether or not you've authorized
    them, to have access to your printer spool and Laser Printer Daemon?

    >> Open TCP Port: 548 afpovertcp


    afp 548/tcp 0.012395 # AFP over TCP
    afp 548/udp 0.000774 # AFP over UDP

    Do you want everyone on the Internet, whether or not you've authorized
    them, to have access to your Apple Filing Protocol shares and network
    services?

    >> Open TCP Port: 631 ipp


    ipp 631/tcp 0.006160 # Internet Printing Protocol -- for one
    implementation see http://www.cups.org (Common UNIX Printing System)
    ipp 631/udp 0.450281 # Internet Printing Protocol

    Do you want everyone on the Internet, whether or not you've authorized
    them, to be able to use your IP connected printer?

    >> Open TCP Port: 3689 daap


    rendezvous 3689/tcp 0.002283 # Rendezvous Zeroconf (used by
    Apple/iTunes)
    daap 3689/udp 0.000330 # Digital Audio Access Protocol

    Do you want everyone on the Internet, whether or not you've authorized
    them, to be able to access your iTunes library? It's only intended
    for sharing over a local network.

    Here, we need to distinguish between private IP space and public IP
    space. Behind your firewall, it appears that you are using services,
    locally, which are not accessible to the outside world. That's a good
    thing.

    I, on the other hand, have _chosen_ to globally open two ports, for
    WWW and Secure Shell. The result is, I see as many as several hundred
    break-in or exploit attacks on those ports, on any given day. Many of
    the sources of these attacks end up in my local ipfw.conf.

    Here's an example from yesterday.

    $ grep -c sshd.\*61.136.171.198 /var/log/secure.log
    104

    That indicates 104 intrusion attempts from that single IP address.

    $ whois -A 61.136.171.198|iprange2cidr.pl
    61.136.128.0/17

    The IP address in question is assigned, by APNIC, to CHINANET-HB.
    CHINANET-HB uses poorly conceived mail filters, which prevents most
    abuse complaints from reaching their NIC designated POC,
    <abuse_hb[at]public.wh.hb.cn>.

    $ grep 61.136.128.0\/17 /etc/ipfilter/ipfw.conf
    add 10050 deny ip from 61.136.128.0/17 to any in

    If CHINANET-HB isn't willing to accept reports of network attacks or
    other abuse, I'm not willing to allow their IP space to have access to
    my property. As a result, I'm currently blocking all of CHINANET-HB.

    $ whois -A CHINANET-HB|iprange2cidr.pl
    27.16.0.0/12
    58.48.0.0/13
    59.172.0.0/14
    61.136.128.0/17
    61.183.0.0/16
    61.184.0.0/16
    103.22.80.0/22
    111.170.0.0/16
    111.172.0.0/14
    111.176.0.0/13
    116.207.0.0/16
    116.208.0.0/14
    119.96.0.0/13
    121.60.0.0/14
    171.40.0.0/13
    171.80.0.0/14
    171.112.0.0/14
    202.103.0.0/18
    202.110.128.0/18
    219.138.0.0/15
    219.140.0.0/16
    221.232.0.0/14

    Right now, I'm composing this message on my world facing box, via SSH,
    Secure SHell, while I'm actually depressing the keys on my laptop, in
    another room. I could as easily be doing the same, using any Internet
    connected computer with an SSH client, from any location in the world.

    (This assumes that the IP address from which I wish to access the
    server, isn't already blocked by my home brew ipfw rules. [ipfw --
    BSD IP firewall and traffic shaper control program])

    I'm not suggesting that you open holes in your world facing firewall.
    Doing so opens a nasty can of worms. For now, you appear to be safely
    behind a firewall. That firewall may exist in your cable modem or
    gateway, which presumably places your router and computer(s) safely
    behind it.

    - --
    David Ritz <>
    "(The Internet is) the largest equivalence class in the reflexive
    transitive symmetric closure of the relationship `can be reached by
    an IP packet from'." - Seth Breidbart


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (Darwin)
    Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

    iEYEARECAAYFAk+h3iUACgkQUrwpmRoS3utu8ACaAxyEutdM0grEMq8LbUw5ppWO
    l3UAn2yVfmQEciEEjPr09tCveS/4r4J2
    =342t
    -----END PGP SIGNATURE-----
     
    David Ritz, May 3, 2012
    #10
  11. Tom Stiller Guest

    In article <>,
    David Ritz <> wrote:

    > I, on the other hand, have _chosen_ to globally open two ports, for
    > WWW and Secure Shell. The result is, I see as many as several hundred
    > break-in or exploit attacks on those ports, on any given day. Many of
    > the sources of these attacks end up in my local ipfw.conf.
    >
    > Here's an example from yesterday.
    >
    > $ grep -c sshd.\*61.136.171.198 /var/log/secure.log
    > 104
    >
    > That indicates 104 intrusion attempts from that single IP address.


    Looks like you could benefit from "fail2ban", a utility to ban IP
    addresses that fail to establish a valid SSH connection after three
    attempts for a [user configurable] period of time.

    --
    PRAY, v. To ask that the laws of the universe be annulled in behalf
    of a single petitioner confessedly unworthy. -- Ambrose Bierce
     
    Tom Stiller, May 3, 2012
    #11
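    What David Ritz does by hand above (grep the auth log for a source address, count the failures, drop a deny rule into ipfw) and what Tom Stiller's fail2ban suggestion automates is the same loop: parse failed logins, count them per source address within a time window, and emit a block rule once a threshold is crossed. The script below is an added example, not code from the thread or from fail2ban or sshdfilter. The log lines are constructed in OpenSSH's usual syslog format (the 61.136.171.198 address is the one from the post; the other addresses are documentation ranges), the threshold and window values are assumed, and the ipfw rule numbers it prints are an assumption modelled on the "add 10050 deny ip from ... to any in" line in the post.

```python
"""Count sshd login failures per source IP and produce ipfw deny rules.

Added example of the fail2ban-style logic discussed in the thread.
Sample log lines are constructed, not real log data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
May  2 03:14:07 mako sshd[4021]: Failed password for root from 61.136.171.198 port 51328 ssh2
May  2 03:14:09 mako sshd[4021]: Failed password for root from 61.136.171.198 port 51328 ssh2
May  2 03:14:12 mako sshd[4023]: Failed password for invalid user oracle from 61.136.171.198 port 51402 ssh2
May  2 03:14:15 mako sshd[4025]: Failed password for root from 61.136.171.198 port 51477 ssh2
May  2 07:02:41 mako sshd[4310]: Failed password for dritz from 192.0.2.44 port 60001 ssh2
May  2 07:02:55 mako sshd[4310]: Accepted publickey for dritz from 192.0.2.44 port 60001 ssh2
May  2 08:30:00 mako sshd[4400]: Failed password for invalid user admin from 198.51.100.7 port 2222 ssh2
"""

# syslog timestamp, host, then sshd's "Failed password" message; the
# "invalid user" prefix appears when the account does not exist.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})"
)


def iter_failures(log_text):
    """Yield (timestamp, username, source_ip) for each failed sshd login."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            stamp, user, ip = m.groups()
            # syslog lines carry no year; strptime defaults to 1900, which is
            # fine because only differences between timestamps are used.
            yield datetime.strptime(stamp, "%b %d %H:%M:%S"), user, ip


def count_failures(log_text):
    """Return (failures per IP, per-IP Counter of usernames tried)."""
    per_ip = Counter()
    users = defaultdict(Counter)
    for _, user, ip in iter_failures(log_text):
        per_ip[ip] += 1
        users[ip][user] += 1
    return per_ip, users


def ban_candidates(log_text, threshold=3, window=600):
    """IPs with at least `threshold` failures inside any `window`-second span.

    Mirrors fail2ban's maxretry/findtime idea (values here are assumed).
    """
    stamps = defaultdict(list)
    for ts, _, ip in iter_failures(log_text):
        stamps[ip].append(ts)
    banned = []
    for ip, times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                banned.append(ip)
                break
    return sorted(banned)


def ipfw_rules(ips, start=10050, step=10):
    """Render deny rules in the ipfw syntax shown in the thread (rule numbers assumed)."""
    return [f"add {start + i * step} deny ip from {ip} to any in" for i, ip in enumerate(ips)]


if __name__ == "__main__":
    per_ip, users = count_failures(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} failures, users tried: {dict(users[ip])}")
    for rule in ipfw_rules(ban_candidates(SAMPLE_LOG)):
        print(rule)
```

    On the constructed input only the first address trips the threshold, and the username breakdown shows most of its attempts were against root, which is why disabling remote root login (as David Ritz notes later in the thread) removes most of the value of such a run. A single mistyped password from a legitimate user stays below the threshold.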
  12. JF Mezei Guest

    An important note:

    The list of ports produced by sudo lsof -i4 -P | grep LISTEN lists all
    the ports where there is a process (of the TCP/IP kernel) ready to accept
    incoming calls on that machine.

    Many of those are legitimate and if you have multiple machines on your
    LAN, you want those (such as 548 for Apple share AFP file transfers).

    The trick is to set your router to block everything from the internet
    except those few ports where you have "publicly accessible" services.

    For instance, if you run a web server, you block all ports except port 80.
     
    JF Mezei, May 3, 2012
    #12
  13. Paul Sture Guest

    On Wed, 02 May 2012 20:23:47 -0500, David Ritz wrote:


    > I, on the other hand, have _chosen_ to globally open two ports, for WWW
    > and Secure Shell. The result is, I see as many as several hundred
    > break-in or exploit attacks on those ports, on any given day. Many of
    > the sources of these attacks end up in my local ipfw.conf.
    >
    > Here's an example from yesterday.
    >
    > $ grep -c sshd.\*61.136.171.198 /var/log/secure.log 104
    >
    > That indicates 104 intrusion attempts from that single IP address.


    I have a similar setup, but after listening to my server disk chattering
    away for hours on end I moved ssh off port 22 to something much higher,
    and blocked port 22 at the router.

    This greatly reduced the number of ssh attacks (and made my office a bit
    quieter - that server's disks were meant for a server room and were quite
    noisy).

    --
    Paul Sture
     
    Paul Sture, May 3, 2012
    #13
  14. David Ritz Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Thursday, 03 May 2012 09:36 +0200,
    in article <>,
    Paul Sture <> wrote:

    > On Wed, 02 May 2012 20:23:47 -0500, David Ritz wrote:


    >> I, on the other hand, have _chosen_ to globally open two ports, for
    >> WWW and Secure Shell. The result is, I see as many as several
    >> hundred break-in or exploit attacks on those ports, on any given
    >> day. Many of the sources of these attacks end up in my local
    >> ipfw.conf.


    >> Here's an example from yesterday.


    >> $ grep -c sshd.\*61.136.171.198 /var/log/secure.log 104


    >> That indicates 104 intrusion attempts from that single IP address.


    > I have a similar setup, but after listening to my server disk
    > chattering away for hours on end I moved ssh off port 22 to
    > something much higher, and blocked port 22 at the router.


    > This greatly reduced the number of ssh attacks (and made my office a
    > bit quieter - that server's disks were meant for a server room and
    > were quite noisy).


    Ah, yes. Security through obscurity can be quite effective.

    I'm using sshdfilter:

    sshdfilter V1.5.7 ssh brute force attack blocker
    http://www.csc.liv.ac.uk/~greg/sshdfilter/

    It's available as a preconfigured installer for Mac OS X from
    <http://projects.seas.columbia.edu/sshdfilter/>.

    Of the 104 attempts noted, almost all were as root. For this simple
    reason, root isn't allowed to log in remotely.

    I don't have the platter clatter problems you note. About the only
    way I'll notice an attack in progress will be a jumping Console icon
    in the Dock. In these instances, I'll kill the attack by immediately
    dropping the attacker's IP address into ipfw.

    - --
    David Ritz <>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (Darwin)
    Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

    iEYEARECAAYFAk+if+YACgkQUrwpmRoS3uvhcACffSYbsypPllNJ3NY7RP36XcnK
    kNwAniDGlVpT5Ycm7HS9ARcHqg4o5QiW
    =oXXh
    -----END PGP SIGNATURE-----
     
    David Ritz, May 3, 2012
    #14
  15. David Ritz Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wednesday, 02 May 2012 22:08 -0400,
    in article <>,
    Tom Stiller <> wrote:

    > Looks like you could benefit from "fail2ban", a utility to ban IP
    > addresses that fail to establish a valid SSH connection after three
    > attempts for a [user configurable] period of time.


    Thanks for the suggestion, Tom. Unfortunately, the Mac OS X installer
    package is no longer available.

    <http://www.fail2ban.org/wiki/index.php/Downloads>
    <quote>
    Mac OS X Installer Package is available [25]here (Site not
    responding)
    [...]
    25. http://macenv.lsa.umich.edu/software.php
    </quote>

    I've downloaded and installed from source. I've also created
    /Library/LaunchDaemons/org.fail2ban.plist, so it should fire up when
    the box boots.

    I've done some configuration for the two world facing services. As
    fail2ban is primarily written for Linux, it appears to depend heavily
    on iptables, which aren't used in the Mac OS.

    I'd be interested as to whether you'd be willing to share a sample
    jail.conf. This email address works. Replying to this message assures
    delivery, as it bypasses my rather draconian SpamAssassin rules.

    TIA.

    - --
    David Ritz <>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (Darwin)
    Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

    iEYEARECAAYFAk+i5+AACgkQUrwpmRoS3uv2GQCeN8Px+qjzCR2KKuYEZC6jx/9p
    2zIAmQFHKH50Gd5U2ihE8uiQDLNF1fXn
    =mvIo
    -----END PGP SIGNATURE-----
     
    David Ritz, May 3, 2012
    #15
  16. Tom Stiller Guest

    In article <>,
    David Ritz <> wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On Wednesday, 02 May 2012 22:08 -0400,
    > in article <>,
    > Tom Stiller <> wrote:
    >
    > > Looks like you could benefit from "fail2ban", a utility to ban IP
    > > addresses that fail to establish a valid SSH connection after three
    > > attempts for a [user configurable] period of time.

    >
    > Thanks for the suggestion, Tom. Unfortunately, the Mac OS X installer
    > package is no longer available.
    >
    > <http://www.fail2ban.org/wiki/index.php/Downloads>
    > <quote>
    > Mac OS X Installer Package is available [25]here (Site not
    > responding)
    > [...]
    > 25. http://macenv.lsa.umich.edu/software.php
    > </quote>
    >
    > I've downloaded and installed from source. I've also created
    > /Library/LaunchDaemons/org.fail2ban.plist, so it should fire up when
    > the box boots.
    >
    > I've done some configuration for the two world facing services. As
    > fail2ban is primarily written for Linux, it appears to depend heavily
    > on iptables, which aren't used in the Mac OS.
    >
    > I'd be interested as to whether you'd be willing to share a sample
    > jail.conf. This email address works. Replying to this message assures
    > delivery, as it bypasses my rather draconian SpamAssassin rules.
    >
    > TIA.



    Happy to share but the file is a little long for a usenet reply. I'll
    attach it to an email.

    --
    PRAY, v. To ask that the laws of the universe be annulled in behalf
    of a single petitioner confessedly unworthy. -- Ambrose Bierce
     
    Tom Stiller, May 3, 2012
    #16
  17. Tom Stiller Guest

    In article <>,
    Jolly Roger <> wrote:

    > In article <>,
    > Tom Stiller <> wrote:
    >
    > > In article <>,
    > > David Ritz <> wrote:
    > >
    > > >
    > > > I'd be interested as to whether you'd be willing to share a sample
    > > > jail.conf. This email address works. Replying to this message assures
    > > > delivery, as it bypasses my rather draconian SpamAssassin rules.
    > > >
    > > > TIA.

    > >
    > >
    > > Happy to share but the file is a little long for a usenet reply. I'll
    > > attach it to an email.

    >
    > Mind shooting me a copy as well? I'm using fail2ban for one thing, but
    > might use it for others if I had a clear example of how to configure it
    > for Mac OS X. : )




    On its way.

    --
    PRAY, v. To ask that the laws of the universe be annulled in behalf
    of a single petitioner confessedly unworthy. -- Ambrose Bierce
     
    Tom Stiller, May 4, 2012
    #17
  18. David Ritz Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Thursday, 03 May 2012 17:55 -0700,
    in article <>,
    Jolly Roger <> wrote:

    > Muchas gracias!


    <AOL></AOL>

    - --
    David Ritz <>
    Be kind to animals; kiss a shark.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.18 (Darwin)
    Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

    iEYEARECAAYFAk+jMSgACgkQUrwpmRoS3uskGgCgpFsjwCzh4l0slsZyC4aGXJzY
    mEEAoPottJAoEl71EnvVDKl1riOO+yMW
    =0F7g
    -----END PGP SIGNATURE-----
     
    David Ritz, May 4, 2012
    #18
  19. In article <-september.org>,
    Michelle Steiner <> wrote:

    > I just ran a port scan on my computer. Can any be safely closed? Are any
    > dangerous to keep open?
    >
    > Port Scan has started…
    >
    > Port Scanning host: 127.0.0.1
    >
    > Open TCP Port: 88 kerberos
    > Open TCP Port: 515 printer
    > Open TCP Port: 548 afpovertcp
    > Open TCP Port: 631 ipp
    > Open TCP Port: 3689 daap
    > Open TCP Port: 4488
    > Open TCP Port: 5900 rfb
    > Open TCP Port: 6258
    > Open TCP Port: 8228
    > Open TCP Port: 17500
    > Open TCP Port: 26164
    > Open TCP Port: 56757
    > Port Scan has completed…


    It depends on what IP address they're listening on. 127.XX.XX.XX and
    ::1 are strictly for local traffic (localhost) so that processes can
    send messages to each other using existing TCP/IP APIs. Those higher
    numbered ports look like processes talking to each other on a localhost
    address.

    88 is an authentication server used by MacOS
    515 and 631 are printer sharing
    548 is Apple file sharing
    3689 is iTunes sharing
    5900 is VNC

    Run the scan on your public IP address. If you don't have a public IP
    address due to NAT to a LAN, then there's not much to worry about as
    long as your LAN doesn't have unsecured WiFi on it.
    --
    I will not see posts from Google because I must filter them as spam
     
    Kevin McMurtrie, May 4, 2012
    #19
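    Kevin McMurtrie's point, that what matters is the address a listener is bound to, and JF Mezei's earlier `sudo lsof -i4 -P | grep LISTEN` command fit together: a scan of 127.0.0.1 cannot tell a loopback-only listener from one bound to every interface, but the lsof output can. The script below is an added example (not from the thread) that parses lsof's LISTEN lines and groups each listening port by bind scope. The lsof rows are constructed with generic process names (port numbers match the original scan; which process owns which port on Michelle's Mac is not known from the thread), and the layout assumes lsof run with `-P` and `-n` so ports and addresses are printed numerically; `[::1]` rows come from the IPv6 listing that `-i4` alone would omit.

```python
"""Group listening TCP sockets from lsof output by the address they bind to.

Added example. The lsof rows below are constructed; real output comes from
    sudo lsof -nP -iTCP -sTCP:LISTEN
"""
import re
from ipaddress import ip_address

LSOF_OUTPUT = """\
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1     root   29u  IPv4 0x0001      0t0  TCP *:548 (LISTEN)
launchd       1     root   31u  IPv4 0x0002      0t0  TCP *:88 (LISTEN)
launchd       1     root   33u  IPv4 0x0003      0t0  TCP *:5900 (LISTEN)
cupsd        42     root    8u  IPv4 0x0004      0t0  TCP 127.0.0.1:631 (LISTEN)
mediasrv    311 michelle   22u  IPv4 0x0005      0t0  TCP *:3689 (LISTEN)
pwagent     320 michelle   14u  IPv4 0x0006      0t0  TCP 127.0.0.1:6258 (LISTEN)
helper      330 michelle   15u  IPv6 0x0007      0t0  TCP [::1]:8228 (LISTEN)
syncagent   340 michelle   40u  IPv4 0x0008      0t0  TCP 0.0.0.0:17500 (LISTEN)
"""

# NAME column of a listening socket: "<addr>:<port> (LISTEN)"; the address
# is "*" for all interfaces, a bracketed IPv6 literal, or a dotted IPv4.
LISTEN = re.compile(r"TCP\s+(\S+):(\d+)\s+\(LISTEN\)")

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


def bind_scope(host):
    """Classify a bind address: all interfaces, loopback, or one specific address."""
    if host in WILDCARDS:
        return "all interfaces"
    if host == "localhost":  # seen when lsof is run without -n
        return "loopback"
    try:
        addr = ip_address(host.strip("[]"))
    except ValueError:
        return "specific address"
    return "loopback" if addr.is_loopback else "specific address"


def classify_listeners(lsof_text):
    """Return {scope: [(port, command), ...]} for every LISTEN row."""
    result = {"all interfaces": [], "loopback": [], "specific address": []}
    for line in lsof_text.splitlines():
        m = LISTEN.search(line)
        if not m:
            continue
        command = line.split()[0]
        host, port = m.group(1), int(m.group(2))
        result[bind_scope(host)].append((port, command))
    for rows in result.values():
        rows.sort()
    return result


def lan_reachable_ports(lsof_text):
    """Ports other LAN hosts can reach (subject to the host firewall)."""
    report = classify_listeners(lsof_text)
    return [port for port, _ in report["all interfaces"] + report["specific address"]]


if __name__ == "__main__":
    for scope, rows in classify_listeners(LSOF_OUTPUT).items():
        print(scope + ":")
        for port, command in rows:
            print(f"  {port:>6}  {command}")
```

    Everything in the "loopback" bucket is the "processes talking to each other on a localhost address" case from the post and is unreachable from any other machine regardless of the firewall; the "all interfaces" bucket is the list worth checking against the router's port forwards and the Mac's own firewall settings.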
  20. Paul Sture Guest

    On Thu, 03 May 2012 15:03:36 -0700, Jolly Roger wrote:

    > Mind shooting me a copy as well? I'm using fail2ban for one thing, but
    > might use it for others if I had a clear example of how to configure it
    > for Mac OS X. : )


    Same here please.

    I can host it for folks if there's the demand, subject to copyright etc.

    --
    Paul Sture
     
    Paul Sture, May 4, 2012
    #20