[NCSA-discuss] a shameful problem

Robbie Foust rfoust at duke.edu
Fri Jun 23 00:10:20 EDT 2006


At first glance, there is nothing unusual about the ports you listed
below.  Most are for RPC and DCOM (dynamic ports), and SMB.  You
might want to open 3389 up in addition to the ports you listed, but I
can't remember if Citrix needs that port or not (3389 is RDP/remote
desktop).

Unfortunately your best bet for securing that box is probably to use
IPsec rules.  It's not great, but it will be better than nothing.
Just allow the ports you want and drop everything else.

Go to Start->Run and type "mmc" and add the IPsec snap-in, and
configure it there. :-)  If you're feeling adventurous, it's better to
script it so you'll know exactly what you did.

Hope this helps,

- Robbie

--
Robbie Foust, CISSP, A+
Windows/Netware Tech Lead
OIT/CSI - Duke University
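[Editor's note: the script below is an added example for the "script it" suggestion above; it is not Robbie's or Jason's code. It uses the netsh ipsec static context that ships with Windows Server 2003 to build and assign a local IPsec policy that permits only the ports Jason asked for (TCP 80, 443 and 1494), permits RDP from a single admin host, and blocks everything else. The policy and filter-list names, and the admin address 192.0.2.10, are assumptions chosen for illustration.]

```batch
@echo off
rem Added example (not from the original thread): lock down a public-facing
rem Windows Server 2003 host with a local IPsec policy via "netsh ipsec static".
rem Policy/filter names and the admin address are assumptions for illustration.
setlocal

set POLICY=Citrix-Lockdown
set ADMIN_IP=192.0.2.10

rem Start clean: unassign and delete any previous copy of the policy.
netsh ipsec static set policy name="%POLICY%" assign=n >nul 2>&1
netsh ipsec static delete policy name="%POLICY%" >nul 2>&1

rem Two filter actions: pass traffic in the clear, or drop it.
netsh ipsec static add filteraction name="%POLICY%-Permit" action=permit
netsh ipsec static add filteraction name="%POLICY%-Block" action=block

rem Filter list 1: the public services.  mirrored=yes also creates the
rem matching reply filter so the server's responses are allowed back out.
rem srcport=0 means "any source port".
netsh ipsec static add filterlist name="%POLICY%-Public"
for %%P in (80 443 1494) do (
    netsh ipsec static add filter filterlist="%POLICY%-Public" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes description="TCP %%P from anywhere"
)

rem Filter list 2: RDP, but only from the admin workstation, so you cannot
rem lock yourself out while still keeping 3389 off the public Internet.
netsh ipsec static add filterlist name="%POLICY%-Admin"
netsh ipsec static add filter filterlist="%POLICY%-Admin" srcaddr=%ADMIN_IP% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP from admin host"

rem Filter list 3: everything else.  IPsec applies the most specific matching
rem filter, so the port-specific permit filters above still win over this one.
netsh ipsec static add filterlist name="%POLICY%-All"
netsh ipsec static add filter filterlist="%POLICY%-All" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="All other traffic"

rem Tie filter lists to actions inside one policy, then assign (activate) it.
netsh ipsec static add policy name="%POLICY%" description="Permit 80/443/1494, RDP from admin, block the rest" assign=n
netsh ipsec static add rule name="Permit-Public" policy="%POLICY%" filterlist="%POLICY%-Public" filteraction="%POLICY%-Permit"
netsh ipsec static add rule name="Permit-Admin-RDP" policy="%POLICY%" filterlist="%POLICY%-Admin" filteraction="%POLICY%-Permit"
netsh ipsec static add rule name="Block-All" policy="%POLICY%" filterlist="%POLICY%-All" filteraction="%POLICY%-Block"
netsh ipsec static set policy name="%POLICY%" assign=y

rem Show what is now active so the change is on record.
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Two caveats before assigning this on a live box. First, the mirrored block-all filter stops the server's own outbound connections too (DNS, NTP, any domain traffic, the Citrix Web Interface talking to its XML service if that lives elsewhere), so add explicit permit filters for those destinations before you assign the policy, and run it from the console or from the admin host that the RDP rule allows. Second, IPsec filters never touch loopback traffic, so the 127.0.0.1 listeners in Jason's list are unaffected, and IKE (UDP 500/4500) stays exempt from IPsec filtering by design; neither needs a rule. After assigning, confirm from another machine that only 80, 443 and 1494 answer.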



On Jun 22, 2006, at 11:50 PM, Jason Tower wrote:

> ok, i'm ashamed and embarrassed to admit it, but i have one windows
> server that i have to administer.  it's a citrix server running
> under vmware, and here's the catch: i need to run it with a public
> ip address - no external firewall, no nat.
>
> now, on a real server (read: *nix) i simply turn off all services  
> that i don't want, verify with 'netstat -an' that only the ports i  
> want listening are actually open, and away i go.  on this  
> godforsaken windows box running 'netstat -an' yields the following  
> (note that it is currently behind a nat device, hence the 10.1.1.11  
> ip):
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:2512           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:2513           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
>   TCP    0.0.0.0:27000          0.0.0.0:0              LISTENING
>   TCP    10.1.1.11:139          0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
>   TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING
>   UDP    0.0.0.0:445            *:*
>   UDP    0.0.0.0:500            *:*
>   UDP    0.0.0.0:1037           *:*
>   UDP    0.0.0.0:1041           *:*
>   UDP    0.0.0.0:1276           *:*
>   UDP    0.0.0.0:1434           *:*
>   UDP    0.0.0.0:1604           *:*
>   UDP    0.0.0.0:3701           *:*
>   UDP    0.0.0.0:3771           *:*
>   UDP    0.0.0.0:3820           *:*
>   UDP    0.0.0.0:4057           *:*
>   UDP    0.0.0.0:4094           *:*
>   UDP    0.0.0.0:4309           *:*
>   UDP    0.0.0.0:4500           *:*
>   UDP    0.0.0.0:4561           *:*
>   UDP    0.0.0.0:4615           *:*
>   UDP    10.1.1.11:123          *:*
>   UDP    10.1.1.11:137          *:*
>   UDP    10.1.1.11:138          *:*
>   UDP    127.0.0.1:123          *:*
>   UDP    127.0.0.1:3768         *:*
>   UDP    127.0.0.1:3817         *:*
>   UDP    127.0.0.1:4054         *:*
>   UDP    127.0.0.1:4091         *:*
>   UDP    127.0.0.1:4186         *:*
>   UDP    127.0.0.1:4306         *:*
>   UDP    127.0.0.1:4487         *:*
>   UDP    127.0.0.1:4558         *:*
>   UDP    127.0.0.1:4612         *:*
>   UDP    127.0.0.1:4651         *:*
>
> holy smegging crap, this is what redmond considers "secure"?  the  
> only external ports i want open are tcp 80/443 for the citrix web  
> interface, and tcp 1494 for citrix itself.  presumably i can ignore  
> the ports bound to 127.0.0.1 but i don't have a clue about all the  
> others, or how to disable them.  if anyone can help me prepare this
> box for public ip duty, lunch (including beer) is on me.
>
> jason
> _______________________________________________
> ncsa-discussion mailing list
> ncsa-discussion at ncsysadmin.org
> http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
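[Editor's note: the script below is an added example, not code from either poster. It does on Windows what Jason does with 'netstat -an' on *nix, but goes one step further: it maps every listening TCP port and bound UDP port in the netstat output to the owning process ID and, via tasklist /svc, to the services hosted in that process, so each entry in his list can be traced to something concrete before deciding whether to stop the service or just block the port. It assumes the netstat -o and tasklist /svc options available on Windows XP and Server 2003; no other names or hosts are assumed.]

```batch
@echo off
rem Added example (not from the original thread): map each listening port to
rem the process and services that own it.  Assumes netstat -o and tasklist /svc
rem as shipped with Windows XP / Server 2003.
setlocal enabledelayedexpansion

echo Proto  Local Address           PID     Image,PID,Services (from tasklist /svc)
echo --------------------------------------------------------------------------
rem netstat -ano prints TCP rows as: Proto Local Foreign State PID
rem and UDP rows as:                  Proto Local Foreign PID
rem so the PID is token 5 for TCP and token 4 for UDP.  findstr /l keeps only
rem listening TCP sockets and bound UDP sockets ("*:*" foreign address).
for /f "tokens=1,2,4,5" %%A in ('netstat -ano ^| findstr /l /c:"LISTENING" /c:"*:*"') do (
    if "%%A"=="TCP" (set OWNER=%%D) else (set OWNER=%%C)
    set LINE=no matching process
    rem tasklist /svc lists the services running inside the process, which is
    rem what tells RPC (RpcSs) apart from DCOM (DcomLaunch) in a shared svchost.
    for /f "delims=" %%X in ('tasklist /svc /fi "PID eq !OWNER!" /fo csv /nh') do set LINE=%%X
    echo %%A    %%B    !OWNER!    !LINE!
)
endlocal
```

Read the output alongside the netstat listing: the high numbered TCP and UDP ports (1025, 1036, 1039 and the 3xxx/4xxx UDP range) should resolve to svchost.exe instances or to the Citrix processes rather than to anything unexpected, and 1433/1434 will point at the SQL Server instance that Citrix's data store uses. Anything that maps to a service you do not need can be stopped and disabled with "sc stop" and "sc config <name> start= disabled", and re-running this script confirms the port is gone; whatever must stay is what the IPsec policy should limit to the addresses that need it.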


