xx.xx.xx.xx is a public ip address
Code: Select all
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open port 110/tcp on xx.xx.xx.xx
Discovered open port 119/tcp on xx.xx.xx.xx
Discovered open port 143/tcp on xx.xx.xx.xxNMAP scan results
I am doing testing against one of my routers using nmap. My firewall config adds ports scanners to a drop list and does appear to be dropping packets quickly after the scan is initiated but nmap continues to return these results:
xx.xx.xx.xx is a public ip address
I can telnet to these ports and I have no services running on them. Maybe it's my lack of knowledge, but can they be disabled if not needed on Mikrotik?
xx.xx.xx.xx is a public ip address
Re: NMAP scan results
25? 110? maybe it's some dst-nat?..
Re: NMAP scan results
I wouldn't think so, these are my only NAT rules
Code: Select all
[admin@mt-router] > ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT
chain=srcnat action=masquerade src-address=10.10.10.0/24
out-interface=ether1
1 ;;; VPN
chain=dstnat action=netmap to-addresses=10.10.10.10 to-ports=60000
protocol=udp dst-port=60000
2 ;;; Proxy
chain=dstnat action=redirect to-ports=9090 protocol=tcp dst-port=80 
Re: NMAP scan results
configure firewall in the input chain. nothing is blocked by default. no idea why these ports show up, though
Re: NMAP scan results
I am doing an nmap intense scan and it still returns those 4 ports listed in my first post as being filtered open. I can still telnet into each port also.
Here is the relevant parts of my firewall config:
NAT Rules are in a previous post if you need to refer to them.
Code: Select all
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open|filtered port 25/tcp on xx.xx.xx.xx (xx.xx.xx.xx) is actually open
Discovered open port 110/tcp on xx.xx.xx.xx
Discovered open|filtered port 110/tcp on xx.xx.xx.xx (xx.xx.xx.xx) is actually open
Discovered open port 119/tcp on xx.xx.xx.xx
Discovered open|filtered port 119/tcp on xx.xx.xx.xx (xx.xx.xx.xx) is actually open
Discovered open port 143/tcp on xx.xx.xx.xx
Discovered open|filtered port 143/tcp on xx.xx.xx.xx (xx.xx.xx.xx) is actually open
Code: Select all
[admin@mt-router] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop blocked addresses
chain=input action=drop src-address-list=BlockAddress in-interface=ether1
1 ;;; Allow established connections
chain=input action=accept connection-state=established
2 ;;; Allow related connections
chain=input action=accept connection-state=related
3 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
4 ;;; Accept safe addresses SSH and Winbox
chain=input action=accept protocol=tcp src-address-list=SafeAddress in-interface=ether1 dst-port=8291,39800
5 ;;; Port Knocking
chain=input action=add-src-to-address-list protocol=udp address-list=PortKnock1 address-list-timeout=10s in-interface=ether1 dst-port=1000
6 chain=input action=add-src-to-address-list protocol=tcp src-address-list=PortKnock1 address-list=PortKnock2 address-list-timeout=10s in-interface=ether1
dst-port=2000
7 chain=input action=add-src-to-address-list protocol=udp src-address-list=PortKnock2 address-list=SafeAddress address-list-timeout=15m in-interface=ether>
dst-port=3000
8 ;;; Accept all traffic from the LAN
chain=input action=accept in-interface=!ether1
;;; NEW: DID NOT DROP ANY PACKETS
9 chain=input action=drop protocol=tcp in-interface=ether1 dst-port=25
10 chain=input action=drop protocol=tcp in-interface=ether1 dst-port=110
11 chain=input action=drop protocol=tcp in-interface=ether1 dst-port=119
12 chain=input action=drop protocol=tcp in-interface=ether1 dst-port=143
13 ;;; Drop port scanners
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=BlockAddress address-list-timeout=4w2d in-interface=ether1
14 chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=BlockAddress address-list-timeout=4w2d
in-interface=ether1
15 chain=input action=log tcp-flags=syn protocol=tcp src-address-list=!SafeAddress in-interface=ether1 log-prefix="SYN:"
16 chain=input action=add-src-to-address-list tcp-flags=ack connection-state=new protocol=tcp address-list=BlockAddress address-list-timeout=4w2d
in-interface=ether1
17 chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=BlockAddress address-list-timeout=4w2d in-interface=ether1
18 chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=BlockAddress address-list-timeout=4w2d in-interface=ether1
19 chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg protocol=tcp address-list=BlockAddress address-list-timeout=4w2d in-interface=ether1
20 chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=BlockAddress address-list-timeout=4w2d
in-interface=ether1
21 chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=BlockAddress address-list-timeout=4w2d
in-interface=ether1
22 X ;;; Allow WAN ping
chain=input action=accept protocol=icmp in-interface=ether1 limit=5,5
23 ;;; Drop everything else
chain=input action=drop in-interface=ether1
24 ;;; Drop spam machines
chain=forward action=drop src-address-list=SpamAddress
25 chain=forward action=add-src-to-address-list protocol=tcp address-list=SpamAddress address-list-timeout=0s dst-port=25 connection-limit=25,32 limit=50,5
Code: Select all
[admin@mt-router] /ip firewall> address-list pr
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 ;;; Known addresses
SafeAddress xx.xx.xx.xx
1 ;;; Banned addresses
BlockAddress 0.0.0.0/7
2 BlockAddress 2.0.0.0/8
3 BlockAddress 5.0.0.0/8
4 BlockAddress 10.0.0.0/8
5 BlockAddress 14.0.0.0/8
6 BlockAddress 23.0.0.0/8
7 BlockAddress 27.0.0.0/8
8 BlockAddress 31.0.0.0/8
9 BlockAddress 36.0.0.0/7
10 BlockAddress 39.0.0.0/8
11 BlockAddress 42.0.0.0/8
12 BlockAddress 46.0.0.0/8
13 BlockAddress 49.0.0.0/8
14 BlockAddress 50.0.0.0/8
15 BlockAddress 100.0.0.0/6
16 BlockAddress 104.0.0.0/6
17 BlockAddress 109.0.0.0/8
18 BlockAddress 127.0.0.0/8
19 BlockAddress 169.254.0.0/16
20 BlockAddress 172.16.0.0/12
21 BlockAddress 175.0.0.0/8
22 BlockAddress 176.0.0.0/5
23 BlockAddress 185.0.0.0/8
24 BlockAddress 192.0.2.0/24
25 BlockAddress 192.168.0.0/16
26 BlockAddress 198.18.0.0/15
27 BlockAddress 223.0.0.0/8
28 BlockAddress 224.0.0.0/3
Code: Select all
[clydeherd@MikroTik] /ip service> pr
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 X telnet 23000 0.0.0.0/0
1 X ftp 21000 0.0.0.0/0
2 X www 28000 0.0.0.0/0
3 ssh 39800 0.0.0.0/0
4 X www-ssl 443 0.0.0.0/0 none
5 X api 8728 0.0.0.0/0
6 winbox 8291 0.0.0.0/0
Re: NMAP scan results
I believe that there was a bug in some NMAP version that caused it to report some ports on any device, even if they actually were not open ... 
Re: NMAP scan results
Thanks normis,
but I can actually telnet into those ports, even from addresses on my BlockList. No services are running on these ports that I have, but it still seems quite strange.
but I can actually telnet into those ports, even from addresses on my BlockList. No services are running on these ports that I have, but it still seems quite strange.
Re: NMAP scan results
add top filter rule 'chain=input dst-port=25 action=drop' and see whether you can telnet to port 25 =) if you can - so I believe it's some kind of dst-NAT and you connect not to your router %)
-
-
NetworkPro
Forum Guru
- Posts: 1376
- Joined:
- Location: bit.ly/the-qos
- Contact:
Re: NMAP scan results
Win32 ? Firewall in between, like bound to Ethernet adapter? Unbind, try again.
Who is online
Users browsing this forum: anwarkollam, Techsystem and 23 guests