Port 5900 open, no vnc programs installed

I have ghost ports, in particular 5900 for vnc. However, there is no vnc software seen through zypper/yast.
When I grep 5900 in /etc/services, it does find the following:
grep rfb /etc/services
rfb 5900/tcp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]
rfb 5900/udp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]

Running nmap from another machine returns:

nmap -sS 192.168.181.30

Starting Nmap 4.75 ( http://nmap.org ) at 2013-10-03 20:13 EDT
Interesting ports on prod-lb01.********.com (192.168.181.30):
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5800/tcp open vnc-http
5900/tcp open vnc
MAC Address: 00:50:56:A5:34:59 (VMWare)

Firewall is off (inside a secure network). I suppose I need to remove rfb, but I cannot find how to remove rfb. Has anyone done this, or have any advice?
Oh, and this is to pass PCI compliance…
Thanks

On 10/03/2013 06:24 PM, sysengPS wrote:

> I have ghost ports, in particular 5900 for vnc. However, there is no vnc
> software seen through zypper/yast.
> When I grep 5900 in /etc/services, it does find the following:
> grep rfb /etc/services
> rfb 5900/tcp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]
> rfb 5900/udp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]

In Yast you should be able to find a setting for ‘Remote Administration’
that is part of Gnome or X or something that is probably causing this.
You can find out for sure which executable has this bound using ‘ss’ or
‘netstat’:

Code:

/usr/sbin/ss -planeto | grep :5900

> running nmap from another machine returns:
>
> nmap -sS 192.168.181.30
>
> Starting Nmap 4.75 ( http://nmap.org ) at 2013-10-03 20:13 EDT
> Interesting ports on prod-lb01.********.com (192.168.181.30):
> Not shown: 994 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 111/tcp open rpcbind
> 443/tcp open https
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> MAC Address: 00:50:56:A5:34:59 (VMWare)
>
> Firewall is off (inside a secure network). I suppose I need to remove

Unless you have a reason to turn it off (I’ve yet to hear a great one,
except on a honeypot) you should leave it enabled. Allowing services is
trivial and adds a lot of protection just in case. Most successful
attacks are from the inside where trust is given too freely and firewalls
protect against anybody, insider or outsider, escalating privileges through
a secure network, from doing unexpected things.

Good luck.

vino server had them open. Didn’t know what to search for. Thanks for the help.
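
The `ss` check suggested in the reply above, carried one step further, as an added example that is not part of the original thread: it parses `ss` output for a given port and, on a live RPM-based host, resolves the listening PID to its binary and owning package, which is how a listener such as vino-server shows up even when no package with "vnc" in its name is installed. The sample `ss` lines, the PIDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a listening TCP port to its process and owning RPM.

# Constructed sample of `ss -plnt` output (not captured from the poster's host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*    users:(("sshd",pid=1200,fd=3))
LISTEN 0      5      :::5900            :::*   users:(("vino-server",pid=2345,fd=12))
LISTEN 0      5      *:5800             *:*    users:(("vino-server",2345,11))
LISTEN 0      5      *:5901             *:*
EOF
}

# Read ss output on stdin; print "port pid name" per listener on port $1.
# Accepts both users:(("name",pid=N,fd=M)) and the older users:(("name",N,M)).
# pid and name are "?" when ss was run without root and shows no users: field.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")        # field 4 is local address:port
            if (part[n] != port) next
            name = "?"; pid = "?"
            if (match($0, /users:\(\("[^"]+",(pid=)?[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s)  # s is now: name",pid=N  or  name",N
                name = s; sub(/".*/, "", name)
                pid = s;  sub(/.*,(pid=)?/, "", pid)
            }
            print port, pid, name
        }'
}

# Live check: resolve each listener to its binary and the package shipping it.
report_port() {
    ss -plnt | listeners_on_port "$1" | while read -r port pid name; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="unknown"
        pkg=$(rpm -qf "$exe" 2>/dev/null) || pkg="no owning package found"
        echo "port $port: $name (pid $pid) exe=$exe package=$pkg"
    done
}

# Ports given as arguments are checked against the live system.
for p in "$@"; do report_port "$p"; done
```

Run it as root with the ports as arguments (for example `5900 5800`); without root, `ss -p` omits other users' processes and the script reports `?` for the PID and name.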