Cisco 1811 - Security - Troubleshoot open ports
08-23-2010 11:08 AM - edited 03-04-2019 09:31 AM
Hi,
after a couple of weeks of lab practice, today I connected one of my new Cisco 1811 routers to an ISP ADSL line.
PPP connect went fine, after that I ran a quick scan using NMAP on the router from the outside.
Here is the result:
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
1720/tcp filtered H.323/Q.931
Well, I remember I configured SSH and disabled telnet during practice in the lab. But I can't remember doing anything FTP related.
I also read FTP is disabled by default on IOS.
What I'd like to know is: what is "tcpwrapped" on port 21? I don't think it's an FTP service as I wasn't able to connect to it using an FTP client.
Windows and Linux both have onboard utilities to troubleshoot listening ports, are there similar commands for IOS? How can I find out what is listening on a specific port?
What is the recommended way to post running config on this forum? I'd like to keep my posts clear.
Thanks in advance
Sebastian
08-23-2010 11:54 AM
Hi Sebastian,
You may be running a 12.4 IOS in which case you could try the show ip sockets command. Unfortunately, in 12.4(11)T it has been replaced by other commands that do not display open TCP sockets readily (anybody knowing better here PLEASE let us know if there is any way to display open TCP sockets under 12.4(11)T and newer!)
But I'd say that the NMAP probably saw a NATted port. Is it possible to repeat the experiment and have the same results over and over again?
Best regards,
Peter
08-24-2010 02:42 AM
Thanks for your reply Peter,
I'm running c181x-advipservicesk9-mz.124-15.T13.bin - "show ip sockets" didn't work for me.
However, I found this command:
hydra#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 192.168.7.105:2003 SSH-Server ESTABLIS
Which is also strange; according to this output I would expect NMAP to display port 23 as open as well.
Yes, the NMAP scan output on the WAN interface is reproducible. I also noticed the scan result is different on the LAN, it only displays port 22 as open (which is correct). I did not configure any NAT rule for port 21 for the WAN interface. So it must be some default thing.
Best regards,
Sebastian
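As an added example (not code from the thread or from Cisco), a small Python script that parses the two outputs quoted above and lists which externally open ports have a matching LISTEN socket on the router. The sample text is constructed inline from the thread's own captures so it runs offline; a port that is open from outside with no local listener points to something upstream of IOS, such as NAT or the ISP, and nmap's "tcpwrapped" label means the TCP handshake completed but the connection was closed without any banner.

```python
import re

# Captures as quoted in this thread, embedded here so the script runs
# offline; replace them with your own nmap and IOS output.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
1720/tcp filtered H.323/Q.931
"""

IOS_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 192.168.7.105:2003 SSH-Server ESTABLIS
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
IOS_LINE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+\S+\s+(\S+)\s+LISTEN")

def parse_nmap(text):
    """Return {port: (state, service)} for the TCP rows of an nmap table."""
    result = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m and m.group(2) == "tcp":
            result[int(m.group(1))] = (m.group(3), m.group(4))
    return result

def parse_ios_listeners(text):
    """Return {port: service} for TCP sockets in LISTEN state."""
    result = {}
    for line in text.splitlines():
        m = IOS_LINE.match(line.strip())
        if m and m.group(1) == "tcp":
            result[int(m.group(2))] = m.group(3)
    return result

def compare(nmap_text, ios_text):
    """Classify ports: reachable router listener, upstream-only, or hidden."""
    seen = parse_nmap(nmap_text)
    local = set(parse_ios_listeners(ios_text))
    open_outside = {p for p, (state, _) in seen.items() if state == "open"}
    return {
        "router_listener_reachable": sorted(open_outside & local),
        "open_but_not_on_router": sorted(open_outside - local),  # NAT/ISP?
        "router_listener_not_reachable": sorted(local - open_outside),
        "tcpwrapped": sorted(p for p, (_, svc) in seen.items() if svc == "tcpwrapped"),
    }

if __name__ == "__main__":
    print(compare(NMAP_OUTPUT, IOS_OPEN_PORTS))
```

For the thread's captures this reports port 22 as a reachable router listener, port 21 as open outside but absent from the router, and port 23 as a router listener not reachable from the WAN.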
08-27-2010 09:41 AM
I'm gonna bump this now since I still don't know what is listening on port 21 on the WAN interface, and I don't know how to disable it.
As a rookie I'm quite surprised that there seems to be no troubleshooting tool for this kind of issue. I mean... even Windows gives you tools for that, like the netstat, findstr and tasklist commands.
