Your network toolbox should contain a port scanner, a handy tool that scans a target host looking for active ports. Among its many uses, the Chesapeake Port Scanner will allow you to validate your access list configurations. Simply start a scan of a target host on the remote side of your filtering router and you can see which services are reachable through it.
Access List Validation
For example, a quick scan of your web server from outside your network shows you what a possible hacker might see in Output 1.
Since this is a web server, only port 80 (www) should be allowed through. A quick rewrite of your access list will prevent the other ports from becoming available to hackers.
Output 1
Starting Scan.
Target Host: www.yourcompany.com
TCP Port :7 (echo)
TCP Port :9 (discard)
TCP Port :13 (daytime)
TCP Port :19 (chargen)
TCP Port :21 (ftp)
TCP Port :23 (telnet)
TCP Port :25 (smtp)
TCP Port :37 (time)
TCP Port :53 (domain)
TCP Port :79 (finger)
TCP Port :80 (www)
TCP Port :110 (pop)
TCP Port :111 (sunrpc)
Finished.
! Let outgoing TCP connections back in
! 10.99.0.1 is the web server ip address
! (IOS needs the "host" keyword, or a 0.0.0.0 wildcard mask, before a single address)
access-list 110 permit tcp any host 10.99.0.1 established
! Permit The WWW
access-list 110 permit tcp any host 10.99.0.1 eq www
! Just deny everything else
access-list 110 deny ip any host 10.99.0.1
Trying that scan again to verify the access list operation:
Starting Scan.
Target Host: www.yourcompany.com
TCP Port :80 (www)
Finished.
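To see why the rewritten access list reduces Output 1 to a single port, here is an added Python model of the IOS evaluation rules (first match wins, implicit deny at the end, and "established" matching only segments that carry ACK or RST). It is example code written for this article, not part of the Chesapeake Port Scanner or of IOS; the ACL text is a constructed copy of the three lines above, the port list is the one from Output 1, and the model only understands the "any" and "host" address forms.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed copy of the access list shown above, with the `host` keyword
# IOS requires in front of a single destination address.
ACL_TEXT = """
! Let outgoing TCP connections back in
! 10.99.0.1 is the web server ip address
access-list 110 permit tcp any host 10.99.0.1 established
! Permit The WWW
access-list 110 permit tcp any host 10.99.0.1 eq www
! Just deny everything else
access-list 110 deny ip any host 10.99.0.1
"""

# Port keywords IOS accepts in place of numbers (subset used here).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "pop3": 110}

# The ports the first scan in Output 1 found open.
OUTPUT1_PORTS = [7, 9, 13, 19, 21, 23, 25, 37, 53, 79, 80, 110, 111]


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: str                  # "any" or a host address
    dst: str
    dst_port: Optional[int]   # set by "eq <port>"
    established: bool         # matches only TCP segments with ACK or RST set


def _address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Parse `any` or `host A.B.C.D`; the wildcard-mask form is not modelled."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_acl(text: str) -> List[Rule]:
    """Turn extended access-list lines into Rule objects, skipping '!' comments."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _address(t, 4)
        dst, i = _address(t, i)
        dst_port, established = None, False
        while i < len(t):
            if t[i] == "eq":
                dst_port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        rules.append(Rule(action, proto, src, dst, dst_port, established))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dst_port: int, flags: Set[str]) -> str:
    """First matching entry decides; an IOS access list ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.established and not (flags & {"ACK", "RST"}):
            continue
        return r.action
    return "deny"


def scan_through_acl(rules: List[Rule], scanner: str, target: str,
                     ports: List[int]) -> List[int]:
    """Ports a connect scan still reaches: its first segment carries SYN only."""
    return [p for p in ports
            if evaluate(rules, "tcp", scanner, target, p, {"SYN"}) == "permit"]


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print("visible from outside:", scan_through_acl(rules, "192.0.2.9", "10.99.0.1", OUTPUT1_PORTS))
    print("return traffic to port 25 (ACK set):",
          evaluate(rules, "tcp", "192.0.2.9", "10.99.0.1", 25, {"ACK"}))
```

The model makes the point of the "established" line explicit: a reply segment to the web server's own outbound connection is permitted, but a scanner's fresh SYN to the same port is not, so after the rewrite only port 80 survives the scan.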
Scanning New Systems
Another use for the port scanner is the testing of newly installed systems and servers. Scanning a new server shows all of its active ports. This is an equally important step on Unix and Windows NT: a new system might have services active that have not been configured properly or have simply been overlooked.
How it Works
Normally, a scanner waits for a response from one port before moving on to the next, which slows the scan. Our multithreaded scanner takes a range of ports and divides it among a series of threads, so that as many ports as possible are probed each second. The scanner takes the range of ports given by the user; the default range is 1 to 65535, the highest possible port on a machine. The port range is then divided among the number of threads you have assigned, which defaults to 10. The polling speed increases with the number of parallel threads. After the threads are assigned a port address space, they are instructed to begin polling. A TCP connection is attempted at every port, and the result determines whether the target host is listening for connections on that port.
On UNIX machines the port scanning is very fast, but on Windows 95 and Windows NT we find that each port takes about half a second to poll. This is probably an issue with the Java Virtual Machine implementation for PCs. Starting the maximum number of threads will help the scan go as quickly as possible. Any active port is always a possible hacker penetration point. Try it yourself by telnetting to any port that our scanner reports. At the command line (UNIX, Win95 and NT) use the following syntax:
telnet mycompany.com 25
What you might see:
220 ESMTP mycompany.com Sendmail 8.8.6/8.7.3; Wed, 27 Aug 1997 13:45:10 -0400 (EDT)
This example shows Sendmail responding to our telnet connection (port 25 is the SMTP port). Depending on the port you choose, you will receive different replies. This is a valuable method of checking your software versions against CERT advisories. Use the information gathered by the port scanner to improve security at your site.
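The two techniques described above, dividing a port range among worker threads that each attempt a TCP connection, and then reading the greeting a listening service sends (what the manual telnet check shows), as an added Python example. This is not the Chesapeake Port Scanner's Java code; it is written for this article and runs entirely against loopback listeners it opens itself, one of which answers with a constructed SMTP-style banner so there is something to read. The function and variable names are our own.

```python
import socket
import threading
from math import ceil
from typing import List, Optional, Tuple


def split_ports(start: int, end: int, threads: int) -> List[Tuple[int, int]]:
    """Divide the inclusive range [start, end] into at most `threads` contiguous
    sub-ranges, one per worker thread."""
    chunk = max(1, ceil((end - start + 1) / threads))
    return [(lo, min(lo + chunk - 1, end)) for lo in range(start, end + 1, chunk)]


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full TCP connect() probe: True if the host accepted the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out or unreachable
            return False


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect and return whatever the service sends first; None if closed or silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return s.recv(256).decode("ascii", "replace").strip() or None
        except OSError:
            return None


def scan(host: str, start: int = 1, end: int = 65535, threads: int = 10,
         timeout: float = 0.5) -> List[int]:
    """Multithreaded connect scan: each worker polls its share of the range."""
    found: List[int] = []
    lock = threading.Lock()

    def worker(lo: int, hi: int) -> None:
        for port in range(lo, hi + 1):
            if port_is_open(host, port, timeout):
                with lock:
                    found.append(port)

    workers = [threading.Thread(target=worker, args=rng)
               for rng in split_ports(start, end, threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sorted(found)


# --- constructed fixture: loopback listeners stand in for the target host ---
BANNER = b"220 mail.example.test ESMTP (constructed banner for this example)\r\n"


def start_listeners(count: int = 3) -> Tuple[List[socket.socket], List[int]]:
    """Open `count` loopback listeners on free ports close to each other."""
    socks, ports, port = [], [], 0        # port 0: let the OS pick the first one
    while len(socks) < count:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
        except OSError:                   # port in use, try the next one
            s.close()
            port += 1
            continue
        s.listen(5)
        socks.append(s)
        ports.append(s.getsockname()[1])
        port = ports[-1] + 1
    return socks, ports


def _serve_banner(listener: socket.socket) -> None:
    """Accept connections and greet each one, like a mail server on port 25."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:                   # listener closed: stop serving
            return
        try:
            conn.sendall(BANNER)
        except OSError:                   # the scanner may already have hung up
            pass
        finally:
            conn.close()


def demo() -> Tuple[List[int], List[int], Optional[str]]:
    """Scan a window around the listeners and grab the first one's banner."""
    socks, ports = start_listeners(3)
    threading.Thread(target=_serve_banner, args=(socks[0],), daemon=True).start()
    try:
        open_ports = scan("127.0.0.1", ports[0] - 3, ports[-1] + 3, threads=4)
        banner = grab_banner("127.0.0.1", ports[0])
    finally:
        for s in socks:
            s.close()
    return ports, open_ports, banner


if __name__ == "__main__":
    listening, seen, greeting = demo()
    print("listeners:", listening, "scan found:", seen)
    print("banner on", listening[0], "->", greeting)
```

The scan reports every listener in the window (plus anything else that happens to be listening there), and the banner grab returns the "220" greeting, which is the kind of version string the article suggests comparing against CERT advisories.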
Running the Chesapeake Port Scanner
The Chesapeake Port Scanner can be run from the command line or through its GUI. Use the following command to start the Port Scanner with the GUI:
java portscan
A window will appear as in Figure 1. When the window comes up, enter a host in the hostname field. The start port is where the scan will begin, and the end port is where it will finish scanning. Enter the number of threads you want to run; 20 is the default. Once ready, click the "Start Scan" button to begin the system scan. You can stop any scan by simply clicking the Cancel button. The results will be displayed in the text window.
To start the Port Scanner from the command line (see Figure 2):
java portscan 127.0.0.1 -s 1 -e 200 -t 20
Whenever you use the command line options, the Port Scanner will start without the GUI. The -h(elp) flag will give the usage, and the -v(erbose) flag prints each port and if it is active or not. The remaining ones correspond to the same options as in the GUI. The command line options are as follows:
portscan
  hostname   the host you are scanning
  -s         the starting port to begin scanning
  -e         the ending port to end the scan
  -t         the number of threads you want to start (1-20)
  -v         sets the verbose flag on
  -h         this message
Availability
You can obtain a FREE copy of the Chesapeake Port Scanner from our Web site, www.ccci.com. Look for an announcement on our home page. There, you will find the documentation in HTML format and a registration form to fill out to receive your own copy. The installation instructions are detailed in the Web pages. New versions will be posted as they become available and will be announced in future issues of The Network Monitor.