Cisco 1811 - Security - Troubleshoot open ports

Unanswered Question
Aug 23rd, 2010

Hi,


after a couple of weeks of lab practice, today I connected one of my new Cisco 1811 routers to an ISP ADSL line.

PPP connect went fine, after that I ran a quick scan using NMAP on the router from the outside.


Here is the result:


PORT     STATE    SERVICE     VERSION
21/tcp   open     tcpwrapped
22/tcp   open     ssh         Cisco SSH 1.25 (protocol 2.0)
1720/tcp filtered H.323/Q.931


Well, I remember I configured SSH and disabled telnet during practice in the lab. But I can't remember I did anything FTP related.

I also read FTP is disabled by default on IOS.


What I'd like to know is: what is "tcpwrapped" on port 21? I don't think it's an FTP service as I wasn't able to connect to it using an FTP client.

Windows and Linux both have onboard utilities to troubleshoot listening ports, are there similar commands for IOS? How can I find out what is listening on a specific port?


What is the recommended way to post running config on this forum? I'd like to keep my posts clear.


Thanks in advance

Sebastian

Peter Paluch Mon, 08/23/2010 - 11:54
User Badges: Cisco Employee

Hi Sebastian,


You may be running a 12.4 IOS in which case you could try the show ip sockets command. Unfortunately, in 12.4(11)T it has been replaced by other commands that do not display open TCP sockets readily (anybody knowing better here PLEASE let us know if there is any way to display open TCP sockets under 12.4(11)T and newer!)


But I'd say that the NMAP probably saw a NATted port. Is it possible to repeat the experiment and have the same results over and over again?


Best regards,

Peter

OSJF2009SDL Tue, 08/24/2010 - 02:42

Thanks for your reply Peter,


I'm running c181x-advipservicesk9-mz.124-15.T13.bin - "show ip sockets" didn't work for me.


However, I found this command:


hydra#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:22   192.168.7.105:2003               SSH-Server ESTABLIS


Which is also strange; according to this output I would expect NMAP to display port 23 as open as well.


Yes, the NMAP scan output on the WAN interface is reproducible. I also noticed the scan result is different on the LAN: it only displays port 22 as open (which is correct). I did not configure any NAT rule for port 21 on the WAN interface, so it must be some default thing.


Best regards,

Sebastian
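The two listings quoted above (the NMAP scan from the outside and the "show control-plane host open-ports" output from the router) are worth reconciling mechanically, because they answer different questions: the scan says what a host in the path responds on, the router says what it is itself listening on. The following script is an added example, not code from this thread or from Cisco; the sample inputs are constructed copies of the outputs posted here, and the helper names (parse_nmap, parse_ios_open_ports, reconcile) are my own. A port that is "open" externally with no matching local listener (port 21 here) is not a router service and has to be explained by something in the path, such as a NAT rule or ISP equipment; a local listener that the scan does not report as open (port 23 here) is normally being blocked by an ACL or vty access-class before it reaches the socket.

```python
import re

# Constructed sample inputs modelled on the outputs quoted in this thread.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE     VERSION
21/tcp   open     tcpwrapped
22/tcp   open     ssh         Cisco SSH 1.25 (protocol 2.0)
1720/tcp filtered H.323/Q.931
"""

IOS_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:22   192.168.7.105:2003               SSH-Server ESTABLIS
"""

# One nmap port line: "<port>/<proto> <state> <service> [<version>]"
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return {(proto, port): (state, service)} for every port line in the scan."""
    result = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            port, proto, state, service, _version = m.groups()
            result[(proto, int(port))] = (state, service)
    return result


def parse_ios_open_ports(text):
    """Return {(proto, port): service} for sockets the router reports in LISTEN state.

    The IOS columns are whitespace-aligned: Prot, Local Address, Foreign Address,
    Service, State. Established sessions (state ESTABLIS...) are not listeners.
    """
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local, _foreign, service, state = fields
        if not state.startswith("LISTEN"):
            continue
        port = int(local.rsplit(":", 1)[1])
        listeners[(proto, port)] = service
    return listeners


def reconcile(nmap_ports, ios_listeners):
    """Classify each port seen by either side.

    confirmed   - scanner sees it open and the router has a listener
    unexplained - scanner sees it open but the router has no listener
                  (look at NAT rules and devices in the path, not at IOS services)
    hidden      - router listens but the scanner does not see it open
                  (an ACL, access-class or upstream filter is blocking it)
    """
    report = {}
    externally_open = {k for k, (state, _) in nmap_ports.items() if state == "open"}
    for key in externally_open | set(ios_listeners):
        if key in externally_open and key in ios_listeners:
            report[key] = "confirmed"
        elif key in externally_open:
            report[key] = "unexplained"
        else:
            report[key] = "hidden"
    return report


if __name__ == "__main__":
    verdicts = reconcile(parse_nmap(NMAP_OUTPUT), parse_ios_open_ports(IOS_OPEN_PORTS))
    for (proto, port), verdict in sorted(verdicts.items()):
        print(f"{port}/{proto}: {verdict}")
```

Run against a real pair of captures, the script takes the scan output from the outside and the pasted "show control-plane host open-ports" text; the "unexplained" entries are the ones worth chasing on the WAN side, and the "hidden" entries are the ones to confirm are intentionally filtered.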

OSJF2009SDL Fri, 08/27/2010 - 09:41

I'm gonna bump this now since I still don't know what is listening on port 21 on the WAN interface, and I don't know how to disable it.


As a rookie I'm quite surprised that there seems to be no troubleshooting tool for this kind of issue. I mean, even Windows gives you tools for that, like the netstat, findstr and tasklist commands.
