Open ports

l33tname · Apr 20, 2015

I checked with nmap that no services are running unintentionally, and I found this:

Code:

135/udp open|filtered msrpc
136/udp open|filtered profile
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
445/udp open|filtered microsoft-ds

For what exactly do I need this things? (There is no samba server running)
And I guess since I don't need them, how can I disable it?

kpa · Apr 20, 2015

How did you run security/nmap? Those are UDP ports and depending on how you're testing for "open ports" you'll get different results. One interpretation is that it's now possible to send UDP traffic from your host to the listed ports on other hosts and therefor they are "open but only in outgoing direction.

stig · Apr 20, 2015

Do you have a firewall running?

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

SirDice · Apr 21, 2015

There's no handshake as with TCP so it's very hard to find out if an UDP port is actually open or not. Interpreting nmap results requires some skill.

nmap(1):

Code:

           Upon hitting a closed port on the target machine, the UDP probe
           should elicit an ICMP port unreachable packet in return. This
           signifies to Nmap that the machine is up and available. Many other
           types of ICMP errors, such as host/network unreachables or TTL
           exceeded are indicative of a down or unreachable host. A lack of
           response is also interpreted this way. If an open port is reached,
           most services simply ignore the empty packet and fail to return any
           response. This is why the default probe port is 40125, which is
           highly unlikely to be in use. A few services, such as the Character
           Generator (chargen) protocol, will respond to an empty UDP packet,
           and thus disclose to Nmap that the machine is available.

l33tname · Apr 24, 2015

Hey thanks for all your answers.

I checked from outside with this two queries:
sudo nmap -sT remote_host
sudo nmap -sU remote_host

So this means this port is only a false positive?

SirDice · Apr 24, 2015

Simply check on the machine itself with sockstat -l46. That will show you which ports have been opened (both TCP and UDP) and by which process. Besides that it's always a good idea to enable a firewall and only allow access from the internet to the things you need. Even if you accidentally enable a service the firewall will prevent any access.

Open ports

l33tname

kpa

stig

SirDice

Administrator

l33tname

SirDice

Administrator