I'm trying to lock down an Ubuntu server and ran nmap -T4 against my server. Everything looks right except that it shows port 3128 open, but I don't run a Squid server or anything else I know of on that port.

PORT     STATE SERVICE
80/tcp   open  http
3128/tcp open  squid-http

So I have 2 questions:

  1. When I run netstat -tlnp I get nothing that shows port 3128. When I telnet to that port from another machine on my local LAN it responds!? What is running and why can't I find it?

  2. I have iptables set up to the bare minimum, but I can't seem to close port 3128 from the telnet in question 1?

Can anyone tell me what's going on with port 3128? Is it something to do with the Linksys router that's responding and not the computer itself? I've googled this and haven't been able to find an answer.

Thanks in advance

Tim
  • 1) If you disconnect the Ubuntu server from the network altogether, do you still get a response? 2) The Linksys router suggests that your question is off-topic for Server Fault and probably belongs on Super User. – 200_success Dec 13 '14 at 08:00
  • Try sending an HTTP request from your telnet connection (e.g. type `HEAD / HTTP/1.0` and press return twice) and see if there is any answer. If there is an actual Squid or something similar, it might identify itself in the response headers. At the same time, I'd run a tcpdump on port 3128 on your server to see if it is actually receiving any packets from that connection. – Ale Dec 13 '14 at 09:06

2 Answers


Try

fuser -n tcp 3128

which will give you the process IDs associated with the port; then you can use, for example,

ps waux | grep "[pid]"

to get the associated process. (There are probably more elegant ways to do the second step, but it works for me!)

davidgo
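Putting the two suggestions together (the HEAD probe from the comment on the question and mapping the port to a process in this answer), as an added example that is not part of the original thread: a bash script that filters `ss -tlnp` or `netstat -tlnp` output for the port, pulls out the owning PIDs, probes the port over bash's /dev/tcp, and classifies the result the way the thread reasons about it. It assumes Linux with bash, iproute2 (`ss`) or net-tools (`netstat`), and coreutils `timeout`; the function names, the verdict labels and the two sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Works through the checks the
# thread arrives at: is anything on THIS host bound to the port, which process
# owns it, and does the port accept a connection and answer a minimal HTTP
# request. Assumes Linux with bash, `ss` or `netstat`, and coreutils `timeout`.

# Keep only listener lines for TCP port $1 from `ss -tlnp` or `netstat -tlnp`
# output on stdin. In both formats column 4 is "local-address:port", so
# matching ":<port>" at the end of it covers 0.0.0.0, *, ::: and [::] forms
# and skips the header lines (whose column 4 is "Local").
listeners_for_port() {
    awk -v port="$1" '$4 ~ (":" port "$")'
}

# Pull the owning PID(s) out of those lines: ss prints pid=1234, netstat
# prints 1234/name. Empty output means the kernel would not tell us (not
# root) or the owner is not visible, which is when `fuser -n tcp PORT`
# run as root is the cross-check.
listener_pids() {
    grep -oE 'pid=[0-9]+|[0-9]+/[^ ]+' | sed -E 's/^pid=//; s#/.*##' | sort -u
}

# Live version: whichever tool is installed, filtered to the port.
local_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -tlnp; else netstat -tlnp; fi 2>/dev/null \
        | listeners_for_port "$1"
}

# The probe from the comment: connect with bash's /dev/tcp, send HEAD and
# print whatever comes back within $3 seconds. Returns 0 if the TCP connection
# was accepted at all (even if, as in the thread, it is then closed with no
# data), non-zero if it was refused. A silently filtered port makes the
# connect itself block until the kernel gives up, so expect a pause there.
http_head_probe() (
    host=$1 port=$2 wait=${3:-3}
    exec 3<>"/dev/tcp/$host/$port" || exit 2
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" >&3
    timeout "$wait" cat <&3 || true     # 124 = peer kept the socket open silently
)

# Reading the combination, as the thread does. Labels are this example's own.
classify() {     # $1 = 1 if a local listener exists, $2 = 1 if the port accepted
    case "$1$2" in
        11) echo "local-service" ;;                # find it via the PID above
        10) echo "local-service-filtered" ;;       # bound here, iptables drops it
        01) echo "answered-elsewhere-or-hidden" ;; # router/NAT in the path, or hidden from netstat
        *)  echo "closed" ;;
    esac
}

# Constructed sample outputs (not captured from a real host) so the parsing
# can be exercised without root or a live box.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1234,fd=6))
LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=999,fd=3))'
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4321/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      999/sshd'

main() {
    port=${1:-3128} target=${2:-127.0.0.1}
    lines=$(local_listeners "$port")
    if [ -n "$lines" ]; then
        have=1
        printf 'Listener(s) on :%s\n%s\nPID(s): %s\n' "$port" "$lines" \
            "$(printf '%s\n' "$lines" | listener_pids)"
    else
        have=0
        echo "Nothing on this host is listening on :$port (as root, also try: fuser -n tcp $port)"
    fi
    if http_head_probe "$target" "$port"; then answered=1; else answered=0; fi
    echo "verdict: $(classify "$have" "$answered")"
    if [ "$have" = 0 ] && [ "$answered" = 1 ]; then
        echo "confirm with: tcpdump -ni any tcp port $port  (on the server, while connecting from the LAN)"
    fi
}

# Usage: sudo bash check_port.sh 3128 [target-address]
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root on the server itself (`sudo bash check_port.sh 3128`), then again from another LAN machine with the server's address as the target. If it reports no listener but the connection is still accepted, reproduce the connection from the LAN while `tcpdump -ni any tcp port 3128` runs on the server: no packets arriving at the server means something in the path (the router, in this thread) is answering, which is what the poster eventually concluded; unplugging the server, as suggested in the comments, is the same test with less tooling.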

After trying your suggestions I've come to the conclusion that the router is answering my telnet, not the box.

Tried sending the HEAD and it just came back with 'Connection closed by foreign host.'

Ran 'fuser' command above, showed nothing.

Disconnected the network cable and tried telnet again and it still answers, so I have to assume it's the router.

As a side note, if it is the router, I'm wondering if that's a security concern or not... I'll have to look into that.

Thanks everyone!

Tim
  • If you have port 3128 open on your router and you don't know why, I would recommend you investigate the issue. Home routers generally don't have this port open, and these days you can get malware even on home routers... so double check, just to be sure. – Ale Dec 13 '14 at 18:05
  • Thank you, yes I agree. I see quite a few router hack attempts in my log files. I'm going to try to set up DD-WRT on my router. Unfortunately Linksys no longer supports my rev number. I see no reason for that port to be open after going through my entire Linksys GUI, so I'm going to assume it's been somehow hacked. – Tim Dec 14 '14 at 22:30