Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: Are all of these ports necessary?

86 views
Skip to first unread message
Message has been deleted
Message has been deleted

David Stone

unread,
May 2, 2012, 4:30:37 PM5/2/12
to
In article <michelle-841B89...@news.eternal-september.org>,
Michelle Steiner <mich...@michelle.org> wrote:

> I just ran a port scan on my computer. Can any be safely closed? Are any
> dangerous to keep open?

Generally, you'd use the built-in firewall to manage your ports. That
way, you don't have to worry about what port numbers are used by which
application (it can be a little arcane, to say the least!)

Under Security > Firewall > Advanced, I currently have "Block all
incoming connections" selected, which disallows screen and file
sharing, iTunes sharing, etc.

IIRC you can also use a setting whereby you are asked to allow services
as the attempt to connect, but it's been a while since I used that
(probably not since 10.3)

>
> Port Scan has started…
>
> Port Scanning host: 127.0.0.1
>
> Open TCP Port: 88 kerberos
The Mac OS uses Kerberos authentication to allow you to connect
services on different Macs
<http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>
<http://support.apple.com/kb/TA24992>

> Open TCP Port: 515 printer
> Open TCP Port: 548 afpovertcp

Do you need to share files and devices by AFP? If not, you can simply
turn that service off, and the firewall should then block the port.

> Open TCP Port: 631 ipp
Internet Printing Protocol, including CUPS - do you have printer
sharing enabled?
<http://en.wikipedia.org/wiki/Internet_Printing_Protocol>

> Open TCP Port: 3689 daap
Digital Audio Access Protocol - are you sharing your iTunes
library over your local network?
<http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol>

> Open TCP Port: 4488
<https://discussions.apple.com/thread/2708130?start=0&tstart=0>

> Open TCP Port: 5900 rfb
<http://en.wikipedia.org/wiki/RFB_protocol>

> Open TCP Port: 6258
One Password
<http://help.agilebits.com/1Password3/outbound_connections.html>


> Open TCP Port: 8228
I believe this is used by some web proxy clients? I see references
to PithHelmet, and ad-blocking plugin for Safari. It probably uses
the proxy locally to route lookups and requests through its filter.

I'll stop now!

David Ritz

unread,
May 2, 2012, 5:25:04 PM5/2/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 02 May 2012 11:36 -0700,
in article <michelle-841B89...@news.eternal-september.org>,
Michelle Steiner <mich...@michelle.org> wrote:

> I just ran a port scan on my computer. Can any be safely closed?
> Are any dangerous to keep open?

> Port Scan has started?
>
> Port Scanning host: 127.0.0.1
>
> Open TCP Port: 88 kerberos
> Open TCP Port: 515 printer
> Open TCP Port: 548 afpovertcp
> Open TCP Port: 631 ipp
> Open TCP Port: 3689 daap
> Open TCP Port: 4488
> Open TCP Port: 5900 rfb
> Open TCP Port: 6258
> Open TCP Port: 8228
> Open TCP Port: 17500
> Open TCP Port: 26164
> Open TCP Port: 56757
> Port Scan has completed?

Hi, Michelle,

Since no one else seems to be asking, is your Mac behind any sort of
firewall, for example, a firewall enabled router or gateway? If not,
you probably don't want any of those ports exposed to the outside
world. If your computer is behind a firewall appliance, none of these
ports should be problematic, unless you've opened pin-holes for them.

Here are a couple of examples, for your consideration. Both are nmap
(<http://nmap.org>) 1000 port scans of the same IP address; one from
inside the firewall and one from outside.

======================================================================
$ /opt/local/bin/nmap -P0 -sT mako.ath.cx

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-02 15:57 CDT
Nmap scan report for mako.ath.cx (75.56.239.73)
Host is up (0.00072s latency).
Not shown: 958 closed ports, 32 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
445/tcp open microsoft-ds
548/tcp open afp
587/tcp open submission
749/tcp open kerberos-adm
3689/tcp open rendezvous
5900/tcp open vnc

Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
======================================================================
[user]@[host]:~% /usr/bin/nmap -P0 -sT mako.ath.cx

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 13:06 PDT
Interesting ports on mako.ath.cx (75.56.239.73):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
50001/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 51.90 seconds
======================================================================

While I have many more open ports than shown, only those two ports,
which I explicitly allow to be accessed, are open to the outside
world.

prot port freq # Description
ssh 22/sctp 0.000000 # Secure Shell Login
ssh 22/tcp 0.182286 # Secure Shell Login
ssh 22/udp 0.003905 # Secure Shell Login

http 80/sctp 0.000000 # World Wide Web HTTP
http 80/tcp 0.484143 # World Wide Web HTTP
http 80/udp 0.035767 # World Wide Web HTTP

- --
David Ritz <dr...@mindspring.com>
Nothing running a Microsoft Windows operating system should ever be
allowed to connect directly to the Internet.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+hpjAACgkQUrwpmRoS3ut7kwCcDTHpt+gCGEMb8Tr5/59/ZPu8
zSMAoIGVA+vOQfGgDPNKTuiLOcooz8rh
=m+op
-----END PGP SIGNATURE-----
Message has been deleted
Message has been deleted

David Ritz

unread,
May 2, 2012, 6:42:51 PM5/2/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 02 May 2012 15:02 -0700,
in article <michelle-833A87...@news.eternal-september.org>,
Michelle Steiner <mich...@michelle.org> wrote:

> In article <alpine.OSX.2.00.1...@mako.ath.cx>,
> David Ritz <dr...@mindspring.com> wrote:

>> Since no one else seems to be asking, is your Mac behind any sort
>> of firewall, for example, a firewall enabled router or gateway?

> The router is a Time Capsule, and I don't think it has a firewall.
> But it does have NAT. Also, I have Stealth Mode enabled.

>> If not, you probably don't want any of those ports exposed to the
>> outside world.

> Why not? Based on other answers I've received, they seem safe.

> I just did a scan of my router's IP address:

> Port Scan has started...
>
> Port Scanning host: 98.165.113.143
>
> Open TCP Port: 21 ftp
> Open TCP Port: 53 domain
> Open TCP Port: 554 rtsp
> Open TCP Port: 5009 winfs
> Open TCP Port: 7070 arcp
> Open TCP Port: 10000 ndmp
> Port Scan has completed...

While you didn't directly answer my question, there is some sort of
firewall in operation:

[user]@[host]:~% nmap 98.165.113.143 -p 21,53,554,5009,7070,10000

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-02 15:26 PDT
Interesting ports on ip98-165-113-143.ph.ph.cox.net (98.165.113.143):
PORT STATE SERVICE
21/tcp filtered ftp
53/tcp filtered domain
554/tcp filtered rtsp
5009/tcp filtered airport-admin
7070/tcp filtered realserver
10000/tcp filtered snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds

That these ports are being filtered, is an indication of a firewall
appliance. You're still running your port scans from within the
firewall.

As it's now been confirmed that you're behind a firewall, you're most
certainly safe with these ports being open on your computer.

As to your question of why one doesn't want these ports to be world
accessible, the answer has to do with whether of not one wants anyone
in the world to be able to access these ports and their associated
services. If you answer yes, you may just have flunked your driver's
license test for the infobahn.

- --
David Ritz <dr...@mindspring.com>
"Even a paranoid can have enemies." - Henry Kissinger (b. 1923)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+huGwACgkQUrwpmRoS3usnoQCg3Jy62vJMtEl3ddBi5N9HyXNu
tAoAn2O6cdArMNrXU1hIXtt2Vm3YDNee
=tEnk
-----END PGP SIGNATURE-----
Message has been deleted

JF Mezei

unread,
May 2, 2012, 7:29:09 PM5/2/12
to
Michelle Steiner wrote:

> But if those ports are blocked, how can there be legitimate access from the
> world?


Do you want the world to be able to access your file shares (AFP) from
china and india ? If not, you get your router to block port 548 but
leave it running on your mac. This way, the world can't access your AFP
shares, but other computers in the LAN can.

If your computer is directly connected to the internet without a router,
then you have to use the computer's firewall to block those ports or
disable the service entirely.

And there are cases where you may wish to enable the port for world
access. For instance, if you will be out of twon for a while and know
you will need to access files on your home machine while at hotel, then
you want to open port 558 and direct it to your home computer while you
are away. This opens you to attacks but if you close it when you get
back, you limit the impact.


Message has been deleted
Message has been deleted

David Ritz

unread,
May 2, 2012, 9:23:47 PM5/2/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 02 May 2012 15:56 -0700,
in article <michelle-6E2348...@news.eternal-september.org>,
Michelle Steiner <mich...@michelle.org> wrote:

> In article <alpine.OSX.2.00.1...@mako.ath.cx>,
> David Ritz <dr...@mindspring.com> wrote:

>> As to your question of why one doesn't want these ports to be world
>> accessible, the answer has to do with whether of not one wants
>> anyone in the world to be able to access these ports and their
>> associated services. If you answer yes, you may just have flunked
>> your driver's license test for the infobahn.

> But if those ports are blocked, how can there be legitimate access
> from the world?

OK. Let's go back to your original post in this thread. I've
narrowed the list of open ports you posted, to those identified by
name in your port scan.

> In article <michelle-841B89...@news.eternal-september.org>,
> Michelle Steiner <mich...@michelle.org> wrote:

>> Open TCP Port: 88 kerberos

kerberos-sec 88/tcp 0.006072 # Kerberos (v5)
kerberos-sec 88/udp 0.013476 # Kerberos (v5)

Do you want everyone on the Internet, whether or not you've authorized
them, to have access to security software and services running on your
Mac?

>> Open TCP Port: 515 printer

printer 515/tcp 0.007214 # spooler (lpd)
printer 515/udp 0.011022 # spooler (lpd)

Do you want everyone on the Internet, whether or not you've authorized
them, to have access to your printer spool and Laser Printer Daemon?

>> Open TCP Port: 548 afpovertcp

afp 548/tcp 0.012395 # AFP over TCP
afp 548/udp 0.000774 # AFP over UDP

Do you want everyone on the Internet, whether or not you've authorized
them, to have access to your Apple Filing Protocol shares and network
services?

>> Open TCP Port: 631 ipp

ipp 631/tcp 0.006160 # Internet Printing Protocol -- for one
implementation see http://www.cups.org (Common UNIX Printing System)
ipp 631/udp 0.450281 # Internet Printing Protocol

Do you want everyone on the Internet, whether or not you've authorized
them, to be able to use your IP connected printer?

>> Open TCP Port: 3689 daap

rendezvous 3689/tcp 0.002283 # Rendezvous Zeroconf (used by
Apple/iTunes)
daap 3689/udp 0.000330 # Digital Audio Access Protocol

Do you want everyone on the Internet, whether or not you've authorized
them, to be able to access your iTunes library? It's only intended
for sharing over a local network.

Here, we need to distinguish between private IP space and public IP
space. Behind your firewall, it appears that you are using services,
locally, which are not accessible to the outside world. That's a good
thing.

I, on the other hand, have _chosen_ to globally open two ports, for
WWW and Secure Shell. The result is, I see as many as several hundred
break-in or exploit attacks on those ports, on any given day. Many of
the sources of these attacks end up in my local ipfw.conf.

Here's an example from yesterday.

$ grep -c sshd.\*61.136.171.198 /var/log/secure.log
104

That indicates 104 intrusion attempts from that single IP address.

$ whois -A 61.136.171.198|iprange2cidr.pl
61.136.128.0/17

The IP address in question is assigned, by APNIC, to CHINANET-HB.
CHINANET-HB uses poorly conceived mail filters, which prevents most
abuse complaints from reaching their NIC designated POC,
<abuse_hb[at]public.wh.hb.cn>.

$ grep 61.136.128.0\/17 /etc/ipfilter/ipfw.conf
add 10050 deny ip from 61.136.128.0/17 to any in

If CHINANET-HB isn't willing to accept reports of network attacks or
other abuse, I'm not willing to allow their IP space to have access to
my property. As a result, I'm currently blocking all of CHINANET-HB.

$ whois -A CHINANET-HB|iprange2cidr.pl
27.16.0.0/12
58.48.0.0/13
59.172.0.0/14
61.136.128.0/17
61.183.0.0/16
61.184.0.0/16
103.22.80.0/22
111.170.0.0/16
111.172.0.0/14
111.176.0.0/13
116.207.0.0/16
116.208.0.0/14
119.96.0.0/13
121.60.0.0/14
171.40.0.0/13
171.80.0.0/14
171.112.0.0/14
202.103.0.0/18
202.110.128.0/18
219.138.0.0/15
219.140.0.0/16
221.232.0.0/14

Right now, I'm composing this message on my world facing box, via SSH,
Secure SHell, while I'm actually depressing the keys on my laptop, in
another room. I could as easily be doing the same, using any Internet
connected computer with an SSH client, from any location in the world.

(This assumes that the IP address from which I wish to access the
server, isn't already blocked by my home brew ipfw rules. [ipfw --
BSD IP firewall and traffic shaper control program])

I'm not suggesting that you open holes in your world facing firewall.
Doing so opens a nasty can of worms. For now, you appear to be safely
behind a firewall. That firewall may exist in your cable modem or
gateway, which presumedly places your router and computer(s) safely
behind it.

- --
David Ritz <dr...@mindspring.com>
"(The Internet is) the largest equivalence class in the reflexive
transitive symmetric closure of the relationship `can be reached by
an IP packet form'." - Seth Breidbart


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+h3iUACgkQUrwpmRoS3utu8ACaAxyEutdM0grEMq8LbUw5ppWO
l3UAn2yVfmQEciEEjPr09tCveS/4r4J2
=342t
-----END PGP SIGNATURE-----

Tom Stiller

unread,
May 2, 2012, 10:08:01 PM5/2/12
to
In article <alpine.OSX.2.00.1...@mako.ath.cx>,
David Ritz <dr...@mindspring.com> wrote:

> I, on the other hand, have _chosen_ to globally open two ports, for
> WWW and Secure Shell. The result is, I see as many as several hundred
> break-in or exploit attacks on those ports, on any given day. Many of
> the sources of these attacks end up in my local ipfw.conf.
>
> Here's an example from yesterday.
>
> $ grep -c sshd.\*61.136.171.198 /var/log/secure.log
> 104
>
> That indicates 104 intrusion attempts from that single IP address.

Looks like you could benefit from "fail2ban", a utility to ban IP
addresses that fail to establish a valid SSH connection after three
attempts for a [user configurable] period of time.

--
PRAY, v. To ask that the laws of the universe be annulled in behalf
of a single petitioner confessedly unworthy. -- Ambrose Bierce

JF Mezei

unread,
May 2, 2012, 11:08:38 PM5/2/12
to
An important note:

The list of ports produced by sudo lsof -i4 -P | grep LISTEN lists all
the ports where there is a process (of the TCPIP kernel) ready to accept
incoming call s on that machine.

Many of those are legitimate and if you have multiple machines on your
lan, you wnat those (such as 548 for apple share AFP file transfers).

The trick is to set your router to block everything from the internet
except those few ports where you have a "publicly accessible" services.

For instance, if you run a web server, you block all ports except port 80.

Paul Sture

unread,
May 3, 2012, 3:36:47 AM5/3/12
to
On Wed, 02 May 2012 20:23:47 -0500, David Ritz wrote:


> I, on the other hand, have _chosen_ to globally open two ports, for WWW
> and Secure Shell. The result is, I see as many as several hundred
> break-in or exploit attacks on those ports, on any given day. Many of
> the sources of these attacks end up in my local ipfw.conf.
>
> Here's an example from yesterday.
>
> $ grep -c sshd.\*61.136.171.198 /var/log/secure.log 104
>
> That indicates 104 intrusion attempts from that single IP address.

I have a similar setup, but after listening to my server disk chattering
away for hours on end I moved ssh off port 22 to something much higher,
and blocked port 22 at the router.

This greatly reduced the number of ssh attacks (and made my office a bit
quieter - that server's disks were meant for a server room and were quite
noisy).

--
Paul Sture

David Ritz

unread,
May 3, 2012, 8:53:57 AM5/3/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 03 May 2012 09:36 +0200,
in article <f5p979...@news.sture.ch>,
Ah, yes. Security through obscurity can be quite effective.

I'm using sshdfilter:

sshdfilter V1.5.7 ssh brute force attack blocker
http://www.csc.liv.ac.uk/~greg/sshdfilter/

It's available as a preconfigured installer for Mac OS X from
<http://projects.seas.columbia.edu/sshdfilter/>.

Of the 104 attempts noted, almost all were as root. For this simple
reason, root isn't allowed to log in remotely.

I don't have the platter clatter problems you note. About the only
way I'll notice an attack in progress will be a jumping Console icon
in the Dock. In these instances, I'll kill the attack by immediately
dropping the attacker's IP address into ipfw.

- --
David Ritz <dr...@mindspring.com>
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+if+YACgkQUrwpmRoS3uvhcACffSYbsypPllNJ3NY7RP36XcnK
kNwAniDGlVpT5Ycm7HS9ARcHqg4o5QiW
=oXXh
-----END PGP SIGNATURE-----

David Ritz

unread,
May 3, 2012, 4:17:29 PM5/3/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 02 May 2012 22:08 -0400,
in article <tom_stiller-EEAD...@news.individual.net>,
Tom Stiller <tom_s...@yahoo.com> wrote:

> Looks like you could benefit from "fail2ban", a utility to ban IP
> addresses that fail to establish a valid SSH connection after three
> attempts for a [user configurable] period of time.

Thanks for the suggestion, Tom. Unfortunately, the Mac OS X installer
package is no longer available.

<http://www.fail2ban.org/wiki/index.php/Downloads>
<quote>
Mac OS X Installer Package is available [25]here (Site not
responding)
[...]
25. http://macenv.lsa.umich.edu/software.php
</quote>

I've downloaded and installed from source. I've also created
/Library/LaunchDaemons/org.fail2ban.plist, so it should fire up when
the box boots.

I done some configuration for the two world facing services. As
fail2ban is primarily written for Linux, it appears to depend heavily
on iptables, which aren't used in the Mac OS.

I'd be interested as to whether you'd be willing to share a sample
jail.conf. This email address works. Replying to this message assures
delivery, as it bypasses my rather draconian SpamAssassin rules.

TIA.

- --
David Ritz <dr...@mindspring.com>
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+i5+AACgkQUrwpmRoS3uv2GQCeN8Px+qjzCR2KKuYEZC6jx/9p
2zIAmQFHKH50Gd5U2ihE8uiQDLNF1fXn
=mvIo
-----END PGP SIGNATURE-----

Tom Stiller

unread,
May 3, 2012, 5:04:28 PM5/3/12
to
In article <alpine.OSX.2.00.1...@mako.ath.cx>,
David Ritz <dr...@mindspring.com> wrote:

Happy to share but the file is a little long for a usenet reply. I'll
attach it to an email.

Jolly Roger

unread,
May 3, 2012, 6:03:36 PM5/3/12
to
In article <tom_stiller-052E...@news.individual.net>,
Mind shooting me a copy as well? I'm using fail2ban for one thing, but
might use it for others if I had a clear example of how to configure it
for Mac OS X. : )

--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR

Tom Stiller

unread,
May 3, 2012, 7:30:00 PM5/3/12
to
In article <jollyroger-76157...@news.individual.net>,
Jolly Roger <jolly...@pobox.com> wrote:

> In article <tom_stiller-052E...@news.individual.net>,
> Tom Stiller <tom_s...@yahoo.com> wrote:
>
> > In article <alpine.OSX.2.00.1...@mako.ath.cx>,
> > David Ritz <dr...@mindspring.com> wrote:
> >
> > >
> > > I'd be interested as to whether you'd be willing to share a sample
> > > jail.conf. This email address works. Replying to this message assures
> > > delivery, as it bypasses my rather draconian SpamAssassin rules.
> > >
> > > TIA.
> >
> >
> > Happy to share but the file is a little long for a usenet reply. I'll
> > attach it to an email.
>
> Mind shooting me a copy as well? I'm using fail2ban for one thing, but
> might use it for others if I had a clear example of how to configure it
> for Mac OS X. : )



On its way.

Jolly Roger

unread,
May 3, 2012, 8:55:41 PM5/3/12
to
In article <tom_stiller-77C8...@news.individual.net>,
Tom Stiller <tom_s...@yahoo.com> wrote:

> In article <jollyroger-76157...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > In article <tom_stiller-052E...@news.individual.net>,
> > Tom Stiller <tom_s...@yahoo.com> wrote:
> >
> > > In article <alpine.OSX.2.00.1...@mako.ath.cx>,
> > > David Ritz <dr...@mindspring.com> wrote:
> > >
> > > >
> > > > I'd be interested as to whether you'd be willing to share a sample
> > > > jail.conf. This email address works. Replying to this message assures
> > > > delivery, as it bypasses my rather draconian SpamAssassin rules.
> > > >
> > > > TIA.
> > >
> > >
> > > Happy to share but the file is a little long for a usenet reply. I'll
> > > attach it to an email.
> >
> > Mind shooting me a copy as well? I'm using fail2ban for one thing, but
> > might use it for others if I had a clear example of how to configure it
> > for Mac OS X. : )
>
>
>
> On its way.

Muchas gracias!

David Ritz

unread,
May 3, 2012, 9:30:14 PM5/3/12
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 03 May 2012 17:55 -0700,
in article <jollyroger-E3320...@news.individual.net>,
Jolly Roger <jolly...@pobox.com> wrote:

> Muchas gracias!

<AOL></AOL>

- --
David Ritz <dr...@mindspring.com>
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+jMSgACgkQUrwpmRoS3uskGgCgpFsjwCzh4l0slsZyC4aGXJzY
mEEAoPottJAoEl71EnvVDKl1riOO+yMW
=0F7g
-----END PGP SIGNATURE-----

Kevin McMurtrie

unread,
May 4, 2012, 3:12:28 AM5/4/12
to
> I just ran a port scan on my computer. Can any be safely closed? Are any
> dangerous to keep open?
>
> Port Scan has startedŠ
>
> Port Scanning host: 127.0.0.1
>
> Open TCP Port: 88 kerberos
> Open TCP Port: 515 printer
> Open TCP Port: 548 afpovertcp
> Open TCP Port: 631 ipp
> Open TCP Port: 3689 daap
> Open TCP Port: 4488
> Open TCP Port: 5900 rfb
> Open TCP Port: 6258
> Open TCP Port: 8228
> Open TCP Port: 17500
> Open TCP Port: 26164
> Open TCP Port: 56757
> Port Scan has completedŠ

It depends on what IP address they're listening on. 127.XX.XX.XX and
::1 are strictly for local traffic (localhost) so that processes can
send messages to each other using existing TCP/IP APIs. Those higher
numbered ports look like processes talking to each other on a localhost
address.

88 is an authentication server used by MacOS
515 and 631 are printer sharing
548 is Apple file sharing
3689 is iTunes sharing
5900 is VNC

Run the scan on your public IP address. If you don't have a public IP
address due to NAT to a LAN, then there's not much to worry about as
long as your LAN doesn't have unsecured WiFi on it.
--
I will not see posts from Google because I must filter them as spam

Paul Sture

unread,
May 4, 2012, 8:39:11 AM5/4/12
to
On Thu, 03 May 2012 15:03:36 -0700, Jolly Roger wrote:

> Mind shooting me a copy as well? I'm using fail2ban for one thing, but
> might use it for others if I had a clear example of how to configure it
> for Mac OS X. : )

Same here please.

I can host it for folks if there's the demand, subject to copyright etc.

--
Paul Sture

Jolly Roger

unread,
May 4, 2012, 9:11:00 AM5/4/12
to
In article <f8vc79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
wrote:
If you do host it, I'd love a link to it. : ) I'm still waiting for the
email message from Tom. This email address monitored by a rather hungry
spam filter; while I don't see anything in my temporary holding area on
pobox.com, I have to wonder if the message somehow was already gobbled
up.

Tom Stiller

unread,
May 4, 2012, 10:46:40 AM5/4/12
to
In article <jollyroger-78DB0...@news.individual.net>,
Jolly Roger <jolly...@pobox.com> wrote:

> In article <f8vc79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
> wrote:
>
> > On Thu, 03 May 2012 15:03:36 -0700, Jolly Roger wrote:
> >
> > > Mind shooting me a copy as well? I'm using fail2ban for one thing, but
> > > might use it for others if I had a clear example of how to configure it
> > > for Mac OS X. : )
> >
> > Same here please.
> >
> > I can host it for folks if there's the demand, subject to copyright etc.
>
> If you do host it, I'd love a link to it. : ) I'm still waiting for the
> email message from Tom. This email address monitored by a rather hungry
> spam filter; while I don't see anything in my temporary holding area on
> pobox.com, I have to wonder if the message somehow was already gobbled
> up.

I sent two email messages. The first was a screw-up and the second
contained the attachments.

I also sent copies to pa...@sture.ch.

Jolly Roger

unread,
May 4, 2012, 12:37:36 PM5/4/12
to
In article <tom_stiller-5960...@news.individual.net>,
Tom Stiller <tom_s...@yahoo.com> wrote:

> In article <jollyroger-78DB0...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > In article <f8vc79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
> > wrote:
> >
> > > On Thu, 03 May 2012 15:03:36 -0700, Jolly Roger wrote:
> > >
> > > > Mind shooting me a copy as well? I'm using fail2ban for one thing, but
> > > > might use it for others if I had a clear example of how to configure it
> > > > for Mac OS X. : )
> > >
> > > Same here please.
> > >
> > > I can host it for folks if there's the demand, subject to copyright etc.
> >
> > If you do host it, I'd love a link to it. : ) I'm still waiting for the
> > email message from Tom. This email address monitored by a rather hungry
> > spam filter; while I don't see anything in my temporary holding area on
> > pobox.com, I have to wonder if the message somehow was already gobbled
> > up.
>
> I sent two email messages. The first was a screw-up and the second
> contained the attachments.
>
> I also sent copies to pa...@sture.ch.

Very strange. You sent one to jolly...@pobox.com, I take it? Nothing
is showing up here. What was the subject of the message? I've received
messages from you before (from your GMail address); so I know I *can*
receive them from you...

Tom Stiller

unread,
May 4, 2012, 1:12:02 PM5/4/12
to
In article <jollyroger-52044...@news.individual.net>,
Yes, I sent separate messages to each of those two addresses.

I just sent a second message with copies to each of you. Let's see what
happens to that.

Paul Sture

unread,
May 4, 2012, 1:08:46 PM5/4/12
to
On Fri, 04 May 2012 10:46:40 -0400, Tom Stiller wrote:

> In article <jollyroger-78DB0...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
>> In article <f8vc79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
>> wrote:
>>
>> > On Thu, 03 May 2012 15:03:36 -0700, Jolly Roger wrote:
>> >
>> > > Mind shooting me a copy as well? I'm using fail2ban for one thing,
>> > > but might use it for others if I had a clear example of how to
>> > > configure it for Mac OS X. : )
>> >
>> > Same here please.
>> >
>> > I can host it for folks if there's the demand, subject to copyright
>> > etc.
>>
>> If you do host it, I'd love a link to it. : ) I'm still waiting for
>> the email message from Tom. This email address monitored by a rather
>> hungry spam filter; while I don't see anything in my temporary holding
>> area on pobox.com, I have to wonder if the message somehow was already
>> gobbled up.
>
> I sent two email messages. The first was a screw-up and the second
> contained the attachments.
>
> I also sent copies to pa...@sture.ch.

Yes, I have them thanks Tom.

What format would folks prefer to see for downloads? .txt may be the
safest for those looking from non-OS X browsers. Or .zip?

But first I have to eat :-)



--
Paul Sture

Jolly Roger

unread,
May 4, 2012, 1:43:20 PM5/4/12
to
In article <u1fd79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
WHatever you think is best is fine with me. Thanks for doing this! : )

Jolly Roger

unread,
May 4, 2012, 1:49:45 PM5/4/12
to
In article <tom_stiller-3832...@news.individual.net>,
It's a mystery. Maybe my host is deleting them before I have a chance to
receive them. I'll just grab them from Paul. Thanks for trying!

Tom Stiller

unread,
May 4, 2012, 2:13:02 PM5/4/12
to
In article <jollyroger-51DFE...@news.individual.net>,
Jolly Roger <jolly...@pobox.com> wrote:

> In article <tom_stiller-3832...@news.individual.net>,
> Tom Stiller <tom_s...@yahoo.com> wrote:
>
> > In article <jollyroger-52044...@news.individual.net>,
> > Jolly Roger <jolly...@pobox.com> wrote:
> >


[snip]

> > > Very strange. You sent one to jolly...@pobox.com, I take it? Nothing
> > > is showing up here. What was the subject of the message? I've received
> > > messages from you before (from your GMail address); so I know I *can*
> > > receive them from you...
> >
> > Yes, I sent separate messages to each of those two addresses.
> >
> > I just sent a second message with copies to each of you. Let's see what
> > happens to that.
>
> It's a mystery. Maybe my host is deleting them before I have a chance to
> receive them. I'll just grab them from Paul. Thanks for trying!

Strange. I had no idea there would be this much interest. Since I only
passed on the configuration files originally requested, maybe a link to
the official website as well:

<http://www.fail2ban.org/wiki/index.php/Main_Page>

Jolly Roger

unread,
May 4, 2012, 6:08:33 PM5/4/12
to
In article <tom_stiller-6592...@news.individual.net>,
Tom Stiller <tom_s...@yahoo.com> wrote:

> In article <jollyroger-51DFE...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > In article <tom_stiller-3832...@news.individual.net>,
> > Tom Stiller <tom_s...@yahoo.com> wrote:
> >
> > > In article <jollyroger-52044...@news.individual.net>,
> > > Jolly Roger <jolly...@pobox.com> wrote:
> > >
>
>
> [snip]
>
> > > > Very strange. You sent one to jolly...@pobox.com, I take it? Nothing
> > > > is showing up here. What was the subject of the message? I've received
> > > > messages from you before (from your GMail address); so I know I *can*
> > > > receive them from you...
> > >
> > > Yes, I sent separate messages to each of those two addresses.
> > >
> > > I just sent a second message with copies to each of you. Let's see what
> > > happens to that.
> >
> > It's a mystery. Maybe my host is deleting them before I have a chance to
> > receive them. I'll just grab them from Paul. Thanks for trying!
>
> Strange. I had no idea there would be this much interest. Since I only
> passed on the configuration files originally requested, maybe a link to
> the official website as well:
>
> <http://www.fail2ban.org/wiki/index.php/Main_Page>

I've browsed the docs and default configs, but since they are very
Linux-biased, I eventually stopped to do more important things before I
figured out how to do configurations that would work in Mac OS X.

Matt Broughton

unread,
May 4, 2012, 8:30:01 PM5/4/12
to
In article <4fa3815c$0$16187$742e...@news.sonic.net>,
Port 631 is for any printing to take place. No open port 631 on
localhost means no printing. Add port 515 for printer sharing.

--
Matt Broughton
Only relatives are absolute.

Paul Sture

unread,
May 5, 2012, 7:06:23 AM5/5/12
to
Now up:

<http://sture.ch/downloads/fail2ban.tgz>
<http://sture.ch/downloads/fail2ban.zip>

As a general note to everyone, this stuff is not for the faint of heart,
and if you are uncomfortable with Terminal it is probably not for you.

I would also recommend that anyone downloading these files extract
them use the appropriate command line utilies. Double clicking in
Finder has the unfortunate habit of trying to execute stuff it
finds in an archive, which in most cases is not what you want to do.

tar -xzf fail2ban.tgz

or:

unzip fail2ban.zip


Many thanks to Tom Stiller for allowing me to publish this.

--
Paul Sture

Tom Stiller

unread,
May 5, 2012, 9:36:18 AM5/5/12
to
In article <f6ef79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
wrote:

> Now up:
>
> <http://sture.ch/downloads/fail2ban.tgz>
> <http://sture.ch/downloads/fail2ban.zip>
>
> As a general note to everyone, this stuff is not for the faint of heart,
> and if you are uncomfortable with Terminal it is probably not for you.

What he said!


> I would also recommend that anyone downloading these files extract
> them use the appropriate command line utilies. Double clicking in
> Finder has the unfortunate habit of trying to execute stuff it
> finds in an archive, which in most cases is not what you want to do.
>
> tar -xzf fail2ban.tgz
>
> or:
>
> unzip fail2ban.zip
>
>
> Many thanks to Tom Stiller for allowing me to publish this.
Hope others find it as useful as I have.

Jolly Roger

unread,
May 5, 2012, 9:58:45 AM5/5/12
to
In article <f6ef79-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
wrote:

> Many thanks to Tom Stiller for allowing me to publish this.

Many thanks to both of you for publishing it!
0 new messages