Hi all,
I have a question regarding nmap.
I installed archlinux on machine which will be used as router.
Initially I also installed openssh (which comes with Firefox). I removed this completely.
When I check from outside which ports are open I get a weird response (XX below is to hide the real IP and of course is not part of the response).
[root@asus rafal]# nmap -Pn XX.XXX.XXX.XXX
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 20:54 UTC
Nmap scan report for 0XXXXXXXXXXX.warszawa.vectranet.pl (XX.XXX.XXX.XXX)
Host is up (0.015s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 8.26 seconds
My question is:
Why is this port listed? It's closed - ok... but why listed?
Why not 80, 443 or anything else, but this '22'?
Could this be that it's from the router provided by my internet provider?
I need to use the router from them, but it is in bridge mode. And I do have two devices connected to it (both get different public IPs).
Last edited by rafdre (2024-02-06 21:16:10)
Because it still responds: https://man.archlinux.org/man/extra/nma … ING_BASICS
hello Seth,
thanks for your response.
I see there is no reason to be concerned about it.
I am considering what will be the most safe setup for such a device.
I was thinking to enable SSH there but allow it only for local connections. I somehow need to manage that device (i.e. check logs).
I have dual boot with pfSense, since I still consider both: pfSense or own setup (Arch Linux). At the moment I am in favor of using Arch Linux as this will be more flexible (though more time consuming to set up).
Talking about security of SSH, what will be the technical difference between those two approaches?
1) I add proper entries in /etc/hosts.deny and /etc/hosts.allow
2) I configure firewall to reject all what comes from outside of the network.
Please correct me if I am wrong:
the first thing which the system checks will be the firewall setting, and in case the firewall allows the connection to ssh, the ssh daemon will check entries in /etc/hosts.deny and /etc/hosts.allow.
Is it correct?
I think this shall give me extra security.
In case the firewall stops (for whatever reason), the sshd daemon will still consider what is allowed and what is not.
Am I correct?
First of all, are you behind a NAT'ing router? Do you have a routable IPv6 address?
If you are and you don't, the host cannot be reached directly from the WAN anyway, leaving aside that the IP you were testing might very well belong to a CGNAT (i.e. IPv4 NAT by your ISP; you cannot even ping your own router/modem)
On a potentially WAN facing host, https://wiki.archlinux.org/title/OpenSSH#Protection is mandatory - regardless of whether you want to control traffic via iptables/nftables (or a higher level implementation like ufw or firewalld), which is a seriously good idea on a WAN facing service and necessary if you want to create an effective LAN environment.
Security measures are not "either, or", but "yes, please" - like Ogres, good security practices have layers of protection.
hosts.deny/allow are deprecated useless dead and rotten away
This device will not be behind NAT.
The purpose will be to be the first device in the private network (and filter/block some content - mainly parental control).
Ok. Second device - if we consider the device provided by the ISP, I always ask them to switch it to bridge mode. The providers always force me to have their device (which can be used as a wifi router), but since I cannot control it, I always put something after it (my personal router).
In other words - my device will be accessible from the internet (public IP).
I usually serve only a web server (ports 80+443) so later I will add them (forwarding to the device which is my webserver). SSH I consider only for local access to manage the device.
I set net.ipv4.ip_forward = 1 there - if this was your question.
All similar to what is described here https://heywoodlh.io/arch-linux-router/ with the difference that I do use firewalld, which is using nftables.
Regarding hosts.deny/allow, it is very interesting what you wrote. I was not aware of it.
See this article from 2022 https://linuxconfig.org/hosts-deny-form … e-on-linux
Closing Thoughts
In this tutorial, we saw how to format the hosts.deny with various filtering rules on a Linux system. This can be an effective way to filter traffic for TCP wrapped services, although it has fallen out of common use with the rise of the powerful iptables/nftables firewall built into the Linux kernel.
my device will be accessible from internet (public IP)
Some netfilter configuration is mandatory, whether through iptables, nftables or higher level tools is up to you - on the kernel level it's all the same.
You still want to limit the services w/ their individual configuration (Ogres…)
In an ideal world, you do NOT run any service on the system that provides the firewall, but behind it. You can e.g. also use virtual machines to achieve that (to some extent)
However, having a proper netfilter implementation at all is ~85% of the way (number totally made up)
To be clear:
my personal router
This is the arch system? If this is some TP-Link/D-Link/brand here switch/router/stuff combo, it'll likely do NAT and ftr and inb4 somebody freaks out:
NAT doesn't equal a firewall, it's just that those routers typically do that on the fly and deny all cold inbound traffic by default.
---
https://wiki.archlinux.org/title/Parental_control
https://wiki.archlinux.org/title/Fail2ban # in case you ever want to have the sshd WAN facing
https://wiki.archlinux.org/title/Iptables # Netfilter still redirects there, this isn't to indicate preference
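A concrete instance of the layering described above (written for this thread as an added example, not taken from the linked router guide or from any poster): a minimal nftables ruleset for the Arch box as router with ip_forward enabled, SSH reachable only from the LAN, and 80/443 forwarded to an internal web server. The interface names enp1s0/enp2s0, the 192.168.1.0/24 LAN and the 192.168.1.10 web server address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (assumed names: WAN=enp1s0, LAN=enp2s0 on
# 192.168.1.0/24, internal web server 192.168.1.10). Load with: nft -f <file>
flush ruleset

define WAN = "enp1s0"
define LAN = "enp2s0"
define LAN_NET = 192.168.1.0/24
define WEB = 192.168.1.10

table inet filter {
    chain input {
        # Default drop: WAN probes get no answer, which nmap reports as
        # "filtered"; a reject with tcp reset would show up as "closed".
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # SSH only from the LAN side; the WAN never sees a listener
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        # DNS/DHCP for LAN clients, if the router serves them
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN clients may go out to the internet
        iifname $LAN oifname $WAN accept
        # Only the DNAT'ed web traffic may come in from the WAN
        iifname $WAN oifname $LAN ip daddr $WEB tcp dport { 80, 443 } ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Port-forward 80/443 on the public IP to the internal web server
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Masquerade LAN clients behind the router's public address
        oifname $WAN masquerade
    }
}
```

The second layer from the OpenSSH#Protection link lives in sshd_config itself (for instance ListenAddress set to the LAN address and an AllowUsers list), so sshd still refuses WAN connections even if this ruleset is ever flushed. firewalld can express the same policy on top of nftables; the raw ruleset is shown here so the packet path is visible.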
when I write 'my personal router' I mean something like this:
https://pl.aliexpress.com/item/10050059 … ry_from%3A
On such machine I successfully installed ArchLinux and pfSense in dual boot. Now I play with both.
ArchLinux gives me more flexibility and I can learn more. pfSense is more like 'ready to use'.
I think I have the answer to my question and the topic can be closed.
Thanks for your help.