I just noticed that on my iSCSI-R3 box there are a ton of ports open that I have no need for. Is there any way to disable stuff like NetBIOS, SMB file sharing, POP3/IMAP, etc.? The list below shows all the stuff that is turned on by default (and I can't see anything in the web UI to turn it off)...
Thanks
Craig
Round Trip Time (RTT): <10 ms
Time To Live (TTL): 64
DNS name: iscsi.xxx..xxx
NetBios names (5) ISCSI <00> UNIQUE - Workstation service
ISCSI <03> UNIQUE - Messenger service
ISCSI <20> UNIQUE - File server service
WORKGROUP <1E> GROUP - Browser Service Elections
WORKGROUP <00> GROUP - Domain name
User: ISCSI
MAC: xx:xx:xx:xx:xx:xx
Comment: iSCSI
Platform: 500
Version: 4.9
Roles: (7) LAN Manager workstation
LAN Manager server
Server sharing print queue
Unix server
Windows NT/Windows 2000/Windows XP workstation or server
Windows NT/Windows 2000 server that is not a domain controller
DFS Server
Remote Time of Day Time of Day: 04/09/2007 8:56:10 AM
System loaded: 04/09/2007 2:56:10 AM
Time Zone: -120 minutes from the Greenwich Mean Time (GMT) zone
Users (0)
Password policy Minimum password length: 5
Maximum password age:
Minimum password age: none
Force logoff: 4294967295 sec
Password history: 0
Time before it is automatically unlocked: 1800 sec
Time between any two failed logon: 0 sec
Number of invalid password : 0
Shared ressources (2) ADMIN$
IPC$
Opened files (1) \PIPE\srvsvc User: guest
Permission:
TCP ports (18) 25 smtp => Simple Mail Transfer Protocol
80 http => World Wide Web HTTP HEAD / HTTP/1.0
110 pop3 => Post Office Protocol - Version 3
119 nntp => Network News Transfer Protocol
139 netbios-ssn => NetBios Session Service
143 imap4 => Interactive Mail Access Protocol v4
389 ldap => Light Directory Access Protocol
443 https => Http protocol over TLS/SSL
445 microsoft-ds => Microsoft-DS
993 imaps => Imap4 protocol over TLS/SSL
995 pop3s => Pop3 protocol over TLS/SSL
1080 socks => Socks 4/5
3128 proxy => HTTP(S) Proxy
6666 irc => Mirc
6667 irc => Mirc
6668 irc => Mirc
6669 irc => Mirc
8080 http => HTTP Alternate (see port 80)
I know this has been a concern for many recently and our Research and Development Department will look into this and disable these ports, but this will take time or next releases (not sure which one). I know this is not the answer you want to hear, but in the meantime try using a Router/Firewall to block these ports (outside and inside). This is a problem being a Storage system that we will have to look into.
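Added example (not part of the original thread or the vendor's tooling): one way to turn the scan listing above into the interim firewall block suggested in this reply. The address 192.0.2.10, the allow-list of 443 (web UI) and 3260 (standard iSCSI port), and the existing nftables table "inet filter" with a "forward" chain are assumptions.

```python
import re

# Assumptions (not from the thread): the box is at 192.0.2.10, its web UI is
# reached over 443 and iSCSI over the standard port 3260.
TARGET = "192.0.2.10"
ALLOWED = {443, 3260}

# Constructed excerpt: TCP port lines in the format of the scan report above.
SCAN = """\
TCP ports (18) 25 smtp => Simple Mail Transfer Protocol
80 http => World Wide Web HTTP HEAD / HTTP/1.0
110 pop3 => Post Office Protocol - Version 3
139 netbios-ssn => NetBios Session Service
389 ldap => Light Directory Access Protocol
443 https => Http protocol over TLS/SSL
445 microsoft-ds => Microsoft-DS
6666 irc => Mirc
6667 irc => Mirc
6668 irc => Mirc
6669 irc => Mirc
8080 http => HTTP Alternate (see port 80)
"""

PORT_LINE = re.compile(r"^(?:TCP ports \(\d+\) )?(\d{1,5}) (\S+) =>", re.M)

def open_ports(report):
    """Return {port: service} for every port line in the report."""
    return {int(p): s for p, s in PORT_LINE.findall(report)}

def to_ranges(ports):
    """Collapse ports into nft set elements, e.g. 6666-6669."""
    out, run = [], []
    for p in sorted(ports):
        if run and p != run[-1] + 1:
            out.append(run)
            run = []
        run.append(p)
    if run:
        out.append(run)
    return [str(r[0]) if len(r) == 1 else f"{r[0]}-{r[-1]}" for r in out]

def drop_rule(report, allowed=ALLOWED, target=TARGET):
    """nftables rule dropping forwarded traffic to every unneeded open port."""
    unwanted = set(open_ports(report)) - set(allowed)
    elems = ", ".join(to_ranges(unwanted))
    return f"add rule inet filter forward ip daddr {target} tcp dport {{ {elems} }} drop"

if __name__ == "__main__":
    print(drop_rule(SCAN))
```

A forward-chain rule only filters traffic that is routed through the firewall; hosts on the same segment as the box still reach those ports directly.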
Thanks Todd. Glad to hear that it's on the to-do list and hopefully it will be along shortly. For us the iSCSI box isn't internet accessible, but having all the unused ports open, and particularly that anonymous LDAP bind, runs afoul of corporate security policy, so I can't get it put onto a production network segment until that is resolved.
An ideal resolution for this kind of thing moving forward would be to allow administrator ssh access to a shell as this stuff wouldn't be hard to turn off with a couple of .conf file changes. This is the approach the VMware guys take with their service console...