
Thread: SMB/NetBIOS active on iSCSI-R3?

  1. #1

    SMB/NetBIOS active on iSCSI-R3?

    I just noticed that on my iSCSI-R3 box there are a ton of ports open that I have no need for. Is there any way to disable stuff like NetBIOS, SMB file sharing, POP3/IMAP, etc? The list below shows all the stuff that is turned on by default (and I can't see anything in the web UI to turn it off)...

    Thanks

    Craig

    Round Trip Time (RTT): <10 ms
    Time To Live (TTL): 64
    DNS name: iscsi.xxx..xxx
    NetBios names (5) ISCSI <00> UNIQUE - Workstation service
    ISCSI <03> UNIQUE - Messenger service
    ISCSI <20> UNIQUE - File server service
    WORKGROUP <1E> GROUP - Browser Service Elections
    WORKGROUP <00> GROUP - Domain name

    User: ISCSI
    MAC: xx:xx:xx:xx:xx:xx
    Comment: iSCSI
    Platform: 500
    Version: 4.9
    Roles: (7) LAN Manager workstation
    LAN Manager server
    Server sharing print queue
    Unix server
    Windows NT/Windows 2000/Windows XP workstation or server
    Windows NT/Windows 2000 server that is not a domain controller
    DFS Server

    Remote Supports Supported Remote Administration Protocol
    Supported Remote Procedure Call
    Supported Security Account Manager

    Remote Time of Day Time of Day: 04/09/2007 8:56:10 AM
    System loaded: 04/09/2007 2:56:10 AM
    Time Zone: -120 minutes from the Greenwich Mean Time (GMT) zone

    Users (0)
    Password policy Minimum password length: 5
    Maximum password age:
    Minimum password age: none
    Force logoff: 4294967295 sec
    Password history: 0
    Time before it is automatically unlocked: 1800 sec
    Time between any two failed logon: 0 sec
    Number of invalid password : 0

    Shared ressources (2) ADMIN$
    IPC$

    Opened files (1) \PIPE\srvsvc User: guest
    Permission:


    TCP ports (18) 25 smtp => Simple Mail Transfer Protocol
    80 http => World Wide Web HTTP HEAD / HTTP/1.0
    110 pop3 => Post Office Protocol - Version 3
    119 nntp => Network News Transfer Protocol
    139 netbios-ssn => NetBios Session Service
    143 imap4 => Interactive Mail Access Protocol v4
    389 ldap => Light Directory Access Protocol
    443 https => Http protocol over TLS/SSL
    445 microsoft-ds => Microsoft-DS
    993 imaps => Imap4 protocol over TLS/SSL
    995 pop3s => Pop3 protocol over TLS/SSL
    1080 socks => Socks 4/5
    3128 proxy => HTTP(S) Proxy
    6666 irc => Mirc
    6667 irc => Mirc
    6668 irc => Mirc
    6669 irc => Mirc
    8080 http => HTTP Alternate (see port 80)

  2. #2

    LDAP open to anonymous access as well

    Also just noticed that the LDAP server that's open on the iSCSI box supports anonymous bind so you can connect without any credentials...

    Craig

  3. #3

    Craig,

    I know this has been a concern for many recently and our Research and Development Department will look into this and disable these ports, but this will take time or next releases (not sure which one). I know this is not the answer you want to hear but in the meantime try using a Router/Firewall to block these ports (outside and inside). This is a problem being a Storage system that we will have to look into.
    All the best,

    Todd Maxwell



  4. #4

    Thanks Todd. Glad to hear that it's on the to-do list and hopefully it will be along shortly. For us the iSCSI box isn't internet accessible, but having all the unused ports open, and particularly that anonymous LDAP bind, runs afoul of corporate security policy so I can't get it put onto a production network segment until that is resolved.

    An ideal resolution for this kind of thing moving forward would be to allow administrator ssh access to a shell as this stuff wouldn't be hard to turn off with a couple of .conf file changes. This is the approach the VMware guys take with their service console...

    Craig

  5. #5

    Craig,

    Can you send the log file to support@open-e.com? On the subject line please enter
    RefID#10004850 for the ticket that we have created for you.

    Thanks!
    All the best,

    Todd Maxwell



  6. #6

    Hi Todd. Which log file do you want me to send to support? The portscan that I posted or something from the Open-E box?

    Craig

  7. #7

    Just send the whole log file.
    All the best,

    Todd Maxwell



  8. #8

    I'm a minimalist, which is why I bought open-e ISCSI. But instead I get all the bloat of DSS without the functionality.

    Don't you think that removing these un-needed services may help the performance and stability of the system?

    Looks like open-e is also using the default debian etch kernel?

  9. #9

    Not sure what the complaint is: DSS or iSCSI-R3? What are the un-needed services you are referring to - need details? Then we can ask others what their opinions are as well. We are looking into giving more control to the user on some of these services but at a later date. And yes we are using debian etch, this is easy to identify with the logs. What distros have you developed or have tested with results? Need more details to support the use of your discussion.
    All the best,

    Todd Maxwell



  10. #10

    Quote, originally posted by To-M:
    "Not sure what the complaint is: DSS or iSCSI-R3? What are the un-needed services you are referring to - need details? Then we can ask others what their opinions are as well. We are looking into giving more control to the user on some of these services but at a later date. And yes we are using debian etch, this is easy to identify with the logs. What distros have you developed or have tested with results? Need more details to support the use of your discussion."

    Here's my nessus summary; if you want the actual report let me know:

    unknown (842/tcp)
    https (443/tcp)
    vampire (6669/tcp)
    unknown (25456/tcp)
    irc-serv (6666/tcp)
    unknown (4702/tcp)
    unknown (11798/tcp)
    vocaltec-gold
    unknown (25457/tcp)
    ircd (6667/tcp)
    netbios-ssn (139/tcp)
    sunrpc (111/tcp)
    http (80/tcp)
    iscsi-target (3260/tcp)
    microsoft-ds (445/tcp)
    ldap (389/tcp)
    irc (6668/tcp)
    prosiak (22222/tcp)
    cddbp (888/tcp)
    sunrpc (111/udp)
    unknown (840/udp)
    netbios-ns (137/udp)
    ntp (123/udp)

    That's the open ports on an iscsi-r3 box. The only things I'm expecting are 3260 and 22222!

    Possible that Xinetd is enabled? Why would I see IRC!
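
The comparison made in post #10 (scan summary versus the two ports the poster expects) can be automated as a baseline check. This is an added example, not part of the thread or any Open-E tooling; the sample is a subset of the lines from that post, and treating 3260 and 22222 as TCP is an assumption.

```python
import re

# Subset of the "service (port/proto)" lines from post #10, including the
# one entry that carries no port, to exercise the unparsed path.
SAMPLE_SUMMARY = """\
https (443/tcp)
vocaltec-gold
iscsi-target (3260/tcp)
ldap (389/tcp)
prosiak (22222/tcp)
sunrpc (111/udp)
netbios-ns (137/udp)
"""

# Assumption: the baseline is the poster's expectation, both taken as TCP.
EXPECTED = {(3260, "tcp"), (22222, "tcp")}

LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+\((?P<port>\d{1,5})/(?P<proto>tcp|udp)\)\s*$", re.I
)

def parse_summary(text):
    """Return (findings, unparsed); findings maps (port, proto) -> service label."""
    findings, unparsed = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or not 0 < int(m["port"]) <= 65535:
            unparsed.append(line.strip())  # keep for manual review, never drop silently
            continue
        findings[(int(m["port"]), m["proto"].lower())] = m["name"]
    return findings, unparsed

def audit(text, expected=EXPECTED):
    """Diff observed listeners against the expected baseline."""
    findings, unparsed = parse_summary(text)
    observed = set(findings)
    return {
        "unexpected": sorted((p, pr, findings[(p, pr)]) for p, pr in observed - expected),
        "missing": sorted(expected - observed),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SUMMARY).items():
        print(f"{key}: {value}")
```

A non-empty `unexpected` list is the set of listeners to firewall off or raise with the vendor; `missing` flags an expected service that the scan did not see.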
