Port Question

We're in the process of deploying Lion Server 10.7 with a public-facing IP in order to support/manage iPads in the field. The in-house security office ran an automated security scan on the server. The portion summarized below is focused on open ports. As you can see, a good number of "hits" are from ports the security software couldn't identify. Other hits ID'd the port but not the process. I have identified all of the MEDIUM level ports as required with the exception of port 22. However, while the security staff is eyeballing ports 8088, 137, 138, 311 and 80 (I have raised eyebrows for these), I'm most concerned with their wanting to arbitrarily "close off any/all unnecessary ports". Hence my two questions:
1) Can anyone help me ID Lion Server's "unnecessary" ports?
2) How exactly do you turn off Lion Server ports?
Risk Factors: MEDIUM
Port 22: SSH
Port 80: HTTP
Port 311: Serves core server functions
Port 443: Secure sockets or https
Port 8088: Software update service.
Risk Factors: NONE
5268 Service detection Help Request: Risk Factor NONE
Port Unspecified: An HTTP proxy is running on this port.
Port Unspecified: A web server is running on this port.
Port Unspecified: An SSH server is running on this port.
Port Unspecified: The remote service could be identified.
Port Unspecified: The remote service encrypts communications.
Port Unspecified: A web server is running on this port through SSLv3.
Port Unspecified: An SSLv3 server answered on this port.
Port Unspecified: This port supports resuming SSLv3/TLSv1 sessions.
Port Unspecified: This port supports SSLv3/TLSv1.0.
Port Unspecified: A web server is running on this port through TLSv1.
Port Unspecified: A TLSv1 server answered on this port.
Risk Factors UNKNOWN:
Port Unknown: 49177/udp
Port Unknown: 51877/udp
Port 5268: Service Detection HELP Request
Port 53094 Unknown Use
Port 53403 Unknown Use
Port 5352 Unknown Use
Port 54422 Unknown Use
Port 58230 Unknown Use
Port 58231 Unknown Use
Port 60449 Unknown Use
Port 60807 Unknown Use
Port 625 Unknown Use
Port 63449 Unknown Use
Port 64224 Unknown Use
Misc
Port Unspecified: The remote web server does not return 404 error codes.
Port Unspecified: A CIFS server is running on this port.
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to ports 139 or 445.
Service Detection – Unspecified Port: A VNC server is running on this port.
Service Detection – Unspecified Port: A web server is running on this port.
Service Detection – Unspecified Port: A web server is running on this port.
Service Detection – Unspecified Port: A web server is running on this port.
Apple Port Listing

| Port | TCP or UDP | Service or Protocol Name | RFC | /etc/services | Used by / Additional information |
|---|---|---|---|---|---|
| 7 | TCP/UDP | echo | 792 | echo | |
| 20 | TCP | File Transfer Protocol (FTP) | 959 | ftp-data | |
| 21 | TCP | FTP control | 959 | ftp | |
| 22 RISK MEDIUM | TCP | Secure Shell (SSH) | 4250 - 4254 | ssh | |
| 23 | TCP | Telnet | 854 | telnet | |
| 25 | TCP | Simple Mail Transfer Protocol (SMTP) | 5321 | smtp | Mail (for sending email); MobileMe Mail (sending) |
| 53 NO RISK | TCP/UDP | Domain Name System (DNS) | 1034 | domain | MacDNS, FaceTime |
| 67 | UDP | Bootstrap Protocol Server (BootP, bootps) | 951 | bootps | NetBoot via DHCP |
| 68 | UDP | Bootstrap Protocol Client (bootpc) | 951 | bootpc | NetBoot via DHCP |
| 69 | UDP | Trivial File Transfer Protocol (TFTP) | 1350 | tftp | |
| 79 | TCP | Finger | 1288 | finger | |
| 80 RISK MEDIUM | TCP | Hypertext Transfer Protocol (HTTP) | 2616 | http | World Wide Web, MobileMe, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, WebDAV (iDisk), Final Cut Server, AirPlay, OS X Lion Internet Restore, Profile Manager |
| 88 | TCP | Kerberos | 4120 | kerberos | |
| 106 NO RISK | TCP | Password Server | (Unregistered Use) | 3com-tsmux | Mac OS X Server Password Server |
| 110 | TCP | Post Office Protocol (POP3); Authenticated Post Office Protocol (APOP) | 1939 | pop3 | Mail (for receiving email) |
| 111 | TCP/UDP | Remote Procedure Call (RPC) | 1057, 1831 | sunrpc | Portmap (sunrpc) |
| 113 | | | | | |

You have to bear in mind that there is no hard relationship between a protocol (e.g. 'HTTP', 'HTTPS', etc.) and a port number. Any protocol/service can run on just about any port. Sure, there are conventions (HTTP -> 80, SMTP -> 25, etc.), but you are free to override those in your own configuration.
In addition, Apple's listing covers the default ports used by the various Apple-provided services and configurations, so yes, you'll find multiple 'HTTPS'-based services listed, but that's not to say they're being used, because you might not enable the associated service.
For example, if you don't use JBoss then the 9006/8080/8443 ports might not be used.
So it's up to you to look at the services you're using, to determine which ports they're using, and to configure the network accordingly.
If you're only running standard web services then you should only need port 80 (and 443 if you're using HTTPS), although it looks like Profile Manager also uses port 1640.
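The answer above amounts to "find out which process owns each listening port, then keep only the ones you need". As an added example (not from the thread or from Apple), the POSIX shell script below takes `lsof -nP -iTCP -sTCP:LISTEN -iUDP` style output, maps every listening socket to its owning process, and flags any externally reachable port that is not on an allowlist built from the ports the poster already identified as required (22, 80, 311, 443, 8088). The lsof lines, process names and the allowlist are a constructed sample and an assumption, not data from the poster's server.

```shell
#!/bin/sh
# Audit listening ports against an allowlist, using lsof output as the source of truth.
# Constructed sample of what "sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP" prints on a Mac;
# the process names and sockets here are illustrative, not taken from any real server.
SAMPLE_LSOF='COMMAND       PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd         1           root   10u  IPv6 0xabc      0t0  TCP *:22 (LISTEN)
httpd         123           root    4u  IPv6 0xabc      0t0  TCP *:80 (LISTEN)
httpd         123           root    6u  IPv6 0xabc      0t0  TCP *:443 (LISTEN)
servermgrd    456           root    7u  IPv4 0xabc      0t0  TCP *:311 (LISTEN)
swupd_syncd   789           root    5u  IPv4 0xabc      0t0  TCP *:8088 (LISTEN)
mDNSResponder  90 _mdnsresponder    8u  IPv4 0xabc      0t0  UDP *:5353
vncserver     321           root    9u  IPv4 0xabc      0t0  TCP *:5900 (LISTEN)
ruby          555     _devicemgr    3u  IPv4 0xabc      0t0  TCP 127.0.0.1:3000 (LISTEN)'

# Ports the administrator has signed off on (assumed: the MEDIUM-risk ports from the scan).
ALLOWED_PORTS="22 80 311 443 8088"

# Reads lsof output on stdin and prints one "proto port bind_addr command" line per socket.
# The NAME column is "addr:port", so the port is everything after the last colon; this
# also handles IPv6 names such as "[::1]:22".
listening_ports() {
    awk 'NR > 1 {
        name = $9
        port = name; sub(/.*:/, "", port)
        host = name; sub(/:[^:]*$/, "", host)
        print $8, port, host, $1
    }'
}

# Reads lsof output on stdin; prints a line for each socket that is reachable from the
# network (not bound to loopback) and whose port is not on the allowlist.
unexpected_ports() {
    listening_ports | while read -r proto port host cmd; do
        case " $ALLOWED_PORTS " in *" $port "*) continue ;; esac
        # Loopback-only listeners are invisible to an external scanner; skip them.
        case "$host" in 127.0.0.1|"[::1]"|localhost) continue ;; esac
        echo "$proto/$port ($cmd) bound to $host: not on the allowlist"
    done
}

# Runs the audit over the constructed sample; on a real host, pipe live lsof output
# into unexpected_ports instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_ports
}

audit_sample
```

On the server, replace the sample with `sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP`; a flagged port is then closed by stopping the service that owns it (for Mac OS X Server, `sudo serveradmin stop <service>`), so the port disappears because nothing listens on it rather than because a firewall hides it.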

Similar Messages

  • Another port question - multiple Macs behind the same firewall

    I've searched for this issue, but I can't seem to find a topic directly on point. I know how to forward the right points for this to work, but...
    I'm coming from outside the network, and I need to control multiple machines that are behind the same firewall. I can't forward a port to more than one machine. How do I control all these machines?

    To be able to connect to a workstation from outside its network, the ports that ARD uses must be open on both ends of the connection. ARD uses ports 3293 and 5900 so those must be open.
    If your workstations get their addresses from a NAT device rather than being "real", as seems to be the case from your description, the ports also need to be forwarded in the router to the workstation's internal IP address. ARD uses port 3283 for the reporting and updating function, so if your Macs are getting their IP addresses through NAT, since you can only forward a port to a single workstation, you can only get reports, push packages/files to, etc. a single workstation.
    ARD uses the VNC protocol for observation and control, though, and there is a range of ports for that protocol, starting with 5900. ARD uses 5900 by default, so that port would be forwarded to the first workstation. You would, I believe, need to install VNC servers on the systems (since the ARD client cannot listen on any port other than 5900, while VNC servers can be set for other ports such as 5901, 5902, etc.). You would then forward 5901 to the second workstation (and on to 5902, 5903, etc.). You can then use the following information:
    Remote Desktop 2: How to specify a port number for a VNC client
    to connect.
    Hope this helps.
    Forum Tip: Since you're new here, you've probably not discovered the Search feature available on every Discussions page, but next time, it might save you time (and everyone else from having to answer the same question multiple times) if you search a couple of ways for a topic before you post a question.
    Regards.
    Message was edited by: Dave Sawyer

  • AS2 over HTTP Send port question.

    I have an application that builds and sends flat and EDI files to FTP, FILE, SqlAdapter send ports, and now they want AS2 over an HTTP port. I understand the AS2 settings (using party resolution, etc.); what I don't get is how/what exactly is receiving
    the message on the other side... They don't have a web service nor a page. I created a site to test, but what do I do? Send an EDI file to a URL????
    Bico Bielich

    From your question I understand you have been asked to send messages through AS2. Are they also going to receive messages through AS2 from their party? Is your question about how to receive the message through AS2 which you also want to send over AS2?
    You can configure
    BTSHTTPReceive.dll to receive messages over HTTP and configure the Receive location with the AS2 EDI pipeline component to receive messages over AS2 into BizTalk, which can be subscribed to by your send port filter or Orchestration (if you have any process
    to be applied before sending the message over the AS2 send port).
    Check the Tutorial 3 part of AS2, which illustrates an example that receives an AS2 message through BTSHTTPReceive.dll.
    Tutorial 3: AS2 Tutorial
    And the following references shall help you configure the BTSHTTPReceive.dll:
    How to Configure IIS for an HTTP Receive Location
    Configuring BTSHTTPReceive.dll to work on IIS 7

  • Essbase1113 IP Address and Port Questions

    hello,
    everyone, i'm puzzled on a question about essbase.
    it'll be so kind if you give me some suggestions.
    in our project, we installed EPM System 1113 on Win Server 2003, but it's in a local network. there is no problem when we connect to it using client tools in the local network environment.
    however, we wanna connect to the Essbase Server through the Internet, so we map the server address (such as 10.163.163.163) to an Internet address (such as 111.111.111.111).
    we didn't use tools such as VPN, and the address is just a mapping; if we don't map the port, we can't connect to the essbase server.
    here comes the question: how do we map the essbase address and port? i mean, which port should we use so that we can connect to it through the Internet?
    thank you so much.
    wish to reply.
    hawk.

    The ports that essbase use are outlined at :- http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_install_start_here/ch06s05s01.html
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • S-video port question

    This is just a general knowledge question, but the S-video port on my Pismo has more than the 4 holes and the rectangle connectors; there are seven holes and it's weird. The S-video does work so there are no problems, just wondered.

    Chismar,
    The S-Video port on my powerbook has 7 pin holes for the pins on the S-Video connector, so I guess I am missing something in your question.

  • Several instances using same port question

    Good Morning,
    I am going to have to create several instances on one box using Solaris 10 zone technology, each zone having its own instance. I need to confirm whether or not all those instances can use one listener, or does each instance need its own separate port such as 1521, 1522 etc. for its listener?
    Your opinion and recommendation on this matter will be much appreciated.
    regards,
    al

    > Good Morning,
    >
    > I am going to have to create several instances on one
    > box using solaris 10 zone technology. Each zone
    > having its own instance. I need to confirm
    > whether or not that all those instances can use one
    > listener or does each instance need its own
    > separate port such as 1521, 1522 etc. for its
    > listener.
    >
    > Your opinion and recommendation on this matter will
    > be much appreciated.
    >
    > regards,
    >
    > al

    Hi,

    As you are going to be using Solaris Zones, would you really want to have one listener for all of the instances?

    Surely the point of using Zones is separation of the environments, so why would you want to try and break that by not having separate listeners? If you aren't interested in isolating the environments then Zones seems like an added headache you can do without.

    On the question of ports... each Zone is going to have its own IP address so it really doesn't matter what port you choose. They could all have the same port for their individual listeners or they could all have different ports. Makes no odds really.

    Hope that helps.

  • Wan port question

    Could someone explain to me the Ethernet wan port menu. I'm having a lot of connection problems with Airplay. It keeps dropping and coming back on.
    I checked with my ISP and the signal (cable) is 100% stable so the problem has to be my AE.
    If I change the settings to 10Mbps/half Duplex, it seems to work ok for a while. But Automatic is a definite no-no.
    Why all those choices, especially half and full duplex and what do they mean in terms of overall performance ?
    Thx

    My question to you is did this always happen or just started happening with this modem & AirPort base station. What is the exact model of your AirPort? How about the modem?
    This has always happened since installation 3 months ago
    AE 1143 - Modem is : Motorola SB5101
    Is 8 Mbps the maximum rated download speed that your ISP is providing you for Internet service?
    Yes
    Is 8 Mbps the maximum rated download speed that your ISP is providing you for Internet service?
    Speed test (http://www.speedtest.net/)
    up: 8.17 - down: 1.02
    Changing the WAN Ethernet port speed will do nothing to improve AirPlay's performance.
    But it does ! With lower speed = less drop in feed. Or maybe it's just the fact that I change from one to another.

  • Ethernet Port Question

    I just got a new Mac Pro and just had a stupid question.
    I plugged it in and it works -- though it's currently using en1, not en0
    (note I did not have AirPort installed, so the fact that it's listed as AirPort was a tad surprising).
    My stupid question is: are the ports mapped to a specific interface? e.g. left is en0, right is en1.
    It got annoying when it switched to en1 with DHCP vs. en0's imported static IP.

    One port is en(0) and the other is en(1), although this can change if you had an Airport card. Just switch the cable to the other port or reconfigure the current one to use your static IP address.

  • SPAN port question

    Hi,
    I have two core switches (6500) and access switches (4500), both chassis. I need to span ports, but these ports are not in a VLAN. I know that there is a limit to spanning ports that are not in a VLAN. Does anyone know what the limit is? Is there a way to make all of them span?
    Thanks!

    Hi Pablo
    As a forum focused on technical documentation, we checked to see if there was a doc that might answer your question.
    There is not enough information in your question for us to pinpoint exactly what you need, but have you looked at, for example, "Configuring SPAN, RSPAN, and ERSPAN" for the Catalyst 6500 (IOS 12.2SX)?
    If this doesn’t help, we’ll refer your question to the appropriate tech support community. They will probably find it helpful to know what operating system (CatOS or IOS) and which release you have, since this determines what SPAN features and restrictions are in effect.
    Thanks for posting,
    Hilde

  • K330 sata port question

    Hello all, I'm new to the forum and to Lenovo.
    I bought a K330-77273GU last week.
    I would like to add another HD and would like to know if the SATA ports on the motherboard are 3 Mb/s or 6 Mb/s?
    Two ports are red (being used for the current HD and CD drive) and the two spare ports are orange.
    Thanks.

    hey K330_Owner,
    From : http://www.lenovo.com/psref/pdf/icbook.pdf
    there will be two 3 Gb/s and two 6 Gb/s sata cables.
    WW Social Media
    Important Note: If you need help, post your question in the forum, and include your system type, model number and OS. Do not post your serial number.

  • Gige port question!

    I have just read that port 4 on the HH3 can take 1,000 Mbps, over the other 3 ports which are 100 Mb ports.
    Well, my question is, would this make any difference swapping from ports 1, 2, 3 to 4 for internet? I hear some people are using this port, but what's the point when no one reaches 100 Mbps for broadband, and would it make any difference to latency etc.?
    Regards
    Guy

    It's for future developments of the broadband network and to speed up transfers between your networked devices. It would have made more sense to make them all GigE though, as if other devices are using the 100 Mbps ports then they will still be limited.

  • Linksys rv082 Remote management Ports, question?

    - Remote management : I would like to set up Port 8700.
    Question ?
    8700 Port can not be changed
    Check the contents:
    Initialization,  Check that the default port for the present ecology.

    Hi winlovepc, I believe you need to contact Cisco for that model since it's a business class VPN router. They will be able to properly help you out with it. 

  • K8T Neo-FSR Audio Port Question

    I recently purchased and installed a K8T Neo-FSR. So far, I've been very happy with the board, but I do have a question about its audio capabilities that I thought you folks might be able to assist with. I currently have only three ports to my onboard audio: Line-In, Line-Out, and Microphone. I would like to utilize more than two speakers, but don't know how to go about doing this. I was looking at the S-Bracket (K31-3012001-A11) accessory, but I'm not even sure if it's compatible with my board (the connector in the PC Club picture doesn't look like it would go into anything I can see on the board). Is there something I can get to add these ports if the S-Bracket PC Club offers is not the solution? I've searched this board and a few others and haven't been able to find anything on this subject. Thanks, in advance, for any help/recommendations you folks can offer.

    ...you'll have to refer to the manual for jumper settings to change those three connections to "surround" sound...
    ...what do you mean by more than two speakers?..my powered speakers (nothing special) have Left, Right and Subwoofer...you can also get a mini-plug to RCA cord and plug into your home stereo (using the green connection on the computer, no jumper modification > line in or auxiliary on the stereo)...

  • GeForce FX 5200 Port Question

    I have an old PowerMac G5 tower with a GeForce FX 5200 64MB video card. I'd like to add a second monitor to the system, but I'm having trouble identifying what the second port is. It looks like DVI, but has a slightly different, rounder shape. Any idea what it might be? And is it possible to add another monitor on that port?
    Here's a photo of it (labeled #1): http://img525.imageshack.us/img525/9233/img0677s.jpg
    Thanks!

    Hi StudioBlue, and a warm welcome to the forums!
    The rounder one is an ADC, (Apple Display Connector), you need an ADC Monitor or this ADC<->DVI converter...
    http://tinyurl.com/25alxql

  • OC4J with OAS Port questions

    We are using Oracle DB and OAS 10g. OAS is installed on a Windows2K server, with the Infrastructure and Portal instances. We created a new OC4J instance in the Infrastructure, and have deployed an EJB application to this instance. The port assigned for RMI access is 3205.
    We are having problems connecting to this port from a remote java client.
    From the local server, I can perform a telnet to localhost:3205. Thus, the service should be accessible. However, from a remote machine, the telnet to server:3250 gets a 'connection refused'. This also occurs from the java client attempting to connect to the server and port. It seems that the port is only accessible from the local server.
    Is this a configuration issue in OAS, or should remote systems be accessing the EJB application through a different port?
    Any suggestions? Thanks in advance.
    -- Rhonda

    There's a special lookup prefix you can use when accessing EJBs in an OracleAS installation from remote clients.
    The lookup is of the form opmn:ormi://host/app -- this basically tells the JNDI call to first contact the OPMN service which manages processes in OracleAS to obtain the correct ORMI port for the OC4J process.
    OPMN manages the processes in an OracleAS environment, and dynamically allocates ports so they don't conflict with one-another.
    You can hardcode the ORMI port settings, see:
    http://download-west.oracle.com/docs/cd/B14099_04/web.1012/b14012/ormi.htm#i1084416
    But if you let OPMN provide them at runtime, it'll help you in cases where you have more than one OC4J process running on the server as it will avoid the port conflicts for you automatically.
    The J2EE Services Guide has more info about this. See http://download-west.oracle.com/docs/cd/B14099_04/web.1012/b14012/ormi.htm#i1085120
    -steve-
