This is a discussion on What's giving the IP's after the T1? within the Linux Networking forums, part of the Linux Forums category.

Here's what's very likely a very stupid question. I will take any flames like a good newbie.

Where I work, I did a portscan on our system (from a machine outside the network.) It showed the network to be pingable, and every port closed instead of stealthed and a couple of dangerous ports open! Like Telnet!

So I investigated, and from what I can tell, we have a partitioned T1 coming in, to a box sporting the name of our ISP, Nuvox, which then runs to a Netgear switch which then runs to each wall jack.

Now each machine has an internal IP (198.x.x.x), but, what's assigning the IP? We're using workgroup, not a domain, and that switch is definitely a switch and not a router or NAT. Does whatever equipment that the T1 line runs to normally do that kind of thing?

In any case, my intent is to try to secure the network, but if there's already a firewall/router of sorts already on the system, that might give me more of an idea of what to do.

So, any suggestions on how to go about taking the next step? Finding out what's assigning IP's? If it matters, I tried web browsing to the Default Gateway IP (198.10.1.1 or something...not sure of that 2nd octet,) and nothing, but telnetting to that address gives me a login prompt.

Thanks for any suggestions!!
Liam

On Thu, 04 Mar 2004 04:28:55 GMT, LRW wrote:

> Here's what's very likely a very stupid question. I will take any flames like a good newbie.
>
> Where I work, I did a portscan on our system (from a machine outside the network.) It showed the network to be pingable, and every port closed instead of stealthed and a couple of dangerous ports open! Like Telnet!
>
> So I investigated, and from what I can tell, we have a partitioned T1 coming in, to a box sporting the name of our ISP, Nuvox, which then runs to a Netgear switch which then runs to each wall jack.
>
> Now each machine has an internal IP (198.x.x.x), but, what's assigning the IP? We're using workgroup, not a domain, and that switch is definitely a switch and not a router or NAT. Does whatever equipment that the T1 line runs to normally do that kind of thing?
>
> In any case, my intent is to try to secure the network, but if there's already a firewall/router of sorts already on the system, that might give me more of an idea of what to do.
>
> So, any suggestions on how to go about taking the next step? Finding out what's assigning IP's? If it matters, I tried web browsing to the Default Gateway IP (198.10.1.1 or something...not sure of that 2nd octet,) and nothing, but telnetting to that address gives me a login prompt.
>
> Thanks for any suggestions!!
> Liam

Maybe the DSU/CSU the T1 plugs into has an integrated router.

"LRW" <druid@NOSPAHMcelticbear.com> wrote in message news:bgy1c.453120$I06.5125577@attbi_s01

> Now each machine has an internal IP (198.x.x.x), but, what's assigning the IP? We're using workgroup, not a domain, and that switch is definitely a switch and not a router or NAT. Does whatever equipment that the T1 line runs to normally do that kind of thing?
>
> In any case, my intent is to try to secure the network, but if there's already a firewall/router of sorts already on the system, that might give me more of an idea of what to do.
>
> So, any suggestions on how to go about taking the next step? Finding out what's assigning IP's? If it matters, I tried web browsing to the Default Gateway IP (198.10.1.1 or something...not sure of that 2nd octet,) and nothing, but telnetting to that address gives me a login prompt.

Using the correct IP/mask as root, e.g.:

    # nmap -sUS -p67 198.10.1.0/24 | egrep -i "interesting|open|filtered"

This will show you what IPs are running dhcpserver. It will also return the machine names if they are resolvable.

tony

--
use hotmail for any email replies

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

On Thu, 04 Mar 2004 04:28:55 GMT, LRW <druid@NOSPAHMcelticbear.com> wrote:

> Now each machine has an internal IP (198.x.x.x), but, what's assigning the IP?

Are you sure that they're being assigned? They might have fixed ips.

Dan

Dan wrote:

> On Thu, 04 Mar 2004 04:28:55 GMT, LRW <druid@NOSPAHMcelticbear.com> wrote:
>
>> Now each machine has an internal IP (198.x.x.x), but, what's assigning the IP?
>
> Are you sure that they're being assigned? They might have fixed ips.
>
> Dan

Yep. Positive. I help set the computers up and they're using DHCP. =)

Liam

"ynotssor" <"ynotssor"> wrote:

> Using the correct IP/mask as root, e.g.:
>
> # nmap -sUS -p67 198.10.1.0/24 | egrep -i "interesting|open|filtered"
>
> This will show you what IPs are running dhcpserver. It will also return the machine names if they are resolvable.

From home I tried that using the public IP (I'll do it to the gateway IP from inside the network when I go to work today,) and got the following:

PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp open dhcpserver

Does that mean that the router which is likely the DSU/CSU a previous post mentioned (I'll have to investigate the meaning of that on the 'net later today,) is acting as a DHCP server? Is what's giving internal IP addresses to the machines inside the network?

Wow I need to learn more about networking. Any good books/sites you'd recommend for newbies?

Thanks!!
Liam

"ynotssor" <"ynotssor"> wrote in message news:<4046cb29_3@corp.newsgroups.com>...

> Using the correct IP/mask as root, e.g.:
>
> # nmap -sUS -p67 198.10.1.0/24 | egrep -i "interesting|open|filtered"
>
> This will show you what IPs are running dhcpserver. It will also return the machine names if they are resolvable.

OK this is interesting, although I'm not sure what it means. I'm pasting the results below.

Allow me to babble a moment to see if I'm getting this OK.... Since the default gateway internal IP has an open DHCP port, and the public IP shows the same closed/open tcp/udp, does that mean that the piece of hardware the fractional T1 is plugged into is indeed serving as router/IP assigner (if that's not a redundant statement. I guess not since they're often two different items.)

Now, all these other machines with visible port 67's, is that good or bad? I notice that my own PC is not among them. What does this mean, really?

Thanks for your help and advice!!!
Liam

$ nmap -sUS -p67 192.168.1.0/24

Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-03-04 08:50 Central Standard Time

Interesting ports on 192.168.1.1:
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp open dhcpserver

Interesting ports on SHIPPING (192.168.1.156):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on SARAH (192.168.1.220):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on SUE (192.168.1.221):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on CHIPPER (192.168.1.229):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on DAVID2 (192.168.1.235):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on CHRIS (192.168.1.236):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on 192.168.1.244:
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on BRYAN (192.168.1.245):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Interesting ports on JERRY (192.168.1.247):
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp closed dhcpserver

Host 192.168.1.255 seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.
Interesting ports on 192.168.1.255:
PORT STATE SERVICE
67/tcp closed dhcpserver
67/udp open dhcpserver

Nmap run completed -- 256 IP addresses (11 hosts up) scanned in 21.593 seconds

OK, I tracked it back, and discovered from some box that looks like the phone company's, a cable enters an "Adtran Total Access 608" device before going to the switch. A little Web searching, and found that it's a DSL router(?) (I was told we had a partitioned T1 line. Is that what ADSL is?)

The good and bad news is that the manufacturer's product manual PDF online doesn't seem to include a default password for the telnet access. Good because that means if it hasn't been changed, some yahoo can't gain access from just doing a Web search. =) Bad because I can't get in it to do things like packet filtering and closing ports.

So, what do you think? I think it's unwise and unsafe to leave it like it is with an open telnet and 2000 port, and everything else "closed" instead of "stealthed". Or, is it no big deal?

Thanks for any advice!!
Liam

On Thursday 04 March 2004 1:46 pm, LRW uttered these immortal words:

> Wow I need to learn more about networking. Any good books/sites you'd recommend for newbies?

I found O'Reilly's "TCP/IP Network Administration" (UNIX version) to be very good to start with.

--
Andy.

"LRW" <deja@celticbear.com> quoted and wrote:

> From home I tried that using the public IP (I'll do it to the gateway IP from inside the network when I go to work today,) and got the following:
>
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp open dhcpserver
>
> Does that mean that the router which is likely the DSU/CSU a previous post mentioned (I'll have to investigate the meaning of that on the 'net later today,) is acting as a DHCP server? Is what's giving internal IP addresses to the machines inside the network?

If that's the public IP, it shouldn't be running a dhcpserver, but the results merely indicate that the port is open. The -p67,68 option to nmap will show that it's also got a port open as dhcpclient, so that it's getting the public IP from your ISP's dhcpserver. To really see what's going on, use the "-sV" option. See the nmap man page for more information.

> OK this is interesting, although I'm not sure what it means. I'm pasting the results below.
> Allow me to babble a moment to see if I'm getting this OK....
> Since the default gateway internal IP has an open DHCP port, and the public IP shows the same closed/open tcp/udp, does that mean that the piece of hardware the fractional T1 is plugged into is indeed serving as router/IP assigner (if that's not a redundant statement. I guess not since they're often two different items.)

[ relocated ]

> Interesting ports on 192.168.1.1:
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp open dhcpserver

...

> Host 192.168.1.255 seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.
> Interesting ports on 192.168.1.255:
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp open dhcpserver

The interface 192.168.1.1 is in all likelihood the source of your DHCP addressing since it's the only host address with a positive response. The .255 is a broadcast address, so it's the same response (logical OR of all polled addresses) as the other.

The fact that 192.168.1.1 is the only box on the subnet returning an open port 67 is definitive; that's where your LAN DHCP addresses are coming from, at least for all machines on the subnet that are configured as DHCP clients. Again, "-sV" will be helpful.

> Now, all these other machines with visible port 67's, is that good or bad? I notice that my own PC is not among them. What does this mean, really?

> Interesting ports on SHIPPING (192.168.1.156):
> PORT STATE SERVICE
> 67/tcp closed dhcpserver
> 67/udp closed dhcpserver

It means that nmap polled the port and got no response. You would get the same "closed" result from any port that nmap polled that had no client/server process running.

As an educational exercise, simply run "nmap -sV -sSU 192.168.0.0/24" and see the results for each machine. Someday when you have the time and wish to really start understanding your network, use the "-p1-65535" to see everything on each machine. You'll probably want to redirect the output to a file for later review.

In the list of polled IPs, you say that your "own PC is not among them"; does that include 192.168.1.244 for which there is no name resolution?

tony

--
use hotmail for any email replies
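
The scans in this thread infer the DHCP server from an open 67/udp; a DHCP reply names the server directly in option 54 (Server Identifier). The Python below is an added example, not code from any poster: it broadcasts one DHCPDISCOVER and records every server that answers with an OFFER. The function names, the MAC address and the sample offer of 192.168.1.50 are constructed for illustration.

```python
import os
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)

def bootp(op, xid, yiaddr, mac, options):
    """Pack the 236-byte BOOTP header, magic cookie, raw options and end marker."""
    return struct.pack("!BBBBIHH4x4s8x16s192x", op, 1, 6, 0, xid, 0, 0x8000,
                       socket.inet_aton(yiaddr), mac) + MAGIC + options + b"\xff"

def parse_reply(pkt):
    """Return xid, offered address, message type, server id and router, or None."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None
    info = {"xid": int.from_bytes(pkt[4:8], "big"), "offered": socket.inet_ntoa(pkt[16:20])}
    i = 240
    while i + 1 < len(pkt) and pkt[i] != 255:       # 255 ends the option list
        length = pkt[i + 1] if pkt[i] else -1       # pad (0) is a lone byte, no length
        code, val = pkt[i], pkt[i + 2:i + 2 + max(length, 0)]
        if code == 53 and val:
            info["type"] = val[0]                   # 2 = DHCPOFFER
        elif code == 54 and len(val) == 4:
            info["server_id"] = socket.inet_ntoa(val)    # the box handing out leases
        elif code == 3 and len(val) >= 4:
            info["router"] = socket.inet_ntoa(val[:4])   # default gateway it offers
        i += 2 + length
    return info

def find_dhcp_servers(mac, timeout=3.0):
    """Broadcast one DISCOVER and collect OFFERs by server id (root: binds port 68)."""
    xid, servers = int.from_bytes(os.urandom(4), "big"), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))
        s.settimeout(timeout)
        s.sendto(bootp(1, xid, "0.0.0.0", mac, b"\x35\x01\x01"), ("255.255.255.255", 67))
        try:
            while True:
                r = parse_reply(s.recvfrom(2048)[0])
                if r and r["xid"] == xid and r.get("type") == 2:
                    servers[r.get("server_id")] = r
        except socket.timeout:
            pass
    return servers

# Constructed OFFER, not captured traffic: 192.168.1.1 offers 192.168.1.50.
SAMPLE_OFFER = bootp(2, 7, "192.168.1.50", b"\x02\0\0\0\0\x01",
                     b"\x35\x01\x02\x36\x04\xc0\xa8\x01\x01\x03\x04\xc0\xa8\x01\x01")
```

`parse_reply(SAMPLE_OFFER)` works offline; `find_dhcp_servers(b"\x02\0\0\0\0\x01")` needs root on the LAN being checked, and more than one key in its result means more than one DHCP server is answering.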