Hi team,
Can I ask a (hopefully quick) IGEL OS security-related question?
Our Infosec team is using Rapid7 Vulnerability Scanner to ensure the clients don’t have known bugs.
What they see on our test IGEL OS clients are the open ports and services below:
ICMP timestamp response (generic-icmp-timestamp)
TCP timestamp response (generic-tcp-timestamp)
The RPC Portmapper – 111/tcp open rpcbind / 111/udp open rpcbind
Their questions are:
1. Can we get some information on what these are used for?
2. Can we close these ports & stop the services, or are they required by IGEL OS?
Thanks a lot for the help!
RPCBIND on port 111 is standard.
www.rapid7.com/db/vulnerabilities/RPC-PORTMAPPER-0001/
www.rapid7.com/db/vulnerabilities/generic-icmp-timestamp/
All of these are needed by IGEL. Work with security to file an exception for IGEL devices.
Also, here is a link to IGEL ports:
kb.igel.com/endpointmgmt-6.07/en/ums-communication-ports-43105860.html
thanks a lot @member
Hi @member, I cannot see icmp timestamp or rpcbind in the list. What are they used for? Maybe for discovery? It would be interesting to have some way to block them for all input IPs except for some of them. An IGEL in a hostile external network should not show any open service.
@member and @member If needed, work with your network and security leads to craft the iptables commands that can be added to profile to DROP for IPs not included in IGEL backend servers.
Here is a simple example.
Run the following on IGEL endpoint:
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
Now try to ping from another device with nping:
nping --icmp --icmp-type time 192.168.1.159
Here is what you get before issuing iptables commands.
sudo nping --icmp --icmp-type time 192.168.1.159
Starting Nping 0.7.91 ( nmap.org/nping ) at 2021-05-31 12:25 CDT
SENT (0.0173s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=597 seq=1 orig=0 recv=0 trans=0] IP [ttl=64 id=32212 iplen=40 ]
RCVD (0.0284s) ICMP [192.168.1.159 > 192.168.1.14 Timestamp reply (type=14/code=0) id=597 seq=1 orig=0 recv=62714243 trans=62714243] IP [ttl=64 id=26327 iplen=40 ]
SENT (1.0177s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=597 seq=2 orig=0 recv=0 trans=0] IP [ttl=64 id=32212 iplen=40 ]
RCVD (1.0204s) ICMP [192.168.1.159 > 192.168.1.14 Timestamp reply (type=14/code=0) id=597 seq=2 orig=0 recv=62715235 trans=62715235] IP [ttl=64 id=26407 iplen=40 ]
SENT (2.0185s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=597 seq=3 orig=0 recv=0 trans=0] IP [ttl=64 id=32212 iplen=40 ]
RCVD (2.0215s) ICMP [192.168.1.159 > 192.168.1.14 Timestamp reply (type=14/code=0) id=597 seq=3 orig=0 recv=62716236 trans=62716236] IP [ttl=64 id=26476 iplen=40 ]
SENT (3.0196s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=597 seq=4 orig=0 recv=0 trans=0] IP [ttl=64 id=32212 iplen=40 ]
RCVD (3.0284s) ICMP [192.168.1.159 > 192.168.1.14 Timestamp reply (type=14/code=0) id=597 seq=4 orig=0 recv=62717243 trans=62717243] IP [ttl=64 id=26572 iplen=40 ]
SENT (4.0206s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=597 seq=5 orig=0 recv=0 trans=0] IP [ttl=64 id=32212 iplen=40 ]
RCVD (4.0234s) ICMP [192.168.1.159 > 192.168.1.14 Timestamp reply (type=14/code=0) id=597 seq=5 orig=0 recv=62718238 trans=62718238] IP [ttl=64 id=26594 iplen=40 ]
Max rtt: 10.754ms | Min rtt: 2.630ms | Avg rtt: 5.585ms
Raw packets sent: 5 (200B) | Rcvd: 5 (230B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 4.02 seconds
Here is what you get after issuing iptables commands.
sudo nping --icmp --icmp-type time 192.168.1.159
Starting Nping 0.7.91 ( nmap.org/nping ) at 2021-05-31 12:27 CDT
SENT (0.0197s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=32751 seq=1 orig=0 recv=0 trans=0] IP [ttl=64 id=47911 iplen=40 ]
SENT (1.0228s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=32751 seq=2 orig=0 recv=0 trans=0] IP [ttl=64 id=47911 iplen=40 ]
SENT (2.0232s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=32751 seq=3 orig=0 recv=0 trans=0] IP [ttl=64 id=47911 iplen=40 ]
SENT (3.0235s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=32751 seq=4 orig=0 recv=0 trans=0] IP [ttl=64 id=47911 iplen=40 ]
SENT (4.0267s) ICMP [192.168.1.14 > 192.168.1.159 Timestamp request (type=13/code=0) id=32751 seq=5 orig=0 recv=0 trans=0] IP [ttl=64 id=47911 iplen=40 ]
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (200B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.03 seconds
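Expanding the DROP example above into the allowlist Ron describes, as an added example that is not from the thread or from IGEL: rpcbind (111/tcp, 111/udp) and ICMP timestamp requests are only answered for the backend server addresses, which here are constructed placeholders, and every other source is dropped. Invoking the script without the "apply" argument prints the rules instead of installing them, so they can be reviewed before going into a profile.

```shell
#!/bin/sh
# Added example: allowlist for the two Rapid7 findings in the thread,
# rpcbind (111/tcp and 111/udp) and ICMP timestamp requests. Only IGEL
# backend servers get an answer; every other source address is dropped.

IPT="${IPT:-iptables}"
# Constructed placeholder addresses for the UMS/backend servers; replace
# them with your own.
BACKEND_IPS="${BACKEND_IPS:-192.0.2.10 192.0.2.11}"

# Delete any existing copy of a rule before appending it, so the script can
# be re-run (e.g. from a profile at every boot) without stacking duplicates.
add_once() {
    "$IPT" -D "$@" 2>/dev/null || true
    "$IPT" -A "$@"
}

igel_scan_hardening() {
    # A dedicated chain keeps the allowlist separate from the rest of INPUT
    "$IPT" -N IGEL_BACKEND 2>/dev/null || "$IPT" -F IGEL_BACKEND
    for ip in $BACKEND_IPS; do
        # Backend traffic returns to INPUT and is judged by the remaining rules
        "$IPT" -A IGEL_BACKEND -s "$ip" -j RETURN
    done
    # Anything that gets this far is not a backend server
    "$IPT" -A IGEL_BACKEND -j DROP

    # Route the scanner-visible services through the allowlist chain
    add_once INPUT -p tcp --dport 111 -j IGEL_BACKEND
    add_once INPUT -p udp --dport 111 -j IGEL_BACKEND
    add_once INPUT -p icmp --icmp-type timestamp-request -j IGEL_BACKEND
}

# Dry run (print the rules) unless invoked as "apply"; applying needs root.
[ "${1:-}" = "apply" ] || IPT=echo
igel_scan_hardening
```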
Thank you @member! But why not stop the service? With that rule no client can access it anyway.
It was just an example… What I said was…
If needed, work with your network and security leads to craft the iptables commands that can be added to profile to DROP for IPs not included in IGEL backend servers.
Ok Ron, thanks again!