Solved

HOWTO stop unwanted services running on ports 139, 138, 137 (NetBIOS) on Linux

Posted on 2004-05-01
Last Modified: 2010-03-18
I'm trying to stop the services running on my Linux machine. After running the nmap command I got the following output:

$nmap 1.2.3.4
Port       State       Service
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn

Can anybody tell me how the above services start automatically? Because I didn't start them.
I want URLs and a few tips and commands on how to stop unwanted services like these. What care should one take? THANKS A LOT

Question by:learnbeta
 
LVL 40

Expert Comment

by:jlevie
ID: 10967910
See your other question...

Most likely Samba is being started at boot. On a Linux box that supports chkconfig you can execute 'chkconfig smb off' to stop Samba from starting at boot. It can be shut down immediately with 'service smb stop'.

BTW: 'chkconfig --list' will show all services and the run levels they will start at, if enabled.
0
 

Author Comment

by:learnbeta
ID: 10970532
I have checked and confirmed that Samba is not running. That's why I'm so confused about it. Can you give me some clue? Thanks for your response.
0
 

Author Comment

by:learnbeta
ID: 10970538
Is there any command to kill the processes that are running and listening on those ports?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10972214
Hmm, I just noticed that your question shows that nmap found TCP ports, not UDP ports.  Those ports are also shown in a "filtered" state, not an "open" state. Might this be something related to a local firewall on the system? Also does this system map any external SMB shares?

To find ports managed by Samba you'd need to do a TCP & UDP scan and they would return something like:

praetorian> sudo nmap -sU 10.1.0.1 -p 137-139
 
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on chaos.entrophy-free.net (10.1.0.1):
(The 369 ports scanned but not shown below are in state: closed)
Port       State       Service
137/udp    open        netbios-ns
138/udp    open        netbios-dgm

praetorian> sudo nmap -sT 10.1.0.1 -p 137-139
 
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on chaos.entrophy-free.net (10.1.0.1):
(The 2 ports scanned but not shown below are in state: closed)
Port       State       Service
139/tcp    open        netbios-ssn
 


0
 

Author Comment

by:learnbeta
ID: 10974923
Okay, from a security point of view, is it insecure to keep the following ports open?
How do I stop them? Can you tell me how to use the "lsof" command to trace exactly which process is doing this? How do I kill/stop that process?
$ nmap a.b.c.d -sT -sU -p 137-139
Port       State       Service
137/tcp    filtered    netbios-ns
137/udp    open        netbios-ns
138/tcp    filtered    netbios-dgm
138/udp    open        netbios-dgm
139/tcp    filtered    netbios-ssn
139/udp    open        netbios-ssn


0

 
LVL 40

Accepted Solution

by:
jlevie earned 225 total points
ID: 10978406
That output from nmap seems to show that Samba is in fact running. Have you checked for the Samba processes ('ps -ef | grep smbd | grep -v grep' and 'ps -ef | grep nmbd | grep -v grep')?

Are there any SMB (windows) shares mounted?
0
 

Author Comment

by:learnbeta
ID: 10983705
YES SIR, I have already checked both commands:
$ ps -ef | grep smbd | grep -v grep
$ ps -ef | grep nmbd | grep -v grep

Is that possible due to some kind of firewall rules? Is this situation vulnerable from a security point of view? I'm just anxious to know about those ports. How did they get started? Because just after rebooting the system (2 days ago), I found that they are "ON". Before that there was no listening at all on ports 137-139. That's why I was asking about it. I must thank you for the replies.
Thanks.
0
 

Author Comment

by:learnbeta
ID: 10983715
My OS is RH9.0.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10986162
It is possible that this "false result" is an artifact of the firewall since there aren't any smbd/nmbd processes running. You can verify that there aren't any processes bound to those ports with 'lsof -i udp | grep netbios'

If there aren't any processes bound to the ports, then an artifact of the firewall probably doesn't pose a security risk to this system.
0
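The check suggested above with lsof, as an added example that is not part of the original thread: a POSIX shell script that reads rows in /proc/net/udp or /proc/net/tcp format, reports any socket actually bound to ports 137-139, and maps a socket inode to the PIDs holding it. The function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads text in /proc/net/tcp or /proc/net/udp format on stdin
# and prints the sockets bound to the NetBIOS ports 137-139.
netbios_sockets() {
    proto=$1
    while read -r sl laddr raddr st queues timer retr uid timeout inode rest; do
        case $sl in *:) ;; *) continue ;; esac      # skip the header line
        port=$((0x${laddr##*:}))                    # local port is stored in hex
        [ "$port" -ge 137 ] && [ "$port" -le 139 ] || continue
        # For TCP only state 0A (LISTEN) is a listener; every UDP row is a bound socket.
        if [ "$proto" = tcp ] && [ "$st" != 0A ]; then continue; fi
        echo "$proto $port uid=$uid inode=$inode"
    done
    return 0
}

# Map a socket inode to the PIDs that hold it (the lookup lsof performs).
# Needs root to see file descriptors of other users' processes.
socket_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Constructed sample rows (not taken from the thread): nmbd-style UDP sockets
# on 137 and 138, plus an unrelated socket on port 631.
sample_udp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0089 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242 2 0000000000000000 0
  11: 00000000:008A 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4243 2 0000000000000000 0
  12: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4300 2 0000000000000000 0
EOF
}

sample_udp | netbios_sockets udp
# On a live host:
#   netbios_sockets udp < /proc/net/udp
#   netbios_sockets tcp < /proc/net/tcp
#   socket_pids <inode printed above>
```

If the live files produce no rows for 137-139, nothing on the host is bound to those ports, whatever state a remote scan reports for them.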
 

Author Comment

by:learnbeta
ID: 11002584
After quite a bit of looking here and there, I found, and I also agree, that this is definitely a problem of a firewall mess. I must thank you.
Thanks for the nice & patient response.
0
