breadsbox

IPsec / Open Ports

Hello Experts!

Recently I had an "acquaintance" of mine help me set up my virtual private server, which I am hosting at 1and1.com, to run my websites.

I think that he set up some type of back door or left some ports open for himself to come back in and access my information. You just know when people are acting shady.

He said that he doesn't like to use Windows Firewall and used some standard IPsec settings that work best for him.

When I ran a port scanner I saw these ports open:

Open Port 21 is open
Open Port 25 is open
Open Port 80 is open
Open Port 135 is open
Open Port 139 is open
Open Port 3389 is open

[image of IPsec]

When I was reading up on the open ports I saw that hackers like ports 135 and 139.

Can you please tell me if there is a way for me to see if he's been logging on or downloading info from my server. Maybe through the event log?

And should any of these ports be closed, and if so, how?

Thanks in advance for your help.
Windows Server 2008

Last Comment
DigitalTechy

8/22/2022 - Mon
DigitalTechy

You can check Event Viewer to see if he has logged in. Does he have his own user account? I'd suggest first changing the passwords for the user accounts on the machine; that way, if he has Remote Desktop set up, his credentials won't work. You can change the permits to blocks within the screenshot you have up there, or you can use Windows Firewall to lock down those ports as well. To open Event Viewer or Windows Firewall, just type the keywords 'Event' or 'Firewall' in the Windows Start menu search bar.

First off, I think we are missing some of the details. Is this server at your home, hosting the websites which get pointed to domain names that are hosted at 1and1? Do you ever use Remote Desktop to get into your computer? If not, port 3389 can be locked down. If this server is at your home, do you have a router/firewall that he also configured to perform some port forwarding?

If you don't, you should really look into getting one, as they are cheap, and if you are hosting a webserver yourself it's really needed even for just your home network.
breadsbox

ASKER
Thank you for your response, DigitalTechy,

This is a virtual private server from 1and1.com which I use to host my web sites.

I do use Remote Desktop to access the server.

I have changed the user info but I am concerned that there may be some type of back door in use via the ports 135 or 139.

Any thoughts on those 2 ports?
Greg Hejl

If this is a standalone server, then port 135 (RPC Locator for domain and other Windows services) and 139 (NetBIOS Session control) can be closed for the network type in Windows Firewall (public, private, domain).

If the server is part of a domain, these ports should be open for your domain network and these ports should be blocked at your firewall.

Use Windows advanced firewall settings to determine what ports are open in what network type.

Good luck.
DigitalTechy

Just like Greg said, if you don't use them in conjunction with any other domain-connected computers then you can close them and block them via the advanced firewall. If you do have other virtual private servers/computers, you can change the network type to private/domain depending on how you have it configured.

Really, 135 and 139 are not ports you want opened to the public, so those need to be locked down regardless; they are for internal domain services. Just turn those off for public networks on the firewall. Also, if you are worried about him getting access, I'd make sure you change the user account, as he wouldn't need a backdoor or trojan to exploit a vulnerability via 135 or 139; rather, he'd just RDP into your machine. You could also lock down the Remote Desktop Connection via your IP address for an added layer of security.
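
Added example, not part of any post in this thread: a PowerShell sketch of the two checks discussed above, reviewing the Security event log for logons and blocking TCP 135/139 on the public firewall profile. It assumes PowerShell 2.0 or later in an elevated prompt, that logon auditing is enabled, and uses an arbitrary 30-day window and a made-up rule name.

```powershell
# Added example; run from an elevated PowerShell 2.0+ prompt on the server.
# Assumptions: logon auditing is enabled; the 30-day window is arbitrary.
$since = (Get-Date).AddDays(-30)

function Get-EventField($xml, [string]$name) {
    # Pull one named <Data> element out of the event's XML payload.
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# 1) Was the Security log cleared? Event 1102 means earlier logons may be missing,
#    so an empty result in step 2 would not prove that nobody logged on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2) Logon events: 4624 = successful logon, 4625 = failed logon.
#    LogonType 10 = RemoteInteractive (Remote Desktop), 3 = network (SMB/RPC).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $type = Get-EventField $x 'LogonType'
    if ($type -eq '10' -or $type -eq '3') {
        $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Result    = $result
            LogonType = $type
            Account   = Get-EventField $x 'TargetUserName'
            SourceIP  = Get-EventField $x 'IpAddress'
        }
    }
}

# Full timeline, then a per-account/per-address summary to spot unfamiliar sources.
$logons | Sort-Object Time | Format-Table Time, Result, LogonType, Account, SourceIP -AutoSize
$logons | Group-Object Result, LogonType, Account, SourceIP |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 3) Block TCP 135/139 on the public profile. Block rules only apply while the
#    firewall is ON for the active profile, so check its state first. If it is off,
#    make sure an inbound allow rule for TCP 3389 exists before turning it on over
#    a Remote Desktop session, or you will cut off your own access.
netsh advfirewall show currentprofile
# Rule name is a constructed placeholder; the port list is quoted so PowerShell
# does not split it at the comma.
netsh advfirewall firewall add rule name=Block-TCP-135-139-Public dir=in action=block protocol=TCP 'localport=135,139' profile=public
```

Re-running the port scan from outside the server afterwards confirms whether 135 and 139 are still reachable.
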
breadsbox

ASKER
Thanks for your reply, DigitalTechy,

Can you tell me how to close those ports to the public?
I am unsure how to do this.
ASKER CERTIFIED SOLUTION
DigitalTechy
