Port 2000 and 5060 open by default (How to close)

Author
Palerm0
2017/11/27 06:14:41 (permalink)

Hi,
A pen test on our outside IP shows us that ports 2000 (Cisco Skinny Client, IP phones) and 5060 (Session Initiation Protocol) are open.
We don't need those ports, and our security office wants to close these ports.
We are running on software version: v5.4.5
The configuration change we did to close port 5060:
conf global
config system session-helper
delete 13
end

And for port 2000 we used the following:
conf vdom
(vdom) # edit Firewall
# config voip profile
(profile) # edit default
(default) # config sccp
(sccp) # set status disable
(sccp) # end

 
But unfortunately this did not close the ports.
Does anyone have a suggestion to close these 2 ports?
 
I hope someone can help me. Thanks in advance.
Greetings Palermo
#1


    Iescudero
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/27 06:38:45 (permalink)
    Hi there!
    Maybe with a local-in policy you can achieve this:
     
    config firewall local-in-policy
    edit 1
    set intf wan1
    set srcaddr all
    set dstaddr all
    set action deny
    set service TCP_5060
    set schedule always
    end
     
    http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/Local-In%20Policies.htm
     
    Hope it helps!
    #2
    emnoc
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/27 06:39:48 (permalink)
    Have you looked at local-in policies? But I wonder how and what open-port test they did.
     
    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #3
    Palerm0
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/27 06:52:27 (permalink)
    @Iescudero I'm gonna test this on our test firewall. Thanks.
    But still, Fortinet is suggesting the commands I described above to close the helper ports.
    So I don't understand why the ports are still open.
     
    @emnoc It's just an nmap command from an external machine that does pen tests:
    Discovered open port 2000/tcp on xxx.xxx.xx.xx
    Discovered open port 5060/tcp on xxx.xxx.xx.xx
     
    Thanks for your suggestion
     
    Gr
    Palermo
    #4
    packetpusher
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/27 13:40:23 (permalink)
    When you perform a network scan of any kind, i.e. nmap <WAN IP of your firewall>, do you get the same result as the pen test?
    #5
    emnoc
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/27 16:58:46 (permalink)

    Discovered open port 2000/tcp on xxx.xxx.xx.xx

    What is xxx.xxx.xx.xx, the firewall? A DNAT VIP?
    #6
    Palerm0
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/27 23:58:38 (permalink)
    I was using the wrong technical name.
    Pen test is for penetration testing and nmap is a port range scanner.
    Sorry :-)
     
    #7
    Palerm0
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/28 00:13:51 (permalink)
    It is an advertised public IP address, via the firewall to a load balancer which also filters on ports.
    #8
    Palerm0
    Re: Port 2000 and 5060 open by default (How to close) 2017/11/28 22:43:10 (permalink)
    Our environment is split up into multiple customer networks.
    For this specific customer we don't use the firewall feature (so we have a permit-any rule).
    The filtering (firewalling) is done at another place in the network (for this client specifically).
    And if you scan the IP addresses for this client you'll find the ports 5060 and 2000 open.
    I find it strange that specifically these ports are open and not the others like 22, 25, etc. (These ports are closed at the firewall at the other place in the network.) The FortiGate marks these ports as open but at the back of the network they are not open.
     
    So the question is how can I make the nmap scan not see the ports (5060 & 2000) without closing specifically these ports (other applications use these ports as well).
    Why do I see these ports open in the first place? I never asked for this.
     
    It's difficult to explain the situation; I hope I made it a bit clear.
    Thanks in advance
    Greetings Palermo
    #9
    Palerm0
    Re: Port 2000 and 5060 open by default (How to close) 2017/12/14 23:43:44 (permalink)
    Hi, I found a solution to my problem.
    The code I used in my initial post did not work with our software version. The support documentation is out-dated. We are running on version 5.4.5.
     
    To disable the SIP helper / ALG I used the following code:
     
    config system settings
    set default-voip-alg-mode kernel-helper-based
    end

    Important: you need to configure it on all the VDOMs.
     
    A reboot is not necessary; clearing the sessions worked for us:
    diagnose sys session filter
    diagnose sys session filter dport 5060
    diagnose sys session clear
    diagnose sys session filter dport 2000
    diagnose sys session clear

    It may help others :-)
     
    Greetings
    Palermo
     
    #10
    emnoc
    Re: Port 2000 and 5060 open by default (How to close) 2017/12/15 07:41:51 (permalink)
    Did you run a diag to look at active ports?
     
    e.g.
    diag ip udp list | grep 13C4
     
    NOTE: port numbers are in HEX value
     
    Ken
     

    #11
    jweill
    Re: Port 2000 and 5060 open by default (How to close) 2018/05/30 07:49:45 (permalink)
    I disabled SIP ALG but these ports still show as open on a 60D with firmware 5.6.3
    #12
    marco_d
    Re: Port 2000 and 5060 open by default (How to close) 2018/06/18 04:33:44 (permalink)
    Palerm0 wrote:
     
    But unfortunately this did not close the ports.
    Does anyone have a suggestion to close these 2 ports?
     
    I hope someone can help me. Thanks in advance.
    Greetings Palermo

    Hello, my name is Marco.
    I am looking for a solution for the same problem. But we have some IPs where we use those ports,
    so I am looking for a solution to block these ports for specific IPs. We are running 5.4.9 on a 240D.
     
    Thanks and regards
    Marco
     
    #13
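    A fuller version of Iescudero's local-in policy (#2), added here as an example and not any poster's own config, that defines one service object for 2000/tcp and 5060/tcp+udp and denies it only from the specific source range marco_d asks about (#13); local-in policies only govern traffic addressed to the FortiGate's own interface IPs, so for addresses forwarded on to a VIP or load balancer the default-voip-alg-mode change in #10 remains the relevant control. The interface name wan1, the address object name and the 203.0.113.0/24 range are assumptions (placeholders), and the policy must be entered in each VDOM, as Palerm0 notes for the ALG setting.

```fortios
# Assumed placeholder: the source range whose SIP/SCCP traffic should be dropped.
config firewall address
    edit "blocked-voip-sources"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# One service object covering both VoIP helper ports seen in the scan:
# 2000/tcp (Cisco SCCP/Skinny) and 5060/tcp+udp (SIP).
config firewall service custom
    edit "SIP-SCCP-helper-ports"
        set tcp-portrange 2000 5060
        set udp-portrange 5060
    next
end

# Deny that service from the assumed source range on the assumed WAN interface.
# Local-in policies are evaluated before traffic reaches the FortiGate itself,
# not before forwarded traffic, so repeat this per VDOM that owns a WAN interface.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-voip-sources"
        set dstaddr "all"
        set action deny
        set service "SIP-SCCP-helper-ports"
        set schedule "always"
        set status enable
    next
end
```

    Existing sessions are not re-evaluated, so clear them as in #10 (diagnose sys session filter dport 5060 / diagnose sys session clear) before rescanning from outside.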