We have a number of SRX routers that have flagged up issues when a port scan was done via nmap. A number of TCP and UDP ports were showing as open, so I would like to know what ports come open out of the box on these SRXs. Is there any command to check which ports are open (not which services are using ports) out of the box when these SRXs are initially configured, rather than using "show system connections | no-more", which lists the services opening ports?
Secondly, we tried the template below to lock them down; however, ports like ntp and snmp are still showing as allowed. I know we only allowed ssh for specific IPs, but what would be the best approach to lock these units down to a specific ssh port only? Also, we use BGP on these units too, so will TCP 179 need unblocking too?
set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22
set interfaces lo0 unit 0 family inet filter input local_inbound
set policy-options prefix-list admin_ssh_clients out office IP/32
set policy-options prefix-list admin_ssh_clients CPE WAN IP range /31
set firewall family inet filter local_inbound term block_other_telnet from protocol tcp
set firewall family inet filter local_inbound term block_other_telnet from destination-port 23
set firewall family inet filter local_inbound term block_other_telnet then discard
set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22
set firewall family inet filter local_inbound term block_other_ssh from protocol tcp
set firewall family inet filter local_inbound term block_other_ssh from destination-port 22
set firewall family inet filter local_inbound term block_other_ssh then discard
set firewall family inet filter local_inbound term accept then accept
The nmap port scan has flagged up the following with a TCP scan, but we know a number of UDP ports are also OPEN.
Not shown: 64737 filtered ports, 794 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
179/tcp open bgp (connection rejected)
2000/tcp open cisco-sccp?
5060/tcp open tcpwrapped
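The following is an added example of the same lo0-filter approach used in the template above, written as a default-deny control-plane filter; it is not from the original post or from Juniper documentation. The template's final "term accept then accept" is what lets ntp, snmp and everything else through, so this version replaces it with a counting, logging discard term and adds explicit terms for BGP (TCP 179, in both directions, only from the peers) and NTP replies. All addresses are constructed placeholders from RFC 5737 space, the prefix-list names bgp_peers and ntp_servers are assumed, and the security zone is assumed to be named untrust; the "#" lines are commentary, not configuration.

```junos
# Prefix lists: addresses are constructed placeholders, replace with real ones
set policy-options prefix-list admin_ssh_clients 192.0.2.10/32
set policy-options prefix-list admin_ssh_clients 198.51.100.0/31
set policy-options prefix-list bgp_peers 203.0.113.1/32
set policy-options prefix-list bgp_peers 203.0.113.2/32
set policy-options prefix-list ntp_servers 198.51.100.123/32

# Term 1: management SSH only from the admin prefixes (explicit accept)
set firewall family inet filter local_inbound term allow_admin_ssh from source-prefix-list admin_ssh_clients
set firewall family inet filter local_inbound term allow_admin_ssh from protocol tcp
set firewall family inet filter local_inbound term allow_admin_ssh from destination-port 22
set firewall family inet filter local_inbound term allow_admin_ssh then accept

# Term 2: BGP only from configured peers; "port" matches source or destination,
# so it covers both sessions the peer opens (dst 179) and replies to ours (src 179)
set firewall family inet filter local_inbound term allow_bgp_peers from source-prefix-list bgp_peers
set firewall family inet filter local_inbound term allow_bgp_peers from protocol tcp
set firewall family inet filter local_inbound term allow_bgp_peers from port 179
set firewall family inet filter local_inbound term allow_bgp_peers then accept

# Term 3: NTP replies only from the configured time servers
set firewall family inet filter local_inbound term allow_ntp from source-prefix-list ntp_servers
set firewall family inet filter local_inbound term allow_ntp from protocol udp
set firewall family inet filter local_inbound term allow_ntp from source-port 123
set firewall family inet filter local_inbound term allow_ntp then accept

# Term 4: ICMP for path MTU discovery and reachability checks
set firewall family inet filter local_inbound term allow_icmp from protocol icmp
set firewall family inet filter local_inbound term allow_icmp then accept

# Final term: count, log and discard everything else (replaces "then accept")
set firewall family inet filter local_inbound term discard_rest then count local_inbound_discards
set firewall family inet filter local_inbound term discard_rest then log
set firewall family inet filter local_inbound term discard_rest then discard

set interfaces lo0 unit 0 family inet filter input local_inbound

# Zone host-inbound-traffic: the SRX only answers for services listed here,
# so keep this list as short as the lo0 filter
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bgp
```

Two points worth checking before committing. First, on an SRX the lo0 filter is only half of the picture: a service is reachable only if it is both enabled under "system services" and listed under the zone's "host-inbound-traffic", so "show configuration security zones" is the quickest way to see what a zone will answer for out of the box, and a zone that carries "system-services all" should have that entry deleted. Second, use "commit confirmed" (for example "commit confirmed 5") when applying a default-deny filter remotely, so a lock-out rolls back automatically; afterwards "show firewall filter local_inbound" shows the local_inbound_discards counter and "show log messages" shows what the final term is dropping, which is also how to confirm the nmap-flagged ports no longer reach the control plane.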