For compliance purposes we must document all listening ports on certain systems, including network management stations.
We run Kiwi Secure Tunnel Server, and in addition to the user defined TCP ports, the application also listens on apparently random high UDP ports.
I need some sort of documentation from the vendor/developer about these listening ports and SolarWinds support suggested I post here.
>> Kiwi Secure Tunnel Server, and in addition to the user defined TCP ports, the application also listens on apparently random high UDP ports.
You lost me there. All of the ports in the Kiwi Secure Tunnel system are configurable. In the Kiwi Secure Tunnel client (the software that receives Syslog messages and forwards them over an SSH link) you configure up to 10 listening ports in the "Properties" dialog. These listen for Syslog traffic, of course, but can be either UDP or TCP. In the Kiwi Secure Tunnel server (the software that takes Kiwi Secure Tunnel client input and emits Syslog traffic) you only configure one listening port, a TCP port that listens for incoming SSH connections.
I copied in a couple of screenshots with default settings below.
Do you have some "netstat -an" or "netstat -anb" output you could share showing additionally bound high UDP ports?
We configured the tunnel server to listen on tcp/222. This first screenshot is of netstat -ano, then filtered for 222. The -o switch gives the process ID, so the next command filters for that process ID (2120). The last line shows PID 2120 is listening on UDP 52079.
Here's netstat -bano, but only the applicable portion - KiwiTSS.exe is the .exe identified.
...and further down the screen, here's the UDP port again.
Thanks for your reply.
I set up a quick test on my machine. As soon as I started to push some Syslog traffic across I saw the same thing:
C:\Users\mynamehere>netstat -ano | find "7116"
TCP 127.0.0.1:2225 0.0.0.0:0 LISTENING 7116
TCP 127.0.0.1:2225 127.0.0.1:55878 ESTABLISHED 7116
UDP 0.0.0.0:65066 *:* 7116
Essentially, I think what Kiwi Secure Tunnel Server is doing is establishing a facility from which it can send outbound UDP-based messages, much like DNS. It looks like it establishes one of these for every UDP Outgoing Port you configure, and they are established at start-up.
From a firewall perspective, as long as you allow UDP packets from the Secure Tunnel Server to your final syslog server, you should be fine. (There's no reason to allow UDP packets to hit the Secure Tunnel Server.)
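The manual netstat -ano / find procedure in this thread (find the configured port, read the PID, then find every other socket that PID owns) can be turned into a per-process port inventory for the compliance document. The script below is an added example, not code from the thread or from SolarWinds, and it assumes the built-in NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and an elevated prompt so that the owning process and its path are visible for services. It also reads the host's UDP dynamic port range from netsh and labels any UDP bind inside that range, which is where a sender socket like UDP 52079 or 65066 above lands under the default range of 49152-65535, so that it gets recorded as an outbound facility rather than an inbound service. The function and column names are mine.

```powershell
# Added example (not part of the original thread): inventory listening TCP ports
# and bound UDP ports per process, flagging UDP binds in the dynamic port range.
# Assumes: NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint) and an
# elevated PowerShell session so OwningProcess and Path resolve for services.

function Get-DynamicUdpPortRange {
    # netsh prints "Start Port : 49152" and "Number of Ports : 16384" (defaults).
    $out = netsh int ipv4 show dynamicport udp 2>$null
    $startMatch = $out | Select-String 'Start Port\s*:\s*(\d+)' | Select-Object -First 1
    $countMatch = $out | Select-String 'Number of Ports\s*:\s*(\d+)' | Select-Object -First 1
    if ($startMatch -and $countMatch) {
        $start = [int]$startMatch.Matches[0].Groups[1].Value
        $count = [int]$countMatch.Matches[0].Groups[1].Value
    } else {
        # Fall back to the Windows default range if netsh output cannot be parsed.
        $start = 49152; $count = 16384
    }
    [pscustomobject]@{ Start = $start; End = $start + $count - 1 }
}

function Get-ListeningPortInventory {
    $range = Get-DynamicUdpPortRange

    # Map PID -> process once; OwningProcess is a UInt32, so normalise keys to [int].
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Protocol     = 'TCP'
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
            Note         = 'listening service port'
        }
    }

    # Get-NetUDPEndpoint returns every bound UDP socket, server or client, since UDP
    # has no "listening" state; the Note column separates the two for the auditor.
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $ephemeral = ($_.LocalPort -ge $range.Start -and $_.LocalPort -le $range.End)
        [pscustomobject]@{
            Protocol     = 'UDP'
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
            Note         = if ($ephemeral) {
                               "UDP bind in dynamic range $($range.Start)-$($range.End): likely an outbound sender socket, confirm with vendor"
                           } else {
                               'UDP bind below dynamic range: treat as a service port'
                           }
        }
    }

    @($tcp) + @($udp) | Sort-Object Process, Protocol, LocalPort
}

# Usage: full inventory for the compliance record, then the view for one PID,
# equivalent to "netstat -ano | find '2120'" in the thread.
Get-ListeningPortInventory | Export-Csv -NoTypeInformation -Path .\listening-ports.csv
Get-ListeningPortInventory | Where-Object { $_.Process -eq 'KiwiTSS' } | Format-Table -AutoSize
```

Run it once with the tunnel idle and once while Syslog traffic is flowing; as Jonathan notes above, the sender sockets appear at start-up, so both runs should list the same high UDP port for KiwiTSS.exe, and the Note column gives the auditor the reason it is there without opening that port inbound at the firewall.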
That makes sense, thank you. We have to document this stuff for compliance reasons, every TCP and UDP listening port. This program isn't the only one that listens on a random, high UDP port, and in almost every case the high UDP port is undocumented and stumps support.
Do you happen to be a developer of the product? I see you are jonathan at solarwinds, so that should be official enough.
>> Do you happen to be a developer of the product? I see you are jonathan at solarwinds, so that should be official enough.
Yes, I work here. Did the orange shirt polo and khaki pants give it away?