On Fri, 2002-11-01 at 12:53, Bill Beauchemin wrote:
> I went and applied every single security patch that Mandrake had using
> MandrakeUpdate and remembered I had Snort running. I found a huge
> portscan.log file and took a look to find that the day before my system
> was hacked it was portscanned by one IP from Roadrunner. I sent them a
> nice email, but my question is: what, if anything, can I do about all these
> portscans? Is there somewhere I can email to have these assholes dealt
> with?
> 

First, I claim to be no expert on the subject, but these are my
experiences trying to make my standalone setup stealth. Using Windows
has made me into a very paranoid user. Do note your mileage may vary.


Mandrake does *not* configure Shorewall for stealth connection, nor does
tinyfirewall have an option for standalone stealth mode (this statement
is justified below). Oh, those options to *open* server ports are only
necessary if you actually have the corresponding server running. X
server port 6000 is usually open by default unless you change it in the
security settings. The lower security options leave it open and, more
annoyingly, will *open* it again on resets unless told to do otherwise.
CUPS usually has external port access too by default; editing the CUPS
config file to only accept local connections will stop that. I reported
tinyfirewall's shortcomings to the cooker, but it was ignored. I highly
recommend that "easy-to-use" Mandrake add a standalone stealth option to
tinyfirewall and ask during installation whether the setup is going to
be a standalone or a server.


My advice is *always* run nmap to make sure nothing is open that you
don't want open. Also run it again when you make any changes that may
affect ports. You will be surprised when closed ports are open again.


Anyway, the magic line to edit or add to /etc/shorewall/rules:

DROP    net             fw              all

It will complain that it should be a policy, but when I made it a policy
it did not give complete stealth results, as explained below. That is,
as a policy it does not give the same results as when it is a rule. I do
not know why, but the above does work.


I initially did a test using this site:

http://scan.sygate.com/quickscan.html

and ports 80, 113, 135 were open, and most ports were closed, not
blocked. Tinyfirewall was no use. Not sure why, but this is Shorewall's
default behavior.

After adding the above line all scanned ports are blocked and it does
not affect ftp, pop, web access.

The ICMP port is a security option, if I am not mistaken.



I found out about ports being open by default by using this site:

http://www.linux-sec.net/Audit/nmap.test.gwif.html

which will do an external nmap scan. Or you could use another computer.
This way you will see what an external computer sees.

With open ports, nmap does a very good job at reporting the version of
Linux you are using.

Now it either reports nothing or the browser times out.


Does anyone know how to get nmap or another scanner to report on
closed/non-existent ports? I would like to find a way to have a
black/white test for stealth setup.


Well, those are my experiences; again, your mileage may vary.

Gabriel
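Added example, not part of Gabriel's message or of Shorewall/Mandrake: a small POSIX shell script that turns nmap's grepable output (nmap -oG -) into the black/white stealth test asked about above. nmap reports each probed port as open, closed or filtered; "filtered" is the "blocked" state the scan sites call stealth, while "closed" means the host still answered with a reset. The script lists every port that is not filtered and prints STEALTH only when nothing at all answered. The two sample scan lines are constructed to mirror the before/after results described in the message (ports 80, 113, 135 open and the rest closed, versus everything filtered); the host 192.0.2.10 and the function names are the example's own.

```shell
#!/bin/sh
# Stealth check over nmap grepable output (-oG). Reads the scan on stdin.
# Typical use on a real box (not run here):   nmap -oG - 192.0.2.10 | stealth_verdict

# Print one "port/state/proto" line for every port that is NOT filtered,
# i.e. every port that answered the scanner (open or closed). If the
# "Ignored State" summary of the unlisted ports is not "filtered" either,
# report that too, so a firewall that sends resets for everything is not
# mistaken for a stealth one.
nonfiltered_ports() {
    awk -F'\t' '
        /Ports:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")
                    for (j = 1; j <= n; j++) {
                        # entry looks like 80/open/tcp//http///
                        split(entries[j], f, "/")
                        if (f[2] != "" && f[2] != "filtered")
                            print f[1] "/" f[2] "/" f[3]
                    }
                }
                if ($i ~ /^Ignored State: /) {
                    sub(/^Ignored State: /, "", $i)
                    split($i, g, " ")          # g[1]=state, g[2]=(count)
                    if (g[1] != "filtered")
                        print "unlisted" g[2] "/" g[1] "/summary"
                }
            }
        }'
}

# STEALTH when no port and no summary state is anything but filtered;
# EXPOSED otherwise. Run the lines from nonfiltered_ports to see why.
stealth_verdict() {
    if [ -z "$(nonfiltered_ports)" ]; then
        echo STEALTH
    else
        echo EXPOSED
    fi
}

# Constructed sample -oG lines (not real scan output). Fields in -oG are
# tab separated, so they are built with printf to make the tabs explicit.
SAMPLE_BEFORE=$(printf 'Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 113/open/tcp//auth///, 135/open/tcp//loc-srv///, 22/closed/tcp//ssh///\tIgnored State: closed (996)')
SAMPLE_AFTER=$(printf 'Host: 192.0.2.10 ()\tPorts: \tIgnored State: filtered (1000)')

# Self-check against the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | stealth_verdict   # EXPOSED
printf '%s\n' "$SAMPLE_AFTER" | stealth_verdict    # STEALTH
```

Because the verdict is driven only by nmap's port states, the same script works with the external scan from another machine that the message recommends: save that scan with -oG and pipe the file in.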
