"william ross" <[EMAIL PROTECTED]> wrote: > i'm not very up on netstat and its output, so i'd be very glad if > someone could tell me whether to worry or not. i'm puzzled to see a > lot of connections to :81 in the output. most are closed (about 50) > but several appear to be open.
Even if the connections are in an ESTABLISHED state that doesn't mean that someone has gotten access to the admin interface. It just means that they at least attempted to view a page on that port. They could have entered a URL ending in /admin, /siteadmin or /personal on port 80 (those paths redirects to port 81) or they could have entered a path to port 81 directly (less likely to be the case, but more likely to indicate they're doing something malicious). > portsentry is running, and in quite a paranoid state, but i've never > interfered much with (or, indeed, used) the admin interface or port > 81. If you and other users who need access to the admin interface have known IP addresses you could always use ipchains (not installed by default) to limit access to port 81 to users from a list of IPs. I wouldn't be too worried about what you saw though. Just make sure your passwords are strong (especially admin and root) so you're not as easily succeptible to a brute force or dictionary attack. -- Steve Werby President, Befriend Internet Services LLC http://www.befriend.com/ _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
