I got the following output from "netstat -elpn" on my firewall (kernel 2.4.2,
iptables).
/-(root@cerberus)-(166/ttyS0)-(17:56:42:Friday Apr 20)-
\-(/var/log)-
ROOT : netstat -elpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          1229       427/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          1542       487/sendmail: accep
udp        0      0 0.0.0.0:1112            0.0.0.0:*                           0          127022     16024/send-mail
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     125202 15009/pump          /var/run/pump.sock
What's up with the send-mail process listening on port 1112? That looks really bad to
me. A few seconds later the process is gone. Further netstat commands only show sshd
and sendmail.
Then I did a "find / -inum 127022" but there is no file with that inode. Uh oh. That
can't be good either. The firewall runs an old Red Hat 6.2 install (haven't converted
everything to Debian, but I'm working on it!) with most everything turned off, as seen
from the netstat output.
My iptables rules log and then drop everything by default, with ssh and mail rerouted
to a server on the internal LAN using NAT. The following lines show up in my logfiles
("UNKNOWN CONNECTION ATTEMPT" is a prefix added by my iptables rule).
Apr 20 17:41:28 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=24.92.226.174 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=27145 DF PROTO=UDP SPT=53 DPT=1112 LEN=49
Apr 20 17:41:45 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=24.92.226.13 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=7141 DF PROTO=UDP SPT=53 DPT=1112 LEN=49
The SRC= addresses in the above are valid RoadRunner DNS servers. They are the ones I
use.
--
Jonathan Freiermuth
[EMAIL PROTECTED]
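The two logged packets arrive from source port 53 on the poster's own resolvers and hit exactly the UDP port the short-lived send-mail process had open, which is the shape of DNS replies coming back to an outbound query through a stateless drop rule, not of an inbound service. As an added example (not part of the original post), this script correlates the iptables LOG lines with the netstat socket table quoted above; the parsing and the verdict strings are mine.

```python
import re

# Socket table and LOG lines copied from the post above (UDP 1112 is the one in question)
NETSTAT = """\
tcp        0      0 0.0.0.0:22     0.0.0.0:*   LISTEN  0  1229    427/sshd
tcp        0      0 0.0.0.0:25     0.0.0.0:*   LISTEN  0  1542    487/sendmail: accep
udp        0      0 0.0.0.0:1112   0.0.0.0:*           0  127022  16024/send-mail
"""
IPTABLES_LOG = [
    "Apr 20 17:41:28 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] "
    "SRC=24.92.226.174 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=27145 DF "
    "PROTO=UDP SPT=53 DPT=1112 LEN=49",
    "Apr 20 17:41:45 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] "
    "SRC=24.92.226.13 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=7141 DF "
    "PROTO=UDP SPT=53 DPT=1112 LEN=49",
]

def parse_netstat(text):
    """Map (proto, local port) -> 'PID/Program name' for every tcp/udp line."""
    sockets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        # the program name may contain spaces ('sendmail: accep'), so grab the tail by regex
        m = re.search(r"\s(\d+/.+)$", line)
        sockets[(parts[0], port)] = m.group(1) if m else "?"
    return sockets

def parse_log(line):
    """KEY=VALUE fields of a LOG line; bare flags (DF) are skipped, second LEN wins."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))

def classify(fields, sockets):
    """Explain one dropped packet against the socket table captured around the same time."""
    proto = fields["PROTO"].lower()
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    owner = sockets.get((proto, dpt))
    if owner is None:
        return "unsolicited: nothing bound on %s/%d" % (proto, dpt)
    if proto == "udp" and spt == 53:
        return "DNS reply from %s to resolver socket of %s" % (fields["SRC"], owner)
    return "inbound to listening service %s" % owner

def triage(netstat_text=NETSTAT, log_lines=IPTABLES_LOG):
    sockets = parse_netstat(netstat_text)
    return [classify(parse_log(l), sockets) for l in log_lines]

if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```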