On Sun, 11 Feb 2001, "David L. Roberts" <[EMAIL PROTECTED]> wrote:
>
> Made me look...
>
> I just noticed a little activity the past few days as well (my
> system is up in M$ most of the time as I'm about the only one who
> runs Linux here) - found these in the logs:
>
> Feb 9 20:46:09 ria in.ftpd[5195]: refused connect from
> p3EE0E44B.dip.t-dialin.net
> .
> .
> .
> Feb 11 13:43:19 ria in.telnetd[1114]: refused connect from
> sarua.uniandes.edu.co
>
> I'm sure if I looked I would see a lot more notes in my BlackIce
> logs. I know - I shoulda had ftp/telnet off and BlackIce ain't
> worth a <deleted>, but... I do have 'em turned off now though,
> and BlackIce is all I currently have (was up to date on all my
> patches though ;)
Well, from the above it looks like you are basically denying a lot via
tcp_wrappers/tcpd in /etc/hosts.deny (a good value is "ALL : ALL").
BUT, you also gotta block and/or shut down RPC services, e.g. rpc.nfsd,
rpc.statd, rpc.mountd. We usually think of these as UDP services, but there
are often TCP counterparts. Regardless, they are not protected by
/etc/hosts.deny !!! Run rpcinfo -p to see the list of RPC services you are
exporting (hopefully none).
You either have to shut off the RPC services, or, if you need them in a LAN,
you should set up ipchains filtering to limit access to your LAN hosts.
(This is usually done on a firewall, but can be done on a single host.)
And there is more to tighten down, but rpc.* is a biggie. That's how Tom's
machine got broken into (rpc.statd access wide open).
Karl
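The check and the filtering Karl describes, as an added example that is not part of the original message or anyone's posted code: a small POSIX shell script that parses `rpcinfo -p` style output to list every RPC listener (TCP and UDP, the ones tcpd/hosts.deny never sees) and then emits an ipchains rule pair per listener, ACCEPT from the LAN prefix and log-and-DENY from everywhere else. The rpcinfo output embedded below is constructed for the example, not captured from any real host, and the LAN prefix 192.168.1.0/24 is an assumption. The script only prints the ipchains commands rather than running them, so it can be run and read on any system.

```shell
#!/bin/sh
# Added example, not code from the original message.
# Parses "rpcinfo -p" output and generates ipchains rules that allow the
# listed RPC ports from one LAN prefix only.  The sample below is constructed;
# the LAN prefix passed to generate_rules is an assumption.

# Constructed sample of what `rpcinfo -p` prints on a host exporting NFS and
# running rpc.statd ("status") and rpc.mountd ("mountd").  Note the TCP
# counterparts next to the UDP registrations.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
    100005    1   udp   1026  mountd
    100005    1   tcp   1029  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# rpc_ports: read rpcinfo -p text on stdin, print "proto port name" once per
# distinct proto/port pair (one program may register several versions on the
# same port; the header line has only four fields and is skipped).
rpc_ports() {
    awk 'NR > 1 && NF >= 5 && !seen[$3 ":" $4]++ { print $3, $4, $5 }'
}

# ipchains_rules LAN_CIDR: read "proto port name" lines on stdin and print an
# ipchains rule pair per listener.  ipchains is first-match, so the LAN ACCEPT
# must precede the catch-all DENY; -l logs the denied packet, DENY is the
# ipchains drop target.  "-d 0.0.0.0/0 PORT" is the ipchains destination-port
# form.
ipchains_rules() {
    lan="$1"
    while read -r proto port name; do
        printf 'ipchains -A input -p %s -s %s -d 0.0.0.0/0 %s -j ACCEPT   # %s from LAN\n' \
            "$proto" "$lan" "$port" "$name"
        printf 'ipchains -A input -p %s -s 0.0.0.0/0 -d 0.0.0.0/0 %s -l -j DENY # %s from elsewhere\n' \
            "$proto" "$port" "$name"
    done
}

# rpc_exposure_count: number of distinct RPC listeners in the sample, i.e.
# how many ports /etc/hosts.deny does nothing about.
rpc_exposure_count() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | wc -l | tr -d ' '
}

# generate_rules LAN_CIDR: the full pipeline over the constructed sample.
generate_rules() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | ipchains_rules "$1"
}

# Example run with an assumed LAN prefix; on a real host you would feed
# `rpcinfo -p` into rpc_ports instead of the constructed sample.
generate_rules 192.168.1.0/24
```

One caveat a practitioner should keep in mind: rpc.statd and rpc.mountd register on whatever port the portmapper hands them at startup (1024, 1026 and 1029 in the sample), so rules generated from one snapshot go stale after a reboot. Either pin those daemons to fixed ports, or, simpler and what the message recommends, shut the services off entirely unless you actually need NFS on the LAN.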
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************