Hi all,
Sorry for this somewhat vague and long mail.
Had some free time and got round to downloading and running "saint" which
supposedly is similar to satan and ran tests on my home-standalone-mandrake
7.2-kernel2.4 -single user (2 logins -root + username) linux box. Connects to
the net on a dial-up for browsing + LIH mail ;-) simple set up really.
The results were not really likeable and have left me confused on the
security front. I have some fears on the back-door comments and evidence of
penetration. (see below)
My queries are
how seriously should I take "Saint"?
How can I track and eliminate backdoors
How can I disable all remote connectivity into my machine except to
facilitate mail and web browsing?
Will Bastille scripts help?
Anyone else tried this? Feedback? PS: link to saint - www.wdsi.com
Thanks for your time and thoughts
Ashwin
Extract of Saint's output:
------------------------------------------------------
Evidence of Penetration (ashwin says - scary bit)
localhost.localdomain: Possible mstream handler detected
localhost.localdomain: Possible shaft handler detected
localhost.localdomain: Possible stacheldraht handler detected
localhost.localdomain: Possible trinoo master detected
Possible Vulnerabilities (ashwin says - scary bit)
localhost.localdomain: Possible backdoor: 9704/TCP
localhost.localdomain: Possible backdoor: ingreslock
localhost.localdomain: Possible vulnerability in Big Brother (bbd) (CVE 2000-0639)
localhost.localdomain: Gauntlet or WebShield cyberdaemon may be vulnerable
(CVE 2000-0437)
localhost.localdomain: DNS may be vulnerable
localhost.localdomain: Possible buffer overflow in UnixWare i2odialogd (CVE 2000-0026)
localhost.localdomain: Is your Kerberos secure? (CVE 2000-0389 2000-0390 2000-0391)
localhost.localdomain: possible vulnerability in Linux lpd
localhost.localdomain: Possible vulnerability in HP Omniback (CVE 2000-0179)
localhost.localdomain: Possible vulnerability in Openview Node Manager (CVE 2000-0558)
localhost.localdomain: SGI Performance Copilot may be vulnerable
localhost.localdomain: SMTP may be a mail relay
localhost.localdomain: Possible vulnerability in Microsoft Terminal Server ( ashwin says duhhhhh??)
Limit Internet Access ?
localhost.localdomain: rlogin is enabled
localhost.localdomain: pop receives password in clear
localhost.localdomain: rexec is enabled and could help attacker
-----------------------------------------------------
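One way to answer "how seriously should I take Saint" on the two "Possible backdoor" lines without guessing, as an added example that is not part of Ashwin's mail or of Saint itself: cross-check the ports Saint flagged against what the kernel says is actually in LISTEN state in /proc/net/tcp. A flagged port with nothing listening on it is a scanner false positive; a flagged port that is listening needs to be tied to a process before anyone calls it a backdoor. The Saint lines are the ones quoted above; the /proc/net/tcp sample is constructed, not from the poster's machine; the ingreslock-to-1524/tcp mapping is the standard /etc/services entry and is only used as a fallback when the local services file does not resolve the name.

```python
import re
import socket

# Fallback for service names Saint prints instead of numbers. ingreslock is
# 1524/tcp in the standard /etc/services; socket.getservbyname() is tried
# first, so this table only matters where the services file lacks the entry.
KNOWN_SERVICES = {"ingreslock": 1524}

# The "Possible backdoor" lines quoted in the post above (plus one unrelated
# finding, to show that only backdoor lines are picked up).
SAINT_EXTRACT = """\
localhost.localdomain: Possible backdoor: 9704/TCP
localhost.localdomain: Possible backdoor: ingreslock
localhost.localdomain: SMTP may be a mail relay
"""

# Constructed /proc/net/tcp sample (not the poster's real machine): a listener
# on 9704 (0x25E8), a listener on 25 (0x0019), and one established outbound
# connection to a web server, which must not be counted as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:25E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0A00000F:8123 CB00710A:0050 01 00000000:00000000 00:00000000 00000000   500        0 1003 1 0 20 4 2 10 -1
"""

BACKDOOR_RE = re.compile(r"Possible backdoor:\s*(\S+)")
TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket


def service_to_port(name):
    """Resolve a service name as Saint printed it (e.g. 'ingreslock') to a TCP port."""
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        if name not in KNOWN_SERVICES:
            raise ValueError("unknown service name: %r" % name)
        return KNOWN_SERVICES[name]


def parse_saint_ports(text):
    """Return the set of TCP ports Saint flagged as 'Possible backdoor'."""
    ports = set()
    for match in BACKDOOR_RE.finditer(text):
        token = match.group(1)
        if "/" in token:                       # numeric form: '9704/TCP'
            ports.add(int(token.split("/")[0]))
        else:                                  # named form: 'ingreslock'
            ports.add(service_to_port(token))
    return ports


def parse_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state from /proc/net/tcp contents."""
    listening = set()
    for line in text.splitlines()[1:]:         # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            listening.add(int(local_addr.split(":")[1], 16))  # port is hex
    return listening


def audit(saint_text, proc_tcp_text):
    """Map every flagged port to 'listening' or 'not listening' on this host."""
    flagged = parse_saint_ports(saint_text)
    listening = parse_proc_net_tcp(proc_tcp_text)
    return {port: ("listening" if port in listening else "not listening")
            for port in sorted(flagged)}


if __name__ == "__main__":
    # Runs against the constructed sample. On a real box, read /proc/net/tcp
    # (and /proc/net/tcp6) and pass the full Saint report instead.
    for port, verdict in audit(SAINT_EXTRACT, SAMPLE_PROC_NET_TCP).items():
        print("%5d/tcp  %s" % (port, verdict))
```

With the sample data, 9704/tcp comes back "listening" and ingreslock (1524/tcp) "not listening". A "not listening" verdict means Saint's port probe matched something other than a real service and can be set aside. A "listening" verdict is the point to stop trusting the scanner and look at the host directly: map the port to its process (netstat -p or lsof -i), check which package owns that binary, and verify the package's files have not been modified before deciding whether the service belongs there.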
----------------------------------------------
An alpha version of a web based tool to manage
your subscription with this mailing list is at
http://lists.linux-india.org/cgi-bin/mj_wwwusr