Re: Open ports

2015-05-09 Thread Bob Proulx
Christian Seiler wrote:
 Bill wrote:
  what uses them and why shouldn't I close them?
  (I'm assuming there must be a good reason to have wide open ports.)

It is debatable whether the old Sun RPC services should be installed
by default.  I do use and manage NFS but I wouldn't install it by
default on any machine not using it.  If you are not serving NFS then
you don't need it.  If you are serving NFS then it will get installed
as a matter of course.

 rpcbind is started from /etc/init.d/rpcbind. If you don't use NFS or NIS
 at all, you don't need to have that running. To disable it under Wheezy,
 use:
 
 update-rc.d rpcbind disable
 
 After that, it won't be started anymore at boot.

Instead of disabling it I am of the opinion that it should be removed
if it isn't going to be used.  If in the future someone were going to
set up an NFS server on the system then it can trivially be installed
again.  So easy to install that removing it instead of disabling it
seems like the better way to go in my opinion.  One less package that
might need a security upgrade at some point.  One less package on the
disk to manage.  Just simplify.

  # apt-get purge rpcbind

Bob




Open ports

2015-05-09 Thread Bill

Hi,
I'm still running wheezy but noticed a couple of open ports the other 
day. This is just a simple laptop - no nfs access needed, no need for a 
networked port mapper, and certainly not a dns server.


So why are they there, what uses them and why shouldn't I close them?
(I'm assuming there must be a good reason to have wide open ports.)

Thanks,

b.

# netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1904/rpcbind
tcp        0      0 0.0.0.0:51062           0.0.0.0:*               LISTEN      1935/rpc.statd



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/554deeab.8000...@uniserve.com



Re: Open ports

2015-05-09 Thread Christian Seiler
On 05/09/2015 01:25 PM, Bill wrote:
 I'm still running wheezy but noticed a couple of open ports the other
 day. This is just a simple laptop - no nfs access needed, no need for a
 networked port mapper, and certainly not a dns server.
 
 So why are they there,

Well, Debian's policy for daemons generally is that if they are
installed, they are enabled by default.

 what uses them and why shouldn't I close them?
 (I'm assuming there must be a good reason to have wide open ports.)
 # netstat -nplt
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1904/rpcbind
 tcp        0      0 0.0.0.0:51062           0.0.0.0:*               LISTEN      1935/rpc.statd

rpc.statd will be started unless you set NEED_STATD=no in
/etc/default/nfs-common. Since you said you don't use NFSv3, you can
safely do that.

rpcbind is started from /etc/init.d/rpcbind. If you don't use NFS or NIS
at all, you don't need to have that running. To disable it under Wheezy,
use:

update-rc.d rpcbind disable

After that, it won't be started anymore at boot.

Christian


Archive: https://lists.debian.org/554df48d.9090...@iwakd.de



Re: Other Open Ports

2012-07-24 Thread Mike McClain
Howdy,
On Mon, Jul 23, 2012 at 01:21:55PM -0500, Charles Kroeger wrote:
 I'm thinking my firewall 'Shorewall' encompasses an extensive enough design to
 cover any attempts of intrusion that may occur, I do notice notwithstanding, that
 although ports 0 and 1 are closed, they still show up on test like grc.com's
 'shields-up' port scanner.
 
 I know that 0 nil is not a port and yet it is a port as 0 is a number in our
 world and port 1 has its function described, so why would these two ports
 even show up?
 
 On Debian it seems whatever firewall one uses these two ports are always visible
 and closed, so if port 0 is not a port and port 1 is always closed, why
 do they announce themselves if pinged?
snip 

I've been using Shorewall in Debian since Woody and always passed 
GRC's 'shields-up' port scanner full stealthed.

Try these that I set from some hardening doc I read somewhere.

root@/deb40a:~ ed /etc/sysctl.conf
# Ignore ICMP ping
net/ipv4/icmp_echo_ignore_all = 1

net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/icmp_ignore_bogus_error_responses = 1

G'luck,
Mike
-- 
Satisfied user of Linux since 1997.
O ascii ribbon campaign - stop html mail - www.asciiribbon.org


Archive: http://lists.debian.org/20120724022038.GA1360@playground



Other Open Ports

2012-07-23 Thread Charles Kroeger
I'm thinking my firewall 'Shorewall' encompasses an extensive enough design to
cover any attempts of intrusion that may occur, I do notice notwithstanding, that
although ports 0 and 1 are closed, they still show up on test like grc.com's
'shields-up' port scanner.

I know that 0 nil is not a port and yet it is a port as 0 is a number in our
world and port 1 has its function described, so why would these two ports
even show up?

On Debian it seems whatever firewall one uses these two ports are always visible
and closed, so if port 0 is not a port and port 1 is always closed, why do
they announce themselves if pinged?

-- 
CK 


Archive: http://lists.debian.org/a75j23f11...@mid.individual.net



Re: Other Open Ports

2012-07-23 Thread Bob Proulx
Charles Kroeger wrote:
 I'm thinking my firewall 'Shorewall' encompasses an extensive enough design to
 cover any attempts of intrusion that may occur, I do notice notwithstanding, that
 although ports 0 and 1 are closed, they still show up on test like grc.com's
 'shields-up' port scanner.

I don't know about the grc.com scanner but I would trust what
nmap tells you.  Try probing your system with nmap and see what it
says.

  nmap localhost

 I know that 0 nil is not a port and yet it is a port as 0 is a number in our
 world and port 1 has its function described, so why would these two ports
 even show up?

I am skeptical.  Probe them explicitly.

  nmap -p 0-10 localhost

 On Debian it seems whatever firewall one uses these two ports are
 always visible and closed, so if port 0 is not a port and port 1
 is always closed, why do they announce themselves if pinged?

What does nmap say? :-)

Bob




Re: Other Open Ports

2012-07-23 Thread Charles Kroeger
 Try probing your system with nmap and see what it says.

   nmap localhost

Thanks for this information, I didn't have nmap installed. However, after I did
install nmap I received this:

/charles# nmap localhost

Starting Nmap 6.00 ( http://nmap.org ) at 2012-07-23 22:30 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.070s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
111/tcp  open  rpcbind
631/tcp  open  ipp
6566/tcp open  sane-port

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

 I am skeptical.  Probe them explicitly.
   nmap -p 0-10 localhost
 
charles# nmap -p 0-10 localhost

Starting Nmap 6.00 ( http://nmap.org ) at 2012-07-23 22:32 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.54s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT   STATE  SERVICE
0/tcp  closed unknown
1/tcp  closed tcpmux
2/tcp  closed compressnet
3/tcp  closed compressnet
4/tcp  closed unknown
5/tcp  closed unknown
6/tcp  closed unknown
7/tcp  closed echo
8/tcp  closed unknown
9/tcp  closed discard
10/tcp closed unknown

I would think this means that the grc.com port probe tool is correct in reporting
port zero and 1 are closed, but I wonder why the other 990 odd do not respond
to the probe so appear invisible to the grc.com probe but port zero and
port 1 reveal themselves as being closed. If these two ports are closed, why do
they even respond to the grc.com ping? It is as if they are waiting for the Open
Sesame.

-- 
CK


Archive: http://lists.debian.org/a76km3f70...@mid.individual.net



Re: Other Open Ports

2012-07-23 Thread Bob Proulx
Charles Kroeger wrote:
 PORT STATE SERVICE
 25/tcp   open  smtp
 53/tcp   open  domain
 111/tcp  open  rpcbind
 631/tcp  open  ipp
 6566/tcp open  sane-port

That seems pretty reasonable.  Except if you aren't using NFS and
don't need the portmapper (rpcbind) then I would uninstall it.

 0/tcp  closed unknown
 1/tcp  closed tcpmux
 2/tcp  closed compressnet
 3/tcp  closed compressnet
 4/tcp  closed unknown
 5/tcp  closed unknown
 6/tcp  closed unknown
 7/tcp  closed echo
 8/tcp  closed unknown
 9/tcp  closed discard
 10/tcp closed unknown

So you definitely know that they are not open to the world.

 I would think this means that the grc.com port probe tool is correct
 in reporting port zero and 1 are closed,

Yes, but if your firewall is blocking then nmap should show it as
filtered.  For example here is my system from the outside world.

  PORT   STATE    SERVICE
  0/tcp  filtered unknown
  1/tcp  filtered tcpmux
  2/tcp  filtered compressnet
  3/tcp  filtered compressnet
  4/tcp  filtered unknown
  5/tcp  filtered unknown
  6/tcp  filtered unknown
  7/tcp  filtered echo
  8/tcp  filtered unknown
  9/tcp  filtered discard
  10/tcp filtered unknown

 but I wonder why the other 990 odd do not respond to the probe so
 appear invisible to the grc.com probe but port zero and port 1
 reveal themselves as being closed. If these two ports are closed,
 why do they even respond to the grc.com ping? It is as if they are
 waiting for the Open Sesame.

I did give that advice too quickly.  Hitting your local host will
bypass the firewall.  You would need to probe your system from a
different remote system.  Do you have another system you can use to
poke back at yours from the outside?  If not email me privately your
IP address and promise not to hold it against me and I will portscan
your system from the outside.

The difference between closed and filtered as reported by nmap is the
difference between reject and drop in firewall rules.  If it truly is
being reported as closed then the firewall is rejecting the packets
and not dropping them.

Bob


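To make the open/closed/filtered distinction Bob draws concrete, here is an added example (not code from any of the posters in this thread) that classifies one TCP port the way a plain connect() probe sees it: a completed handshake is open; a refused connection (a TCP reset, or the ICMP error an iptables REJECT rule sends back, both of which Linux reports to the caller as ECONNREFUSED) is closed; and silence until the timeout (a DROP rule) is filtered. It is intended for checking a host you administer from a second machine, as the thread recommends; the `demo()` function exercises it against a throwaway listener on localhost so it runs offline. Function names, the timeout and the loopback demo are assumptions, not anything the list posters described.

```python
import socket
import threading


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port as a connect() probe sees it.

    open        - the three-way handshake completed (something is listening)
    closed      - the host answered but refused: a TCP RST, or the ICMP error
                  produced by an iptables REJECT rule (Linux surfaces both to
                  the caller as ECONNREFUSED)
    filtered    - no answer before the timeout, i.e. the packets were dropped
                  on the way (a DROP rule or a "stealth" firewall)
    unreachable - the local stack could not even route to the host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:          # alias of TimeoutError on Python >= 3.10
        return "filtered"
    except OSError:                 # e.g. "Network is unreachable"
        return "unreachable"


def _serve_once(sock: socket.socket) -> None:
    # Accept a single connection and drop it; enough for the port to look open.
    try:
        conn, _ = sock.accept()
        conn.close()
    except OSError:
        pass


def demo() -> tuple:
    """Start a throwaway listener on localhost, probe it, close it, probe again.

    Constructed demonstration, not a remote check.  Expected result is
    ('open', 'closed'): once the listener is gone the kernel answers the SYN
    with a RST, which is exactly the 'closed' verdict.  A firewall that DROPs
    the probe would instead have produced 'filtered'.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_serve_once, args=(listener,), daemon=True)
    worker.start()

    while_open = probe_port("127.0.0.1", port)
    worker.join(timeout=2.0)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())
```

Run from a second machine against your own address, `probe_port(host, port)` returning "closed" for ports you believe your firewall blocks means the rule is rejecting rather than dropping, which is the same thing Bob reads out of nmap's "closed" versus "filtered"; probing localhost tells you nothing about the firewall, for the reason Bob gives.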


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-30 Thread Johann Spies
On Mon, Aug 29, 2011 at 02:46:52PM +0200, yudi v wrote:
 
 
 Probably portmap...
 
 See if it's installed
 $ dpkg --get-selections portmap
 
 If it is, and it bothers you, it can be removed - check and see if anything
 uses it:-
 # apt-get -s remove portmap | less
 
 If it's the only package to be removed:-
 # apt-get --purge remove portmap
 
 Check your port:-
 $ netstat -an | grep 111

Or 'netstat -plant' ...

Regards
Johann
-- 
Johann Spies                Telefoon: 021-808 4699
Databestuurder /  Data manager

Sentrum vir Navorsing oor Evaluasie, Wetenskap en Tegnologie
Centre for Research on Evaluation, Science and Technology 
Universiteit Stellenbosch.

 Preach the word; be instant in season, out of season; 
  reprove, rebuke, exhort with all longsuffering and 
  doctrine.  II Timothy 4:2 


Archive: http://lists.debian.org/20110830062848.ga5...@sun.ac.za



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-29 Thread yudi v

 The following packages will be REMOVED:
   cifs-utils libnfsidmap2 nfs-common nfs-kernel-server samba samba-common
   samba-common-bin samba-doc smbclient smbfs swat winbind
 0 upgraded, 0 newly installed, 12 to remove and 4 not upgraded.
 Remv smbfs [2:4.5-2]
 Remv cifs-utils [2:4.5-2]
 Remv nfs-kernel-server [1:1.2.2-4]
 Remv nfs-common [1:1.2.2-4]
 Remv libnfsidmap2 [0.23-2]
 Remv swat [2:3.5.6~dfsg-3squeeze5]
 Remv samba [2:3.5.6~dfsg-3squeeze5]
 Remv winbind [2:3.5.6~dfsg-3squeeze5]
 Remv smbclient [2:3.5.6~dfsg-3squeeze5]
 Remv samba-common-bin [2:3.5.6~dfsg-3squeeze5]
 Remv samba-common [2:3.5.6~dfsg-3squeeze5]
 Remv samba-doc [2:3.5.6~dfsg-3squeeze5]

 I purged the above files but still have the following service running.
111/tcp open  rpcbind




-- 
Kind regards,
Yudi


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-29 Thread Scott Ferguson

On 29/08/11 18:35, yudi v wrote:

 snipped

 I purged the above files but still have the following service running.
 111/tcp open  rpcbind

 --
 Kind regards,
 Yudi

Probably portmap...

See if it's installed
$ dpkg --get-selections portmap

If it is, and it bothers you, it can be removed - check and see if anything
uses it:-

# apt-get -s remove portmap | less

If it's the only package to be removed:-
# apt-get --purge remove portmap

Check your port:-
$ netstat -an | grep 111

SUN RPC is another protocol that uses that port.

Cheers

--
I've got a bathtub and an imagination, I'm staying indoors this summer.
That way I can listen to music that I like.
— Bill Hicks


Archive: http://lists.debian.org/4e5b62b5.7030...@gmail.com



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-29 Thread yudi v

 Probably portmap...

 See if it's installed
 $ dpkg --get-selections portmap

 If it is, and it bothers you, it can be removed - check and see if anything
 uses it:-
 # apt-get -s remove portmap | less

 If it's the only package to be removed:-
 # apt-get --purge remove portmap

 Check your port:-
 $ netstat -an | grep 111


Thanks for that info, once again. Much appreciated.
-- 
Kind regards,
Yudi


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-28 Thread yudi v
 I use postpaid mobile broadband and my IP is both the system address and
 the gateway. There is no NAT with postpaid service, it's only available
 with prepaid in Australia. Not sure why.


 Not sure what you mean there I suspect you mean only postpaid allow a
 static IP address (for some accounts). I use both prepaid and postpaid USB
 UMTS modems with different ISPs  - they all use the same, weird, setup where
 the remote address is defaulted to (different dogs, same leg action) -
 perhaps that's the NAT you're referring to??

 ie. Could not determine remote IP address: defaulting to 10.64.64.64[*1]

 eg. ppp0 inet address and p-t-p are different, and the ip I use for remote
 access is different again (the one shown in http://myip.dk)

 my system IP for ppp0 is 101.***.***.*** and it's not static.

but from what I can remember all postpaid accounts in Australia have
10.***.***.*** addresses and are behind NAT. The only way I could SSH
was by reverse port forwarding. I eventually ended up getting
postpaid.
That's how it works in Australia. I believe you are not in Aus.

See this post for more info.
http://forums.whirlpool.net.au/forum-replies.cfm?t=1488078

***

  The only things I need are CUPS and SMTP for Zimbra.

 I will disable the rest. I guess I have to use update.rc-d.


 you could just remove them
 eg:-
 # apt-get --purge remove libnfsidmap2 nfs-common samba

 if you don't use samba at all (cifs-utils samba samba-common
 samba-common-bin smbfs) then change samba to samba*

 I'd suggest using -s instead of --purge first - just in case samba was
 originally pulled in by another package which you want to keep.

Thanks for the info. Will definitely uninstall samba and nfs.



-- 
Kind regards,
Yudi


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-28 Thread Scott Ferguson

On 28/08/11 18:37, yudi v wrote:

 snipped

 my system IP for ppp0 is 101.***.***.*** and it's not static.

 but from what I can remember all postpaid accounts in Australia have
 10.***.***.*** addresses and are behind NAT.

I've yet to see any (non-SLA business class) USB UMTS modems by any of
the major Oz companies pre-paid or post-paid that don't use that
arrangement.

 The only way I could SSH
 was by reverse port forwarding.

http://myip.dk/ will give you the remote access address. Just ssh to the
displayed address. I'd suggest you try - it's easier than just believing
everything you read on whirlpool. The signal to noise ratio there can be
bad. Exetel have good tech support - Vodaphail don't even know where
their towers are - and they wouldn't tell you even if they did know.
If you have a static IP plan - the myip.dk displayed address is still
the one you remote into - *not* the ppp0 inet or p-t-p address.

 I eventually ended up getting postpaid.
 That's how it works in Australia. I believe you are not in Aus.

They've moved Canberra? Why wasn't I told??

 See this post for more info.
 http://forums.whirlpool.net.au/forum-replies.cfm?t=1488078

You mean the ex-vodaphone social networking consultant?
NOTE: the person who told you it's not possible to vnc into your machine
is wrong too.

 snipped

 --
 Kind regards,
 Yudi



--
You ever noticed how people who believe in Creationism look really
unevolved? You ever noticed that? Eyes real close together, eyebrow
ridges, big furry hands and feet. I believe God created me in one day
Yeah, looks like He rushed it.

— Bill Hicks


Archive: http://lists.debian.org/4e5a0f41.3050...@gmail.com



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-28 Thread yudi v
 http://myip.dk/ will give you the remote access address. Just ssh to the
 displayed address. I'd suggest you try - it's easier than just believing
 everything you read on whirlpool. The signal to noise ratio there can be
 bad. Exetel have good tech support - Vodaphail don't even know where their
 towers are - and they wouldn't tell you even if they did know.

 If you have a static IP plan - the myip.dk displayed address is still the
 one you remote into - *not* the ppp0 inet or p-t-p address.

Thanks for sharing that info.

 They've moved Canberra? Why wasn't I told??

It's back where it should be now. No need to panic mate.



-- 
Kind regards,
Yudi


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-28 Thread yudi v

 # apt-get --purge remove libnfsidmap2 nfs-common samba

 if you don't use samba at all (cifs-utils samba samba-common
 samba-common-bin smbfs) then change samba to samba*

 I'd suggest using -s instead of --purge first - just in case samba was
 originally pulled in by another package which you want to keep.

These are the files that will be uninstalled. I cannot see anything in
there that I am using:

The following packages will be REMOVED:
  cifs-utils libnfsidmap2 nfs-common nfs-kernel-server samba samba-common
  samba-common-bin samba-doc smbclient smbfs swat winbind
0 upgraded, 0 newly installed, 12 to remove and 4 not upgraded.
Remv smbfs [2:4.5-2]
Remv cifs-utils [2:4.5-2]
Remv nfs-kernel-server [1:1.2.2-4]
Remv nfs-common [1:1.2.2-4]
Remv libnfsidmap2 [0.23-2]
Remv swat [2:3.5.6~dfsg-3squeeze5]
Remv samba [2:3.5.6~dfsg-3squeeze5]
Remv winbind [2:3.5.6~dfsg-3squeeze5]
Remv smbclient [2:3.5.6~dfsg-3squeeze5]
Remv samba-common-bin [2:3.5.6~dfsg-3squeeze5]
Remv samba-common [2:3.5.6~dfsg-3squeeze5]
Remv samba-doc [2:3.5.6~dfsg-3squeeze5]



-- 
Kind regards,
Yudi


securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread yudi v
Nmap suggests the following ports are open:

25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
2049/tcp open  nfs

I run a desktop email client that uses smtp; apart from that I do not know
why the rest of the above services are open.

it even had SSH listening on 22, changed the port # and also changed
PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
output:
also installed gufw and set it to deny as default.

root@computer:/home/user# grep -ir "Failed password" /var/log/*
/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
root@computer:/home/user# grep -ir BREAK-IN /var/log/*
/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!


how can I find out if this system has been compromised?

what are the steps I need to take to secure it?
-- 
Kind regards,
Yudi


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Brad Alexander
Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer
driver. 111 and 2049 are for NFS.  If you don't need them, you should be
able to turn them off...If you do need it, then you should be able to
firewall it, using iptables to limit access to the hosts or subnets you
need.

On Sat, Aug 27, 2011 at 11:05 AM, yudi v yudi@gmail.com wrote:

 Nmap suggests the following ports are open:

 25/tcp   open  smtp
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs

 I run a desktop email client that uses smtp apart from that I do not know
 why rest of the above services are open.

 it even had SSH listening on 22, changed the port # and also  changed
 PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
 output:
 also installed gufw and set it to deny as default.

 root@computer:/home/user# grep -ir "Failed password" /var/log/*
 /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
 /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
 root@computer:/home/user# grep -ir BREAK-IN /var/log/*
 /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!


 how can I find out if this system has been compromised?


If you are looking for ssh attempts, you should peruse /var/log/auth.log and
look for unusual logins. The ones like you mention above are failed. You
could run fail2ban or another one that watches your ssh port and in the
event of too many failed attempts, can block the IP through iptables. Be
careful, because if someone spoofs the address, then you could block some
site that you need to access.

Another idea would be to run a Host-based Intrusion Detection System (HIDS).
Tripwire is a classic example, as it does md5sums of critical files and you
run it against your machine looking for changes. However, I have come to
prefer OSSEC (http://ossec.net), which does md5summing in the background:

OSSEC HIDS Notification.
2011 Aug 25 07:25:59

Received From: (013hornet) 192.168.224.13-syscheck
Rule: 550 fired (level 7) - Integrity checksum changed.
Portion of the log(s):

Integrity checksum changed for: '/etc/sudoers'
Size changed from '552' to '692'
Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
New md5sum is : '377364efbaefe7138d3fe4081d98b592'
Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'

but also watches your logs for events:
OSSEC HIDS Notification.
2011 Aug 25 06:43:57

Received From: (056worf) 192.168.224.56-/var/log/auth.log
Rule: 40101 fired (level 12) - System user successfully logged to the
system.
Portion of the log(s):

Aug 25 06:43:56 worf su[9338]: + ??? root:nobody

Having said all of that, if you suspect your machine was compromised (the
failed logins messages in the logs only indicate that you had some failed
attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec,
run nmap or nessus on it and put it back in service.

Regards,
--b


 what are the steps I need to take to secure it?
 --
 Kind regards,
 Yudi
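Brad's two pieces of advice for the auth.log, count failed attempts per source the way fail2ban does and read through the successful logins by hand, can be done in a few lines. The following is an added example, not code from Brad, fail2ban or OSSEC, and the log lines it parses are constructed in the sshd format quoted in this thread (the addresses are RFC 5737 documentation ranges, not the real hosts from Yudi's logs). The function names and the default threshold of three failures are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt in the sshd format shown in this thread.
SAMPLE_AUTH_LOG = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 198.51.100.7 port 56631 ssh2
Aug 14 13:50:41 computer sshd[3553]: Failed password for root from 198.51.100.7 port 56632 ssh2
Aug 14 13:50:45 computer sshd[3553]: Failed password for root from 198.51.100.7 port 56633 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for host.example[203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 203.0.113.9 port 22792 ssh2
Aug 16 09:02:11 computer sshd[6210]: Accepted publickey for alice from 192.0.2.20 port 40112 ssh2
Aug 16 09:05:30 computer sshd[6301]: Accepted password for root from 198.51.100.7 port 56700 ssh2
"""

# "invalid user" is optional: sshd adds it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_attempts_by_source(log_text):
    """Count 'Failed password' lines per source address and collect the
    usernames each address tried; this is the signal fail2ban watches."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return counts, users


def sources_to_block(log_text, max_failures=3):
    """Addresses at or above the failure threshold, sorted.  These are what a
    fail2ban-style jail would hand to iptables; as Brad notes, the decision
    rests on the logged source address, so review before blocking."""
    counts, _ = failed_attempts_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= max_failures)


def successful_logins(log_text):
    """Every 'Accepted ...' line: the logins worth reading through by hand."""
    entries = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_successes(log_text, max_failures=3):
    """Successful logins that deserve a closer look: ones from an address
    that had already failed repeatedly, or a root login by password."""
    noisy = set(sources_to_block(log_text, max_failures))
    hits = []
    for entry in successful_logins(log_text):
        if entry["ip"] in noisy or (entry["user"] == "root" and entry["method"] == "password"):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    counts, users = failed_attempts_by_source(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:<16} {n} failures, users tried: {sorted(users[ip])}")
    print("block candidates:", sources_to_block(SAMPLE_AUTH_LOG))
    for e in suspicious_successes(SAMPLE_AUTH_LOG):
        print("REVIEW:", e["ts"], e["user"], "via", e["method"], "from", e["ip"])
```

Feed it the real file with `suspicious_successes(open("/var/log/auth.log").read())`; a failed-then-accepted pair from the same address is the pattern that distinguishes "someone knocked" from "someone got in", which is the question Yudi is actually asking. The constructed sample deliberately contains one such pair.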




Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Joe
On Sun, 28 Aug 2011 01:05:47 +1000
yudi v yudi@gmail.com wrote:

 Nmap suggests the following ports are open:
 
 25/tcp   open  smtp
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs
 
 I run a desktop email client that uses smtp apart from that I do not
 know why rest of the above services are open.

An email *client* needs no ports open, assuming the firewall is a
stateful one, as pretty well all are. Nothing connects to it, it
connects to other servers as needed.

139, 445 and 901 suggest you are running samba, which is not normally
necessary on a desktop machine, unless you are making network shares
available from it. If that's not what you intend, remove or disable
samba. If you need to connect to Windows shares on the same subnet,
install smbclient. If you use shares between subnets, you may need the
full samba for its nmbd component, which can use WINS servers or even
be one.

ipp is CUPS, the network printing server, and you know whether you need
that. RPCbind is needed with nfs. I wouldn't have thought you'd need
that, as it's the *nix network filing system, and you wouldn't be using
that by accident.

 
 it even had SSH listening on 22, changed the port # and also  changed
 PermitRootLogin to no in /etc/ssh/sshd_config after looking at the
 following output:
 also installed gufw and set it to deny as default.
 
 root@computer:/home/user# grep -ir "Failed password" /var/log/*
 /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
 /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
 root@computer:/home/user# grep -ir BREAK-IN /var/log/*
 /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
 
 
 how can I find out if this system has been compromised?

You can try chkrootkit and rkhunter, but the latter at least works
better if it has scanned the system in a known clean state. Neither are
automatic: you either run them manually or use a cron job. Booting from
a live CD will allow you to compare ps and other normally-compromised
binaries with the correct hashes as shown by whatever repository you
use. The bottom line is that you cannot be completely sure, but if ps
hasn't been touched you are probably OK.

 
 what are the steps I need to take to secure it?

As you say, deny root logins, but I would strongly recommend dropping
passwords altogether and using keys. If you connect from Windows, you
will already know about PuTTY, which generates its own keypairs and
(currently I believe) can't use *nix-generated keys. The change of port
number is often denigrated as 'security by obscurity', but then what
else is a digital certificate? If running ssh on an obscure port
prevents pretty much all automated password brute-forcing (and it does)
then you're better off than many other people have been.

What Internet connection do you have, and what is forwarded? If you are
only forwarding ssh from a stateful packet filtering NAT router, then
you already have quite a lot of protection to other services, but I'd
still use at least a second line of filtering, as you have now done.
The gufw application and several other 'firewalls' are front ends to
iptables/netfilter, the actual packet filter.

Use netstat to check what services you have listening, and on which
interfaces. Most services can be configured to listen only to some
interfaces, and many only need to use localhost, so they can be closed
off from outside access. The open ports you need depend on what local
networking you do.

There's more, of course, but it's a lifetime study. Others will no
doubt offer more suggestions.

-- 
Joe


Archive: http://lists.debian.org/20110827171616.293b2...@jretrading.com
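Joe's closing advice, check with netstat what is listening and on which interfaces, is the audit this whole thread keeps coming back to. The following added example (mine, not code from Joe or from Debian) parses the `netstat -nplt` output format quoted earlier in this page and tells wildcard binds (0.0.0.0 or ::, reachable from every interface) apart from loopback-only ones, which are the services that are already "closed off from outside access" in Joe's sense. The sample output is constructed: the rpcbind and rpc.statd rows copy Bill's, the cupsd, exim4 and sshd rows and all PIDs are made up for the example.

```python
# Constructed netstat -nplt output in the format quoted in this thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1904/rpcbind
tcp        0      0 0.0.0.0:51062           0.0.0.0:*               LISTEN      1935/rpc.statd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2210/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2302/exim4
tcp6       0      0 :::22                   :::*                    LISTEN      1622/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      2210/cupsd
"""

WILDCARDS = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(netstat_text):
    """Parse the LISTEN rows of `netstat -nplt` into dicts.

    The local address is split on its *last* ':' so IPv6 forms such as
    ':::22' and '::1:631' come out right.  'exposure' is 'all' for a wildcard
    bind, 'local' for loopback, 'iface' for a bind to one specific address.
    When netstat is run without root the PID/Program column reads '-', so the
    program name falls back to '?'.
    """
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue   # header lines, UDP, or non-listening sockets
        addr, port = parts[3].rsplit(":", 1)
        pid, _, program = parts[6].partition("/") if len(parts) > 6 else ("-", "", "")
        if addr in WILDCARDS:
            exposure = "all"
        elif addr in LOOPBACK:
            exposure = "local"
        else:
            exposure = "iface"
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "pid": pid, "program": program or "?", "exposure": exposure})
    return rows


def exposed_services(netstat_text):
    """(port, program) pairs reachable from every interface, sorted by port:
    the list to compare against what the machine is actually for."""
    return sorted((r["port"], r["program"])
                  for r in parse_listeners(netstat_text) if r["exposure"] == "all")


def report(netstat_text):
    """One line per listener with a verdict in front, for reading by eye."""
    verdicts = {"all": "EXPOSED   ", "local": "local-only", "iface": "one-iface "}
    lines = []
    for r in parse_listeners(netstat_text):
        lines.append(f"{verdicts[r['exposure']]}  {r['proto']:<4} "
                     f"{r['addr']}:{r['port']:<6} {r['program']} (pid {r['pid']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
    print("reachable from outside:", exposed_services(SAMPLE_NETSTAT))
```

On a live Debian box run it as `report(subprocess.run(["netstat", "-nplt"], capture_output=True, text=True).stdout)` (as root, or the program column is empty). In the sample the two loopback-only services need no further action, while rpcbind, the high port rpc.statd took and sshd are the ones to either firewall, rebind to a specific interface, or, per Bob's preference, uninstall.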



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Chris Brennan
On 8/27/2011 11:38 AM, Brad Alexander wrote:
 Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer
 driver. 111 and 2049 are for NFS.  If you don't need them, you should be
 able to turn them off...If you do need it, then you should be able to
 firewall it, using iptables to limit access to the hosts or subnets you
 need.
 
 On Sat, Aug 27, 2011 at 11:05 AM, yudi v yudi@gmail.com
 mailto:yudi@gmail.com wrote:
 
 Nmap suggests the following ports are open:
 
 25/tcp   open  smtp
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs
 
 I run a desktop email client that uses smtp apart from that I do not
 know why rest of the above services are open.
 
 it even had SSH listening on 22, changed the port # and also 
 changed PermitRootLogin to no in /etc/ssh/sshd_config after looking
 at the following output:
 also installed gufw and set it to deny as default.
 
 root@computer:/home/user# grep -ir "Failed password" /var/log/*
 /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
 /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
 root@computer:/home/user# grep -ir BREAK-IN /var/log/*
 /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
 
 
 how can I find out if this system has been compromised?
 
 
 If you are looking for ssh attempts, you should peruse /var/log/auth.log
 and look for unusual logins. The ones like you mention above are failed.
 You could run fail2ban or another one that watches your ssh port and in
 the event of too many failed attempts, can block the IP through
 iptables. Be careful, because if someone spoofs the address, then you
 could block some site that you need to access.
 
 Another idea would be to run a Host-based Intrusion Detection System
 (HIDS). Tripwire is a classic example, as it does md5sums of critical
 files and you run it against your machine looking for changes. However,
 I have come to prefer OSSEC (http://ossec.net), which does md5summing in
 the background:
 
 OSSEC HIDS Notification.
 2011 Aug 25 07:25:59
 
 Received From: (013hornet) 192.168.224.13-syscheck
 Rule: 550 fired (level 7) - Integrity checksum changed.
 Portion of the log(s):
 
 Integrity checksum changed for: '/etc/sudoers'
 Size changed from '552' to '692'
 Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
 New md5sum is : '377364efbaefe7138d3fe4081d98b592'
 Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
 New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'
 
 but also watches your logs for events:
 OSSEC HIDS Notification.
 2011 Aug 25 06:43:57
 
 Received From: (056worf) 192.168.224.56-/var/log/auth.log
 Rule: 40101 fired (level 12) - System user successfully logged to the
 system.
 Portion of the log(s):
 
 Aug 25 06:43:56 worf su[9338]: + ??? root:nobody
 
 Having said all of that, if you suspect your machine was compromised
 (the failed logins messages in the logs only indicate that you had some
 failed attempts), nuke it and rebuild. After you rebuild, set up
 iptables, ossec, run nmap or nessus on it and put it back in service.
 
 Regards,
 --b
 
 
 what are the steps I need to take to secure it?
 -- 
 Kind regards,
 Yudi
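What fail2ban does when it watches auth.log, reduced to a shell script so the logic is visible. This is an added example, not code from the thread or from fail2ban itself: it counts "Failed password" lines per source address, applies a maxretry threshold, and prints (without running) an iptables rule equivalent to fail2ban's default ban action. The sample log lines are constructed for the example (the two "Failed password" lines quoted above are reused, the rest are invented); the threshold of 5, the port 22 and the absence of a findtime window are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from fail2ban): count failed
# SSH password attempts per source address in an auth.log-style file and
# report the addresses a fail2ban sshd jail with maxretry=N would ban.
# Sample input constructed for this example: the first two "Failed password"
# lines are the ones quoted in the thread, the remaining lines are invented.

SAMPLE_LOG='Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 15 22:13:14 computer sshd[5131]: Failed password for invalid user admin from 190.24.225.223 port 22801 ssh2
Aug 15 22:13:19 computer sshd[5133]: Failed password for invalid user test from 190.24.225.223 port 22815 ssh2
Aug 15 22:13:25 computer sshd[5135]: Failed password for root from 190.24.225.223 port 22830 ssh2
Aug 15 22:13:31 computer sshd[5137]: Failed password for root from 190.24.225.223 port 22844 ssh2
Aug 15 22:14:02 computer sshd[5140]: Accepted publickey for user from 192.0.2.10 port 50001 ssh2'

# failed_by_ip LOGFILE
# Prints "COUNT IP", highest count first, for every source address with at
# least one "Failed password" line.  The "POSSIBLE BREAK-IN ATTEMPT" line is
# only a reverse-DNS mismatch warning, not an authentication failure, and is
# deliberately not counted.
failed_by_ip() {
    grep 'Failed password for .* from ' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port [0-9]* ssh2$/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders LOGFILE MAXRETRY
# Prints the addresses that reached MAXRETRY failures, i.e. the set a
# fail2ban jail with maxretry=MAXRETRY would ban (fail2ban additionally
# only counts failures inside its findtime window; this script does not).
offenders() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# ban_rule IP
# Prints, but does not run, a rule equivalent to fail2ban's default iptables
# action (fail2ban keeps its rules in a chain of its own).  Port 22 is
# assumed; the thread's sshd was moved elsewhere.
ban_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable\n' "$1"
}

# Demo over the constructed sample; on a real Debian box use /var/log/auth.log.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "failed password attempts per source:"
    failed_by_ip "$tmp"
    echo "would ban with maxretry=5:"
    for ip in $(offenders "$tmp" 5); do ban_rule "$ip"; done
    rm -f "$tmp"
}

demo
```

On the spoofing worry raised above: a "Failed password" line is only written after a completed TCP handshake and an SSH key exchange, so the address in that line cannot be forged by a third party. The realistic way to lock yourself out is a shared address (an office NAT, or your own laptop behind the same router) reaching the threshold, which is why fail2ban has an ignoreip list.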
 
 

If you need to actively scan for a rootkit, you can check out rkhunter,
chkrootkit or sleuthkit, just to name a few.

If you want to get creative with tools, my gentoo box has this in
app-forensic:

afflib  air  chkrootkit  examiner  galleta  lynis   magicrescue
 metadata.xml  ovaldi  rdd  rkhunter  sleuthkit  zzuf
aideautopsy  cmospwd foremost  libewf   mac-robber  memdump
 openscap  pasco   rifiuti  scalpel   yasat

You can try some of these if you want, but I've only used the three I
initially mentioned.

-- 
 Chris Brennan
 --
 A: Yes.
 Q: Are you sure?
 A: Because it reverses the logical flow of conversation.
 Q: Why is top posting frowned upon?
 http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
 GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8  9E4A EECD 9A84 D5B2 0C0C)





Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Brian
On Sun 28 Aug 2011 at 01:05:47 +1000, yudi v wrote:

 Nmap suggests the following ports are open:
 
 25/tcp   open  smtp
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs
 
 I run a desktop email client that uses smtp apart from that I do not know
 why rest of the above services are open.

If the smtp server is exim4 it only accepts local mail with its default
settings. No problem there. CUPS (port 631) in its default install will
only print from the the local machine. No problem here either.

Incidentally, the services are open because they are running. That is
the meaning of 'open'. They are running because you have installed them.

 it even had SSH listening on 22, changed the port # and also  changed

Never! sshd on port 22. Whatever next?

 PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
 output:

There is no need to, but if you feel better after doing it...

 also installed gufw and set it to deny as default.

You did get desperate, didn't you? Was this before or after reading the
documentation for the services you installed?

 root@computer:/home/user# grep -ir Failed password /var/log/*
 /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for
 root from 60.242.242.121 port 56631 ssh2
 /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for
 invalid user admin from 190.24.225.223 port 22792 ssh2
 root@computer:/home/user# grep -ir BREAK-IN /var/log/*
 /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping
 checking getaddrinfo for
 corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE
 BREAK-IN ATTEMPT!

Is your root password something really easy, like password5, or is it (say)
12+ characters? Do you have a user 'admin'? What is there to be worried
about?

 how can I find out if this system has been compromised?

There is no evidence here that it has been.
 
 what are the steps I need to take to secure it?

Don't install services you don't need. Configure those you want safely.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110827182145.GF4474@desktop



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Brian
On Sat 27 Aug 2011 at 17:16:16 +0100, Joe wrote:

 On Sun, 28 Aug 2011 01:05:47 +1000
 yudi v yudi@gmail.com wrote:
  
  how can I find out if this system has been compromised?
 
 You can try chkrootkit and rkhunter, but the latter at least works

A natural history expedition searching for unicorns and dodos would have 
as much success as these two programs are likely to have.

  what are the steps I need to take to secure it?
 
 As you say, deny root logins, but I would strongly recommend dropping
 passwords altogether and using keys. If you connect from Windows, you

Keys and passwords each have their place. One is not inherently more
secure than the other.

 (currently I believe) can't use *nix-generated keys. The change of port
 number is often denigrated as 'security by obscurity', but then what
 else is a digital certificate? If running ssh on an obscure port
 prevents pretty much all automated password brute-forcing (and it does)
 then you're better off than many other people have been.

You are most probably correct. On a higher port number sshd will
experience fewer probes. But it was secure on port 22 anyway, so there
doesn't seem much point in moving it in that regard.


Archive: http://lists.debian.org/20110827184308.GG4474@desktop



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Gilbert Sullivan

On 08/27/2011 02:43 PM, Brian wrote:


A natural history expedition searching for unicorns and dodos would have
as much success as these two programs are likely to have.



I was once on a natural history expedition. We found no unicorns, but we 
did find dodos. We weren't looking for them, but we did find them -- one 
night while we were looking at each other around the camp fire.


And I like playing with chkrootkit and rkhunter. It gives me something 
to do in those moments when I miss fiddling with the vast array of 
anti-malware programs I used to use in Windows.


8-D



Archive: http://lists.debian.org/4e5941f6.10...@comcast.net



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Ralf Jung
Hi,

 ipp is CUPS, the network printing server, and you know whether you need
 that.
Now that you mention it... I also see cups listening on all devices:
$ sudo netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   
PID/Program name
udp0  0 0.0.0.0:631 0.0.0.0:*   
1646/cupsd  

I need CUPS for printing, but my laptop is for sure not a printing server, so 
no open port is necessary. cupsd.conf contains this

# Only listen for connections from the local machine.
Listen localhost:631

However, as you can see, it still opens the port on all interfaces. Is that a 
bug, or is the configuration incorrect?

Kind regards,
Ralf


Archive: http://lists.debian.org/201108272128.42920.ralfjun...@gmx.de



Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Aniruddha
On Sat, Aug 27, 2011 at 5:05 PM, yudi v yudi@gmail.com wrote:

 Nmap suggests the following ports are open:

 25/tcp   open  smtp
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs

 Which nmap command did you use? What happens when you do a 'Common Ports'
scan with Shields up  ( https://www.grc.com/x/ne.dll?bh0bkyd2 )? What kind
of internet connection and modem do you have?


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread yudi v
Just to clarify my post.
This is a new install and I was a bit careless while installing. It has no
data on it. I was more concerned with LUKS+LVM working at install. I did not
realize I selected to install SSH, I do not use Samba or NFS not sure how
those got installed. Again it might have been an oversight.

On my other system I have SSH setup with fail2ban, and only using pub keys.
I was going to setup same config on this system but got sidetracked.

I use postpaid mobile broadband and my IP is both the system address and the
gateway. There is no NAT with postpaid service, it's only available with
prepaid in Australia. Not sure why.
The only things I need are CUPS and SMTP for Zimbra.

I will disable the rest. I guess I have to use update-rc.d.

There's lot of info here I haven't heard about before. I will go through it
and post back.

-- 
Kind regards,
Yudi


Re: securing the system, stopping unnecessary services and closing open ports.

2011-08-27 Thread Scott Ferguson

On 28/08/11 11:39, yudi v wrote:

Just to clarify my post.
This is a new install and I was a bit careless while installing. It has
no data on it. I was more concerned with LUKS+LVM working at install. I
did not realize I selected to install SSH, I do not use Samba or NFS not
sure how those got installed.


With KDE by default you get libnfsidmap and nfs-common. Samba (server) 
is not installed by default - though something else may have pulled it 
in. On boxen that don't use them I just remove and purge nfs and 
samba (likewise ssh).



Again it might have been an oversight.

On my other system I have SSH setup with fail2ban, and only using pub
keys. I was going to setup same config on this system but got sidetracked.

I use postpaid mobile broadband and my IP is both the system address and
the gateway. There is no NAT with postpaid service, it's only available
with prepaid in Australia. Not sure why.


Not sure what you mean there... I suspect you mean only postpaid allows 
a static IP address (for some accounts). I use both prepaid and 
postpaid USB UMTS modems with different ISPs - they all use the same, 
weird, setup where the remote address is defaulted to (different dogs, 
same leg action) - perhaps that's the NAT you're referring to?


ie. Could not determine remote IP address: defaulting to 10.64.64.64[*1]

eg. ppp0 inet address and p-t-p are different, and the ip I use for 
remote access is different again (the one shown in http://myip.dk)



The only things I need are CUPS and SMTP for Zimbra.

I will disable the rest. I guess I have to use update-rc.d.


you could just remove them
eg:-
# apt-get --purge remove libnfsidmap2 nfs-common samba

if you don't use samba at all (cifs-utils samba samba-common 
samba-common-bin smbfs) then change samba to samba*


I'd suggest using -s instead of --purge first - just in case samba was 
originally pulled in by another package which you want to keep.




There's lot of info here I haven't heard about before. I will go through
it and post back.

--
Kind regards,
Yudi



NOTE: just because a port is open doesn't necessarily mean it's 
accepting connections.


Cheers

[*1] PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED

--
You ever noticed how people who believe in Creationism look really 
unevolved? You ever noticed that? Eyes real close together, eyebrow 
ridges, big furry hands and feet. I believe God created me in one day 
Yeah, looks liked He rushed it.

— Bill Hicks



Archive: http://lists.debian.org/4e59b23a.8010...@gmail.com



Re: howto check open ports ?

2006-02-23 Thread Dexter
try command nmap ip_address

On Thu, 2006-02-23 at 00:12 +, Oliver Lupton wrote:
 On Wed, 22 Feb 2006 17:31:49 -0500
 Stephen R Laniel [EMAIL PROTECTED] wrote:
 
  On Wed, Feb 22, 2006 at 10:26:05PM +, Oliver Lupton wrote:
   My router/firewall blocks all ports, including those over 1023 (1024?)
  
  I assume you mean that your router *can*, not that it
  necessarily does. It seems like it would be awfully
  inconvenient to block all such ports, given that programs
  often need to open connections to non-privileged ports.
  E.g., see below for all the ports that netstat reveals have
  connections currently open.
 
 Sorry, maybe I phrased myself badly.
 
 I, and I think the original poster is in the same situation, have my own box 
 behind a separate router, that router is firewalling incoming traffic (WAN - 
 Me) and in my case then it does block *all* ports except ones specifically 
 allowed by the router admin (in this case, me).
 
 The netstat output you show is, I believe, showing the local ends of any 
 outgoing requests you have open, which are not blocked by the router. 
 `netstat -l` shows a, what I think is a more relevant, list of ports your 
 machine is listening on for incoming connections.
 
 Cheers,
 
 -ol
 





Re: howto check open ports ?

2006-02-23 Thread Peter McAlpine
nmap is all you need. The manpage will tell you everything about it
you need to know. If you can't find an open port then you may want to
consider running an ssh tunnel (man ssh and look for -R and -L
options).

Even worse, running TCP/IP over your ssh connection with a pppd and
Magosányi Árpád's pty-redir program. Mind you, I can guarantee that
your University IT dept will be justifiably pissed if you set up a VPN
between your home network and their LAN.

-Peter

On Wed, Feb 22, 2006 at 01:59:41PM -0800, Paul Johnson wrote:
 On Wednesday 22 February 2006 13:18, Mehmet Fatih Akbulut wrote:
  hi all,
  i am now behind a firewall [at dormitory], and i want to check open ports.
  is there a handy program that does this job for me ;)
 
 nmap will do it if you know your IP address and can run nmap from another 
 network.
 
 BTW, attempting to breach your university's security measure probably 
 violates 
 your terms of enrollment and can get you kicked out of college or evicted 
 from your dorm.  Just something to keep in mind.
 
 -- 
 Paul Johnson
 Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
 Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber
 
 
 




Re: howto check open ports ?

2006-02-23 Thread Mike McCarty

Oliver Lupton wrote:

On Wed, 22 Feb 2006 17:31:49 -0500
Stephen R Laniel [EMAIL PROTECTED] wrote:



On Wed, Feb 22, 2006 at 10:26:05PM +, Oliver Lupton wrote:


My router/firewall blocks all ports, including those over 1023 (1024?)


I assume you mean that your router *can*, not that it
necessarily does. It seems like it would be awfully
inconvenient to block all such ports, given that programs
often need to open connections to non-privileged ports.
E.g., see below for all the ports that netstat reveals have
connections currently open.



Sorry, maybe I phrased myself badly.

I, and I think the original poster is in the same situation, have my

own box behind a separate router, that router is firewalling incoming
traffic (WAN - Me) and in my case then it does block *all* ports except
ones specifically allowed by the router admin (in this case, me).

My setup is similar. I have a router with only one computer on the
LAN side, and one ADSL modem on the WAN side. I have mine stealth
on all ports except the e-mail challenge port, which is closed.

Mike
--
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!






howto check open ports ?

2006-02-22 Thread Mehmet Fatih Akbulut
hi all,
i am now behind a firewall [at dormitory], and i want to check open ports. is there a handy program that does this job for me ;)
want to find an open port for apache to run. because 80. port blocked to people outside the dorm.
i both need an openport seeker program and info if apache will work let's say i change its port from 80 to 5055 [assuming this port is open] ?
many thanks in advance.
Cheers,
MFA


Re: howto check open ports ?

2006-02-22 Thread Stephen R Laniel
On Wed, Feb 22, 2006 at 11:18:41PM +0200, Mehmet Fatih Akbulut wrote:
 i am now behind a firewall [at dormitory], and i want to check open ports.
 is there a handy program that does this job for me ;)
 want to find an open port for apache to run.
 because 80. port blocked to people outside the dorm.
 i both need an openport seeker program and info if apache will work let's say 
 i
 change its port from 80 to 5055 [assuming this port is open] ?
 many thanks in advance.

Any ports above 1023, I believe, are unprivileged. Quite
often people set Apache to work over port 8080; almost no
one blocks ports that high.

You could also use nmap to scan ports. But nmap is only
going to scan privileged ports to see which ones are open;
it's not going to tell you that ports 8080 and above are
open, because they always are.

-- 
Stephen R. Laniel
[EMAIL PROTECTED]
+(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key




Re: howto check open ports ?

2006-02-22 Thread Stephen R Laniel
On Wed, Feb 22, 2006 at 10:26:05PM +, Oliver Lupton wrote:
 My router/firewall blocks all ports, including those over 1023 (1024?)

I assume you mean that your router *can*, not that it
necessarily does. It seems like it would be awfully
inconvenient to block all such ports, given that programs
often need to open connections to non-privileged ports.
E.g., see below for all the ports that netstat reveals have
connections currently open.

2252
2733
5973
10892
18810
21097
21622
22184
23816
32779
37380
45559
46174
46175
46176
46177
46178
46179
46180
46181
46182
46183
47950
48946
50271
50579
52343
52382
52426
52462
52481
52482
53166
53494
56174
56241
57329
6
61464
62586

-- 
Stephen R. Laniel
[EMAIL PROTECTED]
+(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key




Re: howto check open ports ?

2006-02-22 Thread Oliver Lupton
On Wed, 22 Feb 2006 16:24:54 -0500
Stephen R Laniel [EMAIL PROTECTED] wrote:

 it's not going to tell you that ports 8080 and above are
 open, because they always are.

My router/firewall blocks all ports, including those over 1023 (1024?)

Cheers,

-ol

-- 
I will live forever, or die trying.




Re: howto check open ports ?

2006-02-22 Thread Paul Johnson
On Wednesday 22 February 2006 13:18, Mehmet Fatih Akbulut wrote:
 hi all,
 i am now behind a firewall [at dormitory], and i want to check open ports.
 is there a handy program that does this job for me ;)

nmap will do it if you know your IP address and can run nmap from another 
network.

BTW, attempting to breach your university's security measure probably violates 
your terms of enrollment and can get you kicked out of college or evicted 
from your dorm.  Just something to keep in mind.

-- 
Paul Johnson
Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber





Re: howto check open ports ?

2006-02-22 Thread Philippe De Ryck
On Wed, 2006-02-22 at 16:24 -0500, Stephen R Laniel wrote:
 On Wed, Feb 22, 2006 at 11:18:41PM +0200, Mehmet Fatih Akbulut wrote:
  i am now behind a firewall [at dormitory], and i want to check open ports.
  is there a handy program that does this job for me ;)
  want to find an open port for apache to run.
  because 80. port blocked to people outside the dorm.
  i both need an openport seeker program and info if apache will work let's 
  say i
  change its port from 80 to 5055 [assuming this port is open] ?
  many thanks in advance.
 
 Any ports above 1023, I believe, are unprivileged. Quite
 often people set Apache to work over port 8080; almost no
 one blocks ports that high.
 
 You could also use nmap to scan ports. But nmap is only
 going to scan privileged ports to see which ones are open;
 it's not going to tell you that ports 8080 and above are
 open, because they always are.
 

I believe this info is quite incorrect. I use nmap often, and it scans
quite high (for instance, 3389, RDP is detected just fine). If port 8080
is open by default depends on how your firewall is configured. If you
follow the approach: ACCEPT ALL and deny what I don't want, it is
possible that it is still open. The right way is: DENY ALL and allow
what I need/want. 

To be able to run apache through a firewall though means that the
network can't be NAT-ed, because then you'd need a mapping that tells
the firewall to forward traffic for port x to IP y. If the firewall only
protects your host directly, then an open port would suffice to make
apache accessible.

What you mean by privileged ports are ports that can only be opened with
sufficient rights. For instance, a normal user would not be able to run
apache on port 80, but root can.

Just for the record, below is nmap output on port 8080 on my router at
home: 
PORT STATESERVICE
8080/tcp filtered http-proxy

filtered means that it is stopped by something. If there is nothing
listening on that port it would be closed and if there is something
listening it would be open!


If I made a mistake anywhere, feel free to correct me!

Philippe De Ryck





Re: howto check open ports ?

2006-02-22 Thread Oliver Lupton
On Wed, 22 Feb 2006 17:31:49 -0500
Stephen R Laniel [EMAIL PROTECTED] wrote:

 On Wed, Feb 22, 2006 at 10:26:05PM +, Oliver Lupton wrote:
  My router/firewall blocks all ports, including those over 1023 (1024?)
 
 I assume you mean that your router *can*, not that it
 necessarily does. It seems like it would be awfully
 inconvenient to block all such ports, given that programs
 often need to open connections to non-privileged ports.
 E.g., see below for all the ports that netstat reveals have
 connections currently open.

Sorry, maybe I phrased myself badly.

I, and I think the original poster is in the same situation, have my own box 
behind a separate router, that router is firewalling incoming traffic (WAN - 
Me) and in my case then it does block *all* ports except ones specifically 
allowed by the router admin (in this case, me).

The netstat output you show is, I believe, showing the local ends of any 
outgoing requests you have open, which are not blocked by the router. `netstat 
-l` shows a, what I think is a more relevant, list of ports your machine is 
listening on for incoming connections.

Cheers,

-ol

-- 
I will live forever, or die trying.




Re: Open ports in Debian

2005-11-23 Thread Tim Ruehsen
Hi Rutger,

 PORT    STATE SERVICE
 22/tcp  open  ssh
 25/tcp  open  smtp
 80/tcp  open  http
 111/tcp open  rpcbind
 113/tcp open  auth
 903/tcp open  iss-console-mgr

Before starting nmap, use netstat.
You can find out which program uses which port with
netstat -tulpen

for your internet connected box, leave just the port open that you really 
need. E.g. ssh (port 22) for remote administration, web-server (port 80), 
etc..

Maybe it tells that inetd has ports 111 and 113 open. Just stop inetd and see, 
that all the needed functionality is still given. If yes, remove the related 
inetd package or remove the startup scripts with
update-rc.d -f name-of-startup-script remove

For your port 25 mailserver: If you just need to send emails (with queueing), 
try configure it to listen on localhost only.

ssh: you can configure the ssh daemon to listen on port x instead of 22. 
This 'hides' it a bit (ok, a lot) - typical port scans just check the typical 
ports. You should still use a random password with more than 8 chars.

http: there is much documentation about securing webservers (e.g. apache).
You can check your webserver configuration for security holes with a program 
called 'nikto' (from remote).

As a thing of favour, you can set up a firewall with iptables.
You should also keep your software up-to-date.
Of course there still is the chance to be hacked. It might help to install 
chkrootkit and rkhunter which regularly check for infected files.

After all I am not an admin nor a security expert. These guys would have tons 
of other hints and advices. There are also some howtos about securing a box.

Have fun,

Tim
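Brian's remark that "open" just means "running", and Tim's advice to start with netstat rather than nmap, both come down to reading netstat's Local Address column: a socket on 127.0.0.1 or ::1 is open only to processes on the machine itself, one on 0.0.0.0 or :: is open on every interface. The following added example (my own shell script, not code from the thread) does that reading over netstat output, lists only the wildcard-bound sockets, and diffs them against an allow-list. The netstat listing embedded in it is constructed for the example in netstat's column layout; the PIDs, the program names and the allow-list of tcp/22 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the listening sockets reported
# by "netstat -tulpen" / "netstat -nlptu", keep the ones bound to a wildcard
# address (reachable from the network), drop the loopback-bound ones, and
# report which exposed sockets are not on an allow-list.
# The listing below is constructed for this example in netstat's layout;
# PIDs and program names are invented.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1904/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1020/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1500/exim4
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1646/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1020/sshd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1646/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1904/rpcbind'

# exposed_sockets NETSTAT_FILE
# Prints "proto/port program" for every socket bound to 0.0.0.0 or ::.
# Loopback-bound sockets are skipped: netstat calls them open too, but only
# local processes can reach them, which is what exim4 and CUPS give you by
# default.  tcp6 is folded into tcp so a dual-stack sshd shows up once.
exposed_sockets() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")                  # "0.0.0.0:111" or ":::22"
            port = a[n]                            # the port is always last
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::") next
            prog = $NF; sub(/^[0-9]+\//, "", prog) # "1904/rpcbind" -> "rpcbind"
            proto = $1; sub(/6$/, "", proto)
            print proto "/" port, prog
        }' "$1" | LC_ALL=C sort -u
}

# unexpected_exposure NETSTAT_FILE ALLOWED...
# Prints the exposed sockets whose proto/port (e.g. tcp/22) is not in the
# ALLOWED list.  Anything printed is a service to purge, bind to localhost,
# or firewall.
unexpected_exposure() {
    file=$1; shift
    allowed=" $* "
    exposed_sockets "$file" | while read -r sock prog; do
        case "$allowed" in
            *" $sock "*) ;;
            *) echo "$sock $prog" ;;
        esac
    done
}

# Demo over the constructed listing.  On a real box, as root so the program
# names are filled in:  netstat -nlptu > ns.txt; unexpected_exposure ns.txt tcp/22
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$tmp"
    echo "reachable from the network:"
    exposed_sockets "$tmp"
    echo "not on the allow-list (tcp/22 only):"
    unexpected_exposure "$tmp" tcp/22
    rm -f "$tmp"
}

demo
```

The parser expects netstat's columns; `ss -lntup` prints a different layout and would need the field numbers adjusted. On Ralf's listing further up, the udp 0.0.0.0:631 socket is not governed by the `Listen` directive at all: in CUPS 1.x it is the printer-browsing listener, and `Browsing Off` in cupsd.conf is what closes it.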





Open ports in Debian

2005-11-22 Thread Rutger Wessels

Hello,

I administer a debian installation that is connected to the Internet. 
When I run nmap, I found the following:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-23 00:29 CET
Interesting ports on xx
(The 1657 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
903/tcp open  iss-console-mgr

22,25,80 that are the ones I understand. But what are the other ones? Is 
it harmful to have them open?


I run Debian Stable and apt-get upgrade tells me I am up-to-date.

regards,
Rutger






Re: Open ports in Debian

2005-11-22 Thread Oliver Lupton
On Wed, 23 Nov 2005 00:54:13 +0100
Rutger Wessels [EMAIL PROTECTED] wrote:
 113/tcp open  auth

That's an 'ident' daemon I believe. _very_ primitive security, some braindead 
IRC networks require it to be running and doubtlessly other things will require 
it too.

HTH

-ol

-- 
I will live forever, or die trying.




Re: Open ports in Debian

2005-11-22 Thread mikepolniak
On 00:54 Wed 23 Nov , Rutger Wessels wrote:
 Hello,
 
 I administer a debian installation that is connected to the Internet. 
 When I run nmap, I found the following:
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-23 00:29 CET
 Interesting ports on xx
 (The 1657 ports scanned but not shown below are in state: closed)
 PORT    STATE SERVICE
 22/tcp  open  ssh
 25/tcp  open  smtp
 80/tcp  open  http
 111/tcp open  rpcbind
 113/tcp open  auth
 903/tcp open  iss-console-mgr
 
 22,25,80 that are the ones I understand. But what are the other ones? Is 
 it harmful to have them open?

You can grep 113 /etc/services and find many services.
 Also you scanned 1657 ports with nmap. To scan more add the ports
option:
-p 20-65535





Re: Open ports in Debian

2005-11-22 Thread Michael Gregg

port 111 will be used by rpc processes like NIS and NFS. 
port 113 is identd, used to identify the owner of a connection. 
port 903... I'm not sure. 

If your box is up on the world, I would suggest making an iptables (or
equivalent) script that will block all but the wanted ports. 

I.e., having these ports open can be harmful. I leave these things open
on my internal network, but on my public webserver I only open what I
need and deny everything else.

On Wed, 2005-11-23 at 00:54 +0100, Rutger Wessels wrote:
 Hello,
 
 I administer a debian installation that is connected to the Internet. 
 When I run nmap, I found the following:
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-23 00:29 CET
 Interesting ports on xx
 (The 1657 ports scanned but not shown below are in state: closed)
 PORT    STATE SERVICE
 22/tcp  open  ssh
 25/tcp  open  smtp
 80/tcp  open  http
 111/tcp open  rpcbind
 113/tcp open  auth
 903/tcp open  iss-console-mgr
 
 22,25,80 that are the ones I understand. But what are the other ones? Is 
 it harmful to have them open?
 
 I run Debian Stable and apt-get upgrade tells me I am up-to-date.
 
 regards,
 Rutger
 
 





Re: All these open ports

2004-10-26 Thread Jon Dowland
On Thu, 19 Aug 2004 19:44:06 -0600, Dana J. Laude [EMAIL PROTECTED] wrote:

 Or better yet, Jon should checkout the following link:
 http://www.debian.org/doc/user-manuals#securing
 
 The harden-doc is outdated except on unstable, so you're better
 off reading the online version at the above page.

Thanks - that is a good guide.

-- 
Jon Dowland
[EMAIL PROTECTED]





Re: All these open ports

2004-09-23 Thread Frederik Dannemare
On Tuesday 21 September 2004 11:57, Tom Allison wrote:
 [EMAIL PROTECTED] wrote:
 If a port is open, and associated with a program which isn't from a
 debian package and you don't believe you put it there yourself -
  its time to consider the possibility your machine has been
  compromised.
 
  Okay...  that gives me an opening to try this again.
 
  At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
  knee-jerk reaction, I will mention that the Gatesware-based
  firewall packages (like Zone Alarm) will detect *outgoing*
  connection attempts and query whether they are legitimate.

Query how? Based on what rules is an outgoing connection 
allowed/disallowed?

 
  There has been some discussion on the net w/r/t the fact that
  apparently the later (per)versions of Gatesware have some trojans
  embedded in the OS, which will connect to Billsoft to report your
  social security number, sexual preference, etc. etc. - the point
  being that (allegedly) the
  commercial firewall products can't detect such attempts to phone
  home.
 
  In any case, I've as yet been unable to find any way of getting
  detection and authorization of outgoing requests with any
  of the Linux firewalls, or with IPtables - although I can hardly
  say that
  I've thoroughly done my homework - but I have asked here and there
  and thus far no one seems to know.  The Paradigm seems to be that
  if it's something that got spawned on your machine, and is trying
  to connect
  outward, it by definition must be legitimate, so it gets granted a
  port, unless whatever port it is requesting is *already* explicitly
  blocked by iptables or whatever for some reason.

Using 'policy drop' for outgoing traffic, and then explicitly allowing 
certain traffic would do what you want, if I understand your question 
correctly.

Try using something like firehol (firehol.sf.net), where it's really 
easy and convenient to define rules.

  (Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS
  THEN!!!)

 There's several aspects of this that you have overlooked regarding
 just the basics of iptables and the state of TCP/IP today.

 First, iptables can be configured such that filtered port traffic can
 be directed into userspace wherein you can do anything you would like
 to with them, including adding rules to permit their traffic.

 The methods by which you could query outgoing traffic is numerous
 with or without iptables.

 But more importantly you have to understand that you cannot block and
 query all traffic going out from your computer.  If you did that, you
 would block FTP for the majority of environments.  Namely, passive
 mode FTP which was popularized by Microsoft.  Prior to this everyone
 had the notion of connection through the control and data ports which
 were traceable and identifiable.

 Passive mode FTP allows you to make a high port connection to another
 high port connection.  Both of these port numbers are not defined
 until the connection is attempted.  This connection cannot be
 filtered in iptables because you have to create a high-port to
 high-port connection ACCEPT rule in order for passive mode to work. 
[ snip ]

Why not just use connection tracking? Load the ip_conntrack_ftp module 
and create proper iptables rules. Iptables will then be able to 
recognize the high-port connection as RELATED to the original 
connection to port 21.

B/R,
-- 
Frederik Dannemare | mailto:[EMAIL PROTECTED]
http://qa.debian.org/developer.php?login=Frederik+Dannemare
http://frederik.dannemare.net | http://www.linuxworlddomination.dk
Key fingerprint: BB7B 078A 0DBF 7663 180A  F84A 2D25 FAD5 9C4E B5A8





Re: All these open ports

2004-09-22 Thread Tim Kelley
On Tuesday 21 September 2004 04:57, Tom Allison wrote:

  At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
  knee-jerk reaction, I will mention that the Gatesware-based firewall
  packages (like Zone Alarm) will detect *outgoing* connection attempts
  and query whether they are legitimate.
 
  There has been some discussion on the net w/r/t the fact that apparently
  the later (per)versions of Gatesware have some trojans embedded in the
  OS, which will connect to Billsoft to report your social security
  number, sexual preference, etc. etc. - the point being that (allegedly)

Well, there isn't any easy way I know of to do this on linux, however, it 
really is a case of a solution in search of a problem.  This sort of thing 
really isn't an issue with free software, or really with any properly 
designed system.

-- 
  _   _   _   _   _   _   _   _   _   _   _   _   _  
 / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ 
( t | i | m | @ | i | t | . | k | p | t | . | c | c )
 \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ 
GPG key fingerprint = 1DEE CD9B 4808 F608 FBBF  DC21 2807 D7D3 09CA 85BF





Re: All these open ports

2004-09-22 Thread Dave Howorth
Tom Allison wrote:
 More importantly today is to understand how 99.9% of the virus and 
 malware is transmitted today.  It's not through unfiltered ports and 
 such as described in your original email, but through the email 
 mechanism (or http) itself.  And while I don't have any hard numbers at 
 my desk to support the 99.9% claim, I don't believe it to be too far off 
 the mark.

My machine at home receives some kind of port scan on average about 
every three seconds. That's a lot higher rate than it receives spam. Am 
I the 0.1%?

Cheers, Dave



Re: All these open ports

2004-09-22 Thread Johann Koenig
On Wednesday September 22 at 02:36pm
Dave Howorth [EMAIL PROTECTED] wrote:

 Tom Allison wrote:
  More importantly today is to understand how 99.9% of the virus and 
  malware is transmitted today.  It's not through unfiltered ports and
  such as described in your original email, but through the email 
  mechanism (or http) itself.  And while I don't have any hard numbers
  at my desk to support the 99.9% claim, I don't believe it to be too
  far off the mark.
 
 My machine at home receives some kind of port scan on average about 
 every three seconds. That's a lot higher rate than it receives spam.
 Am I the 0.1%?

Port scan != virus/malware
-- 
-johann koenig
Now Playing: Project 86 - Rebuttal : Safety First
Today is Setting Orange, the 46th day of Bureaucracy in the YOLD 3170
My public pgp key: http://mental-graffiti.com/pgp/




Re: All these open ports

2004-09-21 Thread Tom Allison
[EMAIL PROTECTED] wrote:
  If a port is open, and associated with a program which isn't from a
  debian package and you don't believe you put it there yourself - it's
  time to consider the possibility your machine has been compromised.

 Okay...  that gives me an opening to try this again.

 At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
 knee-jerk reaction, I will mention that the Gatesware-based firewall
 packages (like Zone Alarm) will detect *outgoing* connection attempts
 and query whether they are legitimate.

 There has been some discussion on the net w/r/t the fact that apparently
 the later (per)versions of Gatesware have some trojans embedded in the
 OS, which will connect to Billsoft to report your social security
 number, sexual preference, etc. etc. - the point being that (allegedly)
 the commercial firewall products can't detect such attempts to phone home.

 In any case, I've as yet been unable to find any way of getting
 detection and authorization of outgoing requests with any
 of the Linux firewalls, or with IPtables - although I can hardly say
 that I've thoroughly done my homework - but I have asked here and there and
 thus far no one seems to know.  The Paradigm seems to be that if
 it's something that got spawned on your machine, and is trying to
 connect outward, it by definition must be legitimate, so it gets granted a port,
 unless whatever port it is requesting is *already* explicitly blocked
 by iptables or whatever for some reason.

 (Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)

There are several aspects of this that you have overlooked regarding just 
the basics of iptables and the state of TCP/IP today.

First, iptables can be configured such that filtered port traffic can be 
directed into userspace wherein you can do anything you would like to 
with them, including adding rules to permit their traffic.

The methods by which you could query outgoing traffic are numerous with 
or without iptables.

But more importantly you have to understand that you cannot block and 
query all traffic going out from your computer.  If you did that, you 
would block FTP for the majority of environments.  Namely, passive mode 
FTP which was popularized by Microsoft.  Prior to this everyone had the 
notion of connection through the control and data ports which were 
traceable and identifiable.

Passive mode FTP allows you to make a high port connection to another 
high port connection.  Both of these port numbers are not defined until 
the connection is attempted.  This connection cannot be filtered in 
iptables because you have to create a high-port to high-port connection 
ACCEPT rule in order for passive mode to work.  This iptables rule will 
allow anything to connect so you get into a lot of problems with being 
able to connect trojans or viruses in the same manner.

More importantly today is to understand how 99.9% of the virus and 
malware is transmitted today.  It's not through unfiltered ports and 
such as described in your original email, but through the email 
mechanism (or http) itself.  And while I don't have any hard numbers at 
my desk to support the 99.9% claim, I don't believe it to be too far off 
the mark.

If you want to block a vast majority of the virus problems on the 
internet today then email should be configured to not execute anything 
when it receives a message and the MSIE browser should be fixed so that 
I cannot send an EXE file with a TEXT/HTML description, allowing your 
browser to download it as HTML and then the file explorer portion of the 
browser functionality to execute the EXE file based on name extension.

These are fundamental mistakes in software design that would never have 
been allowed if intelligent people were in charge.  While I deeply 
loathe MSFT for more good reasons than I can publish in a day, I think 
these security problems are evidence of Marketing superseding the 
Engineering forces in the company, resulting in some really stupid 
things being done for some eye-candy reasons.  Engineering isn't stupid, 
they're just asked to do some really stupid things.




Re: All these open ports

2004-08-25 Thread listcomm
 So what exactly are you worried about?  A program uploading 
 sensitive data to a random server?  Well the easiest way for a program 
 to do that is to invoke sendmail to e-mail the information to the 
 server. In which case the program never attempts to open a port, your 
 m-t-a does. Your m-t-a opening a port is the most normal thing in the 
 world.  Or if for some reason you don't have your m-t-a properly 
 configured, it could invoke ssh or lynx or ...

You're right; there are as many opportunities for paranoia WRT what
on my system could phone home in which manner.

I think for Linux to be secured against that sort of thing, there would
have to be a kernel hook that logged PIDs of processes that got spawned,
and then watched to see if that PID attempted an outgoing access of some
sort.  (I'm not volunteering to write *that*...).

I've similarly wondered if the Gatesware equivalents (the personal
firewalls) are capable of detecting outgoing accesses by things that
aren't invoked by the user...  probably not, and the corresponding
vulnerability is probably there for Windoze systems as well, as I
mentioned earlier...

The thing is, that sort of malicious code could be embedded in anything
you install.  The only thing protecting you is the traceability of the
code and concomitant liability of the perpetrator to prosecution.
Otherwise half the frustrated geeks in the world would be embedding
their little projects in their employer's products.  I don't know about
you, but that sort of protection doesn't make me feel secure in general
- I want some sort of process monitoring that can detect outgoing
communication attempts.

The fact that it hasn't happened yet, doesn't reduce my paranoia one
bit.  Moreover, the attitude of Linux people that they're somehow immune
because of the limited distribution of Linux compared to the Gatesware
installed base, is just whistling in the dark, cum laude.  From the
responses I get in general, the general attitude seems to be to shrug it
off because no one can do anything about it.

Again, you're right, though, that I'm too narrowly focused WRT the real
issue.  Maybe this discussion really belongs on a linux security list...

Thanks for your input -





RE: All these open ports

2004-08-25 Thread Steven Jones
From what I recall of a discussion over SP2 for XP with a MS rep, their firewall 
should have lots of fun trying to figure out what is legit outgoing and what is 
not

;0

regards

Thing




Re: All these open ports

2004-08-25 Thread listcomm

On Mon, 23 Aug 2004 13:05:00 +0800, Katipo [EMAIL PROTECTED]
said:

 In any case, I've as yet been unable to find any way of getting
 detection and authorization of outgoing requests with any
 of the Linux firewalls, or with IPtables - although I can hardly say
 that
 I've thoroughly done my homework
 
 Even firestarter provides some degree of configurability in this respect.

It will block ports on an individual basis, if you can identify
them as needing to be blocked - but AFAIK the iptables script it sets
up, defaults to forwarding all requests from internal processes.  (If I'm
wrong about that, or if there is some way to get it even to flag
outgoing access attempts by newly spawned processes, I'd like to know
about it...)

 Asking in the right place helps.
 A number of people here would have the answers you're looking for, but 
 Debian has a firewall list.

Yes - I asked about that earlier.  I posted to the firewall list
earlier, in fact, and got no response at all.  Additionally, there is a
lot of traffic on here other than my own, WRT firewall and iptables
subjects.  I'll cross-post this to the firewall list, but I'm really
getting the impression it doesn't get used much...  maybe I'm wrong, but
I'm signed up on it and don't see as much traffic on there as I do about
firewall on the users list.


 It might be an idea to check out apps like tinyhoneypot amongst others, 
 also.

Thanks... I'll do that - it sounds like there's at least one area I
haven't explored yet...


 (Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)
 
 Failing that, go run windows.

Why, thank you.  I needed that.  (But not to worry, I'm on my way out of
Billyworld permanently, one way or the other, difficulties
notwithstanding...)





Re: All these open ports

2004-08-25 Thread Mezig

For a fast but supposedly secure FW, can't you use 'ShieldUP' from the site :
http://www.grc.com/ ? It closes all the ports under nux and win-sheet too 
:(! and is documented : ) !

If it may be of help :) ?
Cheers
Mi




Re: All these open ports

2004-08-25 Thread Robert Vangel
ShieldsUP! isn't a firewall, it's just a service which port scans you and
tells you the results.


-- 
Robert Vangel
  * RedFlag LANfest
Network Services Management





Re: All these open ports

2004-08-23 Thread Travis Crump
[EMAIL PROTECTED] wrote:
  If a port is open, and associated with a program which isn't from a
  debian package and you don't believe you put it there yourself - it's
  time to consider the possibility your machine has been compromised.

 Okay...  that gives me an opening to try this again.
 At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
 knee-jerk reaction, I will mention that the Gatesware-based firewall
 packages (like Zone Alarm) will detect *outgoing* connection attempts
 and query whether they are legitimate.
 There has been some discussion on the net w/r/t the fact that apparently
 the later (per)versions of Gatesware have some trojans embedded in the
 OS, which will connect to Billsoft to report your social security
 number, sexual preference, etc. etc. - the point being that (allegedly)
 the commercial firewall products can't detect such attempts to phone home.
 In any case, I've as yet been unable to find any way of getting
 detection and authorization of outgoing requests with any
 of the Linux firewalls, or with IPtables - although I can hardly say
 that I've thoroughly done my homework - but I have asked here and there and
 thus far no one seems to know.  The Paradigm seems to be that if
 it's something that got spawned on your machine, and is trying to
 connect outward, it by definition must be legitimate, so it gets granted a port,
 unless whatever port it is requesting is *already* explicitly blocked
 by iptables or whatever for some reason.

So what exactly are you worried about?  A program uploading 
sensitive data to a random server?  Well the easiest way for a program 
to do that is to invoke sendmail to e-mail the information to the 
server. In which case the program never attempts to open a port, your 
m-t-a does. Your m-t-a opening a port is the most normal thing in the 
world.  Or if for some reason you don't have your m-t-a properly 
configured, it could invoke ssh or lynx or ...





Re: All these open ports

2004-08-22 Thread listcomm

 If a port is open, and associated with a program which isn't from a
 debian package and you don't believe you put it there yourself - it's
 time to consider the possibility your machine has been compromised.

Okay...  that gives me an opening to try this again.

At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!!
knee-jerk reaction, I will mention that the Gatesware-based firewall
packages (like Zone Alarm) will detect *outgoing* connection attempts
and query whether they are legitimate.

There has been some discussion on the net w/r/t the fact that apparently
the later (per)versions of Gatesware have some trojans embedded in the
OS, which will connect to Billsoft to report your social security
number, sexual preference, etc. etc. - the point being that (allegedly)
the commercial firewall products can't detect such attempts to phone home.

In any case, I've as yet been unable to find any way of getting
detection and authorization of outgoing requests with any
of the Linux firewalls, or with IPtables - although I can hardly say
that I've thoroughly done my homework - but I have asked here and there and
thus far no one seems to know.  The Paradigm seems to be that if
it's something that got spawned on your machine, and is trying to
connect outward, it by definition must be legitimate, so it gets granted a port,
unless whatever port it is requesting is *already* explicitly blocked
by iptables or whatever for some reason.

(Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)





Re: Firewall packages (was: All these open ports)

2004-08-22 Thread listcomm

 You could get something close to Zone Alarm (minus the application
 permissions stuff) with a very short iptables script which set the
 policies for INPUT and FORWARD to DROP, and OUTPUT to ACCEPT, and adding
 a couple of rules for allowing related and established connections on
 the INPUT chain.  I'm sure there are basic HOWTOs on this floating
 around - google for something like iptables introduction and you
 should find some good hits.

Actually, that's sort of what the firestarter (and probably the other
firewall packages?) does - it generates a control script with a bunch
of iptables entries.  And, you're right, there are plenty of sample
scripts, etc. available.

But thus far, it's the application permissions (and some of the logging)
that escapes me.  The problem is, I'm lazy and would rather find
something already implemented, if possible.  But if no such thing
exists, I'll eventually hack something together.  (Which defines the
real issue:  how do I prove that no such thing exists?  Didn't Aristotle
have something to say about that??)





Re: All these open ports

2004-08-22 Thread Katipo
[EMAIL PROTECTED] wrote:
  If a port is open, and associated with a program which isn't from a
  debian package and you don't believe you put it there yourself - it's
  time to consider the possibility your machine has been compromised.

 Okay...  that gives me an opening to try this again.

 snip
 In any case, I've as yet been unable to find any way of getting
 detection and authorization of outgoing requests with any
 of the Linux firewalls, or with IPtables - although I can hardly say
 that
 I've thoroughly done my homework

Even firestarter provides some degree of configurability in this respect.

 - but I have asked here and there and
 thus far no one seems to know.

Asking in the right place helps.
A number of people here would have the answers you're looking for, but 
Debian has a firewall list.

 The Paradigm seems to be that if
 it's something that got spawned on your machine, and is trying to
 connect
 outward, it by definition must be legitimate, so it gets granted a port,
 unless whatever port it is requesting is *already* explicitly blocked
 by iptables or whatever for some reason.

With Debian you can configure for literally any eventuality.
It might be an idea to check out apps like tinyhoneypot amongst others, 
also.

 (Okay, now, everybody yell in unison:  WELL GO RUN WINDOWS THEN!!!)

Failing that, go run windows.
Regards,
David.



Re: All these open ports

2004-08-19 Thread Dana J. Laude
Jon Dowland wrote:
 On Fri, 13 Aug 2004 21:56:17 -0400, Tong [EMAIL PROTECTED] wrote:
  Hi,
  I've just noticed that my debian testing opens many ports by default:
  How can I close them?

 Firstly open up the rc file for your inetd (e.g. /etc/inetd.conf) and
 comment out any lines you don't need. This should do (at least)
 discard, echo, daytime.
 Then, determine which programs are responsible for the remaining open
 ports. Stop them from running and prevent them from starting by
 default if necessary. How to do this varies on an
 application-to-application basis; but can probably be forced by
 removing the package in question (if you aren't using it at all) or
 using update-rc.d (I think).
 If a port is open, and associated with a program which isn't from a
 debian package and you don't believe you put it there yourself - it's
 time to consider the possibility your machine has been compromised.

Or better yet, Jon should check out the following link:
http://www.debian.org/doc/user-manuals#securing
The harden-doc is outdated except on unstable, so you're better 
off reading the online version at the above page.

Dana



Re: Firewall packages (was: All these open ports)

2004-08-18 Thread Paul Gear
[EMAIL PROTECTED] wrote:
 ...
 Thus far, I haven't been able to find anything that provides
 canned-up functionality of the nature of the Windows Zone Alarm,
 although I can probably overcome that by iptables scripting,
 whereas with the Windows firewalls you get whatever is there
 and have to live with it.

You could get something close to Zone Alarm (minus the application
permissions stuff) with a very short iptables script which set the
policies for INPUT and FORWARD to DROP, and OUTPUT to ACCEPT, and adding
a couple of rules for allowing related and established connections on
the INPUT chain.  I'm sure there are basic HOWTOs on this floating
around - google for something like iptables introduction and you
should find some good hits.

-- 
Paul
http://paulgear.webhop.net
--
Did you know?  If you use two dashes followed by a space as your
signature separator, good email programs will chop them off
automatically, reducing noise in email replies.





Re: All these open ports

2004-08-18 Thread Mike Ward
Generally speaking, to close a port, you shut down whatever daemon is
listening on it. For example, if you had port 80 open, and want to
close it, shut down your web server (apache or whatever else).

Same with ssh - to close that port, shut down sshd.

On Fri, 13 Aug 2004 21:56:17 -0400, Tong [EMAIL PROTECTED] wrote:
 Hi,
 
 I've just noticed that my debian testing opens many ports by default:
 
 tcp0  0 *:dict  *:* LISTEN
 tcp0  0 *:time  *:* LISTEN
 tcp0  0 *:discard   *:* LISTEN
 tcp0  0 *:682   *:* LISTEN
 tcp0  0 *:daytime   *:* LISTEN
 tcp0  0 *:sunrpc*:* LISTEN
 tcp0  0 *:www   *:* LISTEN
 tcp0  0 *:x11-1 *:* LISTEN
 tcp0  0 *:auth  *:* LISTEN
 tcp0  0 *:ssh   *:* LISTEN
 tcp0  0 cxmr.dyndns.org:8118*:* LISTEN
 tcp0  0 cxmr.dyndns.org:822 *:* LISTEN
 tcp0  0 *:ipp   *:* LISTEN
 tcp0  0 *:3128  *:* LISTEN
 
 udp0  0 *:discard   *:*
 udp0  0 *:676   *:*
 udp0  0 *:679   *:*
 udp0  0 *:icpv2 *:*
 udp0  0 *:bootpc*:*
 udp0  0 *:sunrpc*:*
 udp0  0 *:ipp   *:*
 
 How can I close them?
 
 Thanks
 
 






Re: All these open ports

2004-08-18 Thread Jon Dowland
On Fri, 13 Aug 2004 21:56:17 -0400, Tong [EMAIL PROTECTED] wrote:
 Hi,
 
 I've just noticed that my debian testing opens many ports by default:
 
 How can I close them?

Firstly open up the rc file for your inetd (e.g. /etc/inetd.conf) and
comment out any lines you don't need. This should do (at least)
discard, echo, daytime.

Then, determine which programs are responsible for the remaining open
ports. Stop them from running and prevent them from starting by
default if necessary. How to do this varies on an
application-to-application basis; but can probably be forced by
removing the package in question (if you aren't using it at all) or
using update-rc.d (I think).

If a port is open, and associated with a program which isn't from a
debian package and you don't believe you put it there yourself - it's
time to consider the possibility your machine has been compromised.

-- 
Jon Dowland
[EMAIL PROTECTED]





Re: Firewall packages (was: All these open ports)

2004-08-17 Thread listcomm
 There are other available packages:
 I use FireHOL

 I used to use iptables + wondershaper in RH. I notice there are many
 ready-made firewall packages available in Debian. I'm wondering which one
 is recommended (ease of use, updated frequently, etc.)? 

So am I, but I don't think this is the right place to ask.
It seems like most people here just hack iptables directly.

There's also a Debian firewall mailing list, but I posted
something there and got no replies, so I'm not sure it's used
very much.

If you do a web search for debian firewall you'll probably find
any number of other sites with firewall related forums where you
can ask that question (I think there's one on the sourceforge site).

I just loaded Firestarter because it seemed to be trendy firewall
of the week, so maybe I'd be able to get support for it.  But I could
be wrong about both of those things...  In any case, it doesn't provide
all the functionality I want, and I expect to have to hack its
iptables infrastructure (actually, being able to get at the iptables
commands it uses as a foundation is a plus).

Thus far, I haven't been able to find anything that provides
canned-up functionality of the nature of the Windows Zone Alarm,
although I can probably overcome that by iptables scripting,
whereas with the Windows firewalls you get whatever is there
and have to live with it.





Re: All these open ports

2004-08-14 Thread Andreas Janssen
Hello

Tong ([EMAIL PROTECTED]) wrote:

 I've just noticed that my debian testing opens many ports by default:

Some of them are opened by inetd. You can use dpkg-reconfigure inetd,
or edit /etc/inetd.conf and comment out the protocols you don't need.
After that, restart inetd.

 tcp0  0 *:www   *:*   LISTEN

This is a web server, maybe apache. It probably runs in standalone mode.
If you don't need it, deinstall it. You can also bind it to some or
several IPs like Cups or ssh.

 tcp0  0 *:x11-1 *:*   LISTEN

Check your login manager. Maybe it opens a port. Look for Xservers files
on your system. If you use kdm, open /etc/kde3/kdm/Xservers, and change
all the lines like this:

original:
:0 [EMAIL PROTECTED] /usr/X11R6/bin/X vt7

changed:
:0 [EMAIL PROTECTED] /usr/X11R6/bin/X -nolisten tcp vt7

 tcp0  0 *:auth  *:*LISTEN

Some identd, like oidentd or pidentd. Probably run from inetd, and
pretty harmless. You may need this one for some IRC networks. If you
don't need it, deinstall it. 

 tcp0  0 *:ssh   *:*LISTEN

Well, you should know what this is. You can configure ssh to listen only
to selected IPs, e.g. those of your LAN interface, if you want. Check
the sshd_config man page.

 tcp0  0 *:ipp   *:*LISTEN

Probably Cups printing. If you only use the printer on the computer Cups
runs on, open /etc/cups/cupsd.conf, replace Port 631 by 
Listen 127.0.0.1:631 and restart Cups.

 udp0  0 *:ipp   *:*

Again Cups, this time browsing for network printers. If you don't need
this, change Browsing On to Browsing Off in /etc/cups/cupsd.conf.

best regards
Andreas Janssen

-- 
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps.html





Re: All these open ports

2004-08-14 Thread Jerome BENOIT

[EMAIL PROTECTED] wrote:
I've just noticed that my debian testing open many ports by default:
tcp0  0 *:dict  *:* LISTEN
tcp0  0 *:time  *:* LISTEN
tcp0  0 *:discard   *:* LISTEN
tcp0  0 *:682   *:* LISTEN 

I'm curious which utility produced that listing; I haven't seen lsof
produce that - ?

Buy a firewall or set up iptables.

You can just load the Firestarter package; it will allow you to block
ports (via a generated iptables script).
There are other available packages:
I use FireHOL





Re: All these open ports

2004-08-14 Thread Tong
On Fri, 13 Aug 2004 23:55:46 -0600, s. keeling wrote:

 Incoming from [EMAIL PROTECTED]:
 
 I've just noticed that my debian testing open many ports by default:
 
 tcp0  0 *:dict  *:* LISTEN
 
 I'm curious which utility produced that listing; I haven't seen lsof
 produce that - ?
 
 That would be /bin/netstat -tnupl or something like that.

Yeah, I just used 

netstat -a







Firewall packages (was: All these open ports)

2004-08-14 Thread Tong
On Sat, 14 Aug 2004 11:07:58 +0200, Jerome BENOIT wrote:

Buy a firewall or set up iptables.
 
 You can just load the Firestarter package; it will allow you to block
 ports (via a generated iptables script).
 
 There are other available packages:
 I use FireHOL

I used to use iptables + wondershaper in RH. I notice there are many
ready-made firewall packages available in Debian. I'm wondering which one
is recommended (ease to use/updated frequently, etc)? 







All these open ports

2004-08-13 Thread Tong
Hi, 

I've just noticed that my debian testing open many ports by default: 

tcp0  0 *:dict  *:* LISTEN 
tcp0  0 *:time  *:* LISTEN 
tcp0  0 *:discard   *:* LISTEN 
tcp0  0 *:682   *:* LISTEN 
tcp0  0 *:daytime   *:* LISTEN 
tcp0  0 *:sunrpc*:* LISTEN 
tcp0  0 *:www   *:* LISTEN 
tcp0  0 *:x11-1 *:* LISTEN 
tcp0  0 *:auth  *:* LISTEN 
tcp0  0 *:ssh   *:* LISTEN 
tcp0  0 cxmr.dyndns.org:8118*:* LISTEN 
tcp0  0 cxmr.dyndns.org:822 *:* LISTEN 
tcp0  0 *:ipp   *:* LISTEN 
tcp0  0 *:3128  *:* LISTEN 

udp0  0 *:discard   *:*
udp0  0 *:676   *:*
udp0  0 *:679   *:*
udp0  0 *:icpv2 *:*
udp0  0 *:bootpc*:*
udp0  0 *:sunrpc*:*
udp0  0 *:ipp   *:*

How can I close them? 

Thanks







Re: All these open ports

2004-08-13 Thread Stefan O'Rear
On Fri, Aug 13, 2004 at 09:56:17PM -0400, Tong wrote:
 Hi, 
 
 I've just noticed that my debian testing open many ports by default: 

Uninstall the respective services. Or, use a firewalling system
(dedicated firewall, iptables, etc...)

To find out what service uses what port:

stefan:~$ sudo lsof -i tcp:www  # substitute your port name/number
Password:
COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
apache  221 root   16u  IPv4173   TCP *:www (LISTEN)
apache  629 root   16u  IPv4173   TCP *:www (LISTEN)
apache  630 root   16u  IPv4173   TCP *:www (LISTEN)
apache  631 root   16u  IPv4173   TCP *:www (LISTEN)
apache  632 root   16u  IPv4173   TCP *:www (LISTEN)
apache  633 root   16u  IPv4173   TCP *:www (LISTEN)

 How can I close them? 

Buy a firewall or set up iptables.

I'm sure you want to be able to print/see graphics/ssh in.

Note that some services have options to use UNIX-domain sockets
exclusively, such as the X-server (look for -nolisten tcp, etc).

You probably don't use all of these:
  Webserver? If no, no apache.
  Dict Server? Disable. The client uses dict.org, not localhost.
  XServer? If you don't use the windowing system, get rid of it (note:
  _not_ using it is rare, GNOME/KDE require it)
  SSH?
  CUPS? (network printing)

As for discard/time/daytime, you need to comment out lines in your
/etc/inetd.conf (but how can you exploit a service whose purpose is to
discard everything you throw at it?)

I share a LAN with my parents' Windoze boxes, and my LAN is already
firewalled, so I didn't worry much about this...



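The posts above do the "which service owns this port, and is it reachable from outside?" check by hand with netstat, lsof, fuser and a grep through /etc/services. The following is an added example (not code from any of the list posts) that automates the same join: it reads /proc/net/tcp-format text and /etc/services-format text, so it runs on the constructed samples embedded below; on a Linux host you can pass the real files. It assumes a little-endian machine for the hex address layout, which is what x86 Debian boxes produce.

```python
"""Map listening TCP sockets to /etc/services names and flag exposure.
Added example, not from the mailing-list posts.  Works on constructed
/proc/net/tcp and /etc/services samples; pass real file contents on Linux."""
import socket
import struct

# Constructed sample in /proc/net/tcp format.  Addresses are hex in host
# byte order (little-endian assumed, as on x86); state 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1
   3: 0100007F:C76A 0A00000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1237 1
"""

# Constructed excerpt in /etc/services format: name port/proto [aliases] # comment
SAMPLE_SERVICES = """\
# Network services, Internet style
discard     9/tcp       sink null
discard     9/udp       sink null
ssh         22/tcp
sunrpc      111/tcp     portmapper  # RPC 4.0 portmapper TCP
sunrpc      111/udp     portmapper  # RPC 4.0 portmapper UDP
ipp         631/tcp                 # Internet Printing Protocol
ipp         631/udp
"""


def parse_services(text):
    """Return {(port, proto): name} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        table[(int(port), proto)] = fields[0]
    return table


def decode_addr(hex_addr):
    """'0100007F:0277' -> ('127.0.0.1', 631).  The kernel prints the IPv4
    address as a 32-bit host-order integer, hence the little-endian unpack."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text):
    """Return [(ip, port)] for every socket in LISTEN state (st == 0A).
    Established connections (state 01) are skipped: they are not open ports."""
    listeners = []
    for line in text.splitlines()[1:]:            # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        listeners.append(decode_addr(fields[1]))
    return listeners


def report(proc_text, services_text, proto="tcp"):
    """Join listeners with service names and say who can reach each one:
    a bind to 0.0.0.0 answers on every interface, while a bind to 127.0.0.1
    (Cups after 'Listen 127.0.0.1:631', for instance) is local only."""
    names = parse_services(services_text)
    rows = []
    for ip, port in parse_listeners(proc_text):
        rows.append({
            "ip": ip,
            "port": port,
            "service": names.get((port, proto), "unknown"),
            "exposure": "loopback only" if ip.startswith("127.") else "all interfaces",
        })
    return rows


if __name__ == "__main__":
    # On a real host: report(open("/proc/net/tcp").read(), open("/etc/services").read())
    for row in report(SAMPLE_PROC_NET_TCP, SAMPLE_SERVICES):
        print(f"{row['ip']}:{row['port']:<5} {row['service']:<8} {row['exposure']}")
```

Ports that come back as "unknown" are the ones worth chasing with `fuser -n tcp <port>` or `lsof -i tcp:<port>`, as later posts in these threads suggest.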


Re: All these open ports

2004-08-13 Thread listcomm

I've just noticed that my debian testing open many ports by default:

tcp0  0 *:dict  *:* LISTEN
tcp0  0 *:time  *:* LISTEN
tcp0  0 *:discard   *:* LISTEN
tcp0  0 *:682   *:* LISTEN 

I'm curious which utility produced that listing; I haven't seen lsof
produce that - ?

 Buy a firewall or set up iptables.

You can just load the Firestarter package; it will allow you to block
ports (via a generated iptables script).





Re: All these open ports

2004-08-13 Thread s. keeling
Incoming from [EMAIL PROTECTED]:
 
 I've just noticed that my debian testing open many ports by default:
 
 tcp0  0 *:dict  *:* LISTEN
 
 I'm curious which utility produced that listing; I haven't seen lsof
 produce that - ?

That would be /bin/netstat -tnupl or something like that.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 





Re: testing open ports on the user's side

2004-05-28 Thread Emma Jane Hogbin
On Thu, May 27, 2004 at 10:32:20PM -0700, Alvin Oga wrote:
  I'm working on a web site that includes streamed rich media files. I need
  a way to test to see which ports the user can access if they're behind a
  firewall. I'm guessing that I need to try and send them an object (a picture
  maybe?) on one of the ports I need information about and then see if the
  picture is received or not.
 
 any secure site will only allow port 80 or port 443 for web ...

It's not the server I'm testing, it's the user. Some streaming video
(RealPlayer) doesn't come through on regular ports so the client wants a
little app that they can ping at the *user* to figure out if they should
send RealPlayer or something else. (I'm working on an auto-detection
suite and my partner is working on the associated wizard/help files.)
Basically we don't want to present the user with the option of RealPlayer
if the port isn't even open for the user to receive the stream.

Not sure if that makes sense yet. It's not so much a Debian question as it
is a general ports on the web question.

thanks,
emma

-- 
Emma Jane Hogbin
[[ 416 417 2868 ][ www.xtrinsic.com ]]





Re: testing open ports on the user's side

2004-05-28 Thread Joost De Cock
On Friday 28 May 2004 15:59, Emma Jane Hogbin hurled the following on the 
wire:
 On Thu, May 27, 2004 at 10:32:20PM -0700, Alvin Oga wrote:
   I'm working on a web site that includes streamed rich media files. I
   need a way to test to see which ports the user can access if they're
   behind a firewall. I'm guessing that I need to try and send them an object
   (a picture maybe?) on one of the ports I need information about and
   then see if the picture is received or not.
 
  any secure site will only allow port 80 or port 443 for web ...

 It's not the server I'm testing, it's the user. Some streaming video
 (RealPlayer) doesn't come through on regular ports so the client wants a
 little app that they can ping at the *user* to figure out if they should
 send RealPlayer or something else.

You will never be very successful if you try to connect to a port on the 
client. Any client with an administrator with half a brain will only allow 
incoming traffic that is part of a connection that originated on the client 
(so-called stateful filtering), with some exceptions like bootp.
Furthermore any client that's behind a device that does NAT is unreachable. 

A client receiving data on a port and a client being reachable and listening 
on a port are 2 different things. Even if the client is open on the internet 
(no firewall or NAT) when you connect to it, you can only see if it sends you 
a RST since that port will be closed.
I really think you'd better let them try to see if it works.

joost









Re: testing open ports on the user's side

2004-05-28 Thread Jacob S.
On Fri, 28 May 2004 09:59:20 -0400
Emma Jane Hogbin [EMAIL PROTECTED] wrote:

 On Thu, May 27, 2004 at 10:32:20PM -0700, Alvin Oga wrote:
   I'm working on a web site that includes streamed rich media files.
   I need a way to test to see which ports the user can access if
   they're behind a firewall. I'm guessing that I need to try and send
   them an object (a picture maybe?) on one of the ports I need
   information about and then see if the picture is received or not.
  
  any secure site will only allow port 80 or port 443 for web ...
 
 It's not the server I'm testing, it's the user. Some streaming video
 (RealPlayer) doesn't come through on regular ports so the client wants
 a little app that they can ping at the *user* to figure out if they
 should send RealPlayer or something else. (I'm working on an
 auto-detection suite and my partner is working on the associated
 wizard/help files.) Basically we don't want to present the user with
 the option of RealPlayer if the port isn't even open for the user to
 receive the stream.
 
 Not sure if that makes sense yet. It's not so much a Debian question
 as it is a general ports on the web question.

In that case, all good ISPs allow connections on just about any port,
provided the connection is initiated from the user side. 

So, I would think rather than trying to ping the user, you need to get
the user's comp to try pulling a small file from the appropriate
port on the server. Even something like a little javascript pulling
some text from a url such as http://www.example.com:5190 (where 5190 is
replaced with the port for RealPlayer) would work to test this, I would
think.

HTH,
Jacob

-- 
GnuPG Key: 1024D/16377135

Random .signature #27:
Have you ever noticed that at trade shows Microsoft is always the one
giving away stress balls? 




Re: testing open ports on the user's side

2004-05-28 Thread Emma Jane Hogbin
On Fri, May 28, 2004 at 07:08:24AM -0700, Alvin Oga wrote:
 grab the plug-info from the users browser ( if its setup to tell you )
 
 use nmap or any port scanner to see if you can scan that port you 
 want on their machine

This is the one I need to know about. Sorry to be so dense, but if I
google nmap and port scanner I'll find exactly what I need?

thanks,
emma

-- 
Emma Jane Hogbin
[[ 416 417 2868 ][ www.xtrinsic.com ]]





Re: testing open ports on the user's side

2004-05-28 Thread Alvin Oga

On Fri, 28 May 2004, Emma Jane Hogbin wrote:

  any secure site will only allow port 80 or port 443 for web ...
 
 It's not the server I'm testing, it's the user. Some streaming video

that secure site works both ways ... user or server ..

 (RealPlayer) doesn't come through on regular ports so the client wants a
 little app that they can ping at the *user* to figure out if they should
 send RealPlayer or something else. (I'm working on an auto-detection
 suite and my partner is working on the associated wizard/help files.)
 Basically we don't want to present the user with the option of RealPlayer
 if the port isn't even open for the user to receive the stream.

grab the plug-info from the users browser ( if its setup to tell you )

use nmap or any port scanner to see if you can scan that port you 
want on their machine

if both are okay send um the 10M *.ra or 1MB *.swf file or anything else

c ya
alvin





Re: testing open ports on the user's side

2004-05-28 Thread Joost De Cock
On Friday 28 May 2004 16:25, Emma Jane Hogbin hurled the following on the 
wire:
 On Fri, May 28, 2004 at 07:08:24AM -0700, Alvin Oga wrote:
  grab the plug-info from the users browser ( if its setup to tell you )
 
  use nmap or any port scanner to see if you can scan that port you
  want on their machine

 This is the one I need to know about. Sorry to be so dense, but if I
 google nmap and port scanner I'll find exactly what I need?

A user can be able to receive traffic on port x, but that port will still be 
closed for a port scan. The user MUST initiate the connection.

Problem is, that's hard, since as someone suggested, picking up something from 
the server on a given port doesn't do any good (I think): the client will 
connect from a random port.









testing open ports on the user's side

2004-05-28 Thread Emma Jane Hogbin
Hi everyone,

I'm working on a web site that includes streamed rich media files. I need
a way to test to see which ports the user can access if they're behind a
firewall. I'm guessing that I need to try and send them an object (a picture
maybe?) on one of the ports I need information about and then see if the
picture is received or not.

There must be some kind of script already written that can do this for me
(Perl package, maybe?).

Any suggestions would be appreciated,
emma

-- 
Emma Jane Hogbin
[[ 416 417 2868 ][ www.xtrinsic.com ]]





Re: testing open ports on the user's side

2004-05-27 Thread Alvin Oga

hi ya

On Fri, 28 May 2004, Emma Jane Hogbin wrote:

 I'm working on a web site that includes streamed rich media files. I need
 a way to test to see which ports the user can access if they're behind a
 firewall. I'm guessing that I need to try and send them an object (a picture
 maybe?) on one of the ports I need information about and then see if the
 picture is received or not.

any secure site will only allow port 80 or port 443 for web ...

all other ports are disallowed ...  ie nothing else will work
- if other ports are allowed ... nice things can also come
into their secure box thru those open ports

- imho, people should download what they want ... not be sent stuff they
  dont want .. no clickie, no object to come down the pike

- you know the pic was received ... by looking at your logs
  and see that xxx bytes of that file was sent vs aborted

- if they have java running in their browser, you can get any other
  info you want if they allow it to send out info

c ya
alvin





Re: open ports question

2002-06-06 Thread Richard Cobbe
Lo, on Wednesday, June 5, Paul Johnson did write:

 
 On Wed, Jun 05, 2002 at 02:32:00PM -0400, tvn1981 wrote:
 
  9/tcp  opendiscard 
 
 Not sure myself...

Standard TCP service; routes everything written to that port to the bit
bucket.  I'm not aware of any security risks here.

  13/tcp opendaytime
  37/tcp opentime   
 
 ntp daemon, you can safely disable these in inetd.conf

No, it's not the ntp daemon; that listens on 123/tcp (see
/etc/services).

The daytime service responds to connections simply by writing the
current time, in human-readable form, to the connection and closing.  I
think time does the same, but in machine-readable format:

[nanny-ogg:~]$ telnet localhost time
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ÀªH¤Connection closed by foreign host.
[nanny-ogg:~]$ telnet localhost daytime
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Thu Jun  6 15:46:32 2002
Connection closed by foreign host.

Far as I know, you can safely disable these (I'm not running inetd at
all on either of my two machines, and nobody's complained at me yet).
As with discard, though, I don't know if they're a security risk.

  113/tcpopenauth
 
 identd.  Keep if you *ever* connect to IRC; most networks will drop you
 if it can't get an ident response.

Does this service have any uses besides IRC?

Richard



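The line noise in the "telnet localhost time" session above is the whole reply of the RFC 868 time service: four big-endian bytes giving seconds since 1900-01-01 UTC. Read as Latin-1, the four characters printed there are the bytes C0 AA 48 A4. The following is an added example, not code from the post, that decodes and re-encodes that reply and runs one exchange in-process over a socketpair, so it needs no network and no inetd.

```python
"""RFC 868 'time' (port 37) reply codec, plus the daytime (port 13) text form.
Added example, not from the mailing-list post."""
import socket
import struct
from datetime import datetime, timedelta, timezone

# RFC 868 counts seconds from 1900, not from the Unix epoch of 1970.
RFC868_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# The four characters "ÀªH¤" printed by telnet in the post, as Latin-1 bytes.
REPLY_FROM_POST = b"\xc0\xaa\x48\xa4"

# The instant those bytes encode (derived below; 4 s before the daytime
# reply in the post and 5 h ahead of it, i.e. a UTC-5 local clock).
POST_INSTANT = datetime(2002, 6, 6, 20, 46, 28, tzinfo=timezone.utc)


def decode_time_reply(raw):
    """Turn the 4-byte RFC 868 reply into an aware UTC datetime."""
    if len(raw) != 4:
        raise ValueError("RFC 868 reply must be exactly 4 bytes")
    (secs,) = struct.unpack("!I", raw)        # network byte order, unsigned
    return RFC868_EPOCH + timedelta(seconds=secs)


def encode_time_reply(when):
    """What a time server sends for the instant `when` (inverse of decode)."""
    secs = int((when.astimezone(timezone.utc) - RFC868_EPOCH).total_seconds())
    return struct.pack("!I", secs & 0xFFFFFFFF)  # 32-bit field wraps in 2036


def daytime_text(when):
    """What the daytime service sends for the same instant: human-readable
    text, here in the ctime layout seen in the post ('Thu Jun  6 ...')."""
    return when.ctime() + "\r\n"


def exchange(when):
    """One RFC 868 exchange in-process: the server side writes four bytes
    and closes its end; the client reads until EOF and decodes.  The time
    protocol has no request body, the connection itself is the request."""
    server, client = socket.socketpair()
    with server, client:
        server.sendall(encode_time_reply(when))
        server.shutdown(socket.SHUT_WR)       # send, then close: that is the protocol
        raw = b""
        while len(raw) < 4:
            chunk = client.recv(4 - len(raw))
            if not chunk:
                break
            raw += chunk
    return decode_time_reply(raw)


if __name__ == "__main__":
    print(decode_time_reply(REPLY_FROM_POST).isoformat())   # 2002-06-06T20:46:28+00:00
    print(daytime_text(POST_INSTANT).strip())
    print(exchange(POST_INSTANT) == POST_INSTANT)
```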


open ports question

2002-06-05 Thread tvn1981

Hi, I have the following ports open and I am not sure what they are.
Whether or not they are really needed. My other Linux box (rh) doesn't
have these so I am wondering what these are in Debian

9/tcp  opendiscard 
13/tcp opendaytime
37/tcp opentime   
113/tcpopenauth
139/tcpopennetbios-ssn   #this seems like my samba's server
- can someone confirm ? 

Thanks 






Re: open ports question

2002-06-05 Thread Mike Dresser
On 5 Jun 2002, tvn1981 wrote:


 Hi, I have the following ports open and I am not sure what they are.
 Whether or not they are really needed. My other Linux box (rh) doesn't
 have these so I am wondering what these are in Debian

 9/tcp  opendiscard
 13/tcp opendaytime
 37/tcp opentime
 113/tcpopenauth
 139/tcpopennetbios-ssn   #this seems like my samba's server
 - can someone confirm ?


Look at /etc/inetd.conf, and comment out the lines for the first 3 there
if you're worried about them.

Yes, 139 is your samba server.

and 113 is the ident server, which you may or may not need.

mike





Re: open ports question

2002-06-05 Thread Paul Johnson

On Wed, Jun 05, 2002 at 02:32:00PM -0400, tvn1981 wrote:

 9/tcp  opendiscard 

Not sure myself...

 13/tcp opendaytime
 37/tcp opentime   

ntp daemon, you can safely disable these in inetd.conf

 113/tcpopenauth

identd.  Keep if you *ever* connect to IRC; most networks will drop you
if it can't get an ident response.

 139/tcpopennetbios-ssn   #this seems like my samba's server

smbd (samba)

-- 
Baloo







Re: open ports question

2002-06-05 Thread ben
On Wednesday 05 June 2002 02:57 pm, Paul Johnson wrote:

 On Wed, Jun 05, 2002 at 02:32:00PM -0400, tvn1981 wrote:
  9/tcp  opendiscard

 Not sure myself...


$ cat //etc/services| grep 9/tcp
discard 9/tcp   sink null

ben





Re: open ports question

2002-06-05 Thread Mark Roach
On Wed, 2002-06-05 at 13:32, tvn1981 wrote:
 
 Hi, I have the following ports open and I am not sure what they are.
 Whether or not they are really needed. My other Linux box (rh) doesn't
 have these so I am wondering what these are in Debian
 
 9/tcp  opendiscard 
 13/tcp opendaytime
 37/tcp opentime   
 113/tcpopenauth
 139/tcpopennetbios-ssn   #this seems like my samba's server
 - can someone confirm ? 

A good thing to know in the future is the fuser command. As root you can
run fuser -n tcp port number and it will give you the pid of the
program that has opened that port. A very nice tool that I wish was
available on the NT servers I have to deal with.

-Mark





RE: open ports with iptables

2001-06-22 Thread Sebastiaan
   doing a search for -dport or -sport for source and destination ports
  
  thank you for your reply, but I am not getting much wiser with this
  document. I learn by examples. I was thinking about this:
  iptables -A INPUT -i eth0 -d 212.127.10.10 -dport 135 -j ACCEPT
  iptables -A OUTPUT -i eth1 -s 192.168.1.1 -sport 135 -j ACCEPT
 
 internal ip address on the world side of your firewall box - either thats
 wrong or you must have a router doing nat  before any packets will
 arrive?
 
Hello,

Simply said I want to do this with iptables:
ipmasqadm portfw -a -P tcp -L $extip 135 -R 192.168.1.1 135

so that tcp traffic from port 135 is directly forwarded to port 135 on my
local machine and vice versa.

Sorry if I was unclear.

Thanks in advance,
Sebastiaan




Re: open ports with iptables

2001-06-22 Thread Vineet Kumar
Under the netfilter model, this is known as DNAT (Destination NAT,
because it is the destination field of incoming packets that is being
rewritten).

you'll want something like the following:

iptables -t nat -A PREROUTING -d $extip -p tcp --dport 135 -j DNAT --to-destination 192.168.1.1

(also see http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/ for
more info).

hth,
Vineet





closing open ports

2001-04-29 Thread Michael Earls
What file do i need to edit to close open ports,

ex, port 111 /tcp sunrpc
515/ tcp printer
2000/ tcp callback

Thanks for your time

michael



Re: closing open ports

2001-04-29 Thread Brandon High
On Sun, Apr 29, 2001 at 01:13:07AM -0700, Michael Earls wrote:
 What file do i need to edit to close open ports, 
 
 ex, port 111 /tcp sunrpc
 515/ tcp printer
 2000/ tcp callback

Install and configure ipchains. There are various firewall packages that you
can configure on top of ipchains as well to provide more monitoring.

Ideally have minimal ports open. My gateway box has only 5 ports open for
misc services such as http and ssh.

-B

-- 
Brandon High [EMAIL PROTECTED]
If you lend someone $20, and never see that person again; it was probably
worth it.



Re: closing open ports

2001-04-29 Thread ktb
On Sun, Apr 29, 2001 at 01:13:07AM -0700, Michael Earls wrote:
 What file do i need to edit to close open ports, 
 
 ex, port 111 /tcp sunrpc
 515/ tcp printer
 2000/ tcp callback

Run the command -
# lsof | grep LISTEN 

This is another option -
$ less /etc/services | grep 111
sunrpc  111/tcp portmapper  # RPC 4.0 portmapper TCP
sunrpc  111/udp portmapper  # RPC 4.0 portmapper UDP
kx  2111/tcp# X over Kerberos   

As you can see it's portmap.  Kill the running process and -
# update-rc.d -f portmap remove

Take a look at the man pages lsof and update-rc.d
for more detail.
hth,
kent

-- 
 From seeing and seeing the seeing has become so exhausted
 First line of The Panther - R. M. Rilke




Re: closing open ports

2001-04-29 Thread ktb
On Sun, Apr 29, 2001 at 01:13:07AM -0700, Michael Earls wrote:
 What file do i need to edit to close open ports, 
 
 ex, port 111 /tcp sunrpc
 515/ tcp printer
 2000/ tcp callback
 

Also comment out everything you don't need in -
/etc/inetd.conf
and run -
# /etc/init.d/inetd restart 
kent

-- 
 From seeing and seeing the seeing has become so exhausted
 First line of The Panther - R. M. Rilke




RE: closing open ports

2001-04-29 Thread Michael Earls
What is a good starting point / reference point on ipchains.  I have it
installed but not configured.  Is there a file that i can edit for ipchains?

I only need
21 ftp
22 ssh
25 smtp
80 http

what would be a good script for that?

thanks again

michael





Re: closing open ports

2001-04-29 Thread Osamu Aoki
On Sun, Apr 29, 2001 at 01:38:33AM -0700, Michael Earls wrote:
 What is a good starting point / reference point on ipchains.  I have it
 installed but not configured.  Is there a file that i can edit for ipchains?
 
 I only need 21 ftp 22 ssh 25 smtp 80 http
You may want to open auth too.

Closing services can be done via /etc/inetd and update-rc.d, but for your
purpose installing an ipchains-based firewall may be better.  If this is a
gateway machine, you want to install the ipmasq package.  To close services
with ipchains, follow

http://bugs.debian.org/87499

The script attached is actually for potato ipmasq.  My quick reference
site has the same info.

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki [EMAIL PROTECTED], GnuPG-key: 1024D/D5DE453D  +
+  My debian quick-reference, http://www.aokiconsulting.com/quick/+





RE: closing open ports

2001-04-29 Thread Michael Earls
that was great info, but i do not need to masq any ips,  i just need to
limit the ports being open,  i have edited inetd.conf, but there were some
ports not listed in there.  here is a port scan on my box,

[EMAIL PROTECTED] mearls]# nmap -sS -sU vermeer

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on vermeer.michaelearls.com (207.86.78.22):
(The 3092 ports scanned but not shown below are in state: closed)
Port   State   Service
21/tcp openftp
22/tcp openssh
25/tcp opensmtp
69/udp filteredtftp
80/tcp openhttp
111/tcpopensunrpc
111/udpopensunrpc
138/udpopennetbios-dgm
515/tcpopenprinter
517/udpopentalk
1024/tcp   openkdm
1025/udp   openblackjack
1026/udp   openunknown

Nmap run completed -- 1 IP address (1 host up) scanned in 1709 seconds

from port 111 to 1026.  I only need the first ones open,  does your ipchain
script do that without trying to masq or what do i need to change to fix
that.

Thanks for your time

michael





Re: closing open ports

2001-04-29 Thread Daniel Freedman
On Sun, Apr 29, 2001, Michael Earls wrote:
 that was great info, but i do not need to masq any ips,  i just need to
 limit the ports being open,  i have edited inetd.conf, but there were some
 ports not listed in there.  here is a port scan on my box,
 

Mike,

Hi. I just joined thread so I can't comment on much, but make sure
you're not running portsentry (or understand better its implications),
since it will bind to many of your ports to track attempted connects
(in other words, you might actually be seeing portsentry and not the
listed services on those ports).  Hope I haven't missed something
else joining this thread now, and, if so, please accept my apologies.

Hope this helps and take care,

Daniel

-- 
Daniel A. Freedman
Laboratory for Atomic and Solid State Physics
Department of Physics
Cornell University



Re: closing open ports

2001-04-29 Thread ktb
On Sun, Apr 29, 2001 at 11:38:25AM -0700, Michael Earls wrote:
 that was great info, but i do not need to masq any ips,  i just need to
 limit the ports being open,  i have edited inetd.conf, but there were some
 ports not listed in there.  here is a port scan on my box,
 
 [EMAIL PROTECTED] mearls]# nmap -sS -sU vermeer
 
 Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
 Interesting ports on vermeer.michaelearls.com (207.86.78.22):
 (The 3092 ports scanned but not shown below are in state: closed)
 Port       State       Service
 21/tcp     open        ftp
 22/tcp     open        ssh
 25/tcp     open        smtp
 69/udp     filtered    tftp
 80/tcp     open        http
 111/tcp    open        sunrpc
 111/udp    open        sunrpc
 138/udp    open        netbios-dgm
 515/tcp    open        printer
 517/udp    open        talk
 1024/tcp   open        kdm
 1025/udp   open        blackjack
 1026/udp   open        unknown
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 1709 seconds
 
 From port 111 to 1026. I only need the first ones open. Does your ipchains
 script do that without trying to masq, or what do I need to change to fix
 that?

Yes you can filter without masq, and you should in your situation, but you
should also learn what services your box is running and how to shut them
down.  You have a web server, portmap, etc. running.  If you aren't using
those at this time there really isn't a reason to run them.  I sent
either you or another person on the list instructions on how to do so
using portmap as an example.  You can do the same thing with many other
services.  If you didn't see my post, or didn't understand, or I messed up
somewhere, post back and let me know.
kent

-- 
 From seeing and seeing the seeing has become so exhausted
 First line of The Panther - R. M. Rilke




Re: closeing open ports

2001-04-29 Thread Rogerio Bastos

On Sunday 29 April 2001 05:13, Michael Earls wrote:

 What file do i need to edit to close open ports,

 ex, port 111 /tcp sunrpc
 515/ tcp printer
 2000/ tcp callback


Another useful thing to do when the port you want to close is not listed in
/etc/services and you don't have a clue what service is bound to that
port is to run (as root) fuser -a -n proto port, where proto may be tcp, udp
or file. For example, if you are serving http with apache at port 80:

# fuser -a -n tcp 80

It will return the pid(s) that apache is using.
-- 
echo [EMAIL PROTECTED] | tr -d A-Z

...one ring to rule them all...
 ...one ring to find them...
 ...one ring to bring them all and in the darkness bind them... 
--



Re: closeing open ports

2001-04-29 Thread Brandon High
On Sun, Apr 29, 2001 at 04:20:14PM -0300, Rogerio Bastos wrote:
 
 Another useful thing to do when the port you want to close is not listed in
 /etc/services and you don't have a clue what service is bound to that
 port is to run (as root) fuser -a -n proto port, where proto may be tcp, udp
 or file. For example, if you are serving http with apache at port 80:
 
 # fuser -a -n tcp 80
 
 It will return the pid(s) that apache is using.

lsof can also be used in a similar manner.
# lsof -i :80

-B

-- 
Brandon High [EMAIL PROTECTED]
War is Peace. Slavery is Freedom. AOL is the Internet.
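The lookup fuser and lsof perform in the two posts above can be reproduced by reading /proc/net/tcp and matching socket inodes against /proc/<pid>/fd links. This is an added example, not code from any poster; the /proc/net/tcp table below is constructed, and the /proc layout assumed is the Linux one.

```python
import os

# Constructed sample of /proc/net/tcp, the table netstat, fuser and lsof read.
# local_address is hex "IP:port"; st 0A means LISTEN, 01 means ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C7B6 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

def parse_listeners(text):
    """Return [(ip, port, inode)] for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints IPv4 in host byte order, so on little-endian
        # machines 0100007F is 127.0.0.1: read the octet pairs right to left.
        octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        listeners.append((".".join(octets), int(hex_port, 16), int(fields[9])))
    return listeners

def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> pid via /proc/<pid>/fd links (root sees all users)."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # not our process, or it already exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners[wanted[target]] = int(pid)
    return owners
```

On a live system, feed the contents of /proc/net/tcp to parse_listeners and the resulting inodes to socket_owners to get the same port-to-pid table that netstat -nplt prints.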



Re: open ports remaining

2001-02-18 Thread aphro
On Sat, Feb 17, 2001 at 11:13:52PM -0500, Glenn Becker wrote:
 Interesting ports on localhost (127.0.0.1):
 Port    State       Protocol  Service
 22      open        tcp       ssh
 25      open        tcp       smtp
 53      open        tcp       domain
 111     open        tcp       sunrpc
 
 So, the questions: I have read some about sunrpc in the list archives but
 have not found how to close the port; don't know what domain is, and am
 confused smtp is still there since I've commented out the line in
 inetd.conf ... I have set my hosts.deny to 

the best way i've found to disable portmap is to rename /sbin/portmap
to something else. there are so many different things that may call
on it, it's just easier for me to rename it than modify a bunch of
scripts. as for smtp it depends what MTA you're using, if you don't
plan on having a mail server i would recommend using postfix as it's
easy to get it to listen on the internal network interfaces and
not the external. domain is the DNS, usually bind. you can remove
it if you want. ssh is fine.

also be sure to run a UDP portscan as well. (nmap -sU) i also
recommend if you're not already to scan all ports with -p 1-65535

nate



Re: open ports remaining

2001-02-18 Thread Ethan Benson
On Sat, Feb 17, 2001 at 10:46:40PM -0800, [EMAIL PROTECTED] wrote:
 
 the best way i've found to disable portmap is to rename /sbin/portmap
 to something else. there are so many different things that may call
 on it, it's just easier for me to rename it than modify a bunch of

just make sure you rename it with dpkg-divert or else you will just
get a new /sbin/portmap the next time netbase gets upgraded (say if
there were a security release).  

fortunately in woody portmap is split into its very own package so you
can disable it the Right Way: apt-get --purge remove portmap ;-)

myself i have not had problems with just doing a simple rm -f
/etc/rcS.d/*portmap, along with purging nfs-common, nfs-*server, and
nis (which is not priority standard).  

 scripts. as for smtp it depends what MTA you're using, if you don't
 plan on having a mail server i would recommend using postfix as it's
 easy to get it to listen on the internal network interfaces and
 not the external. domain is the DNS, usually bind. you can remove
 it if you want. ssh is fine.
 
 also be sure to run a UDP portscan as well. (nmap -sU) i also
 recommend if you're not already to scan all ports with -p 1-65535

hehe and then go away for a week or three while it works on that ;-)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




open ports remaining

2001-02-17 Thread Glenn Becker

All,

I have been trying to secure my Debian box, which enjoys a DSL
connection. I've been going through /etc/inetd.conf, commenting out
services, and K'ing others in the /etc/rc2.d/, until what I have left is
the following (output from nmap):

Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
22      open        tcp       ssh
25      open        tcp       smtp
53      open        tcp       domain
111     open        tcp       sunrpc

So, the questions: I have read some about sunrpc in the list archives but
have not found how to close the port; don't know what domain is, and am
confused smtp is still there since I've commented out the line in
inetd.conf ... I have set my hosts.deny to 

ALL EXCEPT sshd: ALL

... I guess then port 22 is not a concern?

Thanks for any help with this. Trying (always!) to become a smarter user.

Best,

Glenn Becker 
Online Producer, Community
SCIFI.COM



