On Tue, Aug 24, 2004 at 08:37:30AM +0200, Volker Kindermann wrote:
Hi Bob,
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
1023/tcp open netvenuechat
[...]
Then there is the case of the port 1023. I have no idea how to
turn
this off or how it got turned on. Could the rpcbind allowed someone
into my computer to hack it up? I am pretty scared at this point.
First try to disable rpcbind and look afterwards, if port 1023 is still
open. If it ist, install lsof from ports. This tool will tell you which
application is listening on this port.
sockstat(1) will tell you that just as well, and it's a standard part
of the system.
Chances are port 1023 is open because of portmap(8) (a.k.a rpcbind(8)
in 5.x). To see what ports portmap is managing, use the rpcinfo(8)
command:
# rpcinfo -p
As for telling if your system has been compromised, it depends on the
level of sophistication of whoever attacks you. Chances are that if
you're just an ordinary home user without any particular secrets or
other motives for anyone to break in, you'll not come to the attention of
anyone good enough to cover their tracks thoroughly. In fact, about
the only sort of intrusion attempt you're likely to see would be
automated or semi-automated attacks /intended for Linux or Windows
servers/ by Skript Kiddiez. Needless to say, these tend not to work.
The most effective things you can do to prevent yourself being
compromised are:
- keep your system and ports up to date
- be vigilant: look at what the daily security e-mail is telling
you, subscribe to [EMAIL PROTECTED] and/or
[EMAIL PROTECTED] so that you get notified of any security
advisories. Scan through system logs for anomalous entries
occasionally. Check for strange processes (use ps(1)) or for
logins from odd systems or at odd times (use last(1)).
- Install security/portaudit so that you get notifications of any
vulnerabilities in your installed ports
- Think about what you are doing as you use the system. Get into
good security habits: try and ensure that processes/users have
only the minimum necessary permissions in order to function.
Always use ssh(1) or similarly encrypted channels for remote
access to systems. Never log in directly as root -- use su(1)
or better, sudo(1) instead. Always use secure (ie. unguessable)
passwords -- install and use security/apg if you find it hard to
think up good ones.
There's a shedload of useful monitoring software you can install to
help you detect if you have been attacked or compromised, but for most
home users, it's really overkill. Particularly noteworthy are
security/snort -- which will examine all of the network traffic
reaching your system and detect which of it is unfriendly -- and one
of the security/tripwire ports, which will build a cryptographically
secured database of checksums of all of the important files on your
system which you can use to immediately detect any changes.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
pgpwSzv8szu9a.pgp
Description: PGP signature
