Re: securing the system, stopping unnecessary services and closing open ports.
On Mon, Aug 29, 2011 at 02:46:52PM +0200, yudi v wrote:

> Probably portmap... See if it's installed
>
> $ dpkg --get-selections portmap
>
> If it is, and it bothers you, it can be removed - check and see if anything uses it:-
>
> # apt-get -s remove portmap | less
>
> If it's the only package to be removed:-
>
> # apt-get --purge remove portmap
>
> Check your port:-
>
> $ netstat -an | grep 111

Or 'netstat -plant' ...

Regards
Johann

--
Johann Spies  Telephone: 021-808 4699
Databestuurder / Data manager
Sentrum vir Navorsing oor Evaluasie, Wetenskap en Tegnologie
Centre for Research on Evaluation, Science and Technology
Universiteit Stellenbosch.

Preach the word; be instant in season, out of season; reprove, rebuke, exhort with all longsuffering and doctrine. II Timothy 4:2

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110830062848.ga5...@sun.ac.za
Re: securing the system, stopping unnecessary services and closing open ports.
> The following packages will be REMOVED:
>   cifs-utils libnfsidmap2 nfs-common nfs-kernel-server samba samba-common
>   samba-common-bin samba-doc smbclient smbfs swat winbind
> 0 upgraded, 0 newly installed, 12 to remove and 4 not upgraded.
> Remv smbfs [2:4.5-2]
> Remv cifs-utils [2:4.5-2]
> Remv nfs-kernel-server [1:1.2.2-4]
> Remv nfs-common [1:1.2.2-4]
> Remv libnfsidmap2 [0.23-2]
> Remv swat [2:3.5.6~dfsg-3squeeze5]
> Remv samba [2:3.5.6~dfsg-3squeeze5]
> Remv winbind [2:3.5.6~dfsg-3squeeze5]
> Remv smbclient [2:3.5.6~dfsg-3squeeze5]
> Remv samba-common-bin [2:3.5.6~dfsg-3squeeze5]
> Remv samba-common [2:3.5.6~dfsg-3squeeze5]
> Remv samba-doc [2:3.5.6~dfsg-3squeeze5]

I purged the above files but still have the following service running.

111/tcp open rpcbind

--
Kind regards,
Yudi
Re: securing the system, stopping unnecessary services and closing open ports.
On 29/08/11 18:35, yudi v wrote:
<snipped>
> I purged the above files but still have the following service running.
>
> 111/tcp open rpcbind
>
> --
> Kind regards,
> Yudi

Probably portmap... See if it's installed

$ dpkg --get-selections portmap

If it is, and it bothers you, it can be removed - check and see if anything uses it:-

# apt-get -s remove portmap | less

If it's the only package to be removed:-

# apt-get --purge remove portmap

Check your port:-

$ netstat -an | grep 111

SUN RPC is another protocol that uses that port.

Cheers

--
I've got a bathtub and an imagination, I'm staying indoors this summer. That way I can listen to music that I like. — Bill Hicks

Archive: http://lists.debian.org/4e5b62b5.7030...@gmail.com
Re: securing the system, stopping unnecessary services and closing open ports.
> Probably portmap... See if it's installed
>
> $ dpkg --get-selections portmap
>
> If it is, and it bothers you, it can be removed - check and see if anything uses it:-
>
> # apt-get -s remove portmap | less
>
> If it's the only package to be removed:-
>
> # apt-get --purge remove portmap
>
> Check your port:-
>
> $ netstat -an | grep 111

Thanks for that info, once again. Much appreciated.

--
Kind regards,
Yudi
Re: securing the system, stopping unnecessary services and closing open ports.
> > I use postpaid mobile broadband and my IP is both the system address and the gateway. There is no NAT with postpaid service, it's only available with prepaid in Australia. Not sure why.
>
> Not sure what you mean there. I suspect you mean only postpaid allows a static IP address (for some accounts).
> I use both prepaid and postpaid USB UMTS modems with different ISPs - they all use the same, weird, setup where the remote address is defaulted to (different dogs, same leg action) - perhaps that's the NAT you're referring to??
>
> ie. Could not determine remote IP address: defaulting to 10.64.64.64 [*1]
>
> eg. ppp0 inet address and p-t-p are different, and the IP I use for remote access is different again (the one shown in http://myip.dk)

My system IP for ppp0 is 101.***.***.*** and it's not static. But from what I can remember all postpaid accounts in Australia have 10.***.***.*** addresses and are behind NAT. The only way I could SSH was by reverse port forwarding. I eventually ended up getting postpaid. That's how it works in Australia. I believe you are not in Aus. See this post for more info.

http://forums.whirlpool.net.au/forum-replies.cfm?t=1488078

***

> > The only things I need are CUPS and SMTP for Zimbra. I will disable the rest. I guess I have to use update-rc.d.
>
> You could just remove them, eg:-
>
> # apt-get --purge remove libnfsidmap2 nfs-common samba
>
> If you don't use samba at all (cifs-utils samba samba-common samba-common-bin smbfs) then change samba to samba*
>
> I'd suggest using -s instead of --purge first - just in case samba was originally pulled in by another package which you want to keep.

Thanks for the info. Will definitely uninstall samba and nfs.

--
Kind regards,
Yudi
Re: securing the system, stopping unnecessary services and closing open ports.
On 28/08/11 18:37, yudi v wrote:
<snipped>
> My system IP for ppp0 is 101.***.***.*** and it's not static. But from what I can remember all postpaid accounts in Australia have 10.***.***.*** addresses and are behind NAT.

I've yet to see any (non-SLA business class) USB UMTS modems by any of the major Oz companies, pre-paid or post-paid, that don't use that arrangement.

> The only way I could SSH was by reverse port forwarding.

http://myip.dk/ will give you the remote access address. Just ssh to the displayed address. I'd suggest you try - it's easier than just believing everything you read on whirlpool. The signal to noise ratio there can be bad. Exetel have good tech support - Vodaphail don't even know where their towers are - and they wouldn't tell you even if they did know.

If you have a static IP plan - the myip.dk displayed address is still the one you remote into - *not* the ppp0 inet or p-t-p address.

> I eventually ended up getting postpaid. That's how it works in Australia. I believe you are not in Aus.

They've moved Canberra? Why wasn't I told??

> See this post for more info. http://forums.whirlpool.net.au/forum-replies.cfm?t=1488078

You mean the ex-vodaphone social networking consultant?

NOTE: the person who told you it's not possible to vnc into your machine is wrong too.

<snipped>
> --
> Kind regards,
> Yudi

--
You ever noticed how people who believe in Creationism look really unevolved? You ever noticed that? Eyes real close together, eyebrow ridges, big furry hands and feet. "I believe God created me in one day." Yeah, looks like He rushed it. — Bill Hicks

Archive: http://lists.debian.org/4e5a0f41.3050...@gmail.com
Re: securing the system, stopping unnecessary services and closing open ports.
> http://myip.dk/ will give you the remote access address. Just ssh to the displayed address. I'd suggest you try - it's easier than just believing everything you read on whirlpool. The signal to noise ratio there can be bad. Exetel have good tech support - Vodaphail don't even know where their towers are - and they wouldn't tell you even if they did know.
>
> If you have a static IP plan - the myip.dk displayed address is still the one you remote into - *not* the ppp0 inet or p-t-p address.

Thanks for sharing that info.

> They've moved Canberra? Why wasn't I told??

It's back where it should be now. No need to panic mate.

--
Kind regards,
Yudi
Re: securing the system, stopping unnecessary services and closing open ports.
> # apt-get --purge remove libnfsidmap2 nfs-common samba
>
> If you don't use samba at all (cifs-utils samba samba-common samba-common-bin smbfs) then change samba to samba*
>
> I'd suggest using -s instead of --purge first - just in case samba was originally pulled in by another package which you want to keep.

These are the files that will be uninstalled. I cannot see anything in there that I am using:

The following packages will be REMOVED:
  cifs-utils libnfsidmap2 nfs-common nfs-kernel-server samba samba-common
  samba-common-bin samba-doc smbclient smbfs swat winbind
0 upgraded, 0 newly installed, 12 to remove and 4 not upgraded.
Remv smbfs [2:4.5-2]
Remv cifs-utils [2:4.5-2]
Remv nfs-kernel-server [1:1.2.2-4]
Remv nfs-common [1:1.2.2-4]
Remv libnfsidmap2 [0.23-2]
Remv swat [2:3.5.6~dfsg-3squeeze5]
Remv samba [2:3.5.6~dfsg-3squeeze5]
Remv winbind [2:3.5.6~dfsg-3squeeze5]
Remv smbclient [2:3.5.6~dfsg-3squeeze5]
Remv samba-common-bin [2:3.5.6~dfsg-3squeeze5]
Remv samba-common [2:3.5.6~dfsg-3squeeze5]
Remv samba-doc [2:3.5.6~dfsg-3squeeze5]

--
Kind regards,
Yudi
securing the system, stopping unnecessary services and closing open ports.
Nmap suggests the following ports are open:

25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
2049/tcp open  nfs

I run a desktop email client that uses smtp; apart from that I do not know why the rest of the above services are open.

It even had SSH listening on 22. I changed the port # and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output; also installed gufw and set it to deny as default.

root@computer:/home/user# grep -ir Failed password /var/log/*
/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2

root@computer:/home/user# grep -ir BREAK-IN /var/log/*
/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!

How can I find out if this system has been compromised?

What are the steps I need to take to secure it?

--
Kind regards,
Yudi
Re: securing the system, stopping unnecessary services and closing open ports.
Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer driver. 111 and 2049 are for NFS. If you don't need them, you should be able to turn them off... If you do need it, then you should be able to firewall it, using iptables to limit access to the hosts or subnets you need.

On Sat, Aug 27, 2011 at 11:05 AM, yudi v yudi@gmail.com wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp   open  smtp
> 111/tcp  open  rpcbind
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 631/tcp  open  ipp
> 901/tcp  open  samba-swat
> 2049/tcp open  nfs
>
> I run a desktop email client that uses smtp; apart from that I do not know why the rest of the above services are open.
>
> It even had SSH listening on 22. I changed the port # and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output; also installed gufw and set it to deny as default.
>
> root@computer:/home/user# grep -ir Failed password /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
>
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> How can I find out if this system has been compromised?

If you are looking for ssh attempts, you should peruse /var/log/auth.log and look for unusual logins. The ones like you mention above are failed. You could run fail2ban or another one that watches your ssh port and in the event of too many failed attempts, can block the IP through iptables. Be careful, because if someone spoofs the address, then you could block some site that you need to access.

Another idea would be to run a Host-based Intrusion Detection System (HIDS). Tripwire is a classic example, as it does md5sums of critical files and you run it against your machine looking for changes. However, I have come to prefer OSSEC (http://ossec.net), which does md5summing in the background:

OSSEC HIDS Notification.
2011 Aug 25 07:25:59

Received From: (013hornet) 192.168.224.13->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/sudoers'
Size changed from '552' to '692'
Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
New md5sum is : '377364efbaefe7138d3fe4081d98b592'
Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'

but also watches your logs for events:

OSSEC HIDS Notification.
2011 Aug 25 06:43:57

Received From: (056worf) 192.168.224.56->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Aug 25 06:43:56 worf su[9338]: + ??? root:nobody

Having said all of that, if you suspect your machine was compromised (the failed login messages in the logs only indicate that you had some failed attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec, run nmap or nessus on it and put it back in service.

Regards,
--b

> What are the steps I need to take to secure it?
>
> --
> Kind regards,
> Yudi
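Brad's fail2ban suggestion above, as an added example that is not from the thread or from fail2ban itself: a small Python counter that implements fail2ban's maxretry/findtime idea over sshd "Failed password" lines, reporting sources that cross the threshold inside a sliding window. The log excerpt is constructed for the example, modelled on the lines Yudi posted.

```python
"""Added example: fail2ban-style counting of sshd password failures per source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both "Failed password for root from A.B.C.D" and
# "Failed password for invalid user admin from A.B.C.D".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample auth.log excerpt (syslog lines carry no year; 2011 is assumed).
SAMPLE_LOG = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for host.example[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 15 22:13:12 computer sshd[5131]: Failed password for invalid user admin from 190.24.225.223 port 22801 ssh2
Aug 15 22:13:15 computer sshd[5133]: Failed password for root from 190.24.225.223 port 22810 ssh2
Aug 15 22:13:19 computer sshd[5135]: Failed password for invalid user test from 190.24.225.223 port 22822 ssh2
Aug 15 22:13:23 computer sshd[5137]: Failed password for invalid user oracle from 190.24.225.223 port 22830 ssh2
Aug 15 22:14:01 computer sshd[5140]: Accepted publickey for yudi from 192.168.1.20 port 50100 ssh2
"""


def parse_failures(log_text, year=2011):
    """Yield (timestamp, source_ip, username) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "reverse mapping" warnings and successful logins are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user")


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: count} for sources with >= maxretry failures within findtime.

    Same shape as fail2ban's sshd jail: a per-source sliding window, so slow
    probing spread over hours does not trip it while a burst does.
    """
    windows = defaultdict(list)
    offenders = {}
    for ts, ip, _user in parse_failures(log_text):
        hits = windows[ip]
        hits.append(ts)
        # Forget attempts that fell out of the window.
        windows[ip] = hits = [t for t in hits if ts - t <= findtime]
        if len(hits) >= maxretry:
            offenders[ip] = len(hits)
    return offenders


def failures_per_source(log_text):
    """Total failed attempts per source, regardless of timing (for a daily summary)."""
    counts = defaultdict(int)
    for _ts, ip, _user in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"would block {ip}: {n} failures inside the window")
```

A real deployment would feed the offending addresses to iptables or nftables with an expiry, which is exactly what fail2ban's action does.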
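The HIDS integrity check Brad describes (Tripwire's baseline-and-compare, OSSEC's syscheck), as an added example written for this thread rather than code from either project: take a baseline of size, md5 and sha1 for a list of files, then re-hash and print differences in the same wording as the OSSEC notice above. The demo builds its own throwaway "sudoers" file in a temp directory, so it runs offline.

```python
"""Added example: a minimal Tripwire/OSSEC-syscheck-style file integrity check."""
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """Size plus md5 and sha1, the fields the OSSEC syscheck notice reports."""
    data = Path(path).read_bytes()
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def take_baseline(paths):
    """Build the trusted baseline {path: fingerprint}.

    Only meaningful when taken on a known-clean system and kept where a later
    intruder cannot rewrite it (read-only media or another host).
    """
    return {str(p): fingerprint(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline):
    """Re-hash every baselined file; return one finding per changed or missing file."""
    findings = []
    for path, old in baseline.items():
        if not os.path.isfile(path):
            findings.append(f"File '{path}' was deleted.")
            continue
        new = fingerprint(path)
        if new == old:
            continue
        lines = [f"Integrity checksum changed for: '{path}'"]
        if new["size"] != old["size"]:
            lines.append(f"Size changed from '{old['size']}' to '{new['size']}'")
        lines.append(f"Old md5sum was: '{old['md5']}'")
        lines.append(f"New md5sum is : '{new['md5']}'")
        lines.append(f"Old sha1sum was: '{old['sha1']}'")
        lines.append(f"New sha1sum is : '{new['sha1']}'")
        findings.append("\n".join(lines))
    return findings


def demo():
    """Constructed scenario: baseline a fake sudoers, then append a line to it."""
    with tempfile.TemporaryDirectory() as tmp:
        sudoers = Path(tmp) / "sudoers"
        sudoers.write_text("root ALL=(ALL:ALL) ALL\n")
        baseline = take_baseline([sudoers])
        assert check_integrity(baseline) == []  # clean run: nothing to report
        with sudoers.open("a") as fh:
            fh.write("%admin ALL=(ALL) ALL\n")  # an edit the check must notice
        return check_integrity(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```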
Re: securing the system, stopping unnecessary services and closing open ports.
On Sun, 28 Aug 2011 01:05:47 +1000
yudi v yudi@gmail.com wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp   open  smtp
> 111/tcp  open  rpcbind
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 631/tcp  open  ipp
> 901/tcp  open  samba-swat
> 2049/tcp open  nfs
>
> I run a desktop email client that uses smtp; apart from that I do not know why the rest of the above services are open.

An email *client* needs no ports open, assuming the firewall is a stateful one, as pretty well all are. Nothing connects to it, it connects to other servers as needed.

139, 445 and 901 suggest you are running samba, which is not normally necessary on a desktop machine, unless you are making network shares available from it. If that's not what you intend, remove or disable samba. If you need to connect to Windows shares on the same subnet, install smbclient. If you use shares between subnets, you may need the full samba for its nmbd component, which can use WINS servers or even be one.

ipp is CUPS, the network printing server, and you know whether you need that.

RPCbind is needed with nfs. I wouldn't have thought you'd need that, as it's the *nix network filing system, and you wouldn't be using that by accident.

> It even had SSH listening on 22. I changed the port # and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output; also installed gufw and set it to deny as default.
>
> root@computer:/home/user# grep -ir Failed password /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
>
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> How can I find out if this system has been compromised?

You can try chkrootkit and rkhunter, but the latter at least works better if it has scanned the system in a known clean state. Neither are automatic: you either run them manually or use a cron job. Booting from a live CD will allow you to compare ps and other normally-compromised binaries with the correct hashes as shown by whatever repository you use. The bottom line is that you cannot be completely sure, but if ps hasn't been touched you are probably OK.

> What are the steps I need to take to secure it?

As you say, deny root logins, but I would strongly recommend dropping passwords altogether and using keys. If you connect from Windows, you will already know about PuTTY, which generates its own keypairs and (currently I believe) can't use *nix-generated keys.

The change of port number is often denigrated as 'security by obscurity', but then what else is a digital certificate? If running ssh on an obscure port prevents pretty much all automated password brute-forcing (and it does) then you're better off than many other people have been.

What Internet connection do you have, and what is forwarded? If you are only forwarding ssh from a stateful packet filtering NAT router, then you already have quite a lot of protection to other services, but I'd still use at least a second line of filtering, as you have now done. The gufw application and several other 'firewalls' are front ends to iptables/netfilter, the actual packet filter.

Use netstat to check what services you have listening, and on which interfaces. Most services can be configured to listen only to some interfaces, and many only need to use localhost, so they can be closed off from outside access. The open ports you need depend on what local networking you do.

There's more, of course, but it's a lifetime study. Others will no doubt offer more suggestions.

--
Joe

Archive: http://lists.debian.org/20110827171616.293b2...@jretrading.com
Re: securing the system, stopping unnecessary services and closing open ports.
On 8/27/2011 11:38 AM, Brad Alexander wrote:
> Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer driver. 111 and 2049 are for NFS. If you don't need them, you should be able to turn them off... If you do need it, then you should be able to firewall it, using iptables to limit access to the hosts or subnets you need.
>
> On Sat, Aug 27, 2011 at 11:05 AM, yudi v yudi@gmail.com wrote:
>
>> Nmap suggests the following ports are open:
>>
>> 25/tcp   open  smtp
>> 111/tcp  open  rpcbind
>> 139/tcp  open  netbios-ssn
>> 445/tcp  open  microsoft-ds
>> 631/tcp  open  ipp
>> 901/tcp  open  samba-swat
>> 2049/tcp open  nfs
>>
>> I run a desktop email client that uses smtp; apart from that I do not know why the rest of the above services are open.
>>
>> It even had SSH listening on 22. I changed the port # and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output; also installed gufw and set it to deny as default.
>>
>> root@computer:/home/user# grep -ir Failed password /var/log/*
>> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
>> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
>>
>> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
>> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
>>
>> How can I find out if this system has been compromised?
>
> If you are looking for ssh attempts, you should peruse /var/log/auth.log and look for unusual logins. The ones like you mention above are failed. You could run fail2ban or another one that watches your ssh port and in the event of too many failed attempts, can block the IP through iptables. Be careful, because if someone spoofs the address, then you could block some site that you need to access.
>
> Another idea would be to run a Host-based Intrusion Detection System (HIDS). Tripwire is a classic example, as it does md5sums of critical files and you run it against your machine looking for changes. However, I have come to prefer OSSEC (http://ossec.net), which does md5summing in the background:
>
> OSSEC HIDS Notification.
> 2011 Aug 25 07:25:59
>
> Received From: (013hornet) 192.168.224.13->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/sudoers'
> Size changed from '552' to '692'
> Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
> New md5sum is : '377364efbaefe7138d3fe4081d98b592'
> Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
> New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'
>
> but also watches your logs for events:
>
> OSSEC HIDS Notification.
> 2011 Aug 25 06:43:57
>
> Received From: (056worf) 192.168.224.56->/var/log/auth.log
> Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
> Portion of the log(s):
>
> Aug 25 06:43:56 worf su[9338]: + ??? root:nobody
>
> Having said all of that, if you suspect your machine was compromised (the failed login messages in the logs only indicate that you had some failed attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec, run nmap or nessus on it and put it back in service.
>
> Regards,
> --b
>
>> What are the steps I need to take to secure it?
>>
>> --
>> Kind regards,
>> Yudi

If you need to actively scan for a rootkit, you can check out rkhunter, chkrootkit or sleuthkit, just to name a few. If you want to get creative with tools, my gentoo box has this in app-forensic:

afflib air chkrootkit examiner galleta lynis magicrescue metadata.xml ovaldi rdd rkhunter sleuthkit zzuf aide autopsy cmospwd foremost libewf mac-robber memdump openscap pasco rifiuti scalpel yasat

You can try some of these if you want, but I've only used the three I initially mentioned.

--
Chris Brennan

--
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: securing the system, stopping unnecessary services and closing open ports.
On Sun 28 Aug 2011 at 01:05:47 +1000, yudi v wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp   open  smtp
> 111/tcp  open  rpcbind
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 631/tcp  open  ipp
> 901/tcp  open  samba-swat
> 2049/tcp open  nfs
>
> I run a desktop email client that uses smtp; apart from that I do not know why the rest of the above services are open.

If the smtp server is exim4 it only accepts local mail with its default settings. No problem there.

CUPS (port 631) in its default install will only print from the local machine. No problem here either.

Incidentally, the services are open because they are running. That is the meaning of 'open'. They are running because you have installed them.

> It even had SSH listening on 22. I changed the port # and also changed

Never! sshd on port 22. Whatever next?

> PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output;

There is no need to, but if you feel better after doing it

> also installed gufw and set it to deny as default.

You did get desperate, didn't you? Was this before or after reading the documentation for the services you installed?

> root@computer:/home/user# grep -ir Failed password /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
>
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!

Is your root password something really easy, like password5, or is it (say) 12+ characters? Do you have a user 'admin'? What is there to be worried about?

> How can I find out if this system has been compromised?

There is no evidence here that it has been.

> What are the steps I need to take to secure it?

Don't install services you don't need. Configure those you want safely.

Archive: http://lists.debian.org/20110827182145.GF4474@desktop
Re: securing the system, stopping unnecessary services and closing open ports.
On Sat 27 Aug 2011 at 17:16:16 +0100, Joe wrote:

> On Sun, 28 Aug 2011 01:05:47 +1000
> yudi v yudi@gmail.com wrote:
>
>> How can I find out if this system has been compromised?
>
> You can try chkrootkit and rkhunter, but the latter at least works

A natural history expedition searching for unicorns and dodos would have as much success as these two programs are likely to have.

>> What are the steps I need to take to secure it?
>
> As you say, deny root logins, but I would strongly recommend dropping passwords altogether and using keys. If you connect from Windows, you

Keys and passwords each have their place. One is not inherently more secure than the other.

> (currently I believe) can't use *nix-generated keys.
>
> The change of port number is often denigrated as 'security by obscurity', but then what else is a digital certificate? If running ssh on an obscure port prevents pretty much all automated password brute-forcing (and it does) then you're better off than many other people have been.

You are most probably correct. On a higher port number sshd will experience fewer probes. But it was secure on port 22 anyway, so there doesn't seem much point in moving it in that regard.

Archive: http://lists.debian.org/20110827184308.GG4474@desktop
Re: securing the system, stopping unnecessary services and closing open ports.
On 08/27/2011 02:43 PM, Brian wrote:
> A natural history expedition searching for unicorns and dodos would have as much success as these two programs are likely to have.

I was once on a natural history expedition. We found no unicorns, but we did find dodos. We weren't looking for them, but we did find them -- one night while we were looking at each other around the camp fire.

And I like playing with chkrootkit and rkhunter. It gives me something to do in those moments when I miss fiddling with the vast array of anti-malware programs I used to use in Windows. 8-D

Archive: http://lists.debian.org/4e5941f6.10...@comcast.net
Re: securing the system, stopping unnecessary services and closing open ports.
Hi,

> ipp is CUPS, the network printing server, and you know whether you need that.

Now that you mention it... I also see cups listening on all devices:

$ sudo netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1646/cupsd

I need CUPS for printing, but my laptop is for sure not a printing server, so no open port is necessary. cupsd.conf contains this:

# Only listen for connections from the local machine.
Listen localhost:631

However, as you can see, it still opens the port on all interfaces. Is that a bug, or is the configuration incorrect?

Kind regards,
Ralf

Archive: http://lists.debian.org/201108272128.42920.ralfjun...@gmx.de
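Joe's advice to use netstat to see what is listening and on which interfaces, and Ralf's cupsd line above, as an added example that is not from the thread: a Python parser for `netstat -nlp` output that classifies each listening socket by its bound address (wildcard, loopback, or a specific interface) and lists the ones reachable from other hosts. The netstat excerpt is constructed for the example; its ports mirror the thread's nmap result and Ralf's udp/631 line, and the program names are assumed.

```python
"""Added example: classify listening sockets from `netstat -nlp` output by bound address."""
import re
from ipaddress import ip_address

# Constructed sample in the layout of `netstat -nlp` on a Debian squeeze box.
# Program names and PIDs are assumed for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1430/exim4
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1102/portmap
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1810/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1810/smbd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1646/cupsd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.5:2222        0.0.0.0:*               LISTEN      1501/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1646/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1646/cupsd
"""

# udp rows have no State column, so LISTEN is optional; "-" is netstat's
# program name when the socket belongs to the kernel (nfsd) or another user.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)$"
)


def split_local(local):
    """'::1:631' -> ('::1', 631); '0.0.0.0:111' -> ('0.0.0.0', 111)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def scope(addr):
    """Who can reach a socket bound to this address."""
    ip = ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "localhost only"
    return f"interface {addr}"


def parse_listeners(text):
    """Turn netstat -nlp output into a list of socket dicts."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines
        addr, port = split_local(m.group("local"))
        listeners.append({
            "proto": m.group("proto"), "addr": addr, "port": port,
            "prog": m.group("prog"), "scope": scope(addr),
        })
    return listeners


def exposed(listeners):
    """Sockets other hosts can reach: everything not bound to loopback."""
    return [s for s in listeners if s["scope"] != "localhost only"]


def report(text):
    """One line per exposed socket, the list to walk through and justify."""
    return [
        f"{s['proto']} {s['addr']}:{s['port']} ({s['prog']}) -> {s['scope']}"
        for s in exposed(parse_listeners(text))
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

Note that tcp and udp are separate sockets: in the sample, cupsd's tcp/631 is loopback-only while its udp/631 is still bound to 0.0.0.0, which is the situation Ralf's netstat line shows.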
Re: securing the system, stopping unnecessary services and closing open ports.
On Sat, Aug 27, 2011 at 5:05 PM, yudi v yudi@gmail.com wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp   open  smtp
> 111/tcp  open  rpcbind
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 631/tcp  open  ipp
> 901/tcp  open  samba-swat
> 2049/tcp open  nfs

Which nmap command did you use?

What happens when you do a 'Common Ports' scan with Shields Up ( https://www.grc.com/x/ne.dll?bh0bkyd2 )?

What kind of internet connection and modem do you have?
Re: securing the system, stopping unnecessary services and closing open ports.
Just to clarify my post. This is a new install and I was a bit careless while installing. It has no data on it. I was more concerned with LUKS+LVM working at install. I did not realize I selected to install SSH. I do not use Samba or NFS; not sure how those got installed. Again it might have been an oversight.

On my other system I have SSH set up with fail2ban, and only using pub keys. I was going to set up the same config on this system but got sidetracked.

I use postpaid mobile broadband and my IP is both the system address and the gateway. There is no NAT with postpaid service, it's only available with prepaid in Australia. Not sure why.

The only things I need are CUPS and SMTP for Zimbra. I will disable the rest. I guess I have to use update-rc.d.

There's a lot of info here I haven't heard about before. I will go through it and post back.

--
Kind regards,
Yudi
Re: securing the system, stopping unnecessary services and closing open ports.
On 28/08/11 11:39, yudi v wrote:
> Just to clarify my post. This is a new install and I was a bit careless while installing. It has no data on it. I was more concerned with LUKS+LVM working at install. I did not realize I selected to install SSH. I do not use Samba or NFS; not sure how those got installed.

With KDE by default you get libnfsidmap and nfs-common. Samba (server) is not installed by default - though something else may have pulled it in. On boxen that don't use them I just remove and purge nfs and samba (likewise ssh).

> Again it might have been an oversight.
>
> On my other system I have SSH set up with fail2ban, and only using pub keys. I was going to set up the same config on this system but got sidetracked.
>
> I use postpaid mobile broadband and my IP is both the system address and the gateway. There is no NAT with postpaid service, it's only available with prepaid in Australia. Not sure why.

Not sure what you mean there. I suspect you mean only postpaid allows a static IP address (for some accounts).
I use both prepaid and postpaid USB UMTS modems with different ISPs - they all use the same, weird, setup where the remote address is defaulted to (different dogs, same leg action) - perhaps that's the NAT you're referring to??

ie. Could not determine remote IP address: defaulting to 10.64.64.64 [*1]

eg. ppp0 inet address and p-t-p are different, and the IP I use for remote access is different again (the one shown in http://myip.dk)

> The only things I need are CUPS and SMTP for Zimbra. I will disable the rest. I guess I have to use update-rc.d.

You could just remove them, eg:-

# apt-get --purge remove libnfsidmap2 nfs-common samba

If you don't use samba at all (cifs-utils samba samba-common samba-common-bin smbfs) then change samba to samba*

I'd suggest using -s instead of --purge first - just in case samba was originally pulled in by another package which you want to keep.

> There's a lot of info here I haven't heard about before. I will go through it and post back.
>
> --
> Kind regards,
> Yudi

NOTE: just because a port is open doesn't necessarily mean it's accepting connections.

Cheers

[*1] PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED

--
You ever noticed how people who believe in Creationism look really unevolved? You ever noticed that? Eyes real close together, eyebrow ridges, big furry hands and feet. "I believe God created me in one day." Yeah, looks like He rushed it. — Bill Hicks

Archive: http://lists.debian.org/4e59b23a.8010...@gmail.com