OK, I'm starting to settle somewhat in my new Linux home. Now that I've got the important stuff like nice wallpapers for my desktop out of the way I started poking around in the log files. Some strange things lurk in there... For example I found I had /var/log/httpd/access_log, with quite a few entries like this:
  210.23.229.57 - - [30/Dec/2001:15:08:34 +1100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
  210.23.229.57 - - [30/Dec/2001:15:08:35 +1100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
  210.23.229.57 - - [30/Dec/2001:15:08:36 +1100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333
  210.23.229.57 - - [30/Dec/2001:15:08:37 +1100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
  210.23.229.57 - - [30/Dec/2001:15:08:38 +1100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
  ...

I don't know what any of this means, but I don't like it! cmd.exe? winnt? Who is 210.23.229.57 anyway, and why is he accessing my system, when I'm not even serving any web pages?

This is a desktop workstation and I didn't want to run a web server in the first place, but I guess doing my kitchen-sink install I ended up with Apache running... never mind, I turned it off now. But this shook me out of my complacency regarding security. I started to look at various things running by default and one by one I turned them off. Right now doing "nmap localhost" produces the following output:

  Port      State   Service
  22/tcp    open    ssh
  113/tcp   open    auth
  6000/tcp  open    X11

That's not too bad, is it? I still have a few questions though. I know I want sshd, but what about that service on port 113? What does it do? What about X11? I think I need this one :) But is there anything I can do to make it secure? For example, I never run remote sessions, so does it *have* to keep that port open?

I hope this pretty much closes the topic of ports and services. Now, are there any other areas I should look at to make my system as impenetrable from the outside as possible?

----------------------------------------------------------------
"Directed denial of service attacks. Computer security averted and disabled. Files deleted from hard drives. Is this the work of malicious hackers breaking into a computer system? No. This is what the RIAA envisions is fair play in their crusade to control the distribution of copyrighted material." - arstechnica.com
----------------------------------------------------------------

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
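An added example, not part of the original post or the SLUG thread: a small Python script that parses access_log lines of the shape shown above, repeatedly percent-decodes each request target, and flags directory-traversal and cmd.exe probes, summarised per client address. The log lines embedded in it are constructed (the addresses are placeholders), and treating the %c0%2f / %c1%1c byte sequences as path separators is a detection heuristic chosen here, not a statement about how Apache itself decodes them.

```python
"""Scan an Apache access_log for encoded directory-traversal probes.

Added example (not from the original post): flags requests that, after
repeated percent-decoding, contain '../' or '..\\' or reference cmd.exe,
and counts hits per client address so a defender can decide what to block.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "common" log format, the layout used by the post's access_log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Malformed byte sequences the probes in the post rely on. Mapping them to
# path separators is a detection heuristic (assumption), so a probe that
# avoids plain '%2f' or '%5c' still normalises to a visible '../' or '..\'.
MALFORMED_SEPARATORS = {"%c0%2f": "/", "%c0%af": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

TRAVERSAL = re.compile(r"\.\.[\\/]")
TOOL_MARKERS = ("cmd.exe", "/winnt/", "system32")

# Constructed sample log: three probe lines shaped like the post's, followed
# by ordinary traffic. Addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2001:15:08:34 +1100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 317
10.0.0.5 - - [30/Dec/2001:15:08:37 +1100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
10.0.0.5 - - [30/Dec/2001:15:08:38 +1100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
192.168.1.2 - - [30/Dec/2001:16:01:02 +1100] "GET /index.html HTTP/1.0" 200 1043
192.168.1.2 - - [30/Dec/2001:16:01:03 +1100] "GET /images/logo.png HTTP/1.0" 200 5120
"""


def normalize_target(target, max_rounds=3):
    """Decode until the string stops changing; return (decoded, rounds).

    rounds >= 2 means the request was double-encoded (e.g. %255c -> %5c -> \\).
    """
    current = target.lower()
    rounds = 0
    while rounds < max_rounds:
        step = current
        for encoded, sep in MALFORMED_SEPARATORS.items():
            step = step.replace(encoded, sep)
        step = unquote(step, errors="replace")
        if step == current:
            break
        current = step
        rounds += 1
    return current, rounds


def classify(target):
    """Return the list of reasons a request target looks like a probe."""
    decoded, rounds = normalize_target(target)
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if any(marker in decoded for marker in TOOL_MARKERS):
        reasons.append("shell-probe")
    if rounds >= 2:
        reasons.append("double-encoded")
    return reasons


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def scan_log(text):
    """Return one finding per suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry["target"])
        if reasons:
            findings.append({
                "host": entry["host"],
                "target": entry["target"],
                "status": entry["status"],
                "reasons": reasons,
            })
    return findings


def hosts_by_hits(findings):
    """Count suspicious requests per client address."""
    return Counter(finding["host"] for finding in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(finding["host"], finding["status"], ",".join(finding["reasons"]), finding["target"])
    print("hits per host:", dict(hosts_by_hits(results)))
```

Point it at a real file with `scan_log(open("/var/log/httpd/access_log").read())`. The 404 status on each hit records that the probe found nothing, as in the post, but the per-host count is still the useful output: a single address sending a burst of these within seconds is an automated scanner, and that count is what you would feed into a firewall rule or a report to the address's network contact.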
