First off, my apologies if this email is considered off-topic. The reason I am posting to this list about this subject is because I have received excellent help and support in the past from other debian users.
Just yesterday I noticed in one of my log files a number of connection attempts to my box (Debian 2.1 potato salad!) on different ports. I noticed this after they had all happened - I was offline when I noticed them. The reason I hadn't noticed them when they were happening was because I was in another workspace and was struggling to get XEmacs to compile from source. Here is the section of my /var/log/daemon.log file (I have wrapped some of the long lines myself):

(1)
    Sep 30 21:05:20 phoenix tcplogd: auth connection attempt from kralle.zdv.Uni-Mainz.DE [134.93.8.158]
    Sep 30 21:07:04 phoenix tcplogd: auth connection attempt from kralle.zdv.Uni-Mainz.DE [134.93.8.158]
(2)
    Oct 1 19:27:04 phoenix tcplogd: port 1016 connection attempt from [EMAIL PROTECTED] [139.134.94.157]
    Oct 1 19:27:09 phoenix last message repeated 3 times
(3)
    Oct 1 20:58:02 phoenix tcplogd: auth connection attempt from [24.220.0.13]
(4)
    Oct 2 20:59:12 phoenix tcplogd: auth connection attempt from pavlov.midco.net [24.220.0.13]
(5)
    Oct 2 21:01:19 phoenix portmap[6185]: connect from 209.20.7.247 to dump(): request from unauthorized host
    Oct 2 21:01:20 phoenix tcplogd: sunrpc connection attempt from [EMAIL PROTECTED] [209.20.7.247]
    Oct 2 21:01:20 phoenix tcplogd: auth connection attempt from 209-20-7-247.dialin.interlog.com [209.20.7.247]
    Oct 2 21:13:15 phoenix tcplogd: auth connection attempt from pavlov.midco.net [24.220.0.13]
(6)
    Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.30.227.164]
    Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.127.129.69]
    Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.127.129.69]
    Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.30.227.164]
    Oct 2 21:18:18 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.30.227.164]
    Oct 2 21:18:19 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.127.129.69]
    Oct 2 21:18:19 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.30.227.164]
    Oct 2 21:18:20 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.127.129.69]
    Oct 2 21:19:00 phoenix tcplogd: port 13223 connection attempt from [EMAIL PROTECTED] [209.94.148.97]
    Oct 2 21:19:02 phoenix last message repeated 3 times

(The above block of messages starting from (6) then gets repeated.)

(1) seems to be legitimate since I think I was downloading something from a website on that host. I don't know for sure, but I may be wrong about that.

(2) is definitely someone probing my system.

Not sure about (3), but that IP address looks kinda familiar.

Not sure about (4), but that hostname/domain sounds familiar, maybe a website that I was visiting at the time.

(5) and (6) are again port scan/probe attempts on my system.

Now, I have set up tcp_wrappers to be very restrictive:

/etc/hosts.allow:
    ALL: LOCAL

/etc/hosts.deny:
    ALL: ALL

Also, I have disabled most services in /etc/inetd.conf:

    #:INTERNAL: Internal services
    #echo           stream  tcp     nowait  root    internal
    #echo           dgram   udp     wait    root    internal
    #chargen        stream  tcp     nowait  root    internal
    #chargen        dgram   udp     wait    root    internal
    #<off># discard stream  tcp     nowait  root    internal
    #<off># discard dgram   udp     wait    root    internal
    #<off># daytime stream  tcp     nowait  root    internal
    #<off># daytime dgram   udp     wait    root    internal
    #<off># time    stream  tcp     nowait  root    internal
    #<off># time    dgram   udp     wait    root    internal

    #:STANDARD: These are standard services.
    #<off># ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
    #<off># telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd

    #:BSD: Shell, login, exec and talk are BSD protocols.
    #<off># talk    dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  /usr/sbin/in.talkd
    #<off># ntalk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  /usr/sbin/in.ntalkd
    #<off># shell   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
    #<off># login   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
    #<off># exec    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rexecd

    #:MAIL: Mail, news and uucp services.

    #:INFO: Info services
    #<off># finger  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/cfingerd
    ## finger       stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
    #<off># ident   stream  tcp     nowait  nobody  /usr/sbin/identd        identd -i

    #:BOOT: Tftp service is provided primarily for booting.  Most sites
    #       run this only on machines acting as "boot servers."
    #tftp           dgram   udp     wait    nobody  /usr/sbin/tcpd  /usr/sbin/in.tftpd /boot
    #bootps         dgram   udp     wait    root    /usr/sbin/bootpd        bootpd -i -t 120

    #:RPC: RPC based services
    #mountd/1       dgram   rpc/udp wait    root    /usr/sbin/tcpd  /usr/sbin/rpc.mountd
    #rstatd/1-3     dgram   rpc/udp wait    root    /usr/sbin/tcpd  /usr/sbin/rpc.rstatd
    #rusersd/2-3    dgram   rpc/udp wait    root    /usr/sbin/tcpd  /usr/sbin/rpc.rusersd
    #walld/1        dgram   rpc/udp wait    root    /usr/sbin/tcpd  /usr/sbin/rpc.rwalld

    #:HAM-RADIO: amateur-radio services

    #:OTHER: Other services
    #<off># saft    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sendfiled
    #<off># socks   stream  tcp     nowait  root    /usr/sbin/sockd sockd -I

However, when I ran nmap on my system, it showed that the following ports were still open:

    @phoenix:[/home/ssahmed] nmap localhost

    Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
    Interesting ports on phoenix (127.0.0.1):
    Port    State       Protocol  Service
    111     open        tcp       sunrpc
    1024    open        tcp       unknown
    6000    open        tcp       X11
    7100    open        tcp       font-service

    Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

Now for my questions (finally!):

(1) How is the attacker (I don't want to say hacker or cracker because that always seems to start a debate on the correct usage and meaning of the two terms!!) able to determine my IP address? I am accessing the internet by a dialup PPP connection to my ISP.

(2) What do I need the sunrpc service for? If I disable it, what do I lose?

(3) What service is running on port 1024? I grepped /etc/services and there was no such port 1024 listed in there.

(4) Are there any vulnerabilities with running the X11 service open on port 6000? What is this service and should I close it?

(5) The X font server seems to be running on port 7100 even though I am not currently using TT fonts. How can I disable this for now? If I decide to install TT fonts on my system, how do I secure the XFS which will be needed?

(6) I'd like to be able to respond to a port scan attempt in real-time, and possibly stop it altogether. What programs are available in Debian to do this? Can anyone recommend other strategies/tips on how to respond to a port scan attempt in real-time? What I would like to happen is this:

- log the intrusion/probe attempt to some special log file, including as much information about the person as possible.
- log what the person was able to find out about my system and how far they got.
- email a warning note to that person with all the information that I was able to find out about them, and possibly CC: it to some other address as well.

Also, if there is anything else that should be commented/disabled in /etc/inetd.conf, I'd be glad to hear about it.

Thanks for reading the email (if you made it this far!). I definitely intend to take the security of my system more seriously from now on. I'd appreciate any comments/suggestions/advice on this matter. Thanks.

PS: If anyone wishes to, we can take this discussion to private email.

-- 
Salman Ahmed
ssahmed AT interlog DOT com
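As an added example (my own code, not from the original post, tcplogd or Debian), here is a small Python script that does the bookkeeping the poster did by hand for blocks (1) to (6): it parses tcplogd and portmap lines of the kind quoted above from daemon.log, folds syslog's "last message repeated N times" lines into the preceding event (and only that event, so a repeat of an unrelated pppd line is not credited to a remote host), and summarises attempts per source address. Sources that only ever touched the auth port are kept apart from the rest, since an auth (ident, RFC 1413) lookup is what a server you have just connected to does, which matches the poster's reading of block (1). The sample log is constructed, modelled on the post's lines with the archive-masked user@host fields replaced by placeholder names; the Source class, summarize() and report() are my own names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the tcplogd/portmap lines quoted in the post.
# The "user@host" fields are placeholders; the pppd line and the repeat after it
# are there to show that a repeat is only credited to a real tcplogd/portmap event.
SAMPLE_LOG = """\
Sep 30 21:05:20 phoenix tcplogd: auth connection attempt from kralle.zdv.Uni-Mainz.DE [134.93.8.158]
Oct  1 19:27:04 phoenix tcplogd: port 1016 connection attempt from nobody@dialup.example.net [139.134.94.157]
Oct  1 19:27:09 phoenix last message repeated 3 times
Oct  1 20:58:02 phoenix tcplogd: auth connection attempt from [24.220.0.13]
Oct  2 21:00:00 phoenix pppd[611]: local  IP address 192.0.2.10
Oct  2 21:00:01 phoenix last message repeated 2 times
Oct  2 21:01:19 phoenix portmap[6185]: connect from 209.20.7.247 to dump(): request from unauthorized host
Oct  2 21:01:20 phoenix tcplogd: sunrpc connection attempt from nobody@209-20-7-247.dialin.example.com [209.20.7.247]
Oct  2 21:01:20 phoenix tcplogd: auth connection attempt from 209-20-7-247.dialin.example.com [209.20.7.247]
Oct  2 21:18:17 phoenix tcplogd: port 13223 connection attempt from nobody@host.example.org [209.30.227.164]
Oct  2 21:18:19 phoenix tcplogd: port 13223 connection attempt from nobody@host.example.org [209.30.227.164]
"""

# syslog prefix: "Mon dd hh:mm:ss host rest-of-message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# tcplogd names the service when it knows it ("auth", "sunrpc"), else "port N";
# the optional name field may contain anything, so the IP is anchored at the end.
TCPLOGD_RE = re.compile(
    r"^tcplogd: (?:port (?P<port>\d+)|(?P<svc>\S+)) connection attempt from "
    r"(?:(?P<name>.*?) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$")
PORTMAP_RE = re.compile(
    r"^portmap\[\d+\]: connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proc>\w+)\(\): request from unauthorized host$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


@dataclass
class Source:
    ip: str
    names: set = field(default_factory=set)   # reverse DNS / user@host strings seen
    hits: dict = field(default_factory=dict)  # "auth", "port 1016", "portmap:dump" -> count
    first: str = ""
    last: str = ""

    def record(self, target, name, ts, n=1):
        self.hits[target] = self.hits.get(target, 0) + n
        if name:
            self.names.add(name)
        self.first = self.first or ts
        self.last = ts

    @property
    def attempts(self):
        return sum(self.hits.values())

    def is_probe(self):
        # auth alone is consistent with an ident lookup from a server we connected to;
        # anything beyond that was not solicited by us
        return any(t != "auth" for t in self.hits)


def parse_event(rest):
    """Return (ip, target, name) for a tcplogd/portmap message, else None."""
    t = TCPLOGD_RE.match(rest)
    if t:
        target = "port %s" % t.group("port") if t.group("port") else t.group("svc")
        return t.group("ip"), target, t.group("name")
    p = PORTMAP_RE.match(rest)
    if p:
        return p.group("ip"), "portmap:" + p.group("proc"), None
    return None


def summarize(text):
    """Aggregate attempts per source IP, honouring 'last message repeated N times'."""
    sources = {}
    prev = None  # event behind the most recent line, so a repeat can be credited to it
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, rest = m.group("ts"), m.group("rest")
        rep = REPEAT_RE.match(rest)
        if rep:
            if prev:
                ip, target, name = prev
                sources[ip].record(target, name, ts, int(rep.group("n")))
            continue
        ev = parse_event(rest)
        if ev is None:
            prev = None  # some other daemon spoke; a following repeat is not ours
            continue
        ip, target, name = ev
        sources.setdefault(ip, Source(ip)).record(target, name, ts)
        prev = ev
    return sources


def report(sources):
    """One summary line per source, probes first in the flag column."""
    lines = []
    for s in sources.values():
        kind = "PROBE" if s.is_probe() else "auth-only"
        lines.append("%-9s %-16s %3d attempts  %s .. %s  %s" % (
            kind, s.ip, s.attempts, s.first, s.last, ", ".join(sorted(s.hits))))
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against a real daemon.log with `summarize(open("/var/log/daemon.log").read())`; the auth-only/PROBE split is a first cut for reading the log, not a verdict, which is why the hostnames and timestamps are carried along for you to judge a source the way the poster did with (3) and (4).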