On Sun, 28 Aug 2011 01:05:47 +1000 yudi v <yudi....@gmail.com> wrote:
> Nmap suggests the following ports are open:
>
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs
>
> I run a desktop email client that uses smtp; apart from that I do not
> know why the rest of the above services are open.

An email *client* needs no ports open, assuming the firewall is a stateful one, as pretty well all are. Nothing connects to it; it connects to other servers as needed.

139, 445 and 901 suggest you are running samba, which is not normally necessary on a desktop machine, unless you are making network shares available from it. If that's not what you intend, remove or disable samba. If you need to connect to Windows shares on the same subnet, install smbclient. If you use shares between subnets, you may need the full samba for its nmbd component, which can use WINS servers or even be one.

ipp is CUPS, the network printing server, and you know whether you need that.

rpcbind is needed with nfs. I wouldn't have thought you'd need that, as it's the *nix network filing system, and you wouldn't be using that by accident.

> it even had SSH listening on 22, changed the port # and also changed
> PermitRootLogin to no in /etc/ssh/sshd_config after looking at the
> following output:
> also installed gufw and set it to deny as default.
>
> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> how can I find out if this system has been compromised?

You can try chkrootkit and rkhunter, but the latter at least works better if it has scanned the system in a known clean state. Neither are automatic: you either run them manually or use a cron job. Booting from a live CD will allow you to compare ps and other normally-compromised binaries with the correct hashes as shown by whatever repository you use. The bottom line is that you cannot be completely sure, but if ps hasn't been touched you are probably OK.

> what are the steps I need to take to secure it?

As you say, deny root logins, but I would strongly recommend dropping passwords altogether and using keys. If you connect from Windows, you will already know about PuTTY, which generates its own keypairs and (currently I believe) can't use *nix-generated keys.

The change of port number is often denigrated as 'security by obscurity', but then what else is a digital certificate? If running ssh on an obscure port prevents pretty much all automated password brute-forcing (and it does) then you're better off than many other people have been.

What Internet connection do you have, and what is forwarded? If you are only forwarding ssh from a stateful packet filtering NAT router, then you already have quite a lot of protection to other services, but I'd still use at least a second line of filtering, as you have now done. The gufw application and several other 'firewalls' are front ends to iptables/netfilter, the actual packet filter.

Use netstat to check what services you have listening, and on which interfaces. Most services can be configured to listen only to some interfaces, and many only need to use localhost, so they can be closed off from outside access. The open ports you need depend on what local networking you do.

There's more, of course, but it's a lifetime study. Others will no doubt offer more suggestions.
-- 
Joe

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110827171616.293b2...@jretrading.com
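The grep over auth.log in the thread, taken one step further as an added example (not from the thread, Debian, or the mailing list): a small Python script that parses sshd lines like the ones quoted above, counts failed passwords per source address, and separates sources that tried root, sources that tried accounts that do not exist on the box, and the reverse-DNS "POSSIBLE BREAK-IN ATTEMPT" warnings. The sample log text is constructed, modelled on the quoted auth.log output; on a real system you would feed it the contents of /var/log/auth.log*.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the auth.log output quoted in the thread.
SAMPLE_AUTH_LOG = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 15 22:13:15 computer sshd[5131]: Failed password for invalid user oracle from 190.24.225.223 port 22801 ssh2
Aug 16 08:01:02 computer sshd[6002]: Accepted publickey for user from 192.168.1.20 port 50122 ssh2
"""

# "Failed password for [invalid user ]<name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# sshd's reverse-DNS mismatch warning; the address is inside the brackets
RDNS_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+\[(?P<ip>[\d.]+)\] failed"
)


def summarize(log_text, threshold=2):
    """Aggregate sshd failures by source address; `threshold` failures or
    more from one address marks it as a likely automated guesser."""
    failures = Counter()
    root_src, invalid_src, rdns_src = set(), set(), set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            if m["user"] == "root":          # root was tried directly
                root_src.add(m["ip"])
            if m["invalid"]:                 # account does not exist here
                invalid_src.add(m["ip"])
            continue
        m = RDNS_RE.search(line)
        if m:                                # the POSSIBLE BREAK-IN ATTEMPT line
            rdns_src.add(m["ip"])
    return {
        "failures": dict(failures),
        "noisy": {ip for ip, n in failures.items() if n >= threshold},
        "root_sources": root_src,
        "invalid_sources": invalid_src,
        "rdns_mismatch": rdns_src,
    }
```

A source that shows up in both "noisy" and "invalid_sources" is the usual signature of automated guessing against a list of common account names, which is exactly what key-only logins make harmless.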