Re: Re: How do I disable (close) ports?

2001-12-05 Thread Vegard Engen

On Wed, Dec 05, 2001 at 01:24:54PM +0100, J. Paul Bruns-Bielkowicz wrote:
> - Original Message -
> From: Rolf Kutz [EMAIL PROTECTED]
> > Commenting out things in /etc/services doesn't
> > disable anything.
>
> It seems to. The above ports were closed just by commenting them out of
> /etc/services and then rebooting.

This is *purely* by coincidence, because the startup-scripts do indeed use
the NAME for the startup, and not the port. It's quite possible that some
package upgrade will change this, and suddenly the services will start.

Trust us, this is *not* the way to disable services.

Did you even read all things said in this thread? I gave a rather lengthy
description in an earlier mail, and there have also been numerous good replies,
most of them telling you that editing /etc/services is not the correct way
to disable services. It might work, yes, but system changes may change that
later, and you'll have to use the *correct* way then. Just use the correct
way in the FIRST place, i.e. removing the startup scripts from the
correct /etc/rc?.d/-catalog, as I described, and commenting out from
/etc/inetd.conf.

You're not going to become a good Linux-administrator before you realize
that you should UNDERSTAND what you do instead of just guessing and be
happy because it worked.
-- 
- Vegard Engen, member of the first RFC1149 implementation team.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Re: How do I disable (close) ports?

2001-12-05 Thread Vegard Engen

On Wed, Dec 05, 2001 at 02:04:32PM +0100, J. Paul Bruns-Bielkowicz wrote:
> > You're not going to become a good Linux-administrator before you realize
> > that you should UNDERSTAND what you do instead of just guessing and be
> > happy because it worked.
>
> Becoming a good administrator is making it work and keeping it working. It
> seems there is an official way of closing the ports and an unofficial
> (wrong?) way of doing it. Understanding is gained, among others through
> experience, and this is quite an experience judging by the quantity of replies

Yes, you are right, sorry about my rather harsh reply. Just that I've been
in the game some time, seeing too many people who refuse to learn, who
want a simple way spoonfed to them, and who refuse to even look at
documentation even when pointed at specific documents. Sometimes, you
jump to the wrong conclusions too early.

But listen to what has been said, restore the original /etc/services file,
and disable it the correct way instead. As has been pointed out, none of
the things you have done are guaranteed to work after your next package
update of Debian.
-- 
- Vegard Engen, member of the first RFC1149 implementation team.



Re: Netscape running as root

2001-12-05 Thread Vegard Engen
On Tue, Dec 04, 2001 at 11:56:19PM -0600, Jor-el wrote:
> Hi,
>
> Why is running Netscape as root considered to be a security
> problem? I just tried installing vmware on my system and it needs root to
> install, and it searched for Netscape. The installer, fortunately, was an
> intelligent one and proceeded with the install after I cancelled its
> search for Netscape (it said the install help wouldn't be available without
> Netscape).

Well, it's stupid to surf as root, because there *might* be some uncovered
security holes in Netscape, and if you surf as root, any malicious thing a
web-page abusing such a hole does has the potential to do damage to the
whole machine, not only to the user running it. In addition, you might reveal
that a probable unix-machine is running at such and such IP, and that there is
a root-user there. However, security by obscurity never was that effective,
so this is not that large a problem.

Running netscape as root to view some local html pages is not that much of
a security risk, but it depends whether or not you trust the source of the
web-pages.

> If it is something really stupid to run Netscape as root, I'd like
> to point out to VMWare that their requirement to have Netscape for the
> install is bad.

Depends how they did it. If it was to render local web-pages, it can be
forgiven.

-- 
- Vegard Engen, member of the first RFC1149 implementation team.




Re: How do I disable (close) ports?

2001-12-04 Thread Vegard Engen

On Tue, Dec 04, 2001 at 09:18:09PM +0100, J. Paul Bruns-Bielkowicz wrote:
> Hi,
> I disabled all but a few ports in /etc/services, but I have
> tcp        0      0 pa237.olsztyn.sdi.t:111 80.116.215.37:1064      ESTABLISHED


Well, you're not actually DISABLING anything in /etc/services. That file is
just a list of known port-numbers. However, some services will be configured
to use the names instead of the port-numbers when deciding which port to
use. As they can't find it in /etc/services, they can't start. But it's the
wrong way to do it.

> when I netstat my machine. What exactly does this mean? I just want
> 25/tcp     open        smtp
> 37/tcp     open        time
> 66/tcp     open        sql*net
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 443/tcp    open        https
> 3306/tcp   open        mysql
> open. How can I close ports 111 and 859? They are not enabled in
> /etc/services
> Thanks,
> J. Paul Bruns-Bielkowicz
> http://www.america.prv.pl

Look in /etc/inetd.conf. It's there that you have to close a bunch of
services. inetd is sort of a super-daemon that listens on a lot of ports
and starts a program that gets the connection after it's established.

Then, look in /etc/inittab. There, you will have a line that looks like this:

id:2:initdefault:

This line says what RUNLEVEL your machine will start in. If your machine
has a 2 there, go to /etc/rc2.d and list the catalog. The process init,
which is the mother of ALL other processes, will use the symbolic links
there to say which services to start and which to stop in that runlevel.

Take note: Not everything there *is* a service; some things are programs that
should be run at boot time, and some are simply local daemons. syslog, for
example, you do not want to stop.

The symbolic links that start with an S will be run with a start argument,
those with a K will be run with a stop argument. Thus, to keep a service
from starting in that runlevel, remove the S-script from the catalog. You
only remove the symbolic link; the real script lies in /etc/init.d - thus
if you want to add it again, just reinstate the symbolic link. Just note
the way the files are made up. Another, less drastic way to remove services
is to just mv the files, that is rename them. It's enough to change S to s
and K to k, then it will not be run.

But as I said, you should not just go ahead and remove things there without
knowing what they are. They could even be vital for the functionality of
the machine. So, just look at the scripts and try to understand what service
they start. And if they start no service, leave it there if unsure.

What I'm trying to say, is that some learning and understanding is definitely
needed here. Study the files I've mentioned, and if you learn it, you will
have learnt something extremely important.

-- 
- Vegard Engen, member of the first RFC1149 implementation team.
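
A way to carry out the audit described in the message above, as an added example that is not part of the thread: it reads the default runlevel from an inittab, lists the S* links of that rc directory and the uncommented inetd.conf entries, and applies the S-to-s rename. It assumes a POSIX sh with awk, readlink and mktemp, and runs against a small constructed tree rather than the real /etc.

```shell
# Added example, not from the thread: audit which services a Debian box of
# this era will start, using the files Vegard names (default runlevel in
# /etc/inittab, S* symlinks in /etc/rc<N>.d, uncommented /etc/inetd.conf
# lines). Paths are parameters so it can run on a constructed tree instead.

# Default runlevel: the "id:N:initdefault:" line of an inittab.
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2; exit }' "$1"
}

# Services that get "start" in a runlevel directory: the S* links, printed as
# "<name> -> <target>" with the SNN prefix stripped; K* links are not listed.
rc_started_services() {
    for link in "$1"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        printf '%s -> %s\n' "$(basename "$link" | cut -c4-)" "$(readlink "$link")"
    done
}

# What inetd will listen for: the first field of every non-comment line.
inetd_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# The "less drastic" disable from the thread: rename SNNname to sNNname, so
# init skips it but the link is still there to reinstate later.
rc_disable_service() {    # $1 = rc directory, $2 = service name
    for link in "$1"/S[0-9][0-9]"$2"; do
        [ -L "$link" ] || continue
        mv "$link" "$1/s$(basename "$link" | cut -c2-)"
    done
}

# Constructed sample tree standing in for /etc (service names illustrative).
ETC=$(mktemp -d); trap 'rm -rf "$ETC"' EXIT
mkdir -p "$ETC/init.d" "$ETC/rc2.d"
printf 'id:2:initdefault:\n' > "$ETC/inittab"
for s in sysklogd exim; do printf '#!/bin/sh\n' > "$ETC/init.d/$s"; done
ln -s ../init.d/sysklogd "$ETC/rc2.d/S10sysklogd"
ln -s ../init.d/exim     "$ETC/rc2.d/S20exim"
cat > "$ETC/inetd.conf" <<'EOF'
#<service> <socket> <proto> <flags> <user> <server> <args>
#time   stream  tcp nowait  root    internal
pop-3   stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
EOF

RL=$(default_runlevel "$ETC/inittab")
echo "runlevel $RL starts:"; rc_started_services "$ETC/rc$RL.d"
echo "inetd listens for:";   inetd_enabled_services "$ETC/inetd.conf"
```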




Re: strange AIDE reports

2001-09-24 Thread Vegard Engen

On Mon, Sep 24, 2001 at 02:02:49PM +0300, Juha Jäykkä wrote:
> I keep receiving strange reports from AIDE. The number of changed
> files increases monotonically daily and the affair started immediately
> after installation, so I doubt there has been a break-in - unless
> someone managed to spoof my DNS queries or hijack my connections to
> ftp.fi.debian.org. Aside from the understandable (are they, really?)
> changes in Ctimes of /dev/xconsole and /dev/tty*, I get the following
> (for example):
> File: /usr/bin/splay
> MD5: old = nuNALnPFG98QSxxAeJ2rZw== , new = hBi7I+KhEOWW5mfSciXJlg==
> SHA1: old = 3lpox5dX50hvj3p6z0nyZ/cshFg= , new = mFPQd21+i8fF2LQJVZLitJZFx2U=
>
> File: /usr/lib/Amaya/applis/bin/amaya
> MD5: old = IQwcW65xdJIoC3/pAh6P8A== , new = 2HG/njXLRrF1GTp7Rd3EVw==
>
> The software versions are (all are unstable/i386):

[snip] rest.

> Any ideas except a break-in?

Well - you say you're using unstable. Are you updating your system? There are
a lot of changes in unstable. After a package replacement, binary files will
of course have changed.
-- 
- Vegard Engen, member of the first RFC1149 implementation team.
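
A check that settles the question raised above, as an added example that is not part of the thread: a file AIDE reports as changed is compared against the md5sums dpkg records for every installed package under /var/lib/dpkg/info/<pkg>.md5sums, so a change that simply matches the newly installed package is told apart from one no package accounts for. It assumes a POSIX sh with md5sum and awk; the root and info directory are parameters, and the run below uses a constructed tree, not the live system.

```shell
# Added example, not from the thread: tell a benign package upgrade apart from
# a modified binary by checking a file AIDE flagged against the md5sums dpkg
# keeps for each installed package in /var/lib/dpkg/info/<pkg>.md5sums.
# <root> and <info dir> are parameters so the check runs on a constructed tree.

# Usage: dpkg_md5_verify <root> <dpkg info dir> </absolute/path>
# Prints "ok <pkg>", "MISMATCH <pkg>", "unowned" (no package ships it) or "missing".
dpkg_md5_verify() {
    root=$1; info=$2; path=${3#/}        # md5sums entries carry no leading slash
    [ -f "$root/$path" ] || { echo "missing"; return 0; }
    actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
    for f in "$info"/*.md5sums; do
        [ -f "$f" ] || continue
        # each line is "<md5hex>  <path>"; pick the hash recorded for our path
        expected=$(awk -v p="$path" '$2 == p { print $1; exit }' "$f")
        [ -n "$expected" ] || continue
        pkg=$(basename "$f" .md5sums)
        [ "$expected" = "$actual" ] && echo "ok $pkg" || echo "MISMATCH $pkg"
        return 0
    done
    echo "unowned"
}

# Constructed sample: a fake root with the two paths from the report plus a
# stray file, and dpkg md5sums for the first two (splay matches, amaya does not).
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
INFO=$ROOT/var/lib/dpkg/info
mkdir -p "$ROOT/usr/bin" "$ROOT/usr/lib/Amaya/applis/bin" "$INFO"
printf 'splay, as shipped by the package\n' > "$ROOT/usr/bin/splay"
echo "$(md5sum < "$ROOT/usr/bin/splay" | cut -d' ' -f1)  usr/bin/splay" > "$INFO/splay.md5sums"
printf 'amaya, changed after install\n' > "$ROOT/usr/lib/Amaya/applis/bin/amaya"
echo "00000000000000000000000000000000  usr/lib/Amaya/applis/bin/amaya" > "$INFO/amaya.md5sums"
printf 'no package owns this\n' > "$ROOT/usr/bin/stray"

for p in /usr/bin/splay /usr/lib/Amaya/applis/bin/amaya /usr/bin/stray; do
    echo "$p: $(dpkg_md5_verify "$ROOT" "$INFO" "$p")"
done
```

A file that matches its package after an apt upgrade is the case Vegard describes; a mismatch or an unowned file in a system directory is what still needs explaining.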

