Re: System security question

2001-01-06 Thread Viktor Rosenfeld
"Marco C ." wrote:

> and I have another question: my netstat revealed these strange ports:
> tcp        0      0 *:6000                  *:*                     LISTEN

This is the X server, if I am not mistaken.  IMHO nothing to worry
about.

> tcp        0      0 *:1024                  *:*                     LISTEN

Dunno, what that is though.


Kind regards, Viktor
-- 
Viktor Rosenfeld
WWW: http://www.informatik.hu-berlin.de/~rosenfel/
Geek Code (3.1):
  GCS/SS d-@ s+: a20 C++ UL++$ P+ L+++ E--- W++ N++ o? K? !W O? M? V?
  PS++@ PE+(-) Y+ P?(+++) t+ 5+ X R? !tv b+ DI+ D- G e>+++ h- r- !x+



Re: System security question

2001-01-05 Thread Marco C .
On 5 January 2001 (Friday), at 13:08, Nathan E Norman wrote:

> have a printer then don't run lpd.  If you have a printer but only
> print locally, I think you can unbind the tcp port but I'd have to
 ^^^

what does it mean? how can I do this?
and I have another question: my netstat revealed these strange ports:
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:1024                  *:*                     LISTEN

can anyone help me?
hi, marco

-- 
-BEGIN GEEK CODE BLOCK-
Version: 3.12
G!/MU d-(--) s:- a-- C++@ UL>++ P>+ L++> E@ 
W+>++ N- o? K- w-- O--@ M->+ V- PS+ PE-@ Y PGP- t-- 
5? X-- R-(*) tv+>++ b+ DI+@ D- G>++ e++ h-- r% y--@ 
--END GEEK CODE BLOCK--



Re: System security question

2001-01-05 Thread Ray Percival
If you are printing locally I would suggest pdq and xpdq. Read about them on
www.linuxprinting.org. You can apt-get them from unstable and I think testing.
If you just make a symlink called lpd pointing to pdq a lot of things work very
well.

-- Original Message --
From: Nathan E Norman <[EMAIL PROTECTED]>
Date: Fri, 5 Jan 2001 13:08:05 -0600

>On Sat, Jan 06, 2001 at 02:15:53AM +1100, Martin Bishop wrote:
>> Netstat shows the following services on my home machine:
>> 
>> Active Internet connections (servers and established)
>> *:printer
>
>This is lpd.  You only need this if your machine has a printer
>attached to it AND accepts print jobs from other PCs.  If you don't
>have a printer then don't run lpd.  If you have a printer but only
>print locally, I think you can unbind the tcp port but I'd have to
>look it up.  I really hate lpd; I think it's the worst part of
>unix-like systems.
>
>> *:dict
>
>This is a dictionary server ... not sure why you're running this :)
>
>> *:sunrpc
>
>You only need this if you're running NFS or NIS (or some other RPC
>service).  Chances are you're not, so remove the start links for
>portmap.
>
>> *:auth
>
>This is the ident (RFC1412) protocol ... it's stupid but lots of
>servers want to connect here before they let you use the service.
>I recommend oidentd.
>
>> *:smtp
>
>Unless you _receive_ mail from the network, you don't need to bind to
>the smtp port.  For sending mail you simply need to run through the
>queue periodically.  Exim used to have a default setup where reception
>was controlled by inetd and sending was a cronjob.  I'm sure this is
>still documented somewhere (in other words, you don't run exim as a
>daemon, you fire off a queue runner every 10 minutes ...)
>
>HTH,
>
>-- 
>Nathan Norman - Staff Engineer | A good plan today is better
>Micromuse Inc. | than a perfect plan tomorrow.
>mailto:[EMAIL PROTECTED]   |   -- Patton
>
>



Re: System security question

2001-01-05 Thread Nathan E Norman
On Sat, Jan 06, 2001 at 02:15:53AM +1100, Martin Bishop wrote:
> Netstat shows the following services on my home machine:
> 
> Active Internet connections (servers and established)
> *:printer

This is lpd.  You only need this if your machine has a printer
attached to it AND accepts print jobs from other PCs.  If you don't
have a printer then don't run lpd.  If you have a printer but only
print locally, I think you can unbind the tcp port but I'd have to
look it up.  I really hate lpd; I think it's the worst part of
unix-like systems.

> *:dict

This is a dictionary server ... not sure why you're running this :)

> *:sunrpc

You only need this if you're running NFS or NIS (or some other RPC
service).  Chances are you're not, so remove the start links for
portmap.

> *:auth

This is the ident (RFC1412) protocol ... it's stupid but lots of
servers want to connect here before they let you use the service.
I recommend oidentd.

> *:smtp

Unless you _receive_ mail from the network, you don't need to bind to
the smtp port.  For sending mail you simply need to run through the
queue periodically.  Exim used to have a default setup where reception
was controlled by inetd and sending was a cronjob.  I'm sure this is
still documented somewhere (in other words, you don't run exim as a
daemon, you fire off a queue runner every 10 minutes ...)

HTH,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
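
Added example, not part of any message in this thread: a small Python audit of `netstat -l` style output. A local address of `*` means the socket is bound to every interface, and the script attaches what the replies here say about each service; the sample text is constructed from the thread's listings, the `localhost:smtp` line is added for contrast, and `THREAD_NOTES`, `scope_of` and `audit` are names chosen for this example.

```python
# Constructed sample: listeners quoted in this thread, re-spaced into netstat's
# columns, plus one loopback-only line added for contrast.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:1024                  *:*                     LISTEN
"""

# What the replies in this thread say about each listener (assumed mapping).
THREAD_NOTES = {
    "printer": "lpd: only needed to accept print jobs from other hosts",
    "dict": "dictionary server",
    "sunrpc": "portmap: only needed for NFS, NIS or other RPC services",
    "auth": "ident",
    "smtp": "only needed to receive mail from the network",
    "6000": "X server",
}
UNKNOWN = "unidentified: find the owning process"
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}


def scope_of(host):
    """Map a netstat local address to who can reach the socket."""
    if host in WILDCARD:
        return "all interfaces"
    if host in ("localhost", "::1", "[::1]") or host.startswith("127."):
        return "loopback only"
    return "single address"


def audit(netstat_text):
    """Return one dict per TCP LISTEN line of `netstat -l` style output."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header, non-TCP, or not a listening socket
        host, _, port = f[3].rpartition(":")
        rows.append({"port": port, "scope": scope_of(host),
                     "note": THREAD_NOTES.get(port, UNKNOWN)})
    return rows


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r['port']:<8} {r['scope']:<15} {r['note']}")
```

On a live system, pass it the output of `netstat -lt`; running `netstat -ltp` as root adds the owning PID and program name, which settles entries such as port 1024.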




Re: System security question

2001-01-05 Thread Michael Smith
I don't like sunrpc hanging out at all exposed to the world.  I get probed
regularly on it.  Block it out with /etc/hosts.deny the following way:
PORTMAP : ALL

I usually install ipchains on my box and then block out the ports I don't want
exposed with:
ipchains -F   # remove all the rules; the default is a lot of things that allow you
              # to still operate the box from afar
ipchains -A input -p TCP -s 0.0.0.0/0 -d 0.0.0.0/0 $portnumber -j REJECT
# portnumber for sunrpc is 111, printer is 515.  Use nmap to see what ports are
# open.

Unfortunately, most security is just knowing what stuff does, so there's no
substitute for being a good sysad.  Look around.  I usually check something I
don't know what it is with a web search for "exploit linux processname" to see
what's been reported on it.

Martin Bishop wrote:

> Hi,
>
> Netstat shows the following services on my home machine:
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 *:printer               *:*                     LISTEN
> tcp        0      0 *:dict                  *:*                     LISTEN
> tcp        0      0 *:sunrpc                *:*                     LISTEN
> tcp        0      0 *:auth                  *:*                     LISTEN
> tcp        0      0 *:smtp                  *:*                     LISTEN

--
Organizing Linux users is like herding cats,
only harder.





Re: System security question

2001-01-05 Thread David B . Harris
To quote Martin Bishop <[EMAIL PROTECTED]>,
# Netstat shows the following services on my home machine:

# Is it safe to leave it as it is? I've closed off all services in
# inetd.conf and I'm using Firestarter as my firewall. I'm a little
# paranoid that my system is listening for connections. But I don't
# know enough to tell if these are internal services or if these 
# services are listening to outside connections.
# 
# What do you guys advise?

Well, Linux is a very network-oriented operating system, so you'll
always have things listening for connections. Those particular ones look
fairly normal.

HOWEVER, you should do a couple of things:

1) Read up on hosts.allow and hosts.deny, and then edit them in /etc.
Make sure you make them secure.
2) Use a real firewall (not that Firestarter isn't nice, I use it myself
to display firewall logs), such as "rc.firewall" (recently renamed to
"rcf"), which you can find on Freshmeat. Read all the instructions very
carefully, and set it up.

If you have a nearly impenetrable firewall, you don't really need to
worry so much about what's listening for connections on your machine. Of
course, always worry, but you won't need to fret over it so much.

Dave



System security question

2001-01-05 Thread Martin Bishop
Hi,

Netstat shows the following services on my home machine:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:dict                  *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN

Is it safe to leave it as it is? I've closed off all services in
inetd.conf and I'm using Firestarter as my firewall. I'm a little
paranoid that my system is listening for connections. But I don't
know enough to tell if these are internal services or if these 
services are listening to outside connections.

What do you guys advise?

M.