Re: [expert] thanks for the check port cmdln

2000-09-15 Thread Richard Donkin

Matthew Micene wrote:
> 
> On Mon, 11 Sep 2000, you wrote:
> 
> > the XFS port listed in the pmfirewall.conf file
> >
> 
> I am still trying to track down the actual UDP port it listens on but as
> far as I can tell, netstat -nlp shows port 1029 open but doesn't list
> which process has it open.  lsof doesn't show xfs using UDP, but both show
> the unix socket in use by xfs.  The xfs man pages talk about TCP port
> assignment and I can't find the source for the -udpPort 0 workaround I am
> playing with.  That all said :) when xfs is started with -udpPort 0, udp
> port 1029 stops listening. *shrug*

The default XFS setup on mandrake is 'unix/:-1' which means it uses unix
domain sockets rather than TCP/UDP sockets.  So there's no chance of
someone not on the machine talking to xfs.  If it has been changed on
your machine, the XF86Config file is one place to look for the current
setting.

> 
> 
> > yesterday, and added to it all the ports for known trojans (linux, windows
> > and otherwise), one by freakin' one of them, and now have a list of ipchains
> > rules a mile and a half long!
> 
> Nah, paranoid is having a listing that denies all traffic from the IANA
> reserved blocks properly listed and/or bitmasked so no one can use the
> reserved addresses (and not just the RFC 1918 ones either :) to spoof
> packets at my firewalls :)  as well as the known trojan port list, a black
> hole list for known bad addresses *grin*

The simplest setting is to deny everything, then only permit things that
you want to use.  As for denying RFC1918 addresses (10.x/8, 172.16.x/12
and 192.168.x/16), there is little point to doing this - no ISP carries
routes for these addresses, so any return packets from such addresses
will be lost.  I think the only point of doing this would be to guard
against blind attacks where the return packets are not necessary to the
attack, but it's unlikely these would come from such addresses so it's
better to guard against them in other ways.

It's best to have a separate firewall if you have a spare PC and
ethernet cards - that way you can install a stripped down firewall such
as those based on LRP (www.linuxrouter.org) or the new Smoothwall,
www.smoothwall.org, which looks pretty good.  Mandrake is not a very
good choice for firewalls unless you have a spare Pentium or better;
it's quite hard to get hold of the 486 Mandrake CD.

Richard



Keep in touch with http://mandrakeforum.com: 
Subscribe the "[EMAIL PROTECTED]" mailing list.



Re: [expert] thanks for the check port cmdln

2000-09-12 Thread Ron Johnson, Jr.

Matthew Micene wrote:
[snip]
> chain policies.  I did not mean to imply in my first post that the ports
> listening in the netstat output were listening THROUGH the firewall, but
> showed the need for a firewall to be put in place :)

If I'd have been a bit more clueful, I'd have realized that...

Ron
-- 
+----------------------------------------------------------+
| Ron Johnson, Jr.          Home: [EMAIL PROTECTED]        |
| Jefferson, LA  USA        WWW : [EMAIL PROTECTED]        |
|                                                          |
| Most overused words: feel, cool/kewl, fun, myBlah.com    |
| Most underused word: think                               |
+----------------------------------------------------------+






Re: [expert] thanks for the check port cmdln

2000-09-12 Thread Matthew Micene

On Mon, 11 Sep 2000, you wrote:

> the XFS port listed in the pmfirewall.conf file
>

I am still trying to track down the actual UDP port it listens on but as
far as I can tell, netstat -nlp shows port 1029 open but doesn't list
which process has it open.  lsof doesn't show xfs using UDP, but both show
the unix socket in use by xfs.  The xfs man pages talk about TCP port
assignment and I can't find the source for the -udpPort 0 workaround I am
playing with.  That all said :) when xfs is started with -udpPort 0, udp
port 1029 stops listening. *shrug*


> yesterday, and added to it all the ports for known trojans (linux, windows
> and otherwise), one by freakin' one of them, and now have a list of ipchains
> rules a mile and a half long!

Nah, paranoid is having a listing that denies all traffic from the IANA
reserved blocks properly listed and/or bitmasked so no one can use the
reserved addresses (and not just the RFC 1918 ones either :) to spoof
packets at my firewalls :)  as well as the known trojan port list, a black
hole list for known bad addresses *grin*

And as a side note, yes IPChains is designed to stop packets from getting
at all the services that are running on a particular box.  That was why I
originally posted that everyone needs to be running some sort of firewall,
ie IPChains.  As far as the policy settings for IPChains, they should
reflect your general security policy.  If your model is "That which is not
explicitly denied is allowed" then the IPChains policy rules for your
firewall should be -P ACCEPT.  If you go with a "That which is not
explicitly permitted is denied" then use the -P REJECT or -P DENY for your
chain policies.  I did not mean to imply in my first post that the ports
listening in the netstat output were listening THROUGH the firewall, but
showed the need for a firewall to be put in place :)

M

-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead






Re: [expert] thanks for the check port cmdln

2000-09-11 Thread Greg Stewart

pmfirewall, as long as you chose not to open the ports during the install,
blocks external traffic to ports 5999:6003--XServer. Actually, I don't see
the XFS port listed in the pmfirewall.conf file, but neither is it listed in
my open/listening ports. NFS, on 2049 is blocked by pmfirewall because I
elected to close it.

If you are paranoid about ports being left open, pmfirewall.conf has
examples of ipchains rules which you can copy, paste, and edit to match your
needs/desires.

I, either like an idiot with nothing better to do, or a madly anal bastard
with nothing better to do, went through my pmfirewall.conf file just
yesterday, and added to it all the ports for known trojans (linux, windows
and otherwise), one by freakin' one of them, and now have a list of ipchains
rules a mile and a half long!

Of course, you can do this as well... or ask me to e-mail the damned thing
to you so you don't have to type it all--I just hope I don't get an
onslaught of requests that outnumbers the unread messages I have from this
very mailing list!  :-)

--Greg

- Original Message -
From: "Ron Johnson, Jr." <[EMAIL PROTECTED]>


>
> Well that's pretty bad.  I used PMFirewall to set up my ipchains
> commands, but apparently it has left some things out...  It
> was my assumption that PMFirewall blocked everything then
> allowed only certain ports in...
>
> Ron

> Matthew Micene wrote:
> >
> > On Mon, 11 Sep 2000, you wrote:
> > > Since the foreign address is 0.0.0.0, does that mean that these
> > > ports are accessible by the world?  Port 515 is the print
> > > spooler, so it sounds bad that that should be world accessible.
> >
> > You'd better believe it.  And if you want it to get worse, open an X
> > Window session and watch X pop up on port 6000 and xfs on port 2046 I
> > think.  This is why EVERYONE running a linux box (at home or otherwise)
> > needs to have a firewall installed of some sort.  One solution is
> > tcpserver as a replacement for inet super server because it supports
> > binding to a specific interface or address.  It is limited in the fact
> > that it only handles TCP protocols.










RE: [expert] thanks for the check port cmdln

2000-09-11 Thread Zaleski, Matthew (M.E.)

The info I had while constructing my ipchains firewall seems to be the
opposite.  I lead off with:

# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

Now note that those are policy settings and not input/output rules.

Matthew Zaleski

> -Original Message-
> From: Ken Wahl [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 11, 2000 4:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] thanks for the check port cmdln
> 
> 
> On Mon, 11 Sep 2000, Ron Johnson, Jr. wrote:
> 
> > Matthew Micene wrote:
> > > 
> > > On Mon, 11 Sep 2000, you wrote:
> > > > Since the foreign address is 0.0.0.0, does that mean that these
> > > > ports are accessible by the world?  Port 515 is the print
> > > > spooler, so it sounds bad that that should be world accessible.
> > > 
> > > You'd better believe it.  And if you want it to get worse, open an X
> > > Window session and watch X pop up on port 6000 and xfs on port 2046 I
> > > think.  This is why EVERYONE running a linux box (at home or otherwise)
> > > needs to have a firewall installed of some sort.  One solution is
> > > tcpserver as a replacement for inet super server because it supports
> > > binding to a specific interface or address.  It is limited in the fact
> > > that it only handles TCP protocols.
> > 
> > Well that's pretty bad.  I used PMFirewall to set up my ipchains
> > commands, but apparently it has left some things out...  It
> > was my assumption that PMFirewall blocked everything then
> > allowed only certain ports in...
> > 
> > Ron
> > 
> 
> I hope someone will jump in and correct if I'm wrong but I think your
> original assumption about PMFirewall is correct.  Just because a netstat
> command will show a port as listening, doesn't mean that PMFirewall will
> let anyone besides localhost connect to it if you have PMFirewall
> configured to deny/reject connection attempts to that particular port.
> 
> Take a look at your ipchains as root with "ipchains -L".  Remember that
> the chains are processed one line at a time from the top down. The first
> line will be an "accept all" then there should be rules to accept
> connections to particular ports if you want those services running.  Then
> there will be explicit reject chains for common exploits (netbios, etc.
> plus denial for 5999-6003) and then there should be a rule to accept
> connections in the temp range 1023-65535.  The final input chain should be
> an explicit deny all to block anything that was not specifically permitted
> in the chains prior.
> 
> If I have this wrong then someone please tell me, as I've got some work to
> do if that is the case.
> 
> Thanks.
> 
> -- 
> #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
> | Ken Wahl, CCNA   [EMAIL PROTECTED]  PGP Key ID:  3CF9AB36 |
> | PGP Public Key:  http://www.ipass.net/~kenwahl/pgpkey.txt |
> #-=-=-=-=-=-=-=--> Powered by Linux Mandrake <--=-=-=-=-=-=-#
> 
> Linux up 1 day, 17:03, 1 user, load average: 0.00, 0.00, 0.00
> 
> 
> 
> 
> 
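An added example (not from any of the posts above) that puts Matthew Zaleski's policy lines and the top-down rule order Ken Wahl describes into one reviewable script. It prints the ipchains commands instead of running them, so the ruleset can be read end to end before being piped to sh as root. The outside interface (eth0), the LAN range (192.168.1.0/24) and the single externally reachable service (ssh on 22) are assumptions; the output chain is left alone here because only inbound exposure is the subject of the thread.

```shell
#!/bin/sh
# Added example: a default-deny ipchains input chain, emitted as text.
# Apply with:  sh build_rules.sh | sh     (as root)
# Assumed values (constructed, override via the environment):
EXT_IF="${EXT_IF:-eth0}"                   # interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # trusted internal network
ALLOW_TCP="${ALLOW_TCP:-22}"               # TCP ports open to the world

ruleset() {
    # 1. Start clean and make DENY the policy: a packet no rule matches is
    #    dropped, so forgetting a rule fails closed instead of open.
    echo "ipchains -F input"
    echo "ipchains -P input DENY"
    echo "ipchains -P forward REJECT"

    # 2. Loopback and the LAN are trusted; X, xfs and samba stay usable
    #    from local machines without being exposed on $EXT_IF.
    echo "ipchains -A input -i lo -j ACCEPT"
    echo "ipchains -A input -s $LAN_NET -j ACCEPT"

    # 3. Services that are meant to be reachable from outside, one rule each.
    for p in $ALLOW_TCP; do
        echo "ipchains -A input -i $EXT_IF -p tcp --dport $p -j ACCEPT"
    done

    # 4. Explicit, logged (-l) denies placed BEFORE the high-port accept,
    #    so X (6000-6003), xfs (7100, the registered font-service port)
    #    and netbios (137-139) can never ride in on the high-port rule.
    echo "ipchains -A input -i $EXT_IF -p tcp --dport 137:139 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -p udp --dport 137:139 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -p tcp --dport 5999:6003 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -p tcp --dport 7100 -j DENY -l"

    # 5. Replies to connections this host opened arrive on high ports.
    #    "! -y" excludes TCP packets that start a new connection (SYN set,
    #    ACK clear), so this accepts return traffic but not fresh connects.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y --dport 1024:65535 -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp --dport 1024:65535 -j ACCEPT"

    # 6. Logged catch-all, so nothing relies silently on the policy line.
    echo "ipchains -A input -j DENY -l"
}

ruleset
```

Reading the emitted list top to bottom is the same check Ken Wahl recommends with `ipchains -L`: the denies for the X and netbios ranges must appear above the 1024:65535 accept, and the final rule must be the deny-all.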






Re: [expert] thanks for the check port cmdln

2000-09-11 Thread Ron Johnson, Jr.

Matthew Micene wrote:
> 
> On Mon, 11 Sep 2000, you wrote:
> > Since the foreign address is 0.0.0.0, does that mean that these
> > ports are accessible by the world?  Port 515 is the print
> > spooler, so it sounds bad that that should be world accessible.
> 
> You'd better believe it.  And if you want it to get worse, open an X
> Window session and watch X pop up on port 6000 and xfs on port 2046 I
> think.  This is why EVERYONE running a linux box (at home or otherwise)
> needs to have a firewall installed of some sort.  One solution is
> tcpserver as a replacement for inet super server because it supports
> binding to a specific interface or address.  It is limited in the fact
> that it only handles TCP protocols.
> 
> As far as X and xfs go ... pass the -nolisten tcp to your startx script as
> a server arg and X will no longer listen on the network for connections.
> xfs will take -udpPort 0 to turn off network requests, but I still
> haven't found a good place in prefdm or the like to pass that arg
> automatically.  If anyone has any tips please post them.

"netstat -an --inet | grep LISTEN" says that port 139 (NETBIOS 
session service) is listening to the world, but "ipchains -L"
says this:
[root 13:06:16 /home/me (4000.87KB)]# ipchains -L
Chain input (policy ACCEPT):
target  prot opt  source     destination                 ports
REJECT  udp  --   anywhere   indi0.indi.se.verio.net/24  any ->  113
DENY    tcp  --   anywhere   anywhere                    any ->  netbios-ns:netbios-ssn
DENY    udp  --   anywhere   anywhere                    any ->  netbios-ns:netbios-ssn

Does this mean that even though netbios-ssn is listening on 113
that ipchains will block any outside requests?

(BTW, I guess samba needs netbios-ssn for my internal LAN, which
has Windows boxen sharing disks & printer.)

Ron
-- 
+----------------------------------------------------------+
| Ron Johnson, Jr.          Home: [EMAIL PROTECTED]        |
| Jefferson, LA  USA        WWW : [EMAIL PROTECTED]        |
|                                                          |
| Most overused words: feel, cool/kewl, fun, myBlah.com    |
| Most underused word: think                               |
+----------------------------------------------------------+






Re: [expert] thanks for the check port cmdln

2000-09-11 Thread Ron Johnson, Jr.

Matthew Micene wrote:
> 
> On Mon, 11 Sep 2000, you wrote:
> > Since the foreign address is 0.0.0.0, does that mean that these
> > ports are accessible by the world?  Port 515 is the print
> > spooler, so it sounds bad that that should be world accessible.
> 
> You'd better believe it.  And if you want it to get worse, open an X
> Window session and watch X pop up on port 6000 and xfs on port 2046 I
> think.  This is why EVERYONE running a linux box (at home or otherwise)
> needs to have a firewall installed of some sort.  One solution is
> tcpserver as a replacement for inet super server because it supports
> binding to a specific interface or address.  It is limited in the fact
> that it only handles TCP protocols.

Well that's pretty bad.  I used PMFirewall to set up my ipchains
commands, but apparently it has left some things out...  It
was my assumption that PMFirewall blocked everything then
allowed only certain ports in...

Ron
-- 
+----------------------------------------------------------+
| Ron Johnson, Jr.          Home: [EMAIL PROTECTED]        |
| Jefferson, LA  USA        WWW : [EMAIL PROTECTED]        |
|                                                          |
| Most overused words: feel, cool/kewl, fun, myBlah.com    |
| Most underused word: think                               |
+----------------------------------------------------------+






Re: [expert] thanks for the check port cmdln

2000-09-11 Thread Matthew Micene

On Mon, 11 Sep 2000, you wrote:
> Since the foreign address is 0.0.0.0, does that mean that these
> ports are accessible by the world?  Port 515 is the print
> spooler, so it sounds bad that that should be world accessible.

You'd better believe it.  And if you want it to get worse, open an X
Window session and watch X pop up on port 6000 and xfs on port 2046 I
think.  This is why EVERYONE running a linux box (at home or otherwise)
needs to have a firewall installed of some sort.  One solution is
tcpserver as a replacement for inet super server because it supports
binding to a specific interface or address.  It is limited in the fact
that it only handles TCP protocols.  

As far as X and xfs go ... pass the -nolisten tcp to your startx script as
a server arg and X will no longer listen on the network for connections. 
xfs will take -udpPort 0 to turn off network requests, but I still
haven't found a good place in prefdm or the like to pass that arg
automatically.  If anyone has any tips please post them.

-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead






Re: [expert] thanks for the check port cmdln

2000-09-11 Thread Ron Johnson, Jr.

> Tony Smith wrote:
> 
> > > How can I check which ports on my computer are open
> > > I will be sitting on my server?
> >
> > I use "netstat -an --inet | grep LISTEN" to show me which ports are
> > accessible. Remove the grep to see active connections too. Also, check out
> > lsof which will allow you to tell which processes are connected/listening.
> >
> > Tony

This is great...  1 question though:
Proto Recv-Q Send-Q Local Address     Foreign Address     State
tcp        0      0 0.0.0.0:23        0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:21        0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:515       0.0.0.0:*           LISTEN

Since the foreign address is 0.0.0.0, does that mean that these
ports are accessible by the world?  Port 515 is the print
spooler, so it sounds bad that that should be world accessible.

TIA,
Ron
-- 
+----------------------------------------------------------+
| Ron Johnson, Jr.          Home: [EMAIL PROTECTED]        |
| Jefferson, LA  USA        WWW : [EMAIL PROTECTED]        |
|                                                          |
| Most overused words: feel, cool/kewl, fun, myBlah.com    |
| Most underused word: think                               |
+----------------------------------------------------------+
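An added example (not from Ron's or Tony's posts) that answers the 0.0.0.0 question mechanically: it reads `netstat -an --inet` output and lists only the sockets that are waiting for peers on a non-loopback address, which is exactly the set the firewall has to cover. It also covers a gap in the `grep LISTEN` recipe: UDP sockets have no LISTEN state in netstat, so that grep never shows them, which is why a UDP listener such as the xfs port 1029 discussed later in the thread slips past it. The sample netstat lines are constructed for the example.

```shell
#!/bin/sh
# Added example: classify listening sockets from "netstat -an --inet".
# A Local Address of 0.0.0.0:port means the socket is bound to every
# interface, so it is reachable from outside unless a firewall rule
# blocks it; 127.0.0.1:port is reachable from this host only.

# Constructed sample output (not from any poster's machine).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:139         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          10.0.0.7:41022          ESTABLISHED
udp        0      0 0.0.0.0:1029            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# exposed_listeners: read netstat output on stdin, print "proto addr port"
# for each socket that is waiting for peers and is not bound to loopback.
# TCP must be in LISTEN state; UDP has no state, so any UDP socket with a
# wildcard foreign address counts (this is what "grep LISTEN" misses).
exposed_listeners() {
    awk '
        $1 == "tcp" && $6 != "LISTEN" { next }   # established/closing, not a listener
        $1 != "tcp" && $1 != "udp"    { next }   # header lines
        $5 != "0.0.0.0:*"             { next }   # only sockets without a fixed peer
        {
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1") next        # loopback-only, not exposed
            print $1, addr, port
        }'
}

# count_exposed: number of exposed sockets, for a quick pass/fail check.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Usage on a live system:   netstat -an --inet | exposed_listeners
# Usage on the sample:
printf '%s\n' "$SAMPLE" | exposed_listeners
```

On the sample this reports ports 23 and 515 on 0.0.0.0, port 139 on 192.168.1.5 and UDP 1029 on 0.0.0.0, and leaves out the loopback-only 25 and 53 and the established ssh session. An address such as 192.168.1.5 is narrower than 0.0.0.0 but still exposed to whatever can reach that interface, so it is listed too.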






[expert] thanks for the check port cmdln

2000-09-11 Thread Dr Michael Powell, Ph.D.

Tony Smith wrote:

> > How can I check which ports on my computer are open
> > I will be sitting on my server?
>
> I use "netstat -an --inet | grep LISTEN" to show me which ports are
> accessible. Remove the grep to see active connections too. Also, check out
> lsof which will allow you to tell which processes are connected/listening.
>
> Tony
>

Good use of the command I hadn't known that, thanks!
mikey
[EMAIL PROTECTED]





