Re: what basic security for Mdva 2006 - Mandrake



Thread: Re: what basic security for Mdva 2006

  1. Re: what basic security for Mdva 2006

    Bit Twister wrote:

    Re: what basic security for Mdva 2006
    From: Adam
    Date: Saturday 14 October 2006 01:46:07 pm
    To: Bit Twister
    no references

    Well, this is almost fun. Next stop is

    http://www.catb.org/~esr/faqs/smart-questions.html
    re asking useful questions, and

    http://lists.thedatalist.com/portlist/lookup.php?port=
    new, and looks interesting.

    And
    http://tldp.org/HOWTO/Security-Quick...WTO/index.html
    for perhaps the master document for my original query. Thanks Moe.


    In my paranoid un-hacked mode, (am on-line, but with no mysterious modem
    activity), the unedited netstat -anptu is below.

    5335 and 7741 show nothing in grep /etc/services. And both unassigned on the
    Port Lookup. Hmmm. I'll keep plugging away.




    [user@ispx ~]$ su
    Password:
    [root@ispx user]# netstat -anptu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2266/portmap
    tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2876/X
    tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 2976/mDNSResponder
    tcp 0 0 0.0.0.0:828 0.0.0.0:* LISTEN 2342/rpc.statd
    tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN 3209/lisa
    tcp 0 0 203.173.200.124:4279 202.58.36.23:80 ESTABLISHED 4397/konquerordHWis
    tcp 0 0 203.173.200.124:3873 64.62.243.240:80 ESTABLISHED 4256/konquerorMIoWt
    tcp 0 0 203.173.200.128:2087 203.109.252.31:119 ESTABLISHED 3589/kontact
    tcp 0 0 203.173.200.124:4533 64.62.243.247:80 ESTABLISHED 4813/konquerorGGi4q
    tcp 0 0 :::6000 :::* LISTEN 2876/X
    udp 0 0 0.0.0.0:822 0.0.0.0:* 2342/rpc.statd
    udp 0 0 0.0.0.0:825 0.0.0.0:* 2342/rpc.statd
    udp 0 0 0.0.0.0:7741 0.0.0.0:* 3209/lisa
    udp 0 0 0.0.0.0:5353 0.0.0.0:* 2976/mDNSResponder
    udp 0 0 0.0.0.0:111 0.0.0.0:* 2266/portmap
    udp 0 0 127.0.0.1:123 0.0.0.0:* 3023/ntpd
    udp 0 0 0.0.0.0:123 0.0.0.0:* 3023/ntpd
    udp 0 0 :::123 :::* 3023/ntpd
    [root@ispx user]# grep 5335 /etc/services
    [root@ispx user]# grep 6000 /etc/services
    x11 6000/tcp X # the X Window System
    quake 26000/tcp
    quake 26000/udp
    [root@ispx user]# grep 111 /etc/services
    sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
    sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
    [root@ispx user]# grep 7741 /etc/services
    [root@ispx user]#


    > http://www.catb.org/~esr/faqs/smart-questions.html



  2. Re: what basic security for Mdva 2006

    On Sat, 14 Oct 2006 17:46:57 +1300, Adam wrote:
    > In my paranoid un-hacked mode, (am on-line, but with no mysterious modem
    > activity), the unedited netstat -anptu is below.


    Yea, now people can provide you better help.

    Question, did you go into the Mandriva Control Center and enable the
    firewall for PPP0?

    > 5335 and 7741 show nothing in grep /etc/services. And both unassigned on the
    > Port Lookup. Hmmm. I'll keep plugging away.


    Those are normal and research on those ports will not yield you anything.

    You have two major choices to help protect your system. Of course you
    can do both, but you seemed to want only one method. They are: use your
    firewall to block all incoming connections, which allows you to play
    around with services on your system, or try to keep the running services
    a cracker might attack to a minimum and protect those as best as possible.

    Having said that, I am impressed with what you have showing,
    *if* you are showing everything returned by the netstat command.

    Some things I expected to see are not there, implying you knew enough to
    disable them, but then again if that is so, I am surprised that some
    of the others are running.

    So let's reformat somewhat and chat.

    > [root@ispx user]# netstat -anptu


    All you know at this point is which services were listening and
    connected at the time you ran the netstat command.

    > Active Internet connections (servers and established)
    > Proto Recv-Q Send-Q Local Address Foreign Address
    > State PID/Program name
    > 127.0.0.1:123 0.0.0.0:* 3023/ntpd
    > 0.0.0.0:123 0.0.0.0:* 3023/ntpd
    > :::123 :::* 3023/ntpd


    man ntpd will tell you about your system clock being synced to network time.

    > 0.0.0.0:6000 0.0.0.0:* LISTEN 2876/X
    > :::6000 :::* LISTEN 2876/X


    Needed for your gui apps (kontact, konqueror,....)

    > 203.173.200.124:4279 202.58.36.23:80 ESTABLISHED 4397/konquerordHWis
    > 203.173.200.124:3873 64.62.243.240:80 ESTABLISHED 4256/konquerorMIoWt
    > 203.173.200.128:2087 203.109.252.31:119 ESTABLISHED 3589/kontact
    > 203.173.200.124:4533 64.62.243.247:80 ESTABLISHED 4813/konquerorGGi4q


    And the following services can be disabled assuming this system is not
    on a local network.

    > 127.0.0.1:5335 0.0.0.0:* LISTEN 2976/mDNSResponder
    > 0.0.0.0:828 0.0.0.0:* LISTEN 2342/rpc.statd
    > 0.0.0.0:7741 0.0.0.0:* LISTEN 3209/lisa
    > 0.0.0.0:822 0.0.0.0:* 2342/rpc.statd
    > 0.0.0.0:825 0.0.0.0:* 2342/rpc.statd
    > 0.0.0.0:7741 0.0.0.0:* 3209/lisa
    > 0.0.0.0:5353 0.0.0.0:* 2976/mDNSResponder
    > 0.0.0.0:111 0.0.0.0:* 2266/portmap
    > 0.0.0.0:111 0.0.0.0:* LISTEN 2266/portmap



  3. Re: what basic security for Mdva 2006


    Thnx as always, B-T. I'll inspect the LDP closer.
    Minor points below, FYI. Thnx again.



    [ ... ]
    > Question, did you go into the Mandriva Control Center and enable the
    > firewall for PPP0?


    No, but will-do.

    [ ... ]
    > Some things I expected to see are not there implying you knew enough to
    > disable them, but then again if that is so, I am surprised that some
    > of the others that are running.


    AFAIA, it's basic Mandriva 2006 as workstation, not server. Probably not much
    network stuff installed, too much dev and doc stuff, and a recent update.

    > man ntpd will tell you about your system clock being synced to network
    > time.
    > ...
    > And the following services can be disabled assuming this system is not
    > on a local network.

    ... [ 9 services ]. Can netstat & port query & manual for info.






  4. Re: what basic security for Mdva 2006

    On Sat, 14 Oct 2006, in the Usenet newsgroup alt.os.linux.mandrake, in article , Adam wrote:

    >Well, this is almost fun.


    Good, we'll be able to charge admission fees for it ;-)

    >http://lists.thedatalist.com/portlist/lookup.php?port=
    >new, and looks interesting.
    >
    >And
    >http://tldp.org/HOWTO/Security-Quick...WTO/index.html
    >for perhaps the master document for my original query. Thanks Moe.


    You're welcome.

    Bear in mind that there is no law that says "service $FOO" has to be on
    port $BAR, and that the service listening on port $BAZ _must_be_ $QUX.
    The stuff listed in the ftp://ftp.iana.org/assignment/port-numbers only
    says where you can expect to find a service - the so-called "well-known"
    ports. But it takes just one additional variable to change the port a
    server is running on, or where a client will look.

    >5335 and 7741 show nothing in grep /etc/services. And both unassigned on the
    >Port Lookup. Hmmm. I'll keep plugging away.


    >tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 2976/mDNSResponder

    and there is an example. "mDNS" is the Multicast DNS service - as described
    in draft-cheshire-dnsext-multicastdns-06.txt (a proposed draft of an RFC,
    available from the IETF), but it's supposed to be listening on port 5353.
    Someone had an attack of the fumble-fingers. This is the reason you use
    the netstat (or 'fuser' or 'lsof') command(s) to find out what actually is
    there - it may not be what the RFCs or official lists say.

    Old guy
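    Two points in this thread lend themselves to a small tool: Bit Twister's advice (post 2) to look at which listeners are bound where and either firewall or disable the ones you do not need, and Old guy's warning (post 4) that the port number is only a hint about the service behind it, so the PID/Program column is what you trust. The script below is an added example written for this thread; it is not code from any of the posters. It parses a `netstat -anptu` listing constructed from Adam's output (plus one extra row, marked in the code, that exists only to show the "mismatch" case), classifies each listening socket by how reachable it is (loopback only versus every interface, the PPP link included), and compares the owning program against a hand-built excerpt of `/etc/services`. The `SERVICES` and `EXPECTED_PROGRAMS` tables are constructed subsets, not copies of the real files.

```python
"""Triage a `netstat -anptu` listing: which listeners can a remote host reach,
and does the program owning each port match what /etc/services says for it?
Added example for this thread, not any poster's code.  The sample rows are
constructed from Adam's listing plus one marked extra row; the /etc/services
and program tables are hand-built subsets, not copies of real files."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of `netstat -anptu`.  All rows but the last
# come from Adam's post; the final 22/tcp row is invented to exercise the
# "mismatch" verdict (something other than sshd sitting on the ssh port).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2266/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2876/X
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      2976/mDNSResponder
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN      3209/lisa
tcp        0      0 203.173.200.124:4279    202.58.36.23:80         ESTABLISHED 4397/konqueror
tcp        0      0 :::6000                 :::*                    LISTEN      2876/X
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2976/mDNSResponder
udp        0      0 127.0.0.1:123           0.0.0.0:*                           3023/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           3023/ntpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5150/python
"""

# Constructed subset of /etc/services: (port, proto) -> service name.
SERVICES: Dict[Tuple[int, str], str] = {
    (22, "tcp"): "ssh", (111, "tcp"): "sunrpc", (111, "udp"): "sunrpc",
    (123, "udp"): "ntp", (5353, "udp"): "mdns", (6000, "tcp"): "x11",
}

# Programs accepted as legitimate owners of each service's port.  Constructed
# for the demo; on a real box this is the baseline you build for your own host.
EXPECTED_PROGRAMS: Dict[str, set] = {
    "ssh": {"sshd"}, "sunrpc": {"portmap", "rpcbind"}, "ntp": {"ntpd"},
    "mdns": {"mDNSResponder", "avahi-daemon"}, "x11": {"X", "Xorg"},
}


def exposure(addr: str) -> str:
    """Who can reach a socket bound to this local address."""
    if addr.startswith("127.") or addr == "::1":
        return "loopback"          # only processes on this host
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"    # every interface, the PPP link included
    return "one-address"


def triage(text: str) -> List[dict]:
    """One record per listening socket in `netstat -anptu` output.

    The verdict compares the program from the PID/Program column against what
    /etc/services would lead you to expect for that port: 'matches',
    'unlisted' (no /etc/services entry at all) or 'mismatch'."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                                   # banner and header rows
        proto, local, foreign = fields[0].rstrip("6"), fields[3], fields[4]
        # UDP rows have no State column, so PID/Program is the last field either way.
        state = fields[5] if len(fields) == 7 else ""
        program = fields[-1].partition("/")[2]
        addr, _, port_str = local.rpartition(":")      # ':::6000' -> ('::', '6000')
        port = int(port_str)
        # TCP listens in state LISTEN; a bound UDP socket shows a '*' foreign port.
        listening = state == "LISTEN" if proto == "tcp" else foreign.endswith(":*")
        if not listening:
            continue
        service: Optional[str] = SERVICES.get((port, proto))
        if service is None:
            verdict = "unlisted"     # only the PID/Program column tells you what it is
        elif program in EXPECTED_PROGRAMS[service]:
            verdict = "matches"
        else:
            verdict = "mismatch"     # well-known port, unexpected owner: inspect the process
        findings.append({"port": port, "proto": proto, "addr": addr, "program": program,
                         "exposure": exposure(addr), "service": service, "verdict": verdict})
    return findings


def externally_reachable(findings: List[dict]) -> List[Tuple[int, str, str]]:
    """(port, proto, program) for every listener a remote host could connect to."""
    return sorted({(f["port"], f["proto"], f["program"])
                   for f in findings if f["exposure"] == "all-interfaces"})


if __name__ == "__main__":
    results = triage(SAMPLE_NETSTAT)
    for f in results:
        print(f"{f['proto']}/{f['port']:<5} {f['exposure']:<14} {f['program']:<16} "
              f"services={f['service'] or '-':<7} {f['verdict']}")
    print("reachable from outside:", externally_reachable(results))
```

    Run on the embedded sample, the loopback-bound 5335/tcp socket comes out "unlisted" but harmless to anything outside the box, 7741/tcp (lisa) is "unlisted" and bound to every interface, and the invented 22/tcp row is flagged "mismatch" because the owner is not sshd. On a real host you would pipe the live `netstat -anptu` output into `triage()` and replace the two tables with your own `/etc/services` and your own idea of which daemons belong on which ports; the list from `externally_reachable()` is exactly the set the PPP firewall Bit Twister mentions would need to cover.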
