
RE: [cobalt-security] /tmp/-v ?



Carrie (and list)

> How do we stop the RaQ from listening to a port?

Don't have a service running which listens to it. If the port's open, then
something is listening, even if it is PortSentry.
This is where the netstat command comes in useful. Try running:

netstat -lnp

which shows you listening ports and the process holding them open. And
remember that editing inetd.conf isn't enough to close ports which it has
opened; you have to restart inetd (either by sending it a SIGHUP or giving
it a restart from /etc/rc.d/init.d/inetd).

> I've got two things running in my inetd.conf... ftp and pop3.
> Yet all of these other ports are open, even though I'm not running
> this crap... and PortSentry has to bind to them because they're open.

PortSentry is probably opening them itself!

Take careful note that PortSentry has three distinct, different modes of
operation. I suggest you have a read at
http://www.psionic.com/abacus/portsentry/ and note the differences.

Mode 1 - Classic:
Binds to predefined ports and listens out for connections.

Mode 2 - Enhanced:
Similar to Mode 1, but uses a raw socket rather than binding to the ports.

Mode 3 - Advanced (Stealth):
At startup, portsentry notes what ports you already have open and ignores
them. It then uses a raw socket to listen to the unused ports and acts as
you configure it upon them. This mode can generate a huuuuge amount of data
(most of which can be ignored).

[ with regard to your original question about the file in /tmp, I bet
someone - you? - ran a command which takes -v as an argument but by mistake
you piped or redirected the output to your switch instead:) ]

Detecting port scans is all very well IMHO but you're better off keeping
(and excuse the metaphor & repetition here) your doors and windows shut in
the first place by keeping your system up-to-date.
The only way to make sure your machine isn't vulnerable to attack is by
switching off services (as Carrie has tried to do) and keeping all your
network-facing services as up-to-date and patched as is possible.

Your machines are facing the internet; it's a hostile place.

HTH

Graeme
-- 
Graeme Fowler
Systems Administrator
Host Europe Group plc