
RE: [cobalt-security] /tmp/-v ?



Hi,

when I do a netstat -lnp I get the following result:

[root admin]# netstat -lnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
27785/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
655/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
580/sendmail: accep
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
528/httpd
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN
528/httpd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
519/inetd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
519/inetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
519/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
519/inetd
raw        0      0 0.0.0.0:1               0.0.0.0:*
    7           -
raw        0      0 0.0.0.0:6               0.0.0.0:*
    7           -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name
Path
unix  0      [ ACC ]     STREAM     LISTENING     521    655/mysqld
/var/lib/mysql/mysql.sock
unix  0      [ ACC ]     STREAM     LISTENING     512    617/postmaster
/tmp/.s.PGSQL.5432


What would be running on port 1 and port 6???

Can anybody enlighten me? It's a RaQ4i with all updates installed.

thanks in advance
Erik Venema

DutchNet
_____________________________________________________________________
Postbus 3                     Verkoop/billing:    sales@xxxxxxxxxxxxx
3734 ZG  Den Dolder         Storingsmeldingen:  support@xxxxxxxxxxxxx
tel.: 030-2292693           Technische vragen: helpdesk@xxxxxxxxxxxxx
fax.: 030-2292694            DutchNet website:      www.dutch-net.com
_____________________________________________________________________


-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Graeme Fowler
Sent: dinsdag 29 mei 2001 12:43
To: 'cobalt-security@xxxxxxxxxxxxxxx'
Subject: RE: [cobalt-security] /tmp/-v ?


Carrie (and list)

> How do we stop the RaQ from listening to a port?

Don't have a service running which listens to it. If the port's open, then
something is listening; even if it is PortSentry.
This is where the netstat command comes in useful. Try running:

netstat -lnp

which shows you listening ports and the process holding them open. And
remember that editing inetd.conf isn't enough to close ports which it has
opened; you have to restart inetd (either by sending it a SIGHUP or giving
it a restart from /etc/rc.d/init.d/inetd).

> I've got two things running in my inetd.conf... ftp and pop3.
> Yet all of these other ports are open, even though I'm not running
> this crap... and PortSentry has to bind to them because they're open.

PortSentry is probably opening them itself!

Take careful note that PortSentry has three distinct, different modes of
operation. I suggest you have a read at
http://www.psionic.com/abacus/portsentry/ and note the differences.

Mode 1 - Classic:
Binds to predefined ports and listens out for connections.

Mode 2 - Enhanced
Similar to Mode 1, but uses a raw socket rather than binding to the ports.

Mode 3 - Advanced (Stealth)
At startup, portsentry notes what ports you already have open and ignores
them. It then uses a raw socket to listen to the unused ports and acts as
you configure it upon them. This mode can generate a huuuuge amount of data
(most of which can be ignored).

[ with regard to your original question about the file in /tmp, I bet
someone - you? - ran a command which takes -v as an argument but by mistake
you piped or redirected the output to your switch instead:) ]

Detecting port scans is all very well IMHO but you're better off keeping
(and excuse the metaphor & repetition here) your doors and windows shut in
the first place by keeping your system up-to-date.
The only way to make sure your machine isn't vulnerable to attack is by
switching off services (as Carrie has tried to do) and keeping all your
network-facing services as up-to-date and patched as is possible.

Your machines are facing the internet; it's a hostile place.

HTH

Graeme
--
Graeme Fowler
Systems Administrator
Host Europe Group plc
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
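An added example, not taken from either post or from PortSentry, that parses the kind of netstat -lnp output pasted in the question, re-joins the wrapped PID/Program name column and decodes the two `raw` lines: for a raw socket netstat prints the IP protocol number where a port would be, so 0.0.0.0:1 and 0.0.0.0:6 are raw ICMP and raw TCP sockets (consistent with a raw-socket listener such as the PortSentry enhanced or stealth modes described above), not services on ports 1 and 6. The sample input is built from the output in the post; the Socket class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers needed to read the "port" column of raw sockets.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Sample built from the netstat -lnp output in the post above; this netstat wraps
# the PID/Program name column onto the next line, so the parser re-joins it.
SAMPLE = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
27785/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
580/sendmail: accep
raw        0      0 0.0.0.0:1               0.0.0.0:*
    7           -
raw        0      0 0.0.0.0:6               0.0.0.0:*
    7           -
Active UNIX domain sockets (only servers)
"""

@dataclass
class Socket:
    proto: str               # tcp, udp or raw
    local: str               # bound address
    number: int              # TCP/UDP port, or IP protocol number for raw
    program: Optional[str]   # "pid/name", or None where netstat printed "-"

    def describe(self) -> str:
        owner = self.program or "owner unknown (netstat needs root to see it)"
        if self.proto == "raw":
            # For raw sockets the value after ':' is the IP protocol, not a port.
            name = IP_PROTOCOLS.get(self.number, "protocol %d" % self.number)
            return "raw socket, IP protocol %d (%s), %s" % (self.number, name, owner)
        return "%s port %d on %s, %s" % (self.proto, self.number, self.local, owner)

def parse_netstat(text: str) -> List[Socket]:
    """Parse the Internet part of `netstat -lnp`, re-joining wrapped lines."""
    records: List[str] = []
    for line in text.splitlines():
        if re.match(r"^(tcp|udp|raw)\s", line):
            records.append(line)
        elif records and line.strip() and (line[0].isspace() or re.match(r"^\d+/", line)):
            records[-1] += " " + line.strip()   # wrapped PID/Program name column
    sockets = []
    for rec in records:
        f = rec.split()
        addr, num = f[3].rsplit(":", 1)
        owner = next((i for i, tok in enumerate(f[5:], 5) if "/" in tok), None)
        sockets.append(Socket(f[0], addr, int(num), " ".join(f[owner:]) if owner is not None else None))
    return sockets
```

Calling `parse_netstat(SAMPLE)` and printing `describe()` for each entry turns the two puzzling lines into "raw socket, IP protocol 1 (ICMP)" and "raw socket, IP protocol 6 (TCP)", with the owner reported as unknown because netstat printed "-" for them.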