RE: [cobalt-security] /tmp/-v ?
- Subject: RE: [cobalt-security] /tmp/-v ?
- From: "E Venema" <evenema@xxxxxxxxxxxxx>
- Date: Tue, 29 May 2001 15:35:13 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
when I do a netstat -lnp I get the following result:
[root admin]# netstat -lnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 27785/httpd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 655/mysqld
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 580/sendmail: accep
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 528/httpd
tcp 0 0 0.0.0.0:444 0.0.0.0:* LISTEN 528/httpd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 519/inetd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 519/inetd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 519/inetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 519/inetd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
raw 0 0 0.0.0.0:6 0.0.0.0:* 7 -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 0 [ ACC ] STREAM LISTENING 521 655/mysqld /var/lib/mysql/mysql.sock
unix 0 [ ACC ] STREAM LISTENING 512 617/postmaster /tmp/.s.PGSQL.5432
What would be running on port 1 and port 6???
Can anybody enlighten me? It's a Raq4 i with all updates installed.
Thanks in advance,
Erik Venema
DutchNet
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Graeme Fowler
Sent: Tuesday 29 May 2001 12:43
To: 'cobalt-security@xxxxxxxxxxxxxxx'
Subject: RE: [cobalt-security] /tmp/-v ?
Carrie (and list)
> How do we stop the RaQ from listening to a port?
Don't have a service running which listens to it. If the port's open, then
something is listening; even if it is PortSentry.
This is where the netstat command comes in useful. Try running:
netstat -lnp
which shows you listening ports and the process holding them open. And
remember that editing inetd.conf isn't enough to close ports which it has
opened; you have to restart inetd (either by sending it a SIGHUP or giving
it a restart from /etc/rc.d/init.d/inetd).
> I've got two things running in my inetd.conf... ftp and pop3.
> Yet all of these other ports are open, even though I'm not running
> this crap... and PortSentry has to bind to them because they're open.
PortSentry is probably opening them itself!
Take careful note that PortSentry has three distinct, different modes of
operation. I suggest you have a read at
http://www.psionic.com/abacus/portsentry/ and note the differences.
Mode 1 - Classic:
Binds to predefined ports and listens out for connections.
Mode 2 - Enhanced:
Similar to Mode 1, but uses a raw socket rather than binding to the ports.
Mode 3 - Advanced (Stealth):
At startup, portsentry notes what ports you already have open and ignores
them. It then uses a raw socket to listen to the unused ports and acts as
you configure it upon them. This mode can generate a huuuuge amount of data
(most of which can be ignored).
[ with regard to your original question about the file in /tmp, I bet
someone - you? - ran a command which takes -v as an argument but by mistake
you piped or redirected the output to your switch instead :) ]
Detecting port scans is all very well IMHO but you're better off keeping
(and excuse the metaphor & repetition here) your doors and windows shut in
the first place by keeping your system up-to-date.
The only way to make sure your machine isn't vulnerable to attack is by
switching off services (as Carrie has tried to do) and keeping all your
network-facing services as up-to-date and patched as is possible.
Your machines are facing the internet; it's a hostile place.
HTH
Graeme
--
Graeme Fowler
Systems Administrator
Host Europe Group plc
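Erik's puzzle about "port 1 and port 6" and Graeme's advice to audit a RaQ with netstat -lnp are both covered by this added example (not code from either poster): it parses netstat -lnp output, reads the number after the colon on a "raw" line as an IP protocol number rather than a port (1 is ICMP, 6 is TCP, which is what a raw-socket tool such as PortSentry's Enhanced or Stealth modes would open), and groups listening ports by the process holding them so that the ones inetd owns stand out. The sample output is constructed from Erik's post with the archive's line wrapping undone.

```python
"""Audit `netstat -lnp` output as Graeme suggests and decode the "raw" lines
from Erik's post.  SAMPLE is constructed from that post (columns re-joined)."""
import re

# IANA IP protocol numbers: on a "raw" line netstat prints the protocol
# number where a TCP/UDP line would show the port, so 0.0.0.0:1 is an ICMP
# raw socket and 0.0.0.0:6 a TCP raw socket, not listeners on ports 1 and 6.
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN 27785/httpd
tcp        0      0 0.0.0.0:25      0.0.0.0:*       LISTEN 580/sendmail: accep
tcp        0      0 0.0.0.0:23      0.0.0.0:*       LISTEN 519/inetd
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN 519/inetd
raw        0      0 0.0.0.0:1       0.0.0.0:*       7      -
raw        0      0 0.0.0.0:6       0.0.0.0:*       7      -
"""

# proto, recv-q, send-q, local addr:num, foreign addr, state, PID/program
LINE = re.compile(r"^(tcp|udp|raw)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\S.*)$")

def parse_netstat(text):
    """One dict per socket line; banner and header lines do not match and are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, num, state, prog = m.groups()
        entry = {"proto": proto, "addr": addr, "state": state, "program": prog.strip()}
        if proto == "raw":
            entry["ip_protocol"] = IP_PROTO.get(int(num), num)
        else:
            entry["port"] = int(num)
        sockets.append(entry)
    return sockets

def summarize(sockets):
    """Return (listening ports grouped by holding process, raw-socket protocols).
    Ports under an '.../inetd' entry only close after inetd is restarted, as
    Graeme notes; a '-' program means netstat could not name the owner."""
    by_program, raw = {}, []
    for s in sockets:
        if s["proto"] == "raw":
            raw.append(s["ip_protocol"])
        elif s["state"] == "LISTEN":
            by_program.setdefault(s["program"], []).append(s["port"])
    return by_program, sorted(raw)
```

Feed it the real output of `netstat -lnp` run as root; any entry whose program is "-" or an unexpected binary is the one to chase down.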
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security