
Re: [cobalt-security] worried about seeing connections to :81



"william ross" <will@xxxxxxxxxxx> wrote:
> i'm not very up on netstat and its output, so i'd be very glad if
> someone could tell me whether to worry or not. i'm puzzled to see a
> lot of connections to :81 in the output. most are closed (about 50)
> but several appear to be open.

Even if the connections are in an ESTABLISHED state that doesn't mean that
someone has gotten access to the admin interface.  It just means that they
at least attempted to view a page on that port.  They could have entered a
URL ending in /admin, /siteadmin or /personal on port 80 (those paths
redirect to port 81) or they could have entered a path to port 81 directly
(less likely to be the case, but more likely to indicate they're doing
something malicious).

> portsentry is running, and in quite a paranoid state, but i've never
> interfered much with (or, indeed, used) the admin interface or port
> 81.

If you and other users who need access to the admin interface have known IP
addresses you could always use ipchains (not installed by default) to limit
access to port 81 to users from a list of IPs.  I wouldn't be too worried
about what you saw though.  Just make sure your passwords are strong
(especially admin and root) so you're not as easily susceptible to a brute
force or dictionary attack.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
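
Added example (not part of the original message): a shell helper for triaging the `netstat -tn` output discussed above, grouping connections to local port 81 by remote IP and state and marking which remote IPs are on a list of known admin addresses. The function names, the sample netstat lines and all IP addresses are constructed for illustration, and Linux `netstat -tn` column layout is assumed.

```shell
#!/bin/sh
# Summarise TCP connections to one local port from `netstat -tn` output.
# Real use: netstat -tn | port_summary 81 "IP1 IP2 ..."

port_summary() {
    # $1 = local port to inspect
    # $2 = space-separated list of known admin IPs (assumed allowlist)
    awk -v port="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && NF >= 6 {
            lp = $4; sub(/.*:/, "", lp)         # local port: text after last colon
            if (lp != port) next                # skip :80, :22, :8081, ...
            rip = $5; sub(/:[^:]*$/, "", rip)   # remote IP: text before last colon
            count[rip " " $6]++
        }
        END {
            for (k in count) {
                split(k, f, " ")
                print f[1], f[2], count[k], ((f[1] in ok) ? "known" : "unknown")
            }
        }' | LC_ALL=C sort
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.5:81          192.0.2.10:40112        ESTABLISHED
tcp        0      0 203.0.113.5:81          198.51.100.7:51234      TIME_WAIT
tcp        0      0 203.0.113.5:81          198.51.100.7:51235      TIME_WAIT
tcp        0      0 203.0.113.5:81          198.51.100.7:51240      ESTABLISHED
tcp        0      0 203.0.113.5:80          198.51.100.9:33001      ESTABLISHED
tcp        0      0 203.0.113.5:22          192.0.2.10:40200        ESTABLISHED
EOF
}

# Output columns: remote IP, state, connection count, known/unknown
sample_netstat | port_summary 81 "192.0.2.10"
```

Many closed or TIME_WAIT entries from an unknown address only show that pages on port 81 were requested; repeated entries from one unknown address are the ones to compare against the admin server's access log.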