
Re: [cobalt-security] ssh listening on ports 81 & 444



> dmitri wrote:
> > ssh listening at ports 81 and 444 means someone, maybe you,
> > has set up port forwarding to have a secure connection with
> > the admin interface.
>
> Is that normal? 

No

> I do have a secure connection to the admin interface
> -- https with a self-signed certificate -- but didn't think it had
> anything to do with ssh -- please correct me if I am wrong.

You are absolutely right!

>   Could
> someone have done something on the raq550 admin interface to set up
> this sort of port forwarding? I'm the only one with a shell (AFAIK!).

Perhaps you are mistaken here?
Then you should go through a complete security audit.
 
>
> Once I killed those instances of ssh that were listening on ports 81
> & 444 it hasn't happened again, and I can find nothing else abnormal
> on the system.

Maybe you have installed some security software which provides a secure
connection to admin?
If someone ran sshd at those ports, it had root privileges. So, no
reason to set up port forwarding...

>
> Also, I can't see any point in someone doing this for malicious
> purposes as ports 81 & 444 were closed to the world on the firewall
> (watchguard firebox), and sshd was listening to the world on 22.


Probably it was a nice way to bypass the firewall and logging...

>
> I have taken the machine off the network -- Am I right to be so
> paranoid?

You are absolutely right, I suppose. You have to make sure the box is 
secure... 

Dmitry
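
The check discussed in this thread, as an added example that is not part of the original message: it reads `netstat -tlnp` output and separates an `ssh` client holding a listening port (a port forward) from an extra `sshd` daemon on an unexpected port. The sample lines, PIDs and the port-22 allowlist are constructed assumptions.

```python
# Constructed sample of `netstat -tlnp` output (run as root so the
# PID/Program column is filled in). Not taken from the poster's machine.
SAMPLE = """\
tcp   0   0 0.0.0.0:22    0.0.0.0:*   LISTEN   812/sshd
tcp   0   0 0.0.0.0:81    0.0.0.0:*   LISTEN   4021/ssh
tcp   0   0 0.0.0.0:444   0.0.0.0:*   LISTEN   4100/sshd
tcp   0   0 0.0.0.0:443   0.0.0.0:*   LISTEN   900/httpd
tcp6  0   0 :::22         :::*        LISTEN   812/sshd
"""

EXPECTED_SSHD_PORTS = {22}  # assumption: sshd should only listen on 22


def parse_listeners(text):
    """Yield (port, pid, program) for every TCP socket in LISTEN state."""
    for line in text.splitlines():
        f = line.split(None, 6)
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])  # works for 0.0.0.0:81 and :::22
        pid, _, prog = f[6].partition("/")
        # netstat may append ": args" to the name; "-" means no permission
        prog = prog.split(":")[0].split()[0] if prog.strip() else "?"
        yield port, pid.strip(), prog


def audit_ssh_listeners(text, expected=EXPECTED_SSHD_PORTS):
    """Return ssh/sshd listeners that are not sshd on an expected port."""
    findings = []
    for port, pid, prog in parse_listeners(text):
        if prog not in ("ssh", "sshd"):
            continue
        if prog == "sshd" and port in expected:
            continue
        findings.append({
            "port": port,
            "pid": pid,
            "program": prog,
            # an "ssh" listener is the client holding a forwarded port
            "kind": "client port forward" if prog == "ssh" else "extra daemon",
            # binding below 1024 needs root (or CAP_NET_BIND_SERVICE)
            "needs_root": port < 1024,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_listeners(SAMPLE):
        print(finding)
```

For each flagged PID, `ls -l /proc/<pid>/exe` and the process start time show which binary is actually listening and when it was launched.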