Strange connection

Mike McCarty mike.mccarty at sbcglobal.net
Wed Jul 20 21:17:35 UTC 2005


Scot L. Harris wrote:
> On Wed, 2005-07-20 at 16:15, Mike McCarty wrote:
> 
>>Scot L. Harris wrote:
>>
>[what should I do?]

[snip]

[I wrote]

>>Apparently, 113 is used for some old e-mail query/response. Since
>>that port is closed, I'm probably ok on that score.
>>
> 
> 
> Port 113 is supposed to be used for ident services.  RFC 1413 provides
> the details.  This should not be a problem, however your router should
> stealth this port as well.  Have seen this before.  Depends on the
> router implementation.  Not sure why they don't stealth that port as
> well as all the others.
> 
> The only thing this does is let someone know that there is a machine at
> your IP address.  They can then waste additional time trying to see if
> there are any other ports open at that address.  If port 113 did not
> respond at all then no one would know there was a computer at your IP
> address.

But if the port is closed, then I don't see my exposure. Except that
now they know the temporary (well, with DSL, not so temp) IP address.

>>How do I check that port? I guess I could just stealth it on my router,
>>if I poked around some. Actually, since I'm behind my router, I'm not even
>>really looking at my machine. I'm looking at the firewall in my router.
> 
> Correct, this is a port that is closed on your firewall, not your
> computer.  To run a full test against your systems you would really need
> another system on your LAN running nmap or nessus to run a full port
> scan.  

I don't have any other computers on my "LAN". It comprises a
router and a computer. I have a cable run to another computer
with Windows 98 on it, which is turned off, and remains off.

I don't think I have much exposure from a computer which is off :-)

>>I used the default. The output from iptables is rather long, so I won't
>>post it here, but how do I check exactly what is open? The output is a
>>little confusing.
>>
> 
> 
> service iptables status
> 
> should list the current rule set that is running.  If you have the
> default and have not opened any ports then it should be relatively
> short.  One gripe I had was in past versions of FC ntp would cut holes in
> the firewall when it started.  Not sure this is still the case or not. 
> I suspect other applications cut their own holes in the firewall also. 
> IMHO this is a bad thing.  The firewall should have one place to open up
> ports and that should be under the admin's control.  Not some program
> that happens to get installed and started at boot time.

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Suffered some line-wrap in the paste.

>>>Run chkrootkit and rkhunter, setup tripwire and review the reports
>>>daily.  Monitor your log files and check netstat periodically for
>>>anything strange.
>>> 
>>>
>>
>>Hmm, I seem not to have chkrootkit, rkhunter, nor tripwire installed.
>>
> 
> 
> Believe you should find these in extras or in the base install.  I know
> tripwire is in extras.  

Is there a way to get them from the original CDs? Or should I use
yum?

>>I don't know how to "lock down" iptables, but if no ports are exposed,
>>how can anything get in? Except by doing something like overflowing my
>>browser buffer on a request I make (or email buffer, etc.)? I've got Java
>>and Javascript disabled. OTOH, I have heard of "evil" .png problems. I do
>>accept images.
>>
> 
> 
> If you have the default iptables rules then things should be blocked
> from getting in.  Additional steps can be taken to have iptables limit
> what can go out of your system.  Only those applications that you use

Ok, my iptables output is above. Any recommendations?

[snip]

>>My browser reports that localhost refused the connection.
>>The find (ghastly idea to search the whole system) did not
>>find anything, after about 20 minutes.
> 
> 
> :)
> 
> But it proved that you did not have that file on your system.  :)
> 
> From what you have described you are fairly well protected.  Just think
> of security in layers, router/firewall, iptables, selinux, strong
> passwords, disable services, etc.

I guess so. I haven't seen anything which would encourage me
to use selinux, yet.

Mike

-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
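The question in the thread, "how do I check exactly what is open?", can be answered by reading the `service iptables status` listing programmatically rather than by eye. The script below is an added example and is not part of the original message or of Fedora's firewall tooling. It parses the `iptables -L` style listing shown above (rejoined into one line per rule and embedded as a constructed sample), reports which TCP destination ports the `RH-Firewall-1-INPUT` chain accepts for new connections, notes which of those are cleartext login services, and checks that the chain ends in a catch-all reject. Chain and function names other than those in the listing are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the rule listing from the message above, with the
# line-wrapped rules joined back into one line each.
SAMPLE_STATUS = """\
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# "Chain NAME (policy ACCEPT)" or "Chain NAME (2 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
# target, prot, "--" (opt column; may be fused to prot as in "ipv6-crypt--"),
# source, destination, then whatever match text is left on the line.
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*--\s+(\S+)\s+(\S+)\s*(.*)$")

# Services whose logins travel in the clear; an open listener for one of
# these is worth a second look even when it is intentional.
CLEARTEXT_LOGIN = {"telnet", "ftp"}


def parse_chains(text: str) -> Dict[str, dict]:
    """Parse `iptables -L` / `service iptables status` output into
    {chain: {"policy": str | None, "rules": [rule dicts]}}."""
    chains: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Table:") or line.startswith("target"):
            continue  # blank lines, table banner, column header
        m = CHAIN_RE.match(line)
        if m:
            name, info = m.groups()
            policy = info.split()[1] if info.startswith("policy") else None
            current = chains.setdefault(name, {"policy": policy, "rules": []})
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            target, prot, src, dst, extra = m.groups()
            current["rules"].append(
                {"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra.strip()}
            )
    return chains


def open_new_tcp_ports(chains: Dict[str, dict], chain: str = "RH-Firewall-1-INPUT") -> List[str]:
    """TCP destination ports (names or numbers) accepted for NEW connections."""
    ports: List[str] = []
    for r in chains.get(chain, {"rules": []})["rules"]:
        if r["target"] == "ACCEPT" and r["prot"] == "tcp" and "state NEW" in r["extra"]:
            m = re.search(r"dpt:(\S+)", r["extra"])
            if m:
                ports.append(m.group(1))
    return ports


def ends_with_catch_all_deny(chains: Dict[str, dict], chain: str = "RH-Firewall-1-INPUT") -> bool:
    """True when the chain's last rule rejects or drops everything not matched above."""
    rules = chains.get(chain, {"rules": []})["rules"]
    if not rules:
        return False
    last = rules[-1]
    return (last["target"] in ("REJECT", "DROP") and last["prot"] == "all"
            and last["src"] == "anywhere" and last["dst"] == "anywhere")


def audit(text: str) -> dict:
    """Summarise what the listing actually lets in."""
    chains = parse_chains(text)
    ports = open_new_tcp_ports(chains)
    return {
        "input_policy": chains.get("INPUT", {}).get("policy"),
        "open_tcp": ports,
        "cleartext_login": [p for p in ports if p in CLEARTEXT_LOGIN],
        "catch_all_deny": ends_with_catch_all_deny(chains),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

On the listing from the thread this reports six TCP ports accepted for new connections (smtp, http, https, ftp, ssh, telnet), two of them cleartext login services, and a catch-all reject at the end of the chain, so the INPUT policy of ACCEPT is not what decides unmatched traffic. Two caveats: the plain `-L` output hides interfaces, so the first `ACCEPT all` rule cannot be told apart from a loopback-only rule without `iptables -L -n -v`; and an accepted port only matters if a daemon is listening on it, which is what the `netstat` check suggested earlier in the thread is for.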




More information about the fedora-list mailing list