Strange connection
Mike McCarty
mike.mccarty at sbcglobal.net
Wed Jul 20 21:17:35 UTC 2005
Scot L. Harris wrote:
> On Wed, 2005-07-20 at 16:15, Mike McCarty wrote:
>
>>Scot L. Harris wrote:
>>
>[what should I do?]
[snip]
[I wrote]
>>Apparently, 113 is used for some old e-mail query/response. Since
>>that port is closed, I'm probably ok on that score.
>>
>
>
> Port 113 is supposed to be used for ident services. RFC 1413 provides
> the details. This should not be a problem, however your router should
> stealth this port as well. Have seen this before. Depends on the
> router implementation. Not sure why they don't stealth that port as
> well as all the others.
>
> The only thing this does is let someone know that there is a machine at
> your IP address. They can then waste additional time trying to see if
> there are any other ports open at that address. If port 113 did not
> respond at all then no one would know there was a computer at your IP
> address.
But if the port is closed, then I don't see my exposure. Except that
now they know the temporary (well, with DSL, not so temp) IP address.
>>How do I check that port? I guess I could just stealth it on my router,
>>if I poked around some. Actually, since I'm behind my router, I'm not
>>even really looking at my machine. I'm looking at the firewall in my
>>router.
>
> Correct, this is a port that is closed on your firewall, not your
> computer. To run a full test against your systems you would really need
> another system on your LAN running nmap or nessus to run a full port
> scan.
I don't have any other computers on my "LAN". It comprises a
router and a computer. I have a cable run to another computer
with Windows 98 on it, which is turned off, and remains off.
I don't think I have much exposure from a computer which is off :-)
>>I used the default. The output from iptables is rather long, so I won't
>>post it here, but how do I check exactly what is open? The output is a
>>little confusing.
>>
>
>
> service iptables status
>
> should list the current rule set that is running. If you have the
> default and have not opened any ports then it should be relatively
> short. One gripe I had was in past versions of FC ntp would cut holes in
> the firewall when it started. Not sure this is still the case or not.
> I suspect other applications cut their own holes in the firewall also.
> IMHO this is a bad thing. The firewall should have one place to open up
> ports and that should be under the admins control. Not some program
> that happens to get installed and started at boot time.
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Suffered some line-wrap in the paste.
>>>Run chkrootkit and rkhunter, setup tripwire and review the reports
>>>daily. Monitor your log files and check netstat periodically for
>>>anything strange.
>>>
>>>
>>
>>Hmm, I seem not to have chkrootkit, rkhunter, nor tripwire installed.
>>
>
>
> Believe you should find these in extras or in the base install. I know
> tripwire is in extras.
Is there a way to get them from the original CDs? Or should I use
yum?
>>I don't know how to "lock down" iptables, but if no ports are exposed,
>>how can anything get in? Except by doing something like overflowing my
>>browser buffer on a request I make (or email buffer, etc.)? I've got
>>Java and Javascript disabled. OTOH, I have heard of "evil" .png
>>problems. I do accept images.
>>
>
>
> If you have the default iptables rules then things should be blocked
> from getting in. Additional steps can be taken to have iptables limit
> what can go out of your system. Only those applications that you use
Ok, my iptables output is above. Any recommendations?
[snip]
>>My browser reports that localhost refused the connection.
>>The find (ghastly idea to search the whole system) did not
>>find anything, after about 20 minutes.
>
>
> :)
>
> But it proved that you did not have that file on your system. :)
>
> From what you have described you are fairly well protected. Just think
> of security in layers, router/firewall, iptables, selinux, strong
> passwords, disable services, etc.
I guess so. I haven't seen anything which would encourage me
to use selinux, yet.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!