Strange connection

Scot L. Harris webid at cfl.rr.com
Wed Jul 20 21:59:43 UTC 2005


On Wed, 2005-07-20 at 17:17, Mike McCarty wrote:
> Scot L. Harris wrote:

> 
> But if the port is closed, then I don't see my exposure. Except that
> now they know the temporary (well, with DSL, not so temp) IP address.
> 

That is what I was saying.  Nothing should be able to get through that
port, but the bad guys know there is a system at that address.  More
than likely they will just move on to the next address that has more
interesting open ports available.  :)

Remember the idea here is to be just a little harder to crack than the
next guy.  :)



> 
> I don't have any other computers on my "LAN". It comprises a
> router and a computer. I have a cable run to another computer
> with Windows 98 on it, which is turned off, and remains off.
> 

If you wanted to you could use the windows system to run a scan against
your linux box.  From what you have described this is not really
needed.  Just something you might want to do just to learn from it.

> I don't think I have much exposure from a computer which is off :-)
> 

As long as it is physically secured and does not have any critical data
on it that someone can steal..... :)


> # service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> 

This tells me that you have enabled the default services in
system-config-securitylevel.  smtp (email), http/https (apache), ftp,
ssh, and telnet have their ports opened on your system.

Based on what you have described you can go into
system-config-securitylevel and turn those off so those ports will not
be open.


> >>Hmm, I seem not to have chkrootkit, rkhunter, nor tripwire installed.
> >>
> > 

> Is there a way to get them from the original CDs? Or should I use
> yum?
> 

I would use yum.  


> > If you have the default iptables rules then things should be blocked
> > from getting in.  Additional steps can be taken to have iptables limit
> > what can go out of your system.  Only those applications that you use
> 
> Ok, my iptables output is above. Any recommendations?
> 

As mentioned above, if you are not using telnet, ssh, ftp, smtp, http to
connect to your system you can disable those ports.

For the truly paranoid the output chain would contain a list of rules
that blocks everything but those applications you use.  But that can be
difficult to set up and maintain.


> I guess so. I haven't seen anything which would encourage me
> to use selinux, yet.
> 

selinux is just another layer of defense.  If somehow a hacker managed
to get on your system selinux should make it more difficult for that
hacker to gain elevated privileges and/or modify certain critical files
on your system.  IMHO it will take a couple of years for selinux to
develop fully and for the various distributions to implement policies
that work for most users.

-- 
Scot L. Harris
webid at cfl.rr.com

Behold the warranty -- the bold print giveth and the fine print taketh away. 
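As an added example (not part of the thread above), a small POSIX shell/awk audit that reads a `service iptables status` listing in the shape quoted in this message and reports the built-in chain policies and the TCP services that ACCEPT rules open to NEW connections. It runs here against a constructed sample with the mail-wrapped rule lines rejoined; the same functions can be fed the live output instead.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a Red Hat style
# `service iptables status` / `iptables -L` listing and report which TCP
# services are accepted for NEW connections, plus each chain's policy.

# Constructed sample in the same shape as the listing quoted in the thread
# (one rule per line; real output does not wrap like mail clients do).
SAMPLE_STATUS='Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Print the services (dpt: values) that ACCEPT rules open to NEW
# connections, one per line, in rule order.  Reads the listing on stdin.
accepted_new_ports() {
    awk '$1 == "ACCEPT" && /state NEW/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
         }'
}

# Print "CHAIN POLICY" for every built-in chain so a permissive default
# (policy ACCEPT on INPUT) stands out.  Reads the listing on stdin.
chain_policies() {
    awk '/^Chain .* \(policy / { gsub(/[()]/, "", $4); print $2, $4 }'
}

# Usage with the live firewall:  service iptables status | accepted_new_ports
printf '%s\n' "$SAMPLE_STATUS" | accepted_new_ports
printf '%s\n' "$SAMPLE_STATUS" | chain_policies
```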




More information about the fedora-list mailing list