Scot L. Harris wrote:
On Wed, 2005-07-20 at 16:15, Mike McCarty wrote:
Scot L. Harris wrote:
[what should I do?]
[snip]
[I wrote]
Apparently, 113 is used for some old e-mail query/response. Since
that port is closed, I'm probably ok on that score.
Port 113 is supposed to be used for ident services. RFC 1413 provides
the details. This should not be a problem, however your router should
stealth this port as well. Have seen this before. Depends on the
router implementation. Not sure why they don't stealth that port as
well as all the others.
The only thing this does is let someone know that there is a machine at
your IP address. They can then waste additional time trying to see if
there is any other ports open at that address. If port 113 did not
respond at all then no one would know there was a computer at your IP
address.
But if the port is closed, then I don't see my exposure. Except that
now they know the temporary (well, with DSL, not so temp) IP address.
How do I check that port? I guess I could just stealth it on my router, if I poked
around some. Actually, since I'm behind my router, I'm not even really looking at
my machine. I'm looking at the firewall in my router.
Correct, this is a port that is closed on your firewall, not your
computer. To run a full test against your systems you would really need
another system on your LAN running nmap or nessus to run a full port
scan.
I don't have any other computers on my "LAN". It comprises a
router and a computer. I have a cable run to another computer
with Windows 98 on it, which is turned off, and remains off.
I don't think I have much exposure from a computer which is off :-)
I used the default. The output from iptables is rather long, so I won't post it here,
but how do I check exactly what is open? The output is a little confusing.
service iptables status
should list the current rule set that is running. If you have the
default and have not opened any ports then it should be relatively
short. One gripe I had was that in past versions of FC, ntp would cut holes in
the firewall when it started. Not sure this is still the case or not.
I suspect other applications cut their own holes in the firewall also.
IMHO this is a bad thing. The firewall should have one place to open up
ports and that should be under the admins control. Not some program
that happens to get installed and started at boot time.
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Suffered some line-wrap in the paste.
Run chkrootkit and rkhunter, setup tripwire and review the reports
daily. Monitor your log files and check netstat periodically for
anything strange.
Hmm, I seem not to have chkrootkit, rkhunter, nor tripwire installed.
Believe you should find these in extras or in the base install. I know
tripwire is in extras.
Is there a way to get them from the original CDs? Or should I use yum?
I don't know how to "lock down" iptables, but if no ports are exposed, how can
anything get in? Except by doing something like overflowing my browser buffer on
a request I make (or email buffer, etc.)? I've got Java and Javascript disabled.
OTOH, I have heard of "evil" .png problems. I do accept images.
If you have the default iptables rules then things should be blocked
from getting in. Additional steps can be taken to have iptables limit
what can go out of your system. Only those applications that you use
Ok, my iptables output is above. Any recommendations?
[snip]
My browser reports that localhost refused the connection.
The find (ghastly idea to search the whole system) did not
find anything, after about 20 minutes.
:)
But it proved that you did not have that file on your system. :)
From what you have described you are fairly well protected. Just think
of security in layers, router/firewall, iptables, selinux, strong
passwords, disable services, etc.
I guess so. I haven't seen anything which would encourage me
to use selinux, yet.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
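The thread leaves two practical questions hanging: how to read the `service iptables status` listing to see which ports the default FC ruleset actually lets a new connection reach, and how that relates to what netstat shows listening. The script below is an added example written for this page; it is not code from either poster or from Fedora. It embeds the RH-Firewall-1-INPUT ruleset quoted above (re-joined one rule per line) and a constructed `netstat -ltn` sample as test input, extracts the ACCEPT/state NEW rules, reports whether the chain ends in REJECT or DROP (the difference between "closed" and "stealth" in a port scan), and intersects the allowed ports with the non-loopback listeners to show what is genuinely reachable from outside. The service-name-to-port table is hard-coded only for the names in the sample; on a real host you would use `getent services` or /etc/services.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise an "iptables -L"
# (service iptables status) listing and cross-check it against listening
# sockets to answer "what is actually reachable from outside?".

# Constructed sample: the RH-Firewall-1-INPUT ruleset quoted in the thread,
# re-joined onto one line per rule (not live output from any host).
sample_rules() {
cat <<'EOF'
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
EOF
}

# Constructed "netstat -ltn" sample (hypothetical listeners, not from the
# poster's machine): sshd on all interfaces, sendmail bound to loopback only,
# portmap on all interfaces.
sample_listeners() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
EOF
}

# Every port the firewall accepts for a NEW inbound connection, printed as
# proto/service, one per line.  Pipe "service iptables status" into this.
accepted_new_ports() {
    awk '$1 == "ACCEPT" && /state NEW/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $2 "/" $i }
    }'
}

# Target of the last rule in the named chain.  REJECT answers a probe with an
# ICMP error (the port shows as "closed"); DROP says nothing ("stealth").
chain_default_action() {
    awk -v c="$1" '
        $1 == "Chain" { inchain = ($2 == c); next }
        inchain && NF > 0 && $1 != "target" { last = $1 }
        END { print last }'
}

# iptables -L prints service names; map the ones in the sample back to port
# numbers.  Hard-coded for this example only (assumption); on a real host use
# "getent services NAME" or /etc/services.
port_of() {
    case $1 in
        ftp) echo 21 ;; ssh) echo 22 ;; telnet) echo 23 ;; smtp) echo 25 ;;
        http) echo 80 ;; https) echo 443 ;; *) echo "$1" ;;
    esac
}

# The accepted tcp services as port numbers, in rule order.
allowed_tcp_ports() {
    accepted_new_ports | awk -F/ '$1 == "tcp" { print $2 }' |
    while IFS= read -r svc; do port_of "$svc"; done
}

# Listeners (netstat -ltn on stdin) bound to a non-loopback address AND
# allowed by the firewall: the ports another host can actually reach.
# Arguments: the allowed tcp port numbers.
reachable_listeners() {
    allowed=" $* "
    awk '$1 == "tcp" && $NF == "LISTEN" { print $4 }' |
    while IFS= read -r addr; do
        port=${addr##*:}
        case ${addr%:*} in 127.*|::1) continue ;; esac
        case $allowed in *" $port "*) echo "$port" ;; esac
    done
}

# Demo on the constructed samples.
echo "Firewall accepts NEW connections on:"; sample_rules | accepted_new_ports
echo "Last rule of RH-Firewall-1-INPUT: $(sample_rules | chain_default_action RH-Firewall-1-INPUT)"
echo "Reachable from outside (allowed AND listening on a non-loopback address):"
sample_listeners | reachable_listeners $(sample_rules | allowed_tcp_ports)
```

On a live FC box replace the two sample functions with `service iptables status | accepted_new_ports` and `netstat -ltn | reachable_listeners ...`. Two things the output makes obvious on the sample: the default ruleset opens ftp, telnet, http and https even though nothing may be listening on them, and the chain ends in REJECT, so a scanner sees "closed" rather than no answer at all; changing that final target to DROP is what "stealthing" the host means.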