[Courses] [Security] another netstat

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Mar 6 19:59:12 EST 2002


Heya --

	Wow!  This looks like a shining example of the "when in doubt,
install and run everything" policy.  I'm not really a fan of that -- I
think it should be easy to choose what you run and what you don't, but
turning on a million things that most people will never use just so the
few who will will complain that it's not on... not a good idea.

Quoth Lorne Gutz (Wed, Mar 06, 2002 at 12:49:27PM -0500):
> This computer was SuSE 7.1, then upgraded to 7.3.  Nothing special has
> ever been done to make it secure because it runs behind a firewall.
> It operates on a network where the majority of computers run NT.

	The firewall will protect you from external threats, but most
hacks happen from inside the company.  I've seen varying statistics for
how many that is, but most estimates range from 60% to 90%.  Internal
security is almost always weaker than external security, so it's easier.
And just think of how many people you know that hate their
jobs/bosses/co-workers...

	I'm a big believer in defense in depth.  Yes, I have a firewall
that protects my home network.  My workstation has a firewall too.  That
way, if somehow my husband's Windows box gets compromised, I'm okay.  I
run logcheck (I agree with the plug; it is a great tool) so I'm aware of
problems on all my boxes.  I have set key files on my workstation so
that they can't be changed, even by root.  That way, if my box gets
compromised, the black hat will have to reboot it to trojan ssh.  I'll
notice that reboot.  Defense in depth basically means that you're
constantly thinking, "what if, what if, what if", and you have lines of
defense to fall back to.

	Of course, this also means that you spend a lot of time and
effort on network security.  That's worth it for me, because I think
it's fun.  It's worth it for my company -- they pay for me, after all.
[grin]  But many people just don't see it as that much of a priority.
You just have to decide if the risk of being hacked is worth the cost of
maintaining a relatively secure network.

> grumpy:/home/lgutz # netstat -pl
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 *:login                 *:*                     LISTEN      1110/inetd

	Aaaah!  login!  Kill it!  Kill it!  [grin]

	Er, I mean, how do you normally log in to your box?  If this is
what you use, I would highly recommend using ssh remotely and/or a local
console login that doesn't listen on a port instead.  There are a good
number of programs that transparently use login or the r-tools (rlogin,
rsh, things like that), but they are usually reconfigurable to use ssh
instead.

> tcp        0      0 *:nfs                   *:*                     LISTEN      947/rpc.nfsd

	If you're not sharing remote drives with NFS, get rid of this.

> tcp        0      0 *:time                  *:*                     LISTEN      1110/inetd

	Another one you probably don't need if you're not actively using
it.  Time services and NTP are things that I constantly dither about.
They are insecure and hackable.  But they're also really useful,
especially in a larger network, and as far as I know there's not a good
replacement for the insecure xntpd.  So this one's a judgement call --
how paranoid do you feel like being?

> tcp        0      0 *:sco-sysmgr            *:*                     LISTEN      859/ypbind

	Ypbind isn't necessary unless you're using Sun's yp directory
info.

> tcp        0      0 *:finger                *:*                     LISTEN      1110/inetd

	Another one that you probably don't need.  It gives out
information about you -- though some people put their PGP keys in their
.plan file and then say "Finger me for my PGP key".  There have been
holes in it.  I generally turn it off, but it's not a tragedy if you
don't.

> tcp        0      0 *:sunrpc                *:*                     LISTEN      531/portmap

	More Sun networking.  Turn it off if you're not using it.

> tcp        0      0 *:6000                  *:*                     LISTEN      7242/Xa

	Set it to not listen on an external port, with the URL I sent in
response to Katie's netstat.

> tcp        0      0 *:www-http              *:*                     LISTEN      1234/httpd

	Keep it if you're meaning to run a Web server on this box.
Otherwise turn it off.  (Note to the newbies -- you don't have to run a
Web server in order to see Web pages.  You only need a Web client for
that, like a browser.  Netscape, Opera, etc.)

> tcp        0      0 *:723                   *:*                     LISTEN      543/rpc.statd

	Again, unless you're doing Sun networking, kill it.

> tcp        0      0 *:ssh                   *:*                     LISTEN      439/sshd

	You want this.  [grin]

> tcp        0      0 *:telnet                *:*                     LISTEN      1110/inetd

	Oooh!  Kill it, and especially kill it if you haven't patched
it recently.  There was an exploit in pretty much all versions of telnet
derived from the BSD code base found about six months to a year ago.
This includes Linux, Cisco, and a bunch of other OSs.  There are many
exploit scripts out there for it.  Even if telnet weren't a really bad
idea from a security POV because of the cleartext passwords, the exploit
means you really don't want to be running it.

> tcp        0      0 *:ipp                   *:*                     LISTEN      597/cupsd

	If you're not using print services, kill it.

> tcp        0      0 *:smtp                  *:*                     LISTEN      823/sendmail: accep

	If you're running a local mail server that needs to accept mail,
keep it.  If you just need to send mail using your local server, set
sendmail not to listen on a port.

> tcp        0      0 *:700                   *:*                     LISTEN      944/rpc.mountd

	Kill it.

> tcp        0      0 *:auth                  *:*                     LISTEN      639/in.identd

	Again, reference my comments to Katie.

> udp        0      0 *:filenet-tms           *:*                                 -

> udp        0      0 *:nfs                   *:*                                 947/rpc.nfsd
> udp        0      0 *:talk                  *:*                                 1110/inetd
> udp        0      0 *:ntalk                 *:*                                 1110/inetd

	All these can go, unless you're using Sun networking (for NFS),
or really want to be able to message users on your box without using
e-mail.  There have been talk exploits.  I'd kill it.

> udp        0      0 *:797                   *:*                                 -
> udp        0      0 *:798                   *:*                                 -
> udp        0      0 *:799                   *:*                                 -

	I haven't seen these before, but with the port numbers so close,
I'll bet they're related to...

> udp        0      0 *:mdbs_daemon           *:*                                 -

	I have no idea what this is, and couldn't find any sensible
references by googling.  Anyone else ever seen that before?

	If you don't know what it is and you're not using it, try
killing it.  See if it breaks anything.   (You can always run the
startup script in /etc/init.d/[whatever] start to restart it if you do
need it after all.)

	Why should you shut down things that you don't know about?
Here's a good example:

http://vapid.dhs.org/ifg.html

	In the interests of brevity, I've snipped a bunch of the UDP
services that we've already discussed the TCP counterparts of.

> udp        0      0 *:32868                 *:*                                 28720/kmail

	I don't actually know offhand if there's a way to configure
Kmail not to listen on a port for you.  On the other hand, I don't know
of any exploits for that, either.  I'd have a poke through the settings
and see if there's any way to set it not to do that.  (And I'm really
wondering why it would need to.)

> have fun with this if you like

	I did.  [grin]

Cheers,
Raven "Kill it.  Kill it."

"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
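As an added illustration (not part of Raven's message or Lorne's posting), the following script walks a `netstat -pl` listing the way the reply does: it parses each listener, records which daemon owns it, and maps the service names discussed in the thread to the advice given (keep ssh; drop the inetd-spawned cleartext and info services; drop the Sun RPC/NFS daemons unless they are in use; investigate anything netstat cannot attribute to a process). The sample listing is constructed after the one quoted above, and the remediation strings assume the classic inetd.conf and /etc/init.d layout of a SuSE 7.x box.

```python
"""Triage `netstat -pl` output into keep / kill / investigate, following the thread's advice."""

# Constructed sample modelled on the listing in the thread (not a real capture); one row per line.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:login                 *:*                     LISTEN      1110/inetd
tcp        0      0 *:ssh                   *:*                     LISTEN      439/sshd
tcp        0      0 *:nfs                   *:*                     LISTEN      947/rpc.nfsd
udp        0      0 *:talk                  *:*                                 1110/inetd
udp        0      0 *:mdbs_daemon           *:*                                 -
"""

# Services the reply says to shut off unless actively used, and the one it says to keep.
KILL = {"login", "telnet", "finger", "time", "talk", "ntalk", "nfs", "sunrpc"}
KEEP = {"ssh"}

def parse_listeners(text):
    """Return one dict per tcp/udp row: proto, service, pid, program (None when netstat shows '-')."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header lines, prompts, blanks
        proto, local, owner = parts[0], parts[3], parts[-1]
        service = local.rsplit(":", 1)[-1]         # "*:login" -> "login"
        pid, _, program = owner.partition("/")    # "1110/inetd" -> ("1110", "inetd")
        if not program:                           # owner column was "-": not visible to this user
            pid = program = None
        rows.append({"proto": proto, "service": service, "pid": pid, "program": program})
    return rows

def advise(row):
    """Map one listener to the action the thread recommends."""
    if row["program"] is None:
        return "unknown owner: rerun netstat -pl as root and identify the daemon first"
    if row["service"] in KEEP:
        return "keep"
    if row["service"] in KILL:
        if row["program"] == "inetd":
            return "kill: comment the service out of /etc/inetd.conf and HUP inetd"
        return "kill: stop it with its /etc/init.d script and disable it at boot"
    return "review: keep only if this box actually uses it"

def audit(text):
    """Return (service, program, advice) triples for every listener in the output."""
    return [(r["service"], r["program"], advise(r)) for r in parse_listeners(text)]
```

Feed it the real output of `netstat -pl` run as root, since unprivileged runs leave the owner column as `-` for daemons you do not own.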