[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

portscan looks like....



On Tue, Aug 24, 2004 at 08:37:30AM +0200, Volker Kindermann wrote:
> Hi Bob,
> 
> 
> > PORT     STATE SERVICE
> > 22/tcp   open  ssh
> > 25/tcp   open  smtp
> > 80/tcp   open  http
> > 111/tcp  open  rpcbind
> > 1023/tcp open  netvenuechat
[...]
> >      Then there is the case of the port 1023.  I have no idea how to
> >      turn 
> > this off or how it got turned on.  Could the rpcbind allowed someone
> > into my computer to hack it up?  I am pretty scared at this point. 
> 
> First try to disable rpcbind and look afterwards, if port 1023 is still
> open. If it ist, install lsof from ports. This tool will tell you which
> application is listening on this port.

sockstat(1) will tell you that just as well, and it's a standard part
of the system.

Chances are port 1023 is open because of portmap(8) (a.k.a rpcbind(8)
in 5.x).  To see what ports portmap is managing, use the rpcinfo(8)
command:

    # rpcinfo -p

As for telling if your system has been compromised, it depends on the
level of sophistication of whoever attacks you.  Chances are that if
you're just an ordinary home user without any particular secrets or
other motives for anyone to break in, you'll not come to the attention of
anyone good enough to cover their tracks thoroughly.  In fact, about
the only sort of intrusion attempt you're likely to see would be
automated or semi-automated attacks /intended for Linux or Windows
servers/ by Skript Kiddiez.  Needless to say, these tend not to work.

The most effective things you can do to prevent yourself being
compromised are:

    - keep your system and ports up to date

    - be vigilant: look at what the daily security e-mail is telling
      you, subscribe to freebsd-announce_(_at_)__(_dot_)__(_dot_)__(_dot_)_ and/or
      freebsd-security_(_at_)__(_dot_)__(_dot_)__(_dot_)_ so that you get notified of any security
      advisories.  Scan through system logs for anomalous entries
      occasionally.  Check for strange processes (use ps(1)) or for
      logins from odd systems or at odd times (use last(1)).

    - Install security/portaudit so that you get notifications of any
      vulnerabilities in your installed ports

    - Think about what you are doing as you use the system.  Get into
      good security habits: try and ensure that processes/users have
      only the minimum necessary permissions in order to function.
      Always use ssh(1) or similarly encrypted channels for remote
      access to systems.  Never log in directly as root -- use su(1)
      or better, sudo(1) instead.  Always use secure (ie. unguessable)
      passwords -- install and use security/apg if you find it hard to
      think up good ones.

There's a shedload of useful monitoring software you can install to
help you detect if you have been attacked or compromised, but for most
home users, it's really overkill.  Particularly noteworthy are
security/snort -- which will examine all of the network traffic
reaching your system and detect which of it is unfriendly -- and one
of the security/tripwire ports, which will build a cryptographically
secured database of checksums of all of the important files on your
system which you can use to immediately detect any changes.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040824/bbaf9ab0/attachment.bin

Visit your host, monkey.org