08-27-2011, 06:21 PM
Brian

securing the system, stopping unnecessary services and closing open ports.

On Sun 28 Aug 2011 at 01:05:47 +1000, yudi v wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs
>
> I run a desktop email client that uses smtp apart from that I do not know
> why rest of the above services are open.

If the smtp server is exim4 it only accepts local mail with its default
settings. No problem there. CUPS (port 631) in its default install will
only print from the local machine. No problem here either.

Incidentally, the services are open because they are running. That is
the meaning of 'open'. They are running because you have installed them.

> it even had SSH listening on 22, changed the port # and also changed

Never! sshd on port 22. Whatever next?

> PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
> output:

There is no need to, but if you feel better after doing it ....

> also installed gufw and set it to deny as default.

You did get desperate, didn't you? Was this before or after reading the
documentation for the services you installed?

> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!

Is your root password something really easy, like password5, or is it (say)
12+ characters? Do you have a user 'admin'? What is there to be worried
about?

> how can I find out if this system has been compromised?

There is no evidence here that it has been.

> what are the steps I need to take to secure it?

Don't install services you don't need. Configure those you want safely.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110827182145.GF4474@desktop
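The "Failed password" and BREAK-IN lines quoted above can be read mechanically rather than eyeballed. This is an added example, not code from the thread or from Debian: it parses that sshd auth.log format, tallies attempts per source address, and flags the one pattern that actually merits a look (a source that failed and then got an accepted login). The sample lines are constructed from the quoted ones; the 192.0.2.10 lines and the user "alice" are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd/auth.log format quoted in the thread. The
# 192.0.2.10 lines (a documentation-range address) and "alice" are invented.
SAMPLE_AUTH_LOG = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 15 22:13:14 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 16 09:01:50 computer sshd[6001]: Failed password for alice from 192.0.2.10 port 50021 ssh2
Aug 16 09:02:01 computer sshd[6001]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
BREAKIN_RE = re.compile(r"getaddrinfo for \S+\[([^\]]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!")


def summarize(log_text):
    """Per source address: failed-password count, names tried (existing vs.
    nonexistent accounts), reverse-DNS mismatch flag and accepted logins."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "invalid_users": set(),
                                  "reverse_dns_mismatch": False, "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, ip = m.groups()
            entry = per_ip[ip]
            entry["failed"] += 1
            (entry["invalid_users"] if invalid else entry["users"]).add(user)
            continue
        m = BREAKIN_RE.search(line)
        if m:  # sshd only notes that forward/reverse DNS disagree; not a compromise
            per_ip[m.group(1)]["reverse_dns_mismatch"] = True
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            per_ip[ip]["accepted"].append((user, method))
    return dict(per_ip)


def sources_worth_a_look(summary):
    """Failed passwords alone are background noise; a source that failed and
    then got an accepted login is the pattern actually worth investigating."""
    return sorted(ip for ip, e in summary.items() if e["failed"] and e["accepted"])
```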
 
08-27-2011, 06:43 PM
Brian

securing the system, stopping unnecessary services and closing open ports.

On Sat 27 Aug 2011 at 17:16:16 +0100, Joe wrote:

> On Sun, 28 Aug 2011 01:05:47 +1000
> yudi v <yudi.tux@gmail.com> wrote:
> >
> > how can I find out if this system has been compromised?
>
> You can try chkrootkit and rkhunter, but the latter at least works

A natural history expedition searching for unicorns and dodos would have
as much success as these two programs are likely to have.

> > what are the steps I need to take to secure it?
>
> As you say, deny root logins, but I would strongly recommend dropping
> passwords altogether and using keys. If you connect from Windows, you

Keys and passwords each have their place. One is not inherently more
secure than the other.

> (currently I believe) can't use *nix-generated keys. The change of port
> number is often denigrated as 'security by obscurity', but then what
> else is a digital certificate? If running ssh on an obscure port
> prevents pretty much all automated password brute-forcing (and it does)
> then you're better off than many other people have been.

You are most probably correct. On a higher port number sshd will
experience fewer probes. But it was secure on port 22 anyway, so there
doesn't seem much point in moving it in that regard.


Archive: http://lists.debian.org/20110827184308.GG4474@desktop