Date: Sat, 9 Sep 2000 01:24:30 -0400
From: "David Liu" <dliu@mindspring.com>
To: <questions@freebsd.org>
Subject: 12345/tcp open NetBus
Message-ID: <LMECIAEPHBBFPHLIOHMNAEAECAAA.dliu@mindspring.com>
Hi,
The following is the output of ps and sockstat. I always reboot my system
after changing the configuration files, so the following is an accurate
reflection of the system. I don't remember where I found the section on
shutting down the inetd.conf file. Some of the info I got was from reading
the shell scripts and determining what env. variables they were looking for.
The "specific shortcoming in the documentation" is that it does not describe
what each env. variable used in the shell scripts does. For example, to shut
down the portmap daemon, you need to specify portmap_enable="NO" in the
"rc.conf" file.
To make FreeBSD secure out of the box, the portmap daemon should not be
started since most users do not need it and it presents a serious security
hole for servers connected to the Internet.
As a side note, several of the ports are out of date and do not install
properly (i.e. apache13-fp) without hacking them.
Thanks,
David
/* ps aux */
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 548 0.0 0.4 420 244 p0 R+ 12:46AM 0:00.00 ps aux
root 1 0.0 0.5 532 304 ?? ILs 6:03PM 0:00.01 /sbin/init --
root 2 0.0 0.0 0 0 ?? DL 6:03PM 0:00.01 (pagedaemon)
root 3 0.0 0.0 0 0 ?? DL 6:03PM 0:00.00 (vmdaemon)
root 4 0.0 0.0 0 0 ?? DL 6:03PM 0:00.01 (bufdaemon)
root 5 0.0 0.0 0 0 ?? DL 6:03PM 0:00.23 (syncer)
root 28 0.0 0.2 208 92 ?? Is 6:03PM 0:00.00 adjkerntz -i
root 108 0.0 0.6 536 368 ?? Is 10:03PM 0:00.00 /sbin/dhclient xl0
root 246 0.0 0.6 524 372 ?? Ss 10:03PM 1:24.75 /sbin/natd -n xl0
root 262 0.0 1.0 904 608 ?? Ss 10:03PM 0:00.09 syslogd -s
root 271 0.0 1.3 1096 808 ?? D 10:03PM 0:00.02 amd -p -a /.amd_mnt -c 1800 -l syslog /host /
root 272 0.0 1.3 1096 808 ?? D 10:03PM 0:00.02 amd -p -a /.amd_mnt -c 1800 -l syslog /host /
root 287 0.0 1.1 948 692 ?? Is 10:03PM 0:00.04 cron
root 303 0.0 0.8 876 488 ?? Is 10:03PM 0:00.02 moused -p /dev/psm0 -t auto
root 337 0.0 2.8 2068 1708 ?? Ss 10:03PM 0:00.36 /usr/local/sbin/httpd -DMOD_FP
root 353 0.0 1.9 1776 1164 ?? Is 10:03PM 0:00.01 /usr/local/sbin/sshd (sshd2)
nobody 359 0.0 2.8 2092 1708 ?? I 10:03PM 0:00.00 /usr/local/sbin/httpd -DMOD_FP
nobody 360 0.0 2.8 2092 1708 ?? I 10:03PM 0:00.00 /usr/local/sbin/httpd -DMOD_FP
nobody 361 0.0 2.8 2092 1708 ?? I 10:03PM 0:00.00 /usr/local/sbin/httpd -DMOD_FP
nobody 362 0.0 2.8 2092 1708 ?? I 10:03PM 0:00.00 /usr/local/sbin/httpd -DMOD_FP
nobody 363 0.0 2.8 2092 1708 ?? I 10:03PM 0:00.00 /usr/local/sbin/httpd -DMOD_FP
root 365 0.0 3.2 2652 1976 ?? S 10:03PM 0:01.90 /usr/local/bin/python /usr/local/abacus/hosts
root 367 0.0 0.9 880 572 ?? Is 10:03PM 0:00.01 /usr/local/psionic/portsentry/portsentry -tcp
root 369 0.0 0.9 880 572 ?? Is 10:03PM 0:00.18 /usr/local/psionic/portsentry/portsentry -udp
root 381 0.0 1.2 1052 756 v0 Ss+ 10:03PM 0:04.67 /usr/libexec/getty Pc ttyv0
root 382 0.0 1.0 920 624 v1 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv1
root 383 0.0 1.0 920 624 v2 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv2
root 384 0.0 1.0 920 624 v3 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv3
root 385 0.0 1.0 920 624 v4 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv4
root 386 0.0 1.0 920 624 v5 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv5
root 387 0.0 1.0 920 624 v6 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv6
root 388 0.0 1.0 920 624 v7 Is+ 10:03PM 0:00.01 /usr/libexec/getty Pc ttyv7
root 522 0.0 2.4 1840 1472 ?? S 12:36AM 0:00.31 /usr/local/sbin/sshd (sshd2)
dliu 523 0.0 1.4 1016 868 p0 Is 12:37AM 0:00.02 -bash (bash)
root 524 0.0 1.5 1276 916 p0 I 12:37AM 0:00.04 _su (csh)
root 526 0.0 1.5 1032 884 p0 S 12:37AM 0:00.03 bash
root 0 0.0 0.0 0 0 ?? DLs 6:03PM 0:00.01 (swapper)
/* nmap -sS -O localhost */
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1473 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
2/tcp open compressnet
3/tcp open compressnet
4/tcp open unknown
5/tcp open rje
7/tcp open echo
9/tcp open discard
11/tcp open systat
15/tcp open netstat
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
70/tcp open gopher
79/tcp open finger
80/tcp open http
87/tcp open priv-term-l
109/tcp open pop-2
110/tcp open pop-3
111/tcp open sunrpc
119/tcp open nntp
138/tcp open netbios-dgm
139/tcp open netbios-ssn
143/tcp open imap2
144/tcp open news
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
635/tcp open unknown
1023/tcp open unknown
1024/tcp open kdm
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
2001/tcp open dc
2049/tcp open nfs
6667/tcp open irc
8080/tcp open http-proxy
12345/tcp open NetBus
12346/tcp open NetBus
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
TCP Sequence Prediction: Class=random positive increments
Difficulty=5406 (Worthy challenge)
Remote operating system guess: FreeBSD 2.2.1 - 4.0
Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
/* sockstat */
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd2 522 6 tcp4 216.77.240.142.22 165.247.135.53.103
root portsent 369 0 udp4 *.1035 *.*
root portsent 369 1 udp4 *.1 *.*
root portsent 369 2 udp4 *.7 *.*
root portsent 369 3 udp4 *.9 *.*
root portsent 369 4 udp4 *.19 *.*
root portsent 369 5 udp4 *.66 *.*
root portsent 369 6 udp4 *.67 *.*
root portsent 369 7 udp4 *.69 *.*
root portsent 369 8 udp4 *.111 *.*
root portsent 369 9 udp4 *.137 *.*
root portsent 369 10 udp4 *.138 *.*
root portsent 369 11 udp4 *.161 *.*
root portsent 369 12 udp4 *.162 *.*
root portsent 369 13 udp4 *.177 *.*
root portsent 369 14 udp4 *.474 *.*
root portsent 369 15 udp4 *.513 *.*
root portsent 369 16 udp4 *.517 *.*
root portsent 369 17 udp4 *.518 *.*
root portsent 369 18 udp4 *.520 *.*
root portsent 369 19 udp4 *.635 *.*
root portsent 369 20 udp4 *.640 *.*
root portsent 369 21 udp4 *.641 *.*
root portsent 369 22 udp4 *.666 *.*
root portsent 369 23 udp4 *.700 *.*
root portsent 369 24 udp4 *.2049 *.*
root portsent 369 25 udp4 *.28001 *.*
root portsent 369 26 udp4 *.32770 *.*
root portsent 369 27 udp4 *.32771 *.*
root portsent 369 28 udp4 *.32772 *.*
root portsent 369 29 udp4 *.32773 *.*
root portsent 369 30 udp4 *.32774 *.*
root portsent 369 31 udp4 *.31337 *.*
root portsent 369 32 udp4 *.54321 *.*
root portsent 367 0 tcp4 *.1024 *.*
root portsent 367 1 tcp4 *.1 *.*
root portsent 367 2 tcp4 *.2 *.*
root portsent 367 3 tcp4 *.3 *.*
root portsent 367 4 tcp4 *.4 *.*
root portsent 367 5 tcp4 *.5 *.*
root portsent 367 6 tcp4 *.7 *.*
root portsent 367 7 tcp4 *.9 *.*
root portsent 367 8 tcp4 *.11 *.*
root portsent 367 9 tcp4 *.15 *.*
root portsent 367 10 tcp4 *.19 *.*
root portsent 367 11 tcp4 *.20 *.*
root portsent 367 12 tcp4 *.21 *.*
root portsent 367 13 tcp4 *.23 *.*
root portsent 367 14 tcp4 *.25 *.*
root portsent 367 15 tcp4 *.53 *.*
root portsent 367 16 tcp4 *.70 *.*
root portsent 367 17 tcp4 *.79 *.*
root portsent 367 18 tcp4 *.87 *.*
root portsent 367 19 tcp4 *.109 *.*
root portsent 367 20 tcp4 *.110 *.*
root portsent 367 21 tcp4 *.111 *.*
root portsent 367 22 tcp4 *.119 *.*
root portsent 367 23 tcp4 *.138 *.*
root portsent 367 24 tcp4 *.139 *.*
root portsent 367 25 tcp4 *.143 *.*
root portsent 367 26 tcp4 *.144 *.*
root portsent 367 27 tcp4 *.512 *.*
root portsent 367 28 tcp4 *.513 *.*
root portsent 367 29 tcp4 *.514 *.*
root portsent 367 30 tcp4 *.515 *.*
root portsent 367 31 tcp4 *.540 *.*
root portsent 367 32 tcp4 *.635 *.*
root portsent 367 33 tcp4 *.1080 *.*
root portsent 367 34 tcp4 *.1114 *.*
root portsent 367 35 tcp4 *.1524 *.*
root portsent 367 36 tcp4 *.2000 *.*
root portsent 367 37 tcp4 *.2001 *.*
root portsent 367 38 tcp4 *.2049 *.*
root portsent 367 39 tcp4 *.4000 *.*
root portsent 367 40 tcp4 *.4001 *.*
root portsent 367 41 tcp4 *.5742 *.*
root portsent 367 42 tcp4 *.6667 *.*
root portsent 367 43 tcp4 *.12345 *.*
root portsent 367 44 tcp4 *.12346 *.*
root portsent 367 45 tcp4 *.20034 *.*
root portsent 367 46 tcp4 *.30303 *.*
root portsent 367 47 tcp4 *.32771 *.*
root portsent 367 48 tcp4 *.32772 *.*
root portsent 367 49 tcp4 *.32773 *.*
root portsent 367 50 tcp4 *.32774 *.*
root portsent 367 51 tcp4 *.31337 *.*
root portsent 367 52 tcp4 *.40421 *.*
root portsent 367 53 tcp4 *.40425 *.*
root portsent 367 54 tcp4 *.49724 *.*
root portsent 367 55 tcp4 *.54320 *.*
nobody httpd 363 16 tcp4 *.8080 *.*
nobody httpd 363 17 tcp4 *.80 *.*
nobody httpd 362 16 tcp4 *.8080 *.*
nobody httpd 362 17 tcp4 *.80 *.*
nobody httpd 361 16 tcp4 *.8080 *.*
nobody httpd 361 17 tcp4 *.80 *.*
nobody httpd 360 16 tcp4 *.8080 *.*
nobody httpd 360 17 tcp4 *.80 *.*
nobody httpd 359 16 tcp4 *.8080 *.*
nobody httpd 359 17 tcp4 *.80 *.*
root sshd2 353 3 tcp4 *.22 *.*
root sshd2 353 4 udp4 *.22 *.*
root httpd 337 16 tcp4 *.8080 *.*
root httpd 337 17 tcp4 *.80 *.*
root amd 272 4 udp4 *.1023 *.*
root amd 272 5 tcp4 *.1023 *.*
root amd 272 6 udp4 *.1022 *.*
root amd 272 7 udp4 *.1021 *.*
root amd 271 4 udp4 *.1023 *.*
root amd 271 5 tcp4 *.1023 *.*
root amd 271 6 udp4 *.1022 *.*
root amd 271 7 udp4 *.1021 *.*
root syslogd 262 4 udp4 *.514 *.*
root dhclient 108 3 udp4 *.* *.*
root dhclient 108 6 udp4 *.68 *.*
/* rc.conf file */
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
# -- sysinstall generated deltas -- #
ifconfig_ed0="inet 192.168.0.1 netmask 255.255.255.0"
hostname="Finch"
linux_enable="NO"
moused_enable="YES"
gateway_enable="YES"
usbd_enable="NO"
ntpdate_flags="otc1.psu.edu"
ifconfig_xl0="DHCP"
hostname="finch.dyndns.com"
sendmail_enable="NO"
ipv6_enable="NO"
router_enable="NO"
ntpdate_enable="YES"
sshd_enable="NO"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="xl0"
inetd_enable="NO"
portmap_enable="NO"
# Later change to YES, prevents X-windows from running
kern_securelevel_enable="NO"
kern_securelevel="2"
amd_flags="-a /.amd_mnt -c 1800 -l syslog /host /etc/amd.map /net /etc/amd.map"
amd_enable="YES"
-----Original Message-----
From: bobj@smtp.ufl.edu [mailto:bobj@smtp.ufl.edu] On Behalf Of Bob Johnson
Sent: Friday, September 08, 2000 8:27 PM
To: David Liu
Cc: freebsd-doc@FreeBSD.ORG
Subject: Re: Documentation suggestion
David Liu wrote:
>
> Hi,
>
> I was trying to secure my FreeBSD 4.1 server by following the handbook and
> disabled inetd.conf and as many of the services which I don't need. An nmap
> port scan still shows that many of my ports are still open. Please address
> this in your handbook. I need to know for example why port 12345 is open
> and how to shut it down.
>
> Thanks for your help and a great product,
>
The port scan doesn't match your config file. If you didn't reboot
after editing the config file, then try rebooting and scanning again.
After you do that, if things aren't what you expect, post the scan and
the rc.conf, plus the result of "ps -ax", to questions@freebsd.org.
If, during this process, you can identify what specific shortcoming in
the documentation caused you difficulty, please post that information
to the doc list. Actually, now that you mention it, I can't even find
instructions on disabling inetd.conf in the Handbook. Were you reading
the Handbook, or a tutorial, or the FAQ, or The Complete FreeBSD?
Thanks,
- Bob
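The check a reader of this thread wants is the join between the two outputs posted above: nmap labels 12345/tcp "NetBus" from its services table, but the sockstat listing shows that socket (and 12346, 31337, 111, 2049 and most of the rest) bound by `portsent` PID 367, i.e. the portsentry process visible in `ps aux`, not by a trojan. The script below is an added example, not code from the original post or from the portsentry project. It parses an nmap port table and FreeBSD 4.x-style sockstat output (both sample inputs are excerpts of the text quoted in the message) and reports, for every "open" port, which process owns the socket and whether that process is a known decoy binder. The `DECOY_COMMANDS` set and the verdict names are assumptions for illustration; tune them for your host.

```python
"""Attribute nmap 'open' ports to the process that owns the socket.

Added example, not code from the original post. It joins nmap's port
table with sockstat(1) output so that a port nmap names by its
well-known service (12345/tcp "NetBus") is reported under the process
that actually bound it. The sample inputs are excerpts of the nmap and
sockstat output quoted in the message; the column layout is that of
FreeBSD 4.x sockstat.
"""
import re
from collections import defaultdict

# Excerpt of the nmap output from the message above.
NMAP_OUTPUT = """\
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
1023/tcp open unknown
2049/tcp open nfs
12345/tcp open NetBus
12346/tcp open NetBus
31337/tcp open Elite
"""

# Excerpt of the sockstat output from the message above.
SOCKSTAT_OUTPUT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd2 522 6 tcp4 216.77.240.142.22 165.247.135.53.103
root portsent 367 21 tcp4 *.111 *.*
root portsent 367 38 tcp4 *.2049 *.*
root portsent 367 43 tcp4 *.12345 *.*
root portsent 367 44 tcp4 *.12346 *.*
root portsent 367 51 tcp4 *.31337 *.*
nobody httpd 363 17 tcp4 *.80 *.*
root sshd2 353 3 tcp4 *.22 *.*
root amd 272 5 tcp4 *.1023 *.*
"""

# Commands that bind ports purely as decoys. sockstat truncates the
# command name, so both spellings are listed. Assumption: tune per host.
DECOY_COMMANDS = {"portsent", "portsentry"}

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_nmap(text):
    """Return {(port, proto): nmap_service_guess} for lines in state 'open'."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def parse_sockstat(text):
    """Return {(port, proto): [(user, command, pid), ...]} for listeners.

    sockstat prints the local address as host.port ('*.12345') and a
    foreign address of '*.*' for a listening socket; rows with a real
    peer (the active sshd2 session) are connections and are skipped.
    """
    listeners = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, cmd, pid, proto, local, foreign = (
            fields[0], fields[1], fields[2], fields[4], fields[5], fields[6])
        if foreign != "*.*":
            continue
        _host, _, port = local.rpartition(".")
        if not port.isdigit():
            continue
        key = (int(port), proto.rstrip("46"))   # tcp4/tcp6 -> tcp
        listeners[key].append((user, cmd, int(pid)))
    return listeners


def attribute(nmap_text, sockstat_text):
    """Join both views into {(port, proto): {'nmap', 'owners', 'verdict'}}.

    'decoy'   - every owner is a known decoy process (portsentry here)
    'service' - a real daemon owns the socket
    'unowned' - nmap saw it open but no listener claims it; this is the
                case to investigate, not the portsentry bindings
    """
    open_ports = parse_nmap(nmap_text)
    listeners = parse_sockstat(sockstat_text)
    report = {}
    for key, guess in sorted(open_ports.items()):
        owners = listeners.get(key, [])
        if not owners:
            verdict = "unowned"
        elif all(cmd in DECOY_COMMANDS for _user, cmd, _pid in owners):
            verdict = "decoy"
        else:
            verdict = "service"
        report[key] = {"nmap": guess, "owners": owners, "verdict": verdict}
    return report


def render(report):
    """Format the report as a table, one line per port."""
    lines = ["PORT       NMAP GUESS    VERDICT   OWNER"]
    for (port, proto), row in report.items():
        owner = ", ".join(f"{cmd}[{pid}] as {user}"
                          for user, cmd, pid in row["owners"]) or "-"
        lines.append(f"{port}/{proto:<5} {row['nmap']:<13} "
                     f"{row['verdict']:<9} {owner}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(attribute(NMAP_OUTPUT, SOCKSTAT_OUTPUT)))
```

On a live host, feed it the real outputs (`nmap -sS -O localhost` and `sockstat`; on current FreeBSD `sockstat -l` limits the listing to listening sockets) instead of the embedded excerpts. The row to worry about is an "unowned" port, where the scanner sees a listener that no process in the socket table admits to; a port owned by portsentry is working as intended, and the fix for the scan result is to shorten portsentry's port list rather than to hunt for NetBus.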
