From owner-freebsd-security Thu May 17 12: 3:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21])
    by hub.freebsd.org (Postfix) with ESMTP id A043637B422
    for ; Thu, 17 May 2001 12:03:26 -0700 (PDT)
    (envelope-from anderson@centtech.com)
Received: (from smap@localhost)
    by prox.centtech.com (8.9.3+Sun/8.9.3) id OAA28136;
    Thu, 17 May 2001 14:03:25 -0500 (CDT)
Received: from proton.centtech.com(10.177.173.77) by prox via smap (V2.1+anti-relay+anti-spam)
    id xma028134; Thu, 17 May 01 14:03:21 -0500
Message-ID: <3B042079.AC957064@centtech.com>
Date: Thu, 17 May 2001 14:03:21 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Bill Mitcheson
Cc: freebsd-security@freebsd.org
Subject: Re: New info on our Port 1023 problem.
References: <3B042085.39247322@pyramus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It's typically pretty insecure. If you aren't running NIS/YP on your
machines, you can get rid of it. If you do need it, you should be
filtering it with ipfw or ipfilter.

Eric

Bill Mitcheson wrote:
>
> I ran sockstat and came up with the following:
>
> root ypserv 117 5 tcp *.1023 *.*
>
> Ypserv was also running on a couple of other ports as UDP instead of TCP. Is
> this bad?
>
> Rob Simmons wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> >
> > Were you running any services on that port? The command "sockstat" should
> > tell you if there is anything listening on that port. If there is nothing
> > listening on the port, you don't have to worry about them poking at that
> > port.
> >
> > Robert Simmons
> > Systems Administrator
> > http://www.wlcg.com/
> >
> > On Thu, 17 May 2001, Bill Mitcheson wrote:
> >
> > > We noticed unauthorized activity yesterday. After investigating we found
> > > that there was someone coming in from Asia and they were trying to
> > > access port 1023. I could not find much info on that port and was
> > > wondering if anyone knows of that port, what common attacks to that port
> > > are, and how to stop future attacks?
> > >
> > > Bill Mitcheson.
> > > Network Administrator,
> > > Pyramus Online.
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.5 (FreeBSD)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE7BBXQv8Bofna59hYRAwgNAJ0WjqRSOsNgHibg59s7JJjPOovwAACeNExx
> > xntXYcmqMvzu6ER22/biI5I=
> > =WrEW
> > -----END PGP SIGNATURE-----

-- 
-------------------------------------------------------------------------------
Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
The idea is to die young as late as possible.
-------------------------------------------------------------------------------
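
An added example, not part of the original messages: the sockstat check and the ipfw filtering suggested in this thread, combined into one script that turns every ypserv socket bound to the wildcard address into an allow/deny rule pair. The client network, the rule numbers and the sample lines (apart from the one quoted above) are constructed assumptions, and the column layout is assumed to match that quoted line.

```shell
#!/bin/sh
# Added example: derive ipfw rules from sockstat output for ypserv listeners.
# NIS_NET and the rule numbers are assumptions, not values from the thread.
NIS_NET="192.168.1.0/24"   # constructed: network of legitimate NIS clients

# Constructed sample in the layout of the line quoted in the thread:
# USER COMMAND PID FD PROTO LOCAL FOREIGN
sample_sockstat() {
cat <<'EOF'
USER     COMMAND   PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     ypserv    117    5 tcp    *.1023           *.*
root     ypserv    117    4 udp    *.1022           *.*
root     sshd      201    3 tcp    *.22             *.*
root     ypserv    117    6 tcp    127.0.0.1.1021   *.*
EOF
}

# Read sockstat lines on stdin and print (not run) ipfw commands.
# $1 = trusted client network, $2 = command name to match (default ypserv).
# Only sockets bound to "*" are reachable from outside, so only those match.
ypserv_rules() {
    awk -v net="$1" -v cmd="${2:-ypserv}" '
        $2 == cmd && $6 ~ /^\*\.[0-9]+$/ {
            proto = $5
            sub(/[46]+$/, "", proto)          # newer sockstat prints tcp4/udp6
            port = $6
            sub(/^\*\./, "", port)
            key = proto "/" port
            if (seen[key]++) next             # one rule pair per proto/port
            printf "ipfw add %d allow %s from %s to any %s in\n", n + 1000, proto, net, port
            printf "ipfw add %d deny %s from any to any %s in\n", n + 1010, proto, port
            n += 20
        }'
}

# Demo on the constructed sample; on a live host pipe sockstat in instead.
sample_sockstat | ypserv_rules "$NIS_NET"
```

RPC services such as ypserv normally get their ports assigned at start-up, so the rules should be regenerated and reviewed after the daemon restarts.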