From owner-freebsd-security Thu May 17 12: 9: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197])
    by hub.freebsd.org (Postfix) with ESMTP id 75E8E37B423
    for ; Thu, 17 May 2001 12:08:56 -0700 (PDT)
    (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb40.netbriefings.com [64.183.199.40])
    by poontang.schulte.org (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id f4HJ8iWB022941;
    Thu, 17 May 2001 14:08:45 -0500 (CDT)
Message-Id: <5.1.0.14.0.20010517140530.034218f8@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 17 May 2001 14:07:43 -0500
To: anderson@centtech.com, Bill Mitcheson
From: Christopher Schulte
Subject: Re: New info on our Port 1023 problem.
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3B042079.AC957064@centtech.com>
References: <3B042085.39247322@pyramus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don't forget /var/yp/securenets

man ypserv(8) will help you.

If NIS is not used, kill it. In any event, do a full service audit and turn off all unused services. This is a basic sysadmin principle.

At 02:03 PM 5/17/2001 -0500, Eric Anderson wrote:
>It's typically pretty insecure. If you aren't running NIS/YP on your
>machines, you can get rid of it. If you do need it, you should be
>filtering it with ipfw or ipfilter.
>
>Eric
>
>
>
>Bill Mitcheson wrote:
> >
> > I ran sockstat and came up with the following:
> >
> > root ypserv 117 5 tcp *.1023 *.*
> >
> > Ypserv was also running on a couple of other ports as UDP instead of TCP. Is
> > this bad?
> >
> > Rob Simmons wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: RIPEMD160
> > >
> > > Were you running any services on that port? The command "sockstat" should
> > > tell you if there is anything listening on that port. If there is nothing
> > > listening on the port, you don't have to worry about them poking at that
> > > port.
> > >
> > > Robert Simmons
> > > Systems Administrator
> > > http://www.wlcg.com/
> > >
> > > On Thu, 17 May 2001, Bill Mitcheson wrote:
> > >
> > > > We noticed unauthorized activity yesterday. After investigating we found
> > > > that there was someone coming in from Asia and they were trying to
> > > > access port 1023. I could not find much info on that port and was
> > > > wondering if anyone knows of that port, what common attacks to that port
> > > > are, and how to stop future attacks?
> > > >
> > > > Bill Mitcheson.
> > > > Network Administrator,
> > > > Pyramus Online.
> > > >
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.0.5 (FreeBSD)
> > > Comment: For info see http://www.gnupg.org
> > >
> > > iD8DBQE7BBXQv8Bofna59hYRAwgNAJ0WjqRSOsNgHibg59s7JJjPOovwAACeNExx
> > > xntXYcmqMvzu6ER22/biI5I=
> > > =WrEW
> > > -----END PGP SIGNATURE-----
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>--
>-------------------------------------------------------------------------------
>Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
>The idea is to die young as late as possible.
>-------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
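
Added example, not part of the original thread: one way to run the service audit recommended above is to compare sockstat output against a list of services that are expected to listen. The function name, the allowlist and the sample lines (including UDP port 1022) are constructed for illustration; the column layout follows the sockstat line quoted in the thread.

```shell
#!/bin/sh
# Added example: flag listening sockets bound to all addresses that are not
# on an allowlist of expected services. Column layout assumed from the thread:
# USER COMMAND PID FD PROTO LOCAL FOREIGN

# audit_listeners "<allowed commands, space separated>"  (hypothetical helper)
# Reads sockstat-style lines on stdin and prints "command proto port" for each
# unexpected wildcard listener, one per line, without duplicates.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "USER" { next }              # header line
        NF < 7       { next }              # blank or malformed line
        {
            cmd = $2; proto = $5; laddr = $6; faddr = $7
            # a listener has a wildcard foreign address (*.* or *:*)
            if (faddr != "*.*" && faddr != "*:*") next
            # only report sockets bound to every interface
            if (laddr !~ /^\*[.:]/) next
            if (cmd in ok) next
            port = laddr; sub(/^\*[.:]/, "", port)
            key = cmd " " proto " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample input; on a live host pipe `sockstat` output in instead.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ypserv     117    5 tcp    *.1023                *.*
root     ypserv     117    4 udp    *.1022                *.*
root     sshd       201    3 tcp    *.22                  *.*
root     sendmail   150    4 tcp    127.0.0.1.25          *.*
bill     ssh        912    3 tcp    10.0.0.5.1044         10.0.0.9.22
EOF
}

# Only sshd is expected to listen on all interfaces in this sample.
sample_sockstat | audit_listeners "sshd"
```

Anything the function prints is a candidate for being switched off or, if the service is needed, restricted with /var/yp/securenets or a packet filter as the replies suggest.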