Delivered-To: freebsd-security@freebsd.org
Date: Thu, 6 Sep 2001 16:18:41 +0100
From: Marc Rogers
To: Chris Faulhaber
Cc: Fernan Aguero, security@freebsd.org
Subject: Re: some weird stuff found
Message-ID: <20010906161841.E99287@shady.org>
References: <08705D38.78FF6AC2.00A48379@netscape.net> <20010906105345.A8026@peitho.fxp.org>
In-Reply-To: <20010906105345.A8026@peitho.fxp.org>; from jedgar@fxp.org on Thu, Sep 06, 2001 at 10:53:45AM -0400

> Probably a Linux or Solaris rpc attack/exploit. Doesn't affect
> FreeBSD machines (except for annoying log entries).

I would take this as a warning however. It is a sure sign of someone attempting (in a rather clumsy and inaccurate way typical of most kiddies) to break into your hosts. Most kids these days use a scattergun approach to hacking and just fire off as many exploits as possible till one gets a result. I swear half of them don't even know which way to point them.

You should probably take steps to block access to your network from the IP ranges these attacks are originating from. You might want to think about installing snort.

> > 3 - If I run 'nmap -v localhost' I can see a few ports open
> *snip*
> > What services run on 1020 and 1021? I am not aware of having enabled
> > those, and they do not appear in /etc/services.
> >
> Run sockstat (or lsof, etc) to see what is bound to those ports.
Run lsof, but just to be safe, I would download it as a clean install file from a trusted location (ftp.freebsd.org for example) and compile it just before you plan to use it. This is the safest way to ensure you are seeing a true representation of what is running on your system. Look for those ports you are unsure about, and see which open files are linked in to them. This will show you which binary was responsible for opening that socket. If in doubt, kill off the process, and chmod the binary to prevent usage.

> > And relating to this, do I need sendmail listening on 25 and 587 if
> > I only need to send mail to a smart host?
>
> You can probably just use -q30m for sendmail flags if you are not
> accepting email, which will not open listening sockets.

I would advise against running sendmail, period. There are many better and more secure alternatives these days (personally I like postfix or qmail). You certainly do not need to be running sendmail as a daemon. killall -9 sendmail will relieve you of that particular worry. (Don't forget to edit your rc.conf, adding sendmail_enable="NO" to prevent it being restarted at boot time.)

> > Also: I need to print to a network printer but I'm not a print server.
> > Do I need 515 open?
>
> Nope. See the lpd(8) man page (-p option).
>
> > How do I close those ports (25,587,515)?
>
> First see what programs are bound to those ports (see above).
> 25 == telnetd (run from inetd)

Errm, 23 is usually telnetd. 25 is the external port of sendmail. See my comments on sendmail, above.

As mentioned before, use lsof and netstat (careful with what netstat says though, as it is easily compromised and might be lying) to diagnose what's running and decide if you need those services. I would seriously consider adding a local firewall to your host though, especially as you are running an X server. Good security should be like an onion: layered.
Hope this helps,

Marc Rogers
Technical Director
European Data Corporation
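As an added example, not part of Marc's mail and not a FreeBSD tool, the POSIX shell script below shows the check he describes in working form: parse sockstat output to map each listening TCP port back to the owning command and PID, flag listeners that are not on an expected list, and diff the listener set against what netstat reports, since a tampered netstat that hides a port shows up as a disagreement between the two tools. The sockstat and netstat output embedded here is constructed sample data for a hypothetical host (the PIDs, the user fernan and the "unknown" command on port 1021 are invented); on a real box you would pipe in `sockstat -4 -l` and `netstat -an` instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Cross-checks listening TCP
# ports reported by two independent tools and flags unexpected listeners.

# Constructed sample of `sockstat -4 -l` output for a hypothetical host.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   312   4  tcp4   *:25                  *:*
root     sendmail   312   5  tcp4   *:587                 *:*
root     lpd        280   6  tcp4   *:515                 *:*
root     sshd       270   3  tcp4   *:22                  *:*
root     inetd      250   5  tcp4   *:23                  *:*
fernan   unknown    999   3  tcp4   *:1021                *:*'

# Constructed sample of `netstat -an` from the same host. Port 1021 is
# deliberately missing to simulate a netstat that is lying about listeners.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.587                  *.*                    LISTEN
tcp4       0      0  *.515                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.23                   *.*                    LISTEN'

# sockstat_listeners: stdin = sockstat output.
# Prints "port command pid" for every TCP listener, sorted by port.
# The port is the last ":"-separated field of LOCAL ADDRESS, so it also
# works for bound addresses such as 127.0.0.1:25.
sockstat_listeners() {
    awk 'NR > 1 && $5 ~ /^tcp/ { n = split($6, a, ":"); print a[n], $2, $3 }' | sort -n
}

# netstat_ports: stdin = netstat -an output.
# Prints one listening TCP port per line (last "."-separated field), sorted.
netstat_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' | sort -n
}

# unexpected_listeners: $1 = space-separated list of ports you expect to be
# open; stdin = sockstat output. Prints "port command pid" for each listener
# that is not on the expected list, so you know which binary to look at.
unexpected_listeners() {
    allowed=" $1 "
    sockstat_listeners | while read port cmd pid; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port $cmd $pid" ;;
        esac
    done
}

# tool_disagreement: $1 = sockstat output, $2 = netstat output.
# Prints ports reported by exactly one of the two tools. Any output here
# means one of the tools (or the kernel view it relies on) is not to be
# trusted and the host needs a closer look with a freshly built lsof.
tool_disagreement() {
    a=$(printf '%s\n' "$1" | sockstat_listeners | awk '{ print $1 }' | sort -nu)
    b=$(printf '%s\n' "$2" | netstat_ports | sort -nu)
    printf '%s\n%s\n' "$a" "$b" | sort -n | uniq -u
}

# Stand-alone demo: only sshd on 22 is expected on this hypothetical host.
echo "Listeners not on the expected list:"
printf '%s\n' "$SOCKSTAT_SAMPLE" | unexpected_listeners "22"
echo "Ports the two tools disagree on:"
tool_disagreement "$SOCKSTAT_SAMPLE" "$NETSTAT_SAMPLE"
```

The disagreement check is the scriptable form of Marc's warning about a compromised netstat: on a clean host the two lists are identical, so any port printed by tool_disagreement is the first thing to chase down. lsof -i uses yet another output format and is not parsed here; adding it as a third view is a straightforward extension of netstat_ports.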