From: "Carlos Andrade"
Subject: okay now I am worried
Date: Fri, 14 Dec 2001 16:21:35 -0700
Message-ID: <000001c184f6$133d72e0$fa01a8c0@rjstech.com>
Sender: owner-freebsd-security@FreeBSD.ORG

The following has been in my log for a few days:

- x86 FreeBSD 4.2 machine (btw)
- logging in vain is turned on
- the only thing I am running is natd (gateway for our company), and very few ports are specifically left open
- I do not allow inside traffic to go in to the outside NIC (and vice versa) to stop spoofing
- I specifically blocked ports 135, 139, 3389, 6667, 6668 because nmap said that they were responding or open for some reason.

(date) /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:XXXX

where XXXX has been the following: 1389, 1396, 1523, 1530

sockstat -4 returns that the only thing open is natd:

user  command  pid  fd  proto  local_add  foreign_add
root  natd     xxx  3   div4   *.8668     *.*
root  natd     XXX  4   icm4   *.*        *.*

sockstat -6 returns nothing (since I am not running ip6).

sockstat -u returns: cron, syslogd and natd running.

ps -auwx | sort | uniq returns buffdaemon, pagedaemon, swapper, syncer, my bash shell, init, natd, the tty terminals, adjkerntz, syslogd, cron, and ps.

Reading up on the ports, UDP 512 is biff, but I am not running any mail server. The only mail I get is generated by daily reports in cron.

So am I crazy, or?

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com
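The triage the poster is doing by hand (reading log_in_vain lines, then asking which local process could own the port) can be scripted. The following is an added example, not code from the post or from FreeBSD: it parses the FreeBSD 4.x log_in_vain kernel message format quoted above, splits attempts whose source address is loopback (which can only come from a process on the box itself) from attempts arriving from other hosts, and summarises per destination port. The sample log lines, hostname "gw", and the addresses 192.0.2.1 and 198.51.100.77 are constructed for the example. The hint for UDP 512 reflects the standard FreeBSD behaviour that the local mailer notifies comsat(8) on that port after delivering a message.

```python
"""Classify FreeBSD log_in_vain kernel messages by origin.

Added example, not from the original post. Lines look like
'Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1389';
TCP lines carry a trailing 'flags:0x..' field in FreeBSD 4.x.
"""
import ipaddress
import re
from collections import Counter, defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    rf"(?P<dst>{IPV4}):(?P<dport>\d+) from "
    rf"(?P<src>{IPV4}):(?P<sport>\d+)"
    r"(?: flags:(?P<flags>0x[0-9a-fA-F]+))?"
)

# Ports a loopback-sourced attempt is commonly explained by on a FreeBSD box.
LOCAL_PORT_HINTS = {
    ("UDP", 512): "biff/comsat notification sent by the local mailer after "
                  "delivering a message (e.g. cron's daily reports)",
}

# Constructed sample input (not real log data), modelled on the poster's lines.
SAMPLE_LOG = """\
Dec 14 03:01:02 gw /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1389
Dec 15 03:01:05 gw /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1396
Dec 16 03:01:01 gw /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1523
Dec 16 11:42:17 gw /kernel: Connection attempt to TCP 192.0.2.1:139 from 198.51.100.77:4321 flags:0x02
Dec 16 11:42:20 gw /kernel: Connection attempt to TCP 192.0.2.1:135 from 198.51.100.77:4322 flags:0x02
Dec 16 12:00:00 gw syslogd: restart
"""


def parse_line(line):
    """Return a dict describing a log_in_vain line, or None for other lines."""
    m = LOG_IN_VAIN_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    # A loopback source means the datagram/SYN was generated on this host.
    ev["local_origin"] = ipaddress.ip_address(ev["src"]).is_loopback
    return ev


def summarize(log_text):
    """Group attempts by (proto, dport); count local ones, tally remote sources."""
    summary = defaultdict(lambda: {"local": 0, "remote": Counter()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["proto"], ev["dport"])
        if ev["local_origin"]:
            summary[key]["local"] += 1
        else:
            summary[key]["remote"][ev["src"]] += 1
    return dict(summary)


def report(summary):
    """Render one line per (port, origin class), remote probes first."""
    out = []
    for (proto, port), s in sorted(summary.items()):
        if s["remote"]:
            peers = ", ".join(f"{ip} x{n}" for ip, n in s["remote"].most_common())
            out.append(f"{proto}/{port}: {sum(s['remote'].values())} remote "
                       f"attempt(s) from {peers}")
        if s["local"]:
            hint = LOCAL_PORT_HINTS.get((proto, port), "a local process; check "
                                        "what on this host talks to that port")
            out.append(f"{proto}/{port}: {s['local']} attempt(s) from loopback: {hint}")
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Feed it `/var/log/messages` (or `dmesg` output) instead of `SAMPLE_LOG`; anything sourced from 127.0.0.1 is local noise to explain with sockstat and ps, while the remote tally is what the firewall rules should already be covering.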