From owner-freebsd-security Mon Jun 19 07:09:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ixori.demon.nl (ixori.demon.nl [195.11.248.5]) by hub.freebsd.org (Postfix) with ESMTP id 4888637BCEB for ; Mon, 19 Jun 2000 07:09:01 -0700 (PDT) (envelope-from bart@ixori.demon.nl)
Received: from smtp-relay by ixori.demon.nl (8.9.3/8.9.2) with ESMTP id QAA20358; Mon, 19 Jun 2000 16:12:17 +0200 (CEST) (envelope-from bart@ixori.demon.nl)
Received: from network (intranet) by smtp-relay (Bart's intranet smtp server)
Date: Mon, 19 Jun 2000 16:13:23 +0200 (CEST)
From: Bart van Leeuwen
To: "tjk@tksoft.com"
Cc: Oleg Strizhak, FreeBSD-security@freebsd.org
Subject: Re: tried to be cracked
In-Reply-To: <200006191351.GAA07969@uno.tksoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

To add to that, on 4.0 it seems to be "man hosts_options" for info on the hosts.allow file.

Another very useful command to look at is sockstat (-an); it will tell you which 'command' is actually listening on which port on your machine.

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Mon, 19 Jun 2000, tjk@tksoft.com wrote:

> You don't need any service you don't know about.
>
> You can disable all of them, except ftp and telnet, if
> you use telnet. You should also not have any daemons
> running which you don't use. mountd, nfsd, portmap, etc..
>
> Try
> "man hosts.allow" or "man hosts_access"
> (not at a FreeBSD box right now, so can't check.)
>
> Anyway, you can use "netstat -n -a" to find out what
> ports you have open.
>
> Troy
>
> > Hi all!
> >
> > Today I am seeing this in messages:
> > Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
> > Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
> >
> > I checked all the logs -- there was no login via telnet or ssh. No activity was detected for that period of time on my http or ftp daemons. So I suppose that it was through one of the predefined inetd services.
> >
> > Here are my inetd.conf's enabled nodes:
> >
> > ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd
> > telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
> > shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
> > login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
> > finger  stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd fingerd -s
> > comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
> > ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
> >
> > #
> > # IPv6 services
> > #
> > ftp     stream  tcp6    nowait  root    /usr/local/sbin/proftpd proftpd
> > telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
> > shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
> > login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
> > finger  stream  tcp6    nowait/3/10  nobody  /usr/libexec/fingerd fingerd -s
> >
> > Question is: which of these daemons can be disabled (or even inetd itself) w/o any harm? I've no use for NFS -- plain http/ftp/pop server. SMTP and POP stuff is already handled by tcpserv.
> >
> > I've already set up hosts.allow: denied any w/o reverse DNS, allowed any ftp, portmap, and ssh; denied all other daemons/users except trusted address.
> > Where can I find out additional info about hosts.allow syntax?
> >
> > Thanx in advance.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
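The advice in the thread (list what inetd has enabled, comment out what you do not use, and write the hosts.allow policy Oleg describes) as one POSIX sh script. This is an added example, not code from anyone in the thread. It works on a constructed copy of the inetd.conf entries Oleg quoted; the trusted network 192.0.2.0/24 is a placeholder, and the hosts.allow daemon names assume each program is wrapped (inetd's built-in wrapping for inetd services, libwrap inside sshd and portmap).

```shell
#!/bin/sh
# Added example for the thread above: audit an inetd.conf, comment out unwanted
# services, and emit a hosts.allow policy in hosts_options(5) syntax.

# Constructed sample: the enabled entries Oleg quoted from his inetd.conf.
SAMPLE_INETD_CONF='ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody  /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#
# IPv6 services
#
ftp     stream  tcp6    nowait  root    /usr/local/sbin/proftpd proftpd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp6    nowait/3/10 nobody  /usr/libexec/fingerd fingerd -s'

# Print every active entry (not blank, not a comment) as: service proto user program.
# Against the real file: enabled_services < /etc/inetd.conf
enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1, $3, $5, $6 }'
}

# Comment out every active entry whose service name is in the space-separated list $1.
# All other lines pass through unchanged, so the output can replace inetd.conf.
disable_services() {
    awk -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[ \t]*(#|$)/ && ($1 in off) { print "#" $0; next }
        { print }'
}

# hosts.allow policy from Oleg's description: reject clients whose reverse DNS is
# missing (UNKNOWN) or does not match their address (PARANOID); open ftp, portmap
# and ssh to everyone; allow anything else only from the trusted network; deny the rest.
# The daemon name is the basename of the server program (proftpd, not "ftp").
# 192.0.2.0/24 is a placeholder for the trusted network (assumption, not from the thread).
hosts_allow_policy() {
    cat <<'EOF'
ALL : PARANOID UNKNOWN : deny
proftpd sshd portmap : ALL : allow
ALL : 192.0.2.0/255.255.255.0 : allow
ALL : ALL : deny
EOF
}

# Services the thread says a plain http/ftp/pop box does not need: the cleartext
# r-services and telnet, plus finger, comsat and ntalk. Only ftp stays enabled.
UNNEEDED="telnet shell login finger comsat ntalk"

echo "== enabled before =="
printf '%s\n' "$SAMPLE_INETD_CONF" | enabled_services
echo "== enabled after disabling: $UNNEEDED =="
printf '%s\n' "$SAMPLE_INETD_CONF" | disable_services "$UNNEEDED" | enabled_services
echo "== /etc/hosts.allow =="
hosts_allow_policy
# On the real box: install the edited file as /etc/inetd.conf, then
# kill -HUP `cat /var/run/inetd.pid`, and confirm with netstat -an or sockstat.
```

If nothing is left enabled, inetd itself can go (inetd_enable="NO" in rc.conf), which is the cleanest answer to "or even inetd itself". Note that the hosts.allow rules are matched top to bottom, first match wins, so the PARANOID/UNKNOWN line must come before the allow lines.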