From: Matthew Seaman
To: Volker Kindermann
Cc: Bob Ababurko, questions@freebsd.org
Date: Tue, 24 Aug 2004 10:24:28 +0100
Subject: Re: portscan looks like....
Message-ID: <20040824092428.GA716@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040824083730.0cbf11b6@ariel.office.volker.de>
References: <5.2.1.1.0.20040824000315.01a74178@mail.dc2.adelphia.net> <20040824083730.0cbf11b6@ariel.office.volker.de>

On Tue, Aug 24, 2004 at 08:37:30AM +0200, Volker Kindermann wrote:
> Hi Bob,
>
>
> > PORT     STATE SERVICE
> > 22/tcp   open  ssh
> > 25/tcp   open  smtp
> > 80/tcp   open  http
> > 111/tcp  open  rpcbind
> > 1023/tcp open  netvenuechat
[...]
> > Then there is the case of the port 1023. I have no idea how to turn
> > this off or how it got turned on. Could the rpcbind have allowed someone
> > into my computer to hack it up? I am pretty scared at this point.
>
> First try to disable rpcbind and look afterwards, if port 1023 is still
> open. If it is, install lsof from ports. This tool will tell you which
> application is listening on this port.

sockstat(1) will tell you that just as well, and it's a standard part of
the system.

Chances are port 1023 is open because of portmap(8) (a.k.a rpcbind(8) in
5.x). To see what ports portmap is managing, use the rpcinfo(8) command:

    # rpcinfo -p

As for telling if your system has been compromised, it depends on the
level of sophistication of whoever attacks you. Chances are that if
you're just an ordinary home user without any particular secrets or other
motives for anyone to break in, you'll not come to the attention of anyone
good enough to cover their tracks thoroughly. In fact, about the only sort
of intrusion attempt you're likely to see would be automated or
semi-automated attacks /intended for Linux or Windows servers/ by Skript
Kiddiez. Needless to say, these tend not to work.
The most effective things you can do to prevent yourself being compromised
are:

  - keep your system and ports up to date

  - be vigilant: look at what the daily security e-mail is telling you,
    subscribe to freebsd-announce@... and/or freebsd-security@... so that
    you get notified of any security advisories. Scan through system logs
    for anomalous entries occasionally. Check for strange processes (use
    ps(1)) or for logins from odd systems or at odd times (use last(1)).

  - Install security/portaudit so that you get notifications of any
    vulnerabilities in your installed ports

  - Think about what you are doing as you use the system. Get into good
    security habits: try and ensure that processes/users have only the
    minimum necessary permissions in order to function. Always use ssh(1)
    or similarly encrypted channels for remote access to systems. Never
    log in directly as root -- use su(1) or better, sudo(1) instead.
    Always use secure (i.e. unguessable) passwords -- install and use
    security/apg if you find it hard to think up good ones.

There's a shedload of useful monitoring software you can install to help
you detect if you have been attacked or compromised, but for most home
users, it's really overkill. Particularly noteworthy are security/snort
-- which will examine all of the network traffic reaching your system and
detect which of it is unfriendly -- and one of the security/tripwire
ports, which will build a cryptographically secured database of checksums
of all of the important files on your system which you can use to
immediately detect any changes.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
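As an added example, not part of Matthew's message: a small POSIX shell script that performs the check he describes, correlating a listening TCP port with the sockstat(1) and rpcinfo -p views to tell whether the listener is an RPC service registered with portmap. The sockstat and rpcinfo outputs embedded below are constructed samples in the real tools' column layout, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original message. Correlates a listening TCP
# port with sockstat(1) and rpcinfo(8) output to tell whether the listener is
# an RPC service registered with portmap/rpcbind. Both outputs below are
# constructed samples in the real tools' column layout, not captured data.

SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     sendmail   480   5  tcp4   127.0.0.1:25          *:*
www      httpd      520   3  tcp4   *:80                  *:*
root     portmap    385   3  tcp4   *:111                 *:*
root     mountd     401   5  tcp4   *:1023                *:*'

RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   tcp   1023  mountd
    100005    1   udp   1022  mountd'

# Name of the command listening on a TCP port (the sockstat -4l view).
listener_of_port() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk -v p="$1" '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")        # LOCAL ADDRESS is addr:port
            if (a[n] == p) { print $2; exit }
        }'
}

# RPC program name registered on a TCP port (the rpcinfo -p view).
rpc_service_on_port() {
    printf '%s\n' "$RPCINFO_SAMPLE" | awk -v p="$1" '
        NR > 1 && $3 == "tcp" && $4 == p { print $5; exit }'
}

# Put both views together for one port.
explain_port() {
    cmd=$(listener_of_port "$1")
    svc=$(rpc_service_on_port "$1")
    if [ -z "$cmd" ]; then
        echo "$1: no TCP listener"
    elif [ -n "$svc" ]; then
        echo "$1: $cmd (RPC program '$svc' registered with portmap)"
    else
        echo "$1: $cmd (not an RPC registration)"
    fi
}

for port in 22 111 1023; do explain_port "$port"; done
```

On a live system the two sample variables would be replaced by the output of `sockstat -4l` and `rpcinfo -p`; a port that shows up in sockstat but not in rpcinfo is the one that deserves a closer look with ps(1).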