Originally Posted by iSlinky
I've remove all irc references from /etc/services
This file only serves documentation purposes for you and for programs such as netstat, etc. You've actually made it a bit harder for you to detect an IRC connection by doing this. Your changes have no effect on the box's security, revert them if possible.
In the situation you describe, I would suggest you simply tighten-up your host's firewall regarding outgoing traffic, to make sure no IRC traffic sneaks out. Granted, there really shouldn't be any IRC traffic sneaking out in the first place if you aren't using IRC, but well it's additional peace of mind.
First, ask yourself what is the traffic you *need* to be able to leave your box. Then, set your firewall to only allow those types of packets. For example, let's say you only needed to be able to surf the Web. This would mean you want to allow outgoing DNS, HTTP, and HTTPS packets. Your setup could look like:
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p UDP --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
The last line will give you a heads-up if any unwanted packets were filtered while trying to leave the box (you'll need to monitor syslog in order to see). I don't know how familiar
you are with iptables, so if you have any questions please let us know. If you could post your current iptables setup when you reply it would be great:
Also, what distro are you using?