Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Whenever I check my router's logs during off hours (11pm - 4am), I still notice a lot of traffic coming in and going out on misc ports. My question is: should I be concerned about this, or are they just harmless ICMP messages?
When I say misc ports I'm talking about numbers that range in the 3,000's, 4,000's, 5,000's, 30,000's, 40,000's, and 50,000's. I'm running a Linux proxy/firewall between my router and LAN so I could close off any unneeded ports.
Perhaps I should have done this already, but so far I haven't noticed any malicious log in attempts on any of our servers (knocks on wood).
What do you all think? Should I close off all inbound and outbound traffic for all unused ports, and just keep the basics open like 25, 80, 110, 143, etc.?
Obviously I will have to do some further configuration later on because services like Windows Update and Symantec LiveUpdate may stop working after I close off the ports. But correcting that should be a quick fix.
Could you post an example of some of the traffic by capturing some packets with tcpdump? Is the traffic originating from one host in particular or is it just random IPs?
If this is an internet-facing router, then it's going to see a lot of garbage packets from portscans and virus-infected Windows machines. That's just the normal background that's on the internet. I'd be concerned if the traffic was coming from a single host or if they were able to establish a connection to a strange port.
With regard to firewalling, I would definitely recommend filtering any unsolicited incoming traffic. Egress filtering is a good idea as well, but can be a bit more difficult to get working properly.
You can turn on iptables to allow ONLY the ports you want. If it is internet facing I would recommend doing that.
Short of that you can just disable unused services (telnet, ftpd etc...) in your inetd or xinetd (depending on distro) configuration. This will prevent it from opening ports just for LISTENING that hackers try to exploit.
Also for specific ports you can run "lsof -i :<portno>" to find out which process is associated with the port (has to be done while the port is still active - not for historical use).
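As an added example (not code from any of the posters), here is a small Python triage over tcpdump-style lines that implements the two checks the replies above describe: flag a single remote host probing many ports, and flag any connection our host actually accepted (SYN-ACK) on a port that is not meant to be open. The capture lines, the firewall address OUR_HOST, the allowed-port set and the scan threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumptions for this example (not from the thread): RFC 5737 documentation
# addresses, the poster's intended open ports, and a simple scan threshold.
OUR_HOST = "192.0.2.10"                  # the firewall's internet-facing address
ALLOWED_TCP = {25, 80, 110, 143}         # ports meant to stay open
SCAN_THRESHOLD = 3                       # distinct ports from one source counts as a scan

# Constructed sample of `tcpdump -n` output lines (not a real capture).
SAMPLE = """\
23:14:02.111 IP 203.0.113.7.4431 > 192.0.2.10.135: Flags [S], seq 1, win 64240, length 0
23:14:02.113 IP 203.0.113.7.4432 > 192.0.2.10.445: Flags [S], seq 1, win 64240, length 0
23:14:02.115 IP 203.0.113.7.4433 > 192.0.2.10.3128: Flags [S], seq 1, win 64240, length 0
23:14:02.116 IP 192.0.2.10.3128 > 203.0.113.7.4433: Flags [S.], seq 9, ack 2, win 65535, length 0
23:20:41.002 IP 198.51.100.23.51022 > 192.0.2.10.25: Flags [S], seq 7, win 5840, length 0
23:20:41.003 IP 192.0.2.10.25 > 198.51.100.23.51022: Flags [S.], seq 3, ack 8, win 5840, length 0
23:55:09.400 IP 198.51.100.77.40210 > 192.0.2.10.1434: Flags [S], seq 4, win 8192, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(line):
    """Return (src, sport, dst, dport, flags) or None for lines that are not TCP."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def triage(capture, our_host=OUR_HOST, allowed=ALLOWED_TCP, threshold=SCAN_THRESHOLD):
    """Separate background noise from the two cases worth a closer look:
    one source probing many ports, and our host answering (SYN-ACK) on a
    port that is not supposed to be open."""
    probed = defaultdict(set)        # remote source -> ports it sent SYNs to
    unexpected = []                  # (remote, our port) where we completed a handshake
    for line in capture.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if dst == our_host and flags == "S":                        # inbound SYN
            probed[src].add(dport)
        elif src == our_host and flags == "S." and sport not in allowed:
            unexpected.append((dst, sport))                         # we accepted it
    scanners = sorted(s for s, ports in probed.items() if len(ports) >= threshold)
    return {"scanners": scanners, "unexpected_accepts": unexpected}
```

Lone SYNs to unopened ports (the last line of the sample) are the background noise the reply mentions and are not reported; the unexpected accept on 3128 is the kind of finding that should send you to "lsof -i :3128" on the firewall.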