LinuxQuestions.org
Old 10-04-2004, 10:32 PM   #1
Xon
Member
 
Registered: Sep 2004
Posts: 49

Rep: Reputation: 15
Security Issues?


[root@supermario xon]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:32768 *:* LISTEN
tcp 0 0 localhost:10026 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
udp 0 0 localhost:domain *:*
udp 0 0 224.0.0.251:5353 *:*
udp 0 0 localhost:5353 *:*
udp 0 0 *:sunrpc *:*

[root@supermario xon]# nmap -sS -P0 -O 212.205.247.4

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-05 01:28 EDT
Interesting ports on xxx.xxx (xxx.xxx.xxx.xxx):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.7 (X86)

Nmap run completed -- 1 IP address (1 host up) scanned in 6.678 seconds

When I'm online these are happening; when I'm not, "smtp" listens on port 25. How is it that when I'm getting online smtp stops listening?

Is there any possibility of a compromise? For port 32768, fuser -v -n tcp 32768 shows that postfix listens there; should I stop it with chkconfig? I'm not using it (nor smtp, nor rpcbind).

Where can I stop rpcbind/sunrpc?
 
Old 10-04-2004, 11:44 PM   #2
serz
Member
 
Registered: Apr 2003
Location: Buenos Aires, Argentina
Distribution: Slackware, Gentoo
Posts: 397

Rep: Reputation: 30
Have you checked the init scripts? Some script must be starting that..
 
Old 10-04-2004, 11:45 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
All the entries with "localhost" as the 4th field are accepting only local connections and aren't accessible remotely (that's why they don't turn up in the nmap scan). If you are using any of these, you can leave them on, otherwise turn them off.

You definitely need to turn off portmap/sunrpc. You haven't told us what version of linux you're using, so it's hard to say exactly, but on a redhat-based system you can use:
service portmap stop
chkconfig portmap off

In other systems, kill the process itself and make the startup script in /etc/rc.d non-executable.

Looking at your port list, I'm also not sure why you have a DNS daemon on port 53 (domain) AND a multicast DNS daemon on port 5353. In fact I've only seen the multicast DNS on Apple networks with Rendezvous and Appletalk.

I also see that you're still running the 2.4.7 kernel which is real old and vulnerable to numerous exploits. So you need to update that as soon as possible.

Last edited by Capt_Caveman; 10-04-2004 at 11:47 PM.
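
The bind-address rule from post #3 (localhost-bound listeners are local only, wildcard-bound ones are reachable), as an added example that is not part of the original thread. The sample input is the netstat output from post #1; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify `netstat -a` listeners by bind address.

# Reads netstat-style lines on stdin; prints "<scope> <proto> <port>".
classify_listeners() {
    awk '
    $1 !~ /^(tcp|udp)6?$/ { next }              # skip headers, unix sockets
    $1 ~ /^tcp/ && $NF != "LISTEN" { next }     # tcp: listening sockets only
    {
        n = split($4, parts, ":")               # field 4 = Local Address
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "localhost" || addr ~ /^127\./ || addr == "::1")
            scope = "local-only"                # loopback: not reachable remotely
        else if (addr ~ /^2(2[4-9]|3[0-9])\./)
            scope = "multicast"                 # 224.0.0.0/4 group address
        else
            scope = "exposed"                   # wildcard or a routable address
        print scope, $1, port
    }'
}

# Only the sockets a remote scan could reach, as proto/port.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed" { print $2 "/" $3 }'
}

# Sample input: the netstat output posted in #1.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:32768 *:* LISTEN
tcp 0 0 localhost:10026 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
udp 0 0 localhost:domain *:*
udp 0 0 224.0.0.251:5353 *:*
udp 0 0 localhost:5353 *:*
udp 0 0 *:sunrpc *:*
EOF
}

sample_netstat | classify_listeners
```

On a live host, pipe `netstat -an` into `exposed_listeners`; numeric output avoids depending on how names such as localhost resolve.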
 
Old 10-04-2004, 11:45 PM   #4
Xon
Member
 
Registered: Sep 2004
Posts: 49

Original Poster
Rep: Reputation: 15
I saw the rc.d one but didn't see any entries for rpcbind/sunrpc/smtp ..

I'm running Mandrake 10. For the DNS you saw, it's a good question..

Mandrake 10 is crazy lol

Last edited by Xon; 10-04-2004 at 11:48 PM.
 
  

