LinuxQuestions.org forum: Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Ok, what exactly is Simple Network Management Protocol? From what I can gather it's a UDP protocol to enumerate your network... I have a Linksys router and I am getting hits every few min. on port 169, so Firestarter says..... Is someone gathering info? Could they be trapping or sniffing my outgoing stuff?? How is it going right through my router? How can I stop it and find out where it's coming from? Firestarter lists my router as the incoming IP.
$whatis snmp: foldoc, techtarget.
IIRC, SNMP uses TCP/UDP port 161, and 162 is for SNMP-Trap, tho it could be 169 as well like you've stated. (W/o firmware upgrades?) There exists a flaw in some SOHO routers where remote users are able to either take over a router or at least DDoS it using SNMP. Many ppl not changing default passwds helps as well.
Rr.sans.org states, w/o details, that you should be able to disable SNMP on the Linksys for the port connected to the Internet if you're only managing it from the LAN, and if you're not able to turn it off, use the NAT function and dump it on an unused network address. Unfortunately I don't have access to a Linksys, so if you need details someone else will have to come up with it.
Thanks, I forwarded the 161, 162, 169 ports to an unused IP address. Since you seem to know about security stuff, can I ask you another question? Firestarter was getting pounded with trinity and sunrpc and SNMP trap and lots of unknowns. I went to bed and when I got up the next day my GUI was broken for Firestarter, so I don't know how to get my logs to see if it was still going on. A port scan from a Windows box on my LAN says it's still up and running. If I try to open the GUI from a command line I get Gtk errors. I uninstalled Firestarter and reinstalled it but no help.... Did they root my box and wipe a file to keep me from seeing what they're doing???
Heh, no I don't know about security. It's that security knows about me, and that's what keeps me moving :-]
Firestarter reads its logs (depending on your distro) from /var/log/messages or /usr/adm/messages, so if you've installed it you could read log entries from there. I don't think any cracker will ever bother with fscking up Firestarter, Gnome or any of its dependencies to stop ppl from looking at logs :-]
One of the first things to do if you suspect your box has been 0wned would be to look at the logs, lastlog, network connections, and running apps to see if you can find stuff to fuel your suspicions: list the output and dump it on another box or floppy. If yes, I hope you did install a passive integrity checker like Aide or Tripwire to help you scan for changes in the system, and maybe run chkrootkit(.org) as well. If yes again, and you've found signs that stuff has been changed or added that system/regular users on that system can't account for, it's a good point to disconnect the box, boot from an install/rescue/Trinux or other CD or floppy and investigate further.
Ok, I found the log files and seem to make some sense out of them, but there's one problem. The logs stop three days ago, and I mean ALL the logs: mail, boot, and messages. There's messages and then messages.1, .2 and so on. The higher the number the older the log, right? So then messages with no .# would be the newest? But it stops three days ago, about the time of the problem. Got any more ideas? Do I need to do some kind of dump to get the latest logs?
Oops, I didn't mean to dup that. Hey, would you look at my logs if I e-mail them to you? There seems to be some other stuff mixed in the log file "messages", something about a sound card error. Could that be causing my problem? My sound works fine, but I did turn off the KDE sounds 'cause for one they were annoying and two, RealPlayer streaming video wouldn't work 'cause it said it was busy.
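A small check for the situation in the last posts (every log stopping three days ago) and the /var/log/messages location mentioned earlier, as an added example that is not from the thread: it orders the rotated files newest-first, parses the syslog timestamps and reports how long the logs have been silent. The file names, sample lines and clock value are constructed, not taken from the poster's box.

```python
"""Find when rotated syslog files stopped being written (added example, not
code from the thread or Firestarter). Assumes traditional syslog lines
("Mar 14 02:15:01 host prog: text", no year) and uncompressed logrotate names:
messages is current, messages.1, messages.2 ... are progressively older."""
from datetime import datetime


def rotation_order(names):
    """Newest first: 'messages', then 'messages.1', 'messages.2', ..."""
    def key(name):
        stem, _, num = name.rpartition(".")
        return int(num) if stem and num.isdigit() else -1
    return sorted(names, key=key)


def parse_ts(line, now):
    """Timestamp of one syslog line, or None if the line has none."""
    try:
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    except ValueError:
        return None
    # syslog omits the year: borrow it from `now`, and treat a stamp that
    # would land in the future as last year's (December read in January).
    ts = ts.replace(year=now.year)
    return ts.replace(year=now.year - 1) if ts > now else ts


def newest_entry(logs, now):
    """(filename, timestamp) of the most recent line across all files."""
    best = None
    for name in rotation_order(logs):
        for line in logs[name].splitlines():
            ts = parse_ts(line, now)
            if ts and (best is None or ts > best[1]):
                best = (name, ts)
    return best


def logging_gap(logs, now):
    """How long the logs have been silent, as a timedelta (None if empty)."""
    found = newest_entry(logs, now)
    return now - found[1] if found else None


# Constructed sample: the current file ends about three days before NOW.
SAMPLE_LOGS = {
    "messages.2": "Mar  9 04:02:11 box syslogd 1.4.1: restart.\n",
    "messages.1": "Mar 11 23:58:40 box snmpd: Connection from 192.0.2.10\n",
    "messages": ("Mar 14 02:15:01 box cron[212]: (root) CMD (run-parts)\n"
                 "Mar 14 03:40:22 box kernel: IN=eth0 SRC=192.0.2.10 PROTO=UDP DPT=161\n"),
}
NOW = datetime(2004, 3, 17, 9, 0, 0)
print("logs silent for", logging_gap(SAMPLE_LOGS, NOW))
```

A gap of days while the machine was up means the logging daemon itself stopped writing, which is worth confirming before reading anything into the content of the remaining entries.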