Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello,
I've just done a port scan on myself and found some interesting things.
I used nmap and it came up with these.
Code:
Port State Service
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
79/tcp open finger
111/tcp open sunrpc
113/tcp open auth
119/tcp open nntp
515/tcp open printer
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
Yesterday I had only half this amount open. I did download portsentry
last night, and since then all these extra ports are open.
Code:
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
I'm not sure, but a few of those don't look like they should be there. I did find this on Trinoo_Master here.
I'm still as I type this, but if someone could have a look at these ports and tell me what's what, and any ports I should close, keeping in mind that I'm just learning about ports and portsentry, any feedback
I will gratefully accept.
As root:
1) run "netstat -anp", and
2) correlate PID with process from running "ps", and
3) validate listening apps (md5sum, pkg manager, integrity checkers like Aide, Samhain or tripwire), and
4) download chkrootkit(.org) and scan (just in case).
I bet it's just a portsentry and firewall configuration issue.
G'day unSpawn, thanks for your quick reply.
I ran netstat -anp; it showed nothing out of the ordinary from what
I can tell anyway. (I could copy/paste it all here, but there's a hell of a lot.)
Next I tried ps -A, looked at all the PIDs, seemed ok.
As for the md5sum, this is where I'm finding a conflict of interest.
From what I can tell it should be f8574cb4259e4936ba28239e1a450be6,
taken from here.
So has the download been tampered with?
I'm in the process of downloading chkrootkit now. I'll be checking the md5sum before installing (if I can figure out how; some of those download without options).
Regards
AXO
BTW is the tutorial still underway? The mailing list has been very quiet
the last few weeks.
Ok, after a little playing, I found that I was using md5sum wrong.
Also I found that if I turn portsentry off, those ports are closed.
So I gather that portsentry only has those ports open to listen
for trouble.
I also tried chkrootkit. I did have a moment when I saw: Checking `bindshell'... INFECTED (PORTS: 1524 31337)
but that was fine when portsentry was turned off.
All in all I think it's fine. If someone has anything to add, I'm all ears.
I ran netstat -anp; it showed nothing out of the ordinary from what
I can tell anyway.
SOP would be to verify the "fingerprint" of the binaries showing, preferably using an integrity detection checker like Aide, Samhain or tripwire with the databases on ro media. This way you don't have to be able to "tell" if something is OK, but the integrity checker will be able to.
Next I tried ps -A, looked at all the PIDs, seemed ok.
Uhhh. See above.
BTW is the tutorial still underway? The mailing list has been very quiet the last few weeks.
As far as I'm concerned, yes.
Also I found that if I turn portsentry off, those ports are closed.
So I gather that portsentry only has those ports open to listen
for trouble.
If you *must* use Portsentry, check the different modes it can run with.
I also tried chkrootkit. I did have a moment when I saw: Checking `bindshell'... INFECTED (PORTS: 1524 31337)
but that was fine when portsentry was turned off.
Yes, unfortunately wrt that, detection is not that strong.
If you check the Bash script (or run in expert mode "-x") you see it'll just grep the netstat-provided list of open ports in listening state for "31337".
You should be aware you should not trust (the output of) tools on a running system too much w/o being able to verify the tool you are running actually *is* the tool you installed. *Everyone* should install an integrity checker like Aide, Samhain or tripwire after installing the OS, and save the databases (and a copy of the binary) on ro media. That way you can achieve a higher level of trust wrt the ability to discover system anomalies.
I know you're relatively new to Linux, and if you would be willing to answer, I'd like to ask you how/why you choose Portsentry over other portscan detectors? Features? Read article? Recommendation?
Nothing serious, just curious why.
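Steps 1-3 of unSpawn's earlier reply and the chkrootkit bindshell grep he describes, put into a script as an added example that is not from the thread. It parses constructed netstat -anp output (the PIDs and program names are made up) and shows which of the ports chkrootkit greps for are held by a visible process such as portsentry and which have no owner at all.

```shell
#!/bin/sh
# Added example, not code from the thread. Correlates LISTEN sockets with the
# owning PID/program (steps 1-2 of unSpawn's reply) and flags the ports that
# chkrootkit's bindshell test greps for, so a hit on 1524/31337 can be traced
# to portsentry instead of being taken as an infection. The netstat -anp
# output below is constructed; PIDs and program names are made up.

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      812/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      812/portsentry
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      455/sshd
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      502/cupsd
tcp        0      0 192.168.1.5:45120       192.168.1.9:22          ESTABLISHED 903/ssh'

# Ports chkrootkit's bindshell check looks for (the ones named in this thread).
WATCH_PORTS="1524 31337 12345 12346 27665 54320"

# Print "port owner verdict" for each LISTEN line of netstat -anp text ($1).
#   ok      - port is not on the watchlist
#   watch   - watchlist port with a visible owner: verify that binary
#   unknown - watchlist port and netstat shows no owner: investigate
report_listeners() {
    printf '%s\n' "$1" | awk -v watch="$WATCH_PORTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            owner = ($7 == "-") ? "unowned" : $7
            verdict = "ok"
            if (port in bad) verdict = (owner == "unowned") ? "unknown" : "watch"
            print port, owner, verdict
        }'
}

# Step 3 from the reply: resolve a PID to its binary and let the package
# manager verify it. Needs root on a live system; not run in this example.
verify_pid_binary() {
    exe=$(readlink "/proc/$1/exe") || return 1
    md5sum "$exe"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$exe" | cut -d: -f1)"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$exe"
    fi
}

report_listeners "$SAMPLE_NETSTAT"
```

On a live box, feed it the real output with `report_listeners "$(netstat -anp)"` as root, then run `verify_pid_binary` on each PID marked "watch".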
No problem.
To cut a long story short, after fiddling around I thought it was time
to have a look at what ports I had open, so I had a trusted friend (who is a Linux user) do a port scan on me. After some help from him, I closed what ports (we) thought needed closing.
He mentioned to me that I should have something like portsentry; he didn't mention any others. He also mentioned to have a look at /etc/hosts.allow
and /etc/hosts.deny, which I haven't yet. I'm still trying to get my head around portsentry.
So I guess I really didn't know about any others, and it was a spur
of the moment thing to get portsentry.
After reading your post, I will look at the others, except I'm not looking forward to setting up my tri-boot (Debian, RH, Windoze) system again.
I understand now that I should have implemented something from the start; live and learn I guess.
Thanks for your reply unSpawn.
Originally posted by unSpawn
If you *must* use Portsentry, check the different modes it can run with.
I'm still getting my head around portsentry, but this is what I have so far.
All I've done is uncomment from the default settings.
Code:
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
# Advanced Stealth Scan Detection Options #
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,6"
# Hosts to ignore
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off.
RESOLVE_HOST = "1"
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="0"
BLOCK_TCP="0"
# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 127.0.0.1"
# TCP Wrappers#
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
# Scan trigger value#
SCAN_TRIGGER="0"
To be honest most of all that is way over my head; all I've done is uncomment what looks the most logical and hope for the best.
Ok, cool. I deleted my portsentry configs a few yrs ago, but I vaguely remember something about some "advanced TCP/UDP stealth mode". There you wouldn't select specific ports to monitor but a range (or even all ports, can't remember). Dunno if this changed in the new release of Portsentry.
Also I think it would be best to turn off resolving hosts, it'll cost too much time. Resolve hosts manually later when you scan the logs and want to investigate certain "incidents".
A twofold problem.
The first "real" problem with portscan detectors like Portsentry that monitor specific ports is they open ports to listen on. This means the port is in use and can't be used by other applications, and besides that having something bound to and listening on a port you want closed is somewhat of a contradiction.
The second "problem" is the "value" of a scan alert. If nothing is listening on the port, then what do you need to be alerted for?
Portsentry doesn't scrub packets for malicious contents like Snort does. This means tripping a port is just that. OTOH take this off-site example of a possibly badly configured Apache proxy. Apart from the need to properly set up Apache with ACLs, Portsentry would only be able to detect someone triggering a connection, but would *never* be able to filter and alert on a packet's contents to block CONNECT type.