Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I ran nmap -p 1- *.*.*.244 on myself and got this:
(The 65489 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
7/tcp open echo
9/tcp open discard
11/tcp open systat
15/tcp open netstat
70/tcp open gopher
79/tcp open finger
80/tcp open http
109/tcp open pop-2
110/tcp open pop-3
111/tcp open sunrpc
119/tcp open nntp
138/tcp open netbios-dgm
139/tcp open netbios-ssn
143/tcp open imap2
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
2001/tcp open dc
4000/tcp open unknown
4001/tcp open unknown
5742/tcp open unknown
6000/tcp open X11
6001/tcp open X11:1
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
20034/tcp open unknown
27665/tcp open Trinoo_Master
30303/tcp open unknown
31337/tcp open Elite
32768/tcp open unknown
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
40421/tcp open unknown
40425/tcp open unknown
49724/tcp open unknown
54320/tcp open bo2k
I've always run nmap with the options -sT -sS on myself and only came up with a few open ports. Then I ran it without any options, just a standard port scan. So do I have a bunch of trojans installed on my box?
I also have port sentry running with the -tcp and -udp options. I also have snort IDS running and logging in binary.
I just don't get it... before installing both portsentry and snort I would scan myself and show only a few necessary ports open... now I'm getting this...
Short answer. Ditch Portsentry. Regulate port access using your firewall. If you need blocking capabilities look on the Snort site for contribs like Guardian etc.
Alternatively try running PS in stealth mode, rescan. If result still the same apply answer one.
Why? Cuz PS only listens for connections being made to a port, while Snort, as well, you're running Snort... So what if I spoofed a bunch of IP addies (use nmap decoys)? PS would block 'em all (if you use its blocking caps tho) while for Snort+Guardian to block I first need to send you some bad packet/exploit/whatever that would trigger a signature rule match.
Uhm, that's what I'm trying to say. PS (unless in stealth mode) binds to all ports you specify, lighting up your boxes like the verbthingie xmas tree.
As Nmap scans ports, each port is obliged to return status in the form of a message which can be exploited to see if there's a service running on the port (TCP return SYN ACK), if it's firewalled (-j (DENY|DROP)), or if there's no service on the port (TCP return RST).
Since PS has bound to the port Nmap scans, the system won't send the RST to say there ain't no service running, and so Nmap thinks it's open.
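The three port states described above can be checked locally without nmap. The following is an added example, not code from the thread: it binds a listener on the loopback interface the way a non-stealth PortSentry would, then classifies a port from what a plain connect() probe gets back (SYN/ACK means open, RST means closed, silence means filtered). Host, ports and function names are the example's own assumptions.

```python
import errno
import socket

# Constructed demo: a listening socket stands in for a daemon such as
# PortSentry in non-stealth mode, which bind()s and listen()s on the
# ports it watches and therefore answers a scanner's SYN with SYN/ACK.

def start_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener and return it (port 0 lets the kernel pick
    a free port; read it back with getsockname())."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def find_closed_port(host="127.0.0.1"):
    """Ask the kernel for a free port, release it, and hand it back as a
    port that currently has nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

def classify_port(host, port, timeout=1.0):
    """Mirror nmap's basic TCP states from a full-connect probe:
      'open'     - SYN answered with SYN/ACK, so connect() succeeds
      'closed'   - SYN answered with RST, so connect() gets ECONNREFUSED
      'filtered' - no answer at all (firewall DROP), so connect() times out
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        raise
    finally:
        s.close()

def demo():
    """Show the same port as 'open' while something is bound to it and
    'closed' once that listener goes away."""
    srv = start_listener()
    port = srv.getsockname()[1]
    while_bound = classify_port("127.0.0.1", port)
    srv.close()
    after_close = classify_port("127.0.0.1", port)
    return port, while_bound, after_close

if __name__ == "__main__":
    port, before, after = demo()
    print(f"port {port}: {before} while bound, {after} after the listener is closed")
```

The second classification is the point of the thread: nothing about the port changed except that a process stopped sitting on it, and the kernel goes back to answering with RST.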
Alright, I scanned while having the PS in stealth mode only and received the same response as my first post, which means I suppose I'll use the first suggestion of your first post.
What I really would've liked was something to run real time on a term window that would show different tcp, udp, icmp connection attempts in real time. I have a great lil firewall called "Tiny" on my windows partition that does exactly this. I don't have to go to a file each time I want to find out if I've been probed, it's right there in real time on a separate window... I've gotten the packet sniffer to work, but in real time it's not practical.
If you have any specific suggestions that'd be great. In the meantime I'll check out Guardian. Thanks
Alright, I scanned while having the PS in stealth mode only and received the same response as my first post, which means I suppose I'll use the first suggestion of your first post.
By all means, if you're satisfied using PS for whatever reason, continue using it...
What I really would've liked was something to run real time on a term window that would show different tcp, udp, icmp connection attempts in real time.
You could have some logchecker running (swatch?) or just "tail" the /var/log/snort.log.
I've gotten the packet sniffer to work, but in real time it's not practical.
Why not? Is the traffic volume that large?
So I must not be using the right options or I have a command out of place... How would you set this up to display all warnings in real time?
---------
As for the packet sniffer [tcpdump] (I scoured google for a good tut for "dummies" but haven't found one yet), I'm probably not applying the proper options to cut out all the ARP traffic (Is that what they mean when they say ARP poisoning? The "poisoning" of the log with ARP traffic?). I have a high speed connect but I don't think that's the problem. The man wasn't much help either. I didn't understand a lot of the terms and acronyms that I suppose they assume you would know...
Basically I need to find out which options to apply to cut out the unnecessary traffic such as ARP and web requests from my box.
[root@psyklopsbox root]# snort -c /usr/src/snort-1.8.6/snort.conf not src net 127.0.0.1 -l /var/log/snort tail -f /var/log/snort
Log directory = /var/log/snort
Uhhh... You shouldn't try to add external commands to Snort like that... Just open up another xterm and "tail -vf /var/log/snort.log"
In my snort.conf I've got "output alert_syslog LOCAL5", and in syslog.conf I've entered "local5.*<tab><tab>/var/log/snort.log". Do "touch" the logfile first and set permissions on it.
As for the packet sniffer [tcpdump] (I scoured google for a good tut for "dummies" but haven't found one yet), I'm probably not applying the proper options to cut out all the ARP traffic (Is that what they mean when they say ARP poisoning? The "poisoning" of the log with ARP traffic?).
Uhm. Why have Tcpdump as well? Snort is well capable of storing logged packets as tcpdump compatible. If you start Snort with "-a" flag you'll get ARP logged, remove that flag and presto. ARP logging gone :-]
ARP cache poisoning is also known as a "Man In The Middle" attack. In short, if host A and B (on the same subnet!) communicate with each other, you could spoof traffic by saying "I'm B" to A and "I'm A" to B, routing traffic between A and B through your box. Cuz each IP address on a LAN (ethernet) is linked to the unique code of each ethernet card (MAC) you can detect changes and build a picture of MAC/IP pairs on your subnet with "Arpwatch". An example of a tool for ARP spoofing is "Hunt".
Basically I need to find out which options to apply to cut out the unnecessary traffic such as ARP and web requests from my box.
Make a file called /etc/snort.bpf. Add the flag "-F /etc/snort.bpf" to Snort's startup flags.
Now try this for a BPF filter: the file /etc/snort.bpf should contain the lines (w/o quotes)
"not src net <insert your $HOME_NET> and not port 80"
Another way would be to cut down on the included rule files in your snort.conf. If you're not running IIS, web services, etc, why add these rule files? I know I haven't added them all, simply cuz of performance issues.
I also see that you are familiar with slackware. I'm wondering if you've had any success or experience putting it on a laptop? I eventually want to move to this distro, as I heard it's most UNIX like.
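The Arpwatch idea above (build a picture of MAC/IP pairs and detect changes) is small enough to show in full. The following is an added example written for this thread, not Arpwatch's code: it walks a constructed list of ARP replies as a sniffer on the LAN would see them and reports a first sighting, a change of hardware address for a known IP, and a "flip flop" back to a previously seen address, which is the pattern a poisoning attempt against the gateway leaves behind. The addresses, timestamps and event names are the example's own.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender IP, sender MAC), in the
# order they were seen on the wire. 192.168.1.1 plays the default gateway.
ARP_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:01"),
    (2, "192.168.1.10", "00:11:22:33:44:10"),
    (3, "192.168.1.1",  "00:11:22:33:44:01"),
    (4, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now claimed by another card
    (5, "192.168.1.10", "00:11:22:33:44:10"),
    (6, "192.168.1.1",  "00:11:22:33:44:01"),  # and back again: the flip-flop
]

def watch_arp(replies):
    """Track the MAC currently believed for each IP and emit an event
    whenever that belief has to change.

    Events are tuples: (ts, kind, ip, new_mac[, old_mac]) where kind is
      'new station'               first time this IP is seen
      'changed ethernet address'  IP moved to a MAC never seen for it before
      'flip flop'                 IP moved back to a MAC seen for it earlier
    A legitimate NIC swap produces one 'changed ethernet address' and then
    silence; a spoofer fighting the real host for an IP produces a stream of
    flip-flops, which is what makes the pattern worth alerting on.
    """
    current = {}                 # ip -> MAC currently believed
    seen = defaultdict(set)      # ip -> every MAC ever seen for it
    events = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in current:
            events.append((ts, "new station", ip, mac))
        elif current[ip] != mac:
            kind = "flip flop" if mac in seen[ip] else "changed ethernet address"
            events.append((ts, kind, ip, mac, current[ip]))
        current[ip] = mac
        seen[ip].add(mac)
    return events

def suspicious_ips(events, min_changes=2):
    """IPs whose hardware address changed at least min_changes times; a
    single change is usually hardware, repeated changes usually are not."""
    changes = defaultdict(int)
    for ev in events:
        if ev[1] in ("changed ethernet address", "flip flop"):
            changes[ev[2]] += 1
    return sorted(ip for ip, n in changes.items() if n >= min_changes)

if __name__ == "__main__":
    for ev in watch_arp(ARP_REPLIES):
        print(ev)
    print("suspicious:", suspicious_ips(watch_arp(ARP_REPLIES)))
```

On a real segment the reply list would come from a sniffer; the logic is the same, and the thing to tune is how many changes within what window you are willing to call noise.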
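Before putting the suggested "not src net <HOME_NET> and not port 80" line into /etc/snort.bpf it helps to see exactly what it keeps and what it throws away. The block below is an added example, not from the thread or from Snort: it evaluates that one BPF expression over a few constructed packets, assuming a HOME_NET of 192.168.1.0/24. Two BPF details matter here: "port 80" is true when either the source or the destination port is 80, so both web requests and replies disappear, and "src net" hides everything your own hosts originate, including a probe of your own web server on port 80 if an attacker ever gets a foothold inside.

```python
import ipaddress

# Assumed value of $HOME_NET for this example (not from the thread).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed packets: documentation ranges (203.0.113.0/24, 198.51.100.0/24)
# stand in for the outside world.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7",  "dst": "192.168.1.10", "sport": 40000, "dport": 31337},  # inbound probe
    {"src": "192.168.1.10", "dst": "198.51.100.5", "sport": 50000, "dport": 443},    # outbound from home
    {"src": "203.0.113.7",  "dst": "192.168.1.10", "sport": 40001, "dport": 80},     # inbound web request
    {"src": "198.51.100.5", "dst": "192.168.1.10", "sport": 80,    "dport": 50001},  # web reply from outside
    {"src": "203.0.113.7",  "dst": "192.168.1.10", "sport": 40002, "dport": 22},     # inbound ssh attempt
]

def bpf_matches(pkt, home_net=HOME_NET):
    """Evaluate 'not src net HOME_NET and not port 80' for one packet.

    BPF's 'port N' matches if N is the source OR the destination port, and
    'src net' tests only the source address, so this keeps exactly the
    packets that come from outside the home net and do not touch port 80.
    """
    src_in_home = ipaddress.ip_address(pkt["src"]) in home_net
    on_port_80 = 80 in (pkt["sport"], pkt["dport"])
    return (not src_in_home) and (not on_port_80)

def filter_packets(packets, home_net=HOME_NET):
    """Return the packets Snort would still see with the filter applied."""
    return [p for p in packets if bpf_matches(p, home_net)]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict = "keep" if bpf_matches(p) else "drop"
        print(f"{verdict}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
```

With these samples the inbound probe on 31337 and the ssh attempt survive, while outbound traffic and anything on port 80 are gone, which is the noise reduction the post is after. If you do run a web server, drop the "and not port 80" part and rely on the rule set to decide what is interesting on that port instead.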
I also see that you are familiar with slackware.
Uhhhh... soz, no, it's just I like to think "Linux Basics" when I'm doing something, basic tools of the trade are common in each distro and adhering to the FHS makes things easier also...
You better take slacky questions to the Distributions/Slackware forum else I'm robbing them of question-uptime :-]