Re: securing the system, stopping unnecessary services and closing open ports.
On Sun 28 Aug 2011 at 01:05:47 +1000, yudi v wrote:
> Nmap suggests the following ports are open:
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs
> I run a desktop email client that uses smtp apart from that I do not know
> why rest of the above services are open.
If the smtp server is exim4 it only accepts local mail with its default
settings. No problem there. CUPS (port 631) in its default install will
only print from the local machine. No problem here either.
Incidentally, the services are open because they are running. That is
the meaning of 'open'. They are running because you have installed them.
> it even had SSH listening on 22, changed the port # and also changed
Never! sshd on port 22. Whatever next?
> PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
There is no need to but if you feel better after doing it ....
> also installed gufw and set it to deny as default.
You did get desperate, didn't you? Was this before or after reading the
documentation for the services you installed?
> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd: Failed password for
> root from 184.108.40.206 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd: Failed password for
> invalid user admin from 220.127.116.11 port 22792 ssh2
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd: reverse mapping
> checking getaddrinfo for
> corporat190-24225223.sta.etb.net.co[18.104.22.168] failed - POSSIBLE
> BREAK-IN ATTEMPT!
Is your root password something really easy, like password5 or is (say)
12+ characters? Do you have a user 'admin'? What is there to be worried
> how can I find out if this system has been compromised?
There is no evidence here that it has been.
> what are the steps I need to take to secure it?
Don't install services you don't need. Configure those you want safely.
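A small parser for the kind of sshd "Failed password" lines grepped out of auth.log above, added here as an example and not part of either poster's message. It separates attempts against accounts that exist (e.g. root) from attempts against "invalid user" names, which is the distinction the reply is asking about; the log lines are constructed to match the quoted format, using documentation address ranges rather than real hosts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the auth.log lines quoted in the
# thread (pid may or may not be present); IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug 14 13:50:37 computer sshd: Failed password for root from 192.0.2.10 port 56631 ssh2
Aug 15 22:13:10 computer sshd: Failed password for invalid user admin from 198.51.100.7 port 22792 ssh2
Aug 15 22:13:12 computer sshd[1340]: Failed password for invalid user admin from 198.51.100.7 port 22792 ssh2
Aug 15 22:13:15 computer sshd[1341]: Failed password for invalid user oracle from 198.51.100.7 port 22793 ssh2
Aug 15 22:14:01 computer sshd[1342]: Accepted password for user from 192.0.2.55 port 40000 ssh2
Aug 15 22:14:03 computer CRON[1343]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog timestamp, host, "sshd" with optional [pid], then the failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return one dict per sshd 'Failed password' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "ip": m.group("ip"),
            })
    return events


def summarize(events):
    """Per source IP: total attempts, and user names tried, split by whether
    sshd reported the account as existing or as 'invalid user'."""
    by_ip = defaultdict(lambda: {"attempts": 0, "existing": Counter(), "invalid": Counter()})
    for e in events:
        bucket = by_ip[e["ip"]]
        bucket["attempts"] += 1
        bucket["invalid" if e["invalid_user"] else "existing"][e["user"]] += 1
    return dict(by_ip)


def existing_accounts_targeted(summary):
    """Real local accounts that saw failed logins; these are the ones whose
    password strength actually matters (guesses at non-existent users cannot succeed)."""
    return {user for b in summary.values() for user in b["existing"]}
```

Run it against `/var/log/auth.log*` instead of `SAMPLE_LOG` to get the same breakdown for a real machine; a long list of "invalid user" names from one address is ordinary scanning noise, while repeated attempts against a real account are the lines worth checking against that account's password policy.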