Security Setup: how to respond to a portscan (This is long!)
First off, my apologies if this email is considered off-topic. The
reason I am posting to this list about this subject is because I
have received excellent help and support in the past from other
debian users.
Just yesterday I noticed in one of my log files a number of connection
attempts to my box (Debian 2.1 potato salad!) on different ports. I
noticed this after they had all happened - I was offline when I noticed
them. The reason I hadn't noticed them when they were happening because
I was in another workspace and was struggling to get XEmacs to compile
from source.
Here is the section of my /var/log/daemon.log file (I have wrapped
some of the long lines myself):
(1)
Sep 30 21:05:20 phoenix tcplogd: auth connection attempt from
kralle.zdv.Uni-Mainz.DE [134.93.8.158]
Sep 30 21:07:04 phoenix tcplogd: auth connection attempt from
kralle.zdv.Uni-Mainz.DE [134.93.8.158]
(2)
Oct 1 19:27:04 phoenix tcplogd: port 1016 connection attempt from
unknown@CWIP-T-009-p-94-157.tmns.net.au [139.134.94.157]
Oct 1 19:27:09 phoenix last message repeated 3 times
(3)
Oct 1 20:58:02 phoenix tcplogd: auth connection attempt from [24.220.0.13]
(4)
Oct 2 20:59:12 phoenix tcplogd: auth connection attempt from
pavlov.midco.net [24.220.0.13]
(5)
Oct 2 21:01:19 phoenix portmap[6185]: connect from 209.20.7.247
to dump(): request from unauthorized host
Oct 2 21:01:20 phoenix tcplogd: sunrpc connection attempt from
unknown@209-20-7-247.dialin.interlog.com [209.20.7.247]
Oct 2 21:01:20 phoenix tcplogd: auth connection attempt from
209-20-7-247.dialin.interlog.com [209.20.7.247]
Oct 2 21:13:15 phoenix tcplogd: auth connection attempt from
pavlov.midco.net [24.220.0.13]
(6)
Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from
unknown@p227-164.atnt5.dialup.ftw1.flash.net [209.30.227.164]
Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from
unknown@port5.eb1.alphainternet.net [209.127.129.69]
Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from
unknown@port5.eb1.alphainternet.net [209.127.129.69]
Oct 2 21:18:17 phoenix tcplogd: port 13223 connection attempt from
unknown@p227-164.atnt5.dialup.ftw1.flash.net [209.30.227.164]
Oct 2 21:18:18 phoenix tcplogd: port 13223 connection attempt from
unknown@p227-164.atnt5.dialup.ftw1.flash.net [209.30.227.164]
Oct 2 21:18:19 phoenix tcplogd: port 13223 connection attempt from
unknown@port5.eb1.alphainternet.net [209.127.129.69]
Oct 2 21:18:19 phoenix tcplogd: port 13223 connection attempt from
unknown@p227-164.atnt5.dialup.ftw1.flash.net [209.30.227.164]
Oct 2 21:18:20 phoenix tcplogd: port 13223 connection attempt from
unknown@port5.eb1.alphainternet.net [209.127.129.69]
Oct 2 21:19:00 phoenix tcplogd: port 13223 connection attempt from
unknown@me-portland-us734.javanet.com [209.94.148.97]
Oct 2 21:19:02 phoenix last message repeated 3 times
(The above block of messages, starting from (6), then gets repeated.)
(1) seems to be legitimate since I think I was downloading something from a
website on that host. Don't know for sure, but I may be wrong about that.
(2) is definitely someone probing my system.
Not sure about (3), but that IP address looks kinda familiar.
Not sure about (4) but that hostname/domain sounds familiar, maybe
a website that I was visiting at the time.
(5) and (6) are again port scan/probe attempts on my system.
Now, I have set up tcp_wrappers to be very restrictive:
/etc/hosts.allow: ALL: LOCAL
/etc/hosts.deny: ALL: ALL
Also, I have disabled most services from /etc/inetd.conf:
#:INTERNAL: Internal services
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#<off># discard stream tcp nowait root internal
#<off># discard dgram udp wait root internal
#<off># daytime stream tcp nowait root internal
#<off># daytime dgram udp wait root internal
#<off># time stream tcp nowait root internal
#<off># time dgram udp wait root internal
#:STANDARD: These are standard services.
#<off># ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
#<off># telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
#:BSD: Shell, login, exec and talk are BSD protocols.
#<off># talk dgram udp wait nobody.tty /usr/sbin/tcpd /usr/sbin/in.talkd
#<off># ntalk dgram udp wait nobody.tty /usr/sbin/tcpd /usr/sbin/in.ntalkd
#<off># shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
#<off># login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
#<off># exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd
#:MAIL: Mail, news and uucp services.
#:INFO: Info services
#<off># finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/cfingerd
## finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
#<off># ident stream tcp nowait nobody /usr/sbin/identd identd -i
#:BOOT: Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
#tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /boot
#bootps dgram udp wait root /usr/sbin/bootpd bootpd -i -t 120
#:RPC: RPC based services
#mountd/1 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.mountd
#rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.rstatd
#rusersd/2-3 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.rwalld
#:HAM-RADIO: amateur-radio services
#:OTHER: Other services
#<off># saft stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sendfiled
#<off># socks stream tcp nowait root /usr/sbin/sockd sockd -I
However, when I ran nmap on my system, it showed that the following ports
were still open:
@phoenix:[/home/ssahmed] nmap localhost
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on phoenix (127.0.0.1):
Port State Protocol Service
111 open tcp sunrpc
1024 open tcp unknown
6000 open tcp X11
7100 open tcp font-service
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
Now for my questions (finally!):
(1) How is the attacker (I don't want to say hacker or cracker because that
always seems to start a debate on the correct usage and meaning of the
two terms!!) able to determine my IP address? I am accessing the
internet by a dialup PPP connection to my ISP.
(2) What do I need the sunrpc service for? If I disable it, what do I
lose?
(3) What service is running on port 1024? I grepped /etc/services and
there was no such port 1024 listed in there.
(4) Are there any vulnerabilities with running the X11 service open on
port 6000? What is this service and should I close it?
(5) The X font server seems to be running on port 7100 even though I
am not currently using TT fonts. How can I disable this for now?
If I decide to install TT fonts on my system, how do I secure the
XFS which will be needed?
(6) I'd like to be able to respond to a port scan attempt in real-time,
and possibly stop it altogether.
What programs are available in debian to do this ?
Can anyone recommend other strategies/tips on how to respond to a port
scan attempt in real-time? What I would like to happen is this:
- log the intrusion/probe attempt to some special log file including
as much information about the person as possible.
- log what the person was able to find out about my system and how
far they got
- email a warning note to that person with all the information that
I was able to find out about them and possibly CC: it to some other
address as well.
Also, if there is anything else that should be commented/disabled in
/etc/inetd.conf, I'd be glad to hear about it.
Thanks for reading the email (if you made it this far!). I definitely
intend to take security of my system more seriously from now. I'd
appreciate any comments/suggestions/advice on this matter.
Thanks.
PS : If anyone wishes to, we can take this discussion to private
email.
--
Salman Ahmed
ssahmed AT interlog DOT com
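An added example, not from the post or from any Debian package, for the logging the poster asks about in (6): a small Python detector that parses tcplogd lines in the format quoted above, folds "last message repeated N times" into the preceding event, and flags a source address that hits several services, or keeps hitting one port, within a short window. The sample lines, hostnames and documentation-range addresses are constructed, and a year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the tcplogd format quoted in the post (not the poster's
# own log); hostnames are invented and addresses come from documentation ranges.
SAMPLE_LOG = """\
Oct  2 21:01:19 phoenix tcplogd: sunrpc connection attempt from unknown@dialin-7.example.net [192.0.2.7]
Oct  2 21:01:20 phoenix tcplogd: auth connection attempt from dialin-7.example.net [192.0.2.7]
Oct  2 21:18:17 phoenix tcplogd: port 13223 connection attempt from unknown@ppp-164.example.org [198.51.100.164]
Oct  2 21:18:19 phoenix last message repeated 3 times
Oct  2 21:30:02 phoenix tcplogd: auth connection attempt from [203.0.113.13]
"""

# "port NNN" for unnamed ports, a service name otherwise; "user@" and the
# reverse-DNS name are both optional, as the quoted lines show.
EVENT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ tcplogd: "
    r"(?:port (?P<port>\d+)|(?P<svc>\S+)) connection attempt from "
    r"(?:[^@\s]+@)?(?:(?P<host>\S+) )?\[(?P<ip>[\d.]+)\]$")
REPEAT_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$")

def parse_events(text, year=2000):
    """Return [timestamp, ip, service, count] per event; the year is an assumed
    placeholder since syslog omits it. Repeat lines add to the previous event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append([ts, m["ip"], m["port"] or m["svc"], 1])
            continue
        r = REPEAT_RE.match(line)
        if r and events:
            events[-1][3] += int(r["n"])
    return events

def find_probes(events, window_s=120, min_attempts=3, min_services=2):
    """Per source IP: flag a probable scan when distinct services >= min_services
    or total attempts >= min_attempts, all inside window_s seconds."""
    by_ip = defaultdict(list)
    for ts, ip, svc, n in events:
        by_ip[ip].append((ts, svc, n))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        first, last = evs[0][0], evs[-1][0]
        total = sum(n for _, _, n in evs)
        services = sorted({svc for _, svc, _ in evs})
        if (last - first).total_seconds() <= window_s and (len(services) >= min_services or total >= min_attempts):
            findings[ip] = {"services": services, "attempts": total, "first": first, "last": last}
    return findings

if __name__ == "__main__":
    for ip, f in find_probes(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts on {f['services']} from {f['first']:%H:%M:%S} to {f['last']:%H:%M:%S}")
```

Run against a live tail of /var/log/daemon.log the same functions give the per-source summary the poster wants to record; single hits such as 203.0.113.13 above stay below the thresholds.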