
Re: Security Setup: how to respond to a portscan (This is long!)

"Salman Ahmed" <ssahmed@interlog.com> writes:

> them. The reason I hadn't noticed them when they were happening was that
> I was in another workspace and was struggling to get XEmacs to compile
> from source.

What struggle? XEmacs should compile on a typical Debian system, just

make install
mkdir -p /usr/local/xemacs/lib/xemacs/site-packages/lisp
cd /usr/local/xemacs/lib/xemacs
tar xzf ..../xemacs-sumo.tar.gz

Inspecting your logs seems like a good thing to do during the boring
waiting period :-)

> Here is the section of my /var/log/daemon.log file (I have wrapped
> some of the long lines myself):

All the [auth] connections are simply FTP sites trying to identify you.

> Oct  1 19:27:04 phoenix tcplogd: port 1016 connection attempt from
>                 unknown@CWIP-T-009-p-94-157.tmns.net.au []
> Oct  1 19:27:09 phoenix last message repeated 3 times

I would only worry about attempts from machines not known to you.

> (1) How is the attacker (I don't want to say hacker or cracker because that
>     always seems to start a debate on the correct usage and meaning of the
>     two terms!!) able to determine my IP address ? I am accessing the
>     internet by a dialup PPP connection to my ISP.

Typically by scanning your ISP's DNS database or doing an nmap over
all its assigned numbers. If the report on securityfocus.com was
correct you can scan the whole internet in 2 months in this way.

> (2) What do I need the sunrpc service for ?

Things like mounting NFS volumes. (There used to be an infamous old
Linux hole in that service. Maybe that is why they were probing it).

> (4) Are there any vulnerabilities with running the X11 service open on
>     port 6000 ? What is this service and should I close it ?

This is the X server, i.e. one of two methods programs can use to
access the screen (the other is unix domain sockets). 
If you never run programs remotely you could firewall it off (letting
localhost still have access). I think you are more or less safe as
long as you don't do stupid things with xhosts.

> (5) The X font server seems to be running on port 7100 even though I
>     am not currently using TT fonts. How can I disable this for now ?

Rename the SXXxfs links in /etc/rc.? to KXXxfs and stop it by hand for
this setting.

>     If I decide to install TT fonts on my system, how do I secure the
>     XFS which will be needed ?

Make sure it is running as nobody (on Slink it runs as root by default).

> (6) I'd like to be able to respond to a port scan attempt in real-time,
>     and possibly stop it altogether.
>     What programs are available in debian to do this ?

I don't think there is much you can do about it, at least not quickly.
Port scans are so common that a lot of people think it isn't worth the

> Thanks for reading the email (if you made it this far!). I definitely
> intend to take security of my system more seriously from now.

I know the feeling. The first time I connected our laptop to the
network at my girlfriend's work I got portscanned after 15 minutes or
so. It is scary.


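As an added example, not part of the mail above and not code from tcplogd or Debian: a small Python script that does the "inspect your logs" step the reply recommends. It parses tcplogd-style lines in the format quoted in the mail, folds syslog's "last message repeated N times" into the preceding event, groups attempts by source host, flags a host that hits several distinct ports within a short window as a port scan, and separates out hosts that only ever touched port 113 (the ident/[auth] lookups the reply attributes to FTP servers). The log lines, hostnames and the 60-second / 4-port threshold are constructed assumptions, not data from the original post.

```python
"""Flag port scans in tcplogd-style syslog output.

Added example (not from the mail or from tcplogd). SAMPLE_LOG is a
constructed log modelled on the lines quoted in the thread; hostnames,
times and the scan thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Port 111/6000/7100 are the sunrpc, X11 and xfs ports
# discussed in the mail; port 113 lines stand for the ident ([auth]) probes.
SAMPLE_LOG = """\
Oct  1 19:20:11 phoenix tcplogd: port 113 connection attempt from unknown@ftp.example.org []
Oct  1 19:27:04 phoenix tcplogd: port 1016 connection attempt from unknown@dialup-94-157.example.net []
Oct  1 19:27:09 phoenix last message repeated 3 times
Oct  1 19:30:00 phoenix tcplogd: port 21 connection attempt from unknown@scanner.example.com []
Oct  1 19:30:00 phoenix tcplogd: port 23 connection attempt from unknown@scanner.example.com []
Oct  1 19:30:01 phoenix tcplogd: port 111 connection attempt from unknown@scanner.example.com []
Oct  1 19:30:01 phoenix tcplogd: port 6000 connection attempt from unknown@scanner.example.com []
Oct  1 19:30:02 phoenix tcplogd: port 7100 connection attempt from unknown@scanner.example.com []
Oct  1 19:45:30 phoenix tcplogd: port 113 connection attempt from unknown@ftp.example.net []
"""

# Assumed line shape, taken from the lines quoted in the mail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sys>\S+) tcplogd: "
    r"port (?P<port>\d+) connection attempt from "
    r"(?P<user>[^@\s]+)@(?P<host>\S+) \[(?P<addr>[^\]]*)\]$"
)
REPEAT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sys>\S+) "
    r"last message repeated (?P<n>\d+) times$"
)
IDENT_PORT = 113


def _stamp(s):
    # syslog stamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between stamps are used below.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_tcplogd(text):
    """Return a list of events: time, port, source host, address, count."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"time": _stamp(m["ts"]), "port": int(m["port"]),
                           "host": m["host"], "addr": m["addr"], "count": 1})
            continue
        m = REPEAT_RE.match(line)
        if m and events:
            # syslog folds identical lines; credit the repeats to the
            # event that was folded.
            events[-1]["count"] += int(m["n"])
    return events


def find_scans(events, window=60, threshold=4):
    """Hosts that hit >= threshold distinct ports within window seconds.

    Returns {host: sorted list of all ports that host touched}.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    scans = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            ports = set()
            for e in evs[i:]:
                if (e["time"] - start["time"]).total_seconds() > window:
                    break
                ports.add(e["port"])
            if len(ports) >= threshold:
                scans[host] = sorted({e["port"] for e in evs})
                break
    return scans


def ident_only_hosts(events):
    """Hosts whose only contact was port 113: ident lookups, not scans."""
    ports = defaultdict(set)
    for e in events:
        ports[e["host"]].add(e["port"])
    return {h for h, p in ports.items() if p == {IDENT_PORT}}


if __name__ == "__main__":
    evs = parse_tcplogd(SAMPLE_LOG)
    for host, ports in find_scans(evs).items():
        print("possible scan from %s: ports %s" % (host, ports))
    for host in sorted(ident_only_hosts(evs)):
        print("ident lookup only (probably an FTP server): %s" % host)
```

Run it against a real /var/log/daemon.log by replacing SAMPLE_LOG with the file contents; the thresholds are deliberately loose, so tighten `window` or raise `threshold` if a busy dial-up line produces false positives.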