
Re: securing the system, stopping unnecessary services and closing open ports.



Ports 139, 445 and 901 are Samba running. Port 631 is CUPS, your printer driver. 111 and 2049 are for NFS. If you don't need them, you should be able to turn them off... If you do need them, then you should be able to firewall them, using iptables to limit access to the hosts or subnets you need.

On Sat, Aug 27, 2011 at 11:05 AM, yudi v <yudi.tux@gmail.com> wrote:
Nmap suggests the following ports are open:

25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
2049/tcp open  nfs

I run a desktop email client that uses SMTP; apart from that, I do not know why the rest of the above services are open.

It even had SSH listening on 22; I changed the port # and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output.
I also installed gufw and set it to deny by default.

root@computer:/home/user# grep -ir "Failed password" /var/log/*
/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
root@computer:/home/user# grep -ir BREAK-IN /var/log/*
/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!


how can I find out if this system has been compromised?

If you are looking for ssh attempts, you should peruse /var/log/auth.log and look for unusual logins. The ones like you mention above are failed. You could run fail2ban or another one that watches your ssh port and in the event of too many failed attempts, can block the IP through iptables. Be careful, because if someone spoofs the address, then you could block some site that you need to access.

Another idea would be to run a Host-based Intrusion Detection System (HIDS). Tripwire is a classic example, as it does md5sums of critical files and you run it against your machine looking for changes. However, I have come to prefer OSSEC (http://ossec.net), which does md5summing in the background:

OSSEC HIDS Notification.
2011 Aug 25 07:25:59

Received From: (013hornet) 192.168.224.13->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/sudoers'
Size changed from '552' to '692'
Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
New md5sum is : '377364efbaefe7138d3fe4081d98b592'
Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'

but also watches your logs for events:
OSSEC HIDS Notification.
2011 Aug 25 06:43:57

Received From: (056worf) 192.168.224.56->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Aug 25 06:43:56 worf su[9338]: + ??? root:nobody

Having said all of that, if you suspect your machine was compromised (the failed login messages in the logs only indicate that you had some failed attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec, run nmap or nessus on it and put it back in service.

Regards,
--b


What are the steps I need to take to secure it?
--
Kind regards,
Yudi
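As an added example (not part of the thread), a small POSIX shell script that does the auth.log review --b describes: it tallies "Failed password" lines per source address, lists the successful logins that are actually worth reading, and prints (without running) the iptables rules a fail2ban-style blocker would apply. The log lines are constructed samples in the format quoted above; SSH_PORT and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample auth.log lines (same format as the post, addresses from documentation ranges).
SAMPLE_LOG='Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 203.0.113.10 port 56631 ssh2
Aug 14 13:50:41 computer sshd[3555]: Failed password for root from 203.0.113.10 port 56640 ssh2
Aug 14 13:50:45 computer sshd[3557]: Failed password for root from 203.0.113.10 port 56652 ssh2
Aug 14 13:50:49 computer sshd[3559]: Failed password for root from 203.0.113.10 port 56660 ssh2
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 198.51.100.23 port 22792 ssh2
Aug 15 22:13:14 computer sshd[5131]: Failed password for invalid user admin from 198.51.100.23 port 22801 ssh2
Aug 15 22:14:00 computer sshd[5140]: Accepted publickey for user from 192.0.2.7 port 40000 ssh2'

# Assumption: the port sshd listens on (the poster moved it off 22; adjust to match sshd_config).
SSH_PORT=22

# failed_by_ip: read auth.log lines on stdin, print "<count> <ip>" per source, most failures first.
failed_by_ip() {
    grep 'sshd\[[0-9]*]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn
}

# offenders THRESHOLD: print only the addresses with at least THRESHOLD failures.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_logins: the "unusual logins" to peruse; prints "user@ip (auth method)".
accepted_logins() {
    grep 'sshd\[[0-9]*]: Accepted ' |
    sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port.*/\2@\3 (\1)/p'
}

# block_rules THRESHOLD: emit iptables commands for the offenders. They are printed, not
# executed, so the list can be checked first (the thread notes a spoofed source would be
# blocked just the same).
block_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$SSH_PORT"
    done
}

# Real use: cat /var/log/auth.log /var/log/auth.log.1 | block_rules 5
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```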


