
Re: securing the system, stopping unnecessary services and closing open ports.



On Sun 28 Aug 2011 at 01:05:47 +1000, yudi v wrote:

> Nmap suggests the following ports are open:
> 
> 25/tcp   open  smtp
> 111/tcp  open  rpcbind
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 631/tcp  open  ipp
> 901/tcp  open  samba-swat
> 2049/tcp open  nfs
> 
> I run a desktop email client that uses smtp apart from that I do not know
> why rest of the above services are open.

If the smtp server is exim4 it only accepts local mail with its default
settings. No problem there. CUPS (port 631) in its default install will
only print from the local machine. No problem here either.

Incidentally, the services are open because they are running. That is
the meaning of 'open'. They are running because you have installed them.

> it even had SSH listening on 22, changed the port # and also  changed

Never! sshd on port 22. Whatever next?

> PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
> output:

There is no need to, but if you feel better after doing it ....

> also installed gufw and set it to deny as default.

You did get desperate, didn't you? Was this before or after reading the
documentation for the services you installed?

> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for
> root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for
> invalid user admin from 190.24.225.223 port 22792 ssh2
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping
> checking getaddrinfo for
> corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE
> BREAK-IN ATTEMPT!

Is your root password something really easy, like password5, or is it (say)
12+ characters? Do you have a user 'admin'? What is there to be worried
about?

> how can I find out if this system has been compromised?

There is no evidence here that it has been.
 
> what are the steps I need to take to secure it?

Don't install services you don't need. Configure those you want safely.
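An added example, not part of the reply above or of the original post: a small Python script that does what the `grep "Failed password"` in the question does by hand, but summarizes the sshd failures per source address and separates guesses against accounts that exist on the host (like `root`) from guesses against accounts that do not (`invalid user admin`). The sample log text is constructed, modelled on the lines quoted in the thread, with one extra repeat and one successful key login added to show what the parser ignores; the function names are mine.

```python
"""Summarize sshd 'Failed password' lines from an auth.log by source address.

Added example, not code from the thread. The regex follows the line format
quoted in the post; SAMPLE_AUTH_LOG is constructed sample input.
"""
import re
from collections import defaultdict

# Constructed sample input modelled on the grep output quoted in the thread:
# the two quoted failures, one repeat, a reverse-mapping notice and a
# successful key login (the last two are not failures and must be skipped).
SAMPLE_AUTH_LOG = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 15 22:13:14 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22794 ssh2
Aug 16 03:01:02 computer sshd[6001]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# sshd writes "invalid user " only when the account does not exist on the host,
# which is exactly the distinction the reply asks about ("Do you have a user 'admin'?").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_logins(log_text):
    """Return {ip: {"attempts": int, "existing": set, "nonexistent": set}}."""
    by_ip = defaultdict(lambda: {"attempts": 0, "existing": set(), "nonexistent": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failed-password line (reverse-mapping notice, accepted login, ...)
        entry = by_ip[m.group("ip")]
        entry["attempts"] += 1
        bucket = "nonexistent" if m.group("invalid") else "existing"
        entry[bucket].add(m.group("user"))
    return dict(by_ip)


def assess(by_ip, root_login_permitted=True):
    """Map each source address to a severity a defender can act on.

    "noise": only non-existent accounts were tried; nothing to do.
    "mitigated": only root was tried and PermitRootLogin is no.
    "review": a real account was targeted; check its password strength or
              move that account to key-only authentication.
    """
    verdicts = {}
    for ip, e in by_ip.items():
        if not e["existing"]:
            verdicts[ip] = "noise"
        elif e["existing"] == {"root"} and not root_login_permitted:
            verdicts[ip] = "mitigated"
        else:
            verdicts[ip] = "review"
    return verdicts


if __name__ == "__main__":
    summary = parse_failed_logins(SAMPLE_AUTH_LOG)
    for ip, verdict in sorted(assess(summary, root_login_permitted=False).items()):
        e = summary[ip]
        print(f"{ip}: {e['attempts']} failure(s), existing={sorted(e['existing'])}, "
              f"nonexistent={sorted(e['nonexistent'])} -> {verdict}")
```

Run it against a real file with `parse_failed_logins(open("/var/log/auth.log").read())`; with `PermitRootLogin no` set, as in the question, the guesses against `root` drop to "mitigated" and the `admin` guesses are plain background noise, which is the respondent's point that the log shows no compromise.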

