help: how to make the machine secure!!

From: Frank Ratzlow (frank_ratzlow_at_hotmail.com)
Date: 07/05/03

    Date: 4 Jul 2003 15:13:17 -0700


    Hello folks,

    I'm about to lose my nerves because the data center where my server
    is running is cut off from the network once again because the machine
    is scanning other servers.

    At first, how can I check out what is the source bin file that starts
    these scans?
    Even after I commented out nearly every port in /etc/inet/inetd.conf,
    netstat -a
    tells me that ports such as telnet, echo, exec ... are still listening.
    Why is that?
    I just want to show up ftp and.
    I commented out all rpc services as they are said to be insecure.

    In fact the only things I need are started via run scripts during the
    boot (oracle, tomcat, sshd, webmin)

    According to a co-worker at the data center the machine is infected by
    a trojan or the like. How do I get rid of such a nightmare?
    I discovered that as soon as the traffic goes up I get error messages
    in /var/adm/messages stating:
    ==============================================
    Jul 4 23:16:05 sunsrv01 sh1t[12685]: [ID 939540 user.error]
    pmap_getmaps rpc problem: RPC: Unable to receive; Routine will place
    interface out of state
    Jul 4 23:16:50 sunsrv01 sh1t[11676]: [ID 130275 user.error]
    pmap_getmaps rpc problem: RPC: Timed out
    Jul 4 23:33:36 sunsrv01 sh1t[13737]: [ID 338853 user.error]
    pmap_getmaps rpc problem: RPC: Unable to receive; An event requires
    attention
    Jul 4 23:38:04 sunsrv01 sh1t[28379]: [ID 130275 user.error]
    pmap_getmaps rpc problem: RPC: Timed out
    Jul 4 23:40:14 sunsrv01 sh1t[7412]: [ID 130275 user.error]
    pmap_getmaps rpc problem: RPC: Timed out
    ==============================================
    What does it mean, besides that there is something wrong?

    The system is running Solaris 9 (SPARC) with the latest recommended
    patches applied.

    I would be very grateful if someone could guide me to end this
    torture.

    TIA

    Frank
    frank_ratzlow@nojunk.hotmail.com

    P.S. some config info

    ===============inetd.conf=======================
    #
    # Copyright 1989-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    #
    #ident "@(#)inetd.conf 1.50 02/02/10 SMI"
    #
    # Configuration file for inetd(1M). See inetd.conf(4).
    #
    # To re-configure the running inetd process, edit this file, then
    # send the inetd process a SIGHUP.
    #
    # Syntax for socket-based Internet services:
    # <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
    #
    # Syntax for TLI-based Internet services:
    #
    # <service_name> tli <proto> <flags> <user> <server_pathname> <args>
    #
    # IPv6 and inetd.conf
    # By specifying a <proto> value of tcp6 or udp6 for a service, inetd will
    # pass the given daemon an AF_INET6 socket. The following daemons have
    # been modified to be able to accept AF_INET6 sockets
    #
    # ftp telnet shell login exec tftp finger printer
    #
    # and service connection requests coming from either IPv4 or IPv6-based
    # transports. Such modified services do not normally require separate
    # configuration lines for tcp or udp. For documentation on how to do this
    # for other services, see the Solaris System Administration Guide.
    #
    # You must verify that a service supports IPv6 before specifying <proto> as
    # tcp6 or udp6. Also, all inetd built-in commands (time, echo, discard,
    # daytime, chargen) require the specification of <proto> as tcp6 or udp6
    #
    # The remote shell server (shell) and the remote execution server
    # (exec) must have an entry for both the "tcp" and "tcp6" <proto> values.
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers." Many sites choose to disable
    # some or all of these services to improve security.
    #
    #systat stream tcp nowait root /usr/bin/ps ps -ef
    #netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
    #
    # Time service is used for clock synchronization.
    #
    time stream tcp6 nowait root internal
    time dgram udp6 wait root internal
    #
    # Echo, discard, daytime, and chargen are used primarily for testing.
    #
    # echo stream tcp6 nowait root internal
    # echo dgram udp6 wait root internal
    # discard stream tcp6 nowait root internal
    # discard dgram udp6 wait root internal
    # daytime stream tcp6 nowait root internal
    # daytime dgram udp6 wait root internal
    # chargen stream tcp6 nowait root internal
    # chargen dgram udp6 wait root internal
    #
    #
    # RPC services syntax:
    # <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
    # <pathname> <args>
    #
    # <endpoint-type> can be either "tli" or "stream" or "dgram".
    # For "stream" and "dgram" assume that the endpoint is a socket descriptor.
    # <proto> can be either a nettype or a netid or a "*". The value is
    # first treated as a nettype. If it is not a valid nettype then it is
    # treated as a netid. The "*" is a short-hand way of saying all the
    # transports supported by this system, ie. it equates to the "visible"
    # nettype. The syntax for <proto> is:
    # *|<nettype|netid>|<nettype|netid>{[,<nettype|netid>]}
    # For example:
    # dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
    #
    # Solstice system and network administration class agent server
    # 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
    #
    # rpc.cmsd is a data base daemon which manages calendar data backed
    # by files in /var/spool/calendar
    #
    #
    # Sun ToolTalk Database Server
    #
    # 100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
    #
    # Sun KCMS Profile Server
    #
    # 100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
    #
    # Sun Font Server
    #
    fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
    #
    # CacheFS Daemon
    #
    # 100235/1 tli rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd
    # OCFSERV - OCF (Smart card) Daemon
    # 100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
    # dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
    #100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
    # METAD - SLVM metadb Daemon
    #100229/1 tli rpc/tcp wait root /usr/sbin/rpc.metad rpc.metad
    # METAMHD - SLVM HA Daemon
    #100230/1 tli rpc/tcp wait root /usr/sbin/rpc.metamhd rpc.metamhd
    # METAMEDD - SLVM Mediator Daemon
    #100242/1 tli rpc/tcp wait root /usr/sbin/rpc.metamedd rpc.metamedd
    # LPD - Print Protocol Adaptor (BSD listener)
    #printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
    # RSHD - rsh daemon (BSD protocols)
    #shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
    #shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
    # RLOGIND - rlogin daemon (BSD protocols)
    #login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
    # REXECD - rexec daemon (BSD protocols)
    #exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
    #exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
    # COMSATD - comsat daemon (BSD protocols)
    comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
    # TALKD - talk daemon (BSD protocols)
    #talk dgram udp wait root /usr/sbin/in.talkd in.talkd
    # FINGERD - finger daemon
    #finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
    # RSTATD - rstat daemon
    #rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
    # RUSERSD - rusers daemon (gives out user information)
    #rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
    # RWALLD - rwall daemon (allows others to post messages to users)
    #walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
    # SPRAYD - spray daemon (used for testing)
    #sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
    # GSSD - GSS Daemon
    #100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
    # TFTPD - tftp server (primarily used for booting)
    #tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
    # TNAMED - tname server (it is an obsolete IEN-116 name server protocol)
    #name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
    # TELNETD - telnet server daemon
    #telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
    sun-dr stream tcp wait root /usr/lib/dcs dcs
    #sun-dr stream tcp6 wait root /usr/lib/dcs dcs
    # smserverd to support removable media devices
    #100155/1 tli rpc/ticotsord wait root /usr/lib/smedia/rpc.smserverd rpc.smserverd
    # REXD - rexd server provides only minimal authentication
    #rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
    # FTPD - FTP server daemon
    ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -a
    # KTKT_WARND - Kerberos V5 Warning Messages Daemon
    #100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
    # RQUOTAD - rquotad server supports UFS disk quotas for NFS clients
    #rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
    # UUCPD - uucp daemon (must run as root to read /etc/shadow)
    #uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
    # Kerberos V5 DB Propagation Daemon
    #krb5_prop stream tcp nowait root /usr/lib/krb5/kpropd kpropd
    cvspserver stream tcp nowait root /usr/local/bin/cvs cvs -f --allow-root /data/src/master pserver
    ===============================================

    ============netstat -a=========================
    UDP: IPv4
       Local Address Remote Address State
    -------------------- -------------------- -------
          *.sunrpc Idle
          *.* Unbound
          *.32771 Idle
          *.time Idle
          *.echo Idle
          *.discard Idle
          *.daytime Idle
          *.chargen Idle
          *.biff Idle
          *.name Idle
          *.syslog Idle
          *.177 Idle
    sunsrv01.32774 sunsrv01.syslog Connected
          *.10000 Idle
          *.* Unbound

    UDP: IPv6
       Local Address Remote Address State If
    --------------------------------- --------------------------------- ---------- -----
          *.time Idle
          *.echo Idle
          *.discard Idle
          *.daytime Idle
          *.chargen Idle

    TCP: IPv4
       Local Address Remote Address Swind Send-Q Rwind Recv-Q State
    -------------------- -------------------- ----- ------ ----- ------ -------
          *.* *.* 0 0 49152 0 IDLE
          *.sunrpc *.* 0 0 49152 0 LISTEN
          *.* *.* 0 0 49152 0 IDLE
          *.time *.* 0 0 49152 0 LISTEN
          *.echo *.* 0 0 49152 0 LISTEN
          *.discard *.* 0 0 49152 0 LISTEN
          *.daytime *.* 0 0 49152 0 LISTEN
          *.chargen *.* 0 0 49152 0 LISTEN
          *.32771 *.* 0 0 49152 0 LISTEN
          *.32772 *.* 0 0 49152 0 LISTEN
          *.32773 *.* 0 0 49152 0 LISTEN
          *.shell *.* 0 0 49152 0 LISTEN
          *.shell *.* 0 0 49152 0 LISTEN
          *.login *.* 0 0 49152 0 LISTEN
          *.exec *.* 0 0 49152 0 LISTEN
          *.exec *.* 0 0 49152 0 LISTEN
          *.telnet *.* 0 0 49152 0 LISTEN
          *.sun-dr *.* 0 0 49152 0 LISTEN
          *.sun-dr *.* 0 0 49152 0 LISTEN
          *.ftp *.* 0 0 49152 0 LISTEN
          *.uucp *.* 0 0 49152 0 LISTEN
          *.cvspserver *.* 0 0 49152 0 LISTEN
          *.5987 *.* 0 0 49152 0 LISTEN
          *.898 *.* 0 0 49152 0 LISTEN
          *.32774 *.* 0 0 49152 0 LISTEN
          *.5988 *.* 0 0 49152 0 LISTEN
          *.32775 *.* 0 0 49152 0 LISTEN
    sunsrv01.32777 sunsrv01.32771 49152 0 49152 0 ESTABLISHED
    sunsrv01.32771 sunsrv01.32777 49152 0 49152 0 ESTABLISHED
          *.32779 *.* 0 0 49152 0 LISTEN
          *.ssh *.* 0 0 49152 0 LISTEN
          *.10000 *.* 0 0 49152 0 LISTEN
          *.* *.* 0 0 49152 0 IDLE

    TCP: IPv6
       Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
    --------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
          *.* *.* 0 0 49152 0 IDLE
          *.time *.* 0 0 49152 0 LISTEN
          *.echo *.* 0 0 49152 0 LISTEN
          *.discard *.* 0 0 49152 0 LISTEN
          *.daytime *.* 0 0 49152 0 LISTEN
          *.chargen *.* 0 0 49152 0 LISTEN
          *.shell *.* 0 0 49152 0 LISTEN
          *.login *.* 0 0 49152 0 LISTEN
          *.exec *.* 0 0 49152 0 LISTEN
          *.telnet *.* 0 0 49152 0 LISTEN
          *.sun-dr *.* 0 0 49152 0 LISTEN
          *.ftp *.* 0 0 49152 0 LISTEN
          *.ssh *.* 0 0 49152 0 LISTEN
    ==============================================================
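One way to triage the two symptoms in the post (services commented out in inetd.conf that still show as LISTEN, and the pmap_getmaps errors logged under an odd process name), as an added example that is not part of the original message: the inetd.conf header quoted above says edits take effect only after inetd gets a SIGHUP, so a listening port whose entry is disabled means either no reload happened or some other process owns the socket, and the syslog tag plus PID is the handle for finding that process. Sample inputs are constructed from the post's own fragments; the `standalone` list of daemons started from run scripts is an assumption.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the inetd.conf, netstat -a and /var/adm/messages fragments in the post.
INETD_CONF = """\
# echo stream tcp6 nowait root internal
time stream tcp6 nowait root internal
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -a
"""
NETSTAT = """\
      *.time *.* 0 0 49152 0 LISTEN
      *.echo *.* 0 0 49152 0 LISTEN
      *.shell *.* 0 0 49152 0 LISTEN
      *.telnet *.* 0 0 49152 0 LISTEN
      *.ftp *.* 0 0 49152 0 LISTEN
      *.ssh *.* 0 0 49152 0 LISTEN
"""
MESSAGES = """\
Jul 4 23:16:05 sunsrv01 sh1t[12685]: [ID 939540 user.error] pmap_getmaps rpc problem: RPC: Unable to receive
Jul 4 23:16:50 sunsrv01 sh1t[11676]: [ID 130275 user.error] pmap_getmaps rpc problem: RPC: Timed out
Jul 4 23:33:36 sunsrv01 sh1t[13737]: [ID 338853 user.error] pmap_getmaps rpc problem: RPC: Unable to receive
"""

def enabled_inetd_services(conf):
    """Service names on inetd.conf lines that are not commented out."""
    return {l.split()[0] for l in conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def listening_services(netstat_out):
    """Local service/port name (text after the last '.') of every LISTEN row."""
    rows = (l.split() for l in netstat_out.splitlines())
    return {f[0].rsplit(".", 1)[1] for f in rows if f and f[-1] == "LISTEN"}

def listening_but_disabled(conf, netstat_out, standalone=("ssh",)):
    """Ports open although inetd.conf disables them: inetd was not reloaded
    (SIGHUP) or another process owns the socket. 'standalone' (assumed) lists
    daemons started from run scripts, which inetd.conf cannot explain."""
    extra = listening_services(netstat_out) - enabled_inetd_services(conf)
    return sorted(extra - set(standalone))

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ ([^\[\s]+)\[(\d+)\]: .*pmap_getmaps")

def rpc_error_sources(messages):
    """Count pmap_getmaps errors per logging process name and collect the PIDs,
    which is what to feed ps/pfiles to locate the binary behind the scans."""
    hits = [m for m in map(SYSLOG_RE.match, messages.splitlines()) if m]
    return Counter(m.group(1) for m in hits), sorted({int(m.group(2)) for m in hits})
```

Run against the real files, a non-empty result from `listening_but_disabled` on a box whose inetd was reloaded points at a process other than inetd holding those ports, which is exactly what the RPC error tag should be matched against.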

