
Re: Firewall/Port Problem



Cynthia Blue wrote:
I was wondering if Firestarter would clash with Guarddog in any way. I
recently installed Guarddog. Unfortunately, I suspect someone cracked my
system last night, as all ports are now disabled and I don't know how to
enable any of them again.  Maybe I can do something with Firestarter.. I'm
very new to Linux, trying to understand everything going on...

Firestarter manipulates the iptables kernel-level firewall. Guarddog is a sniffer, I believe, and tells you if an attempt was made on one of your ports. However, the port must NOT be blocked by iptables for Guarddog to detect an attempt. I won't swear to that, as I've not used Guarddog.

With my server... last night I opened port 25 (ftp), already had 80, 21 and
110 open. This morning, only 23 was open (telnet).  I closed down 23, but
now can't get anything else open again.  :(

Be VERY careful. You may have been hacked in that opening ANYTHING opens EVERYTHING. Double check the modify times on all your network daemons (wu-ftpd, apache, etc.). If the times seem recent, you've been hacked and you'd better do a fresh install. Also check utilities like ls, ps, netstat and find. Check the /dev directory for odd directories. Get a fresh install of ls and find and check for directories which start with multiple "."s.

If you're not ABSOLUTELY confident, reinstall.  And run tripwire.  It's
not foolproof, but it will tell you if something changed.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-           This message printed using recycled bandwidth            -
----------------------------------------------------------------------
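
The checks listed in the reply above (recently modified daemons and utilities, odd entries in /dev, directories whose names start with multiple dots), written as an added shell example that is not part of the original message. It assumes the suspect root is mounted at a path you pass in (`/mnt/suspect` is a placeholder) and that `find` comes from trusted media; the 7-day window, the directory list and the /dev/shm exclusion are assumptions.

```shell
#!/bin/sh
# Added example: post-compromise triage with find, run against a mounted root.
# Usage (placeholder path): SCAN_ROOT=/mnt/suspect sh triage.sh

# Daemons and utilities (ls, ps, netstat, find, ...) modified in the last DAYS days.
recent_binaries() {
    root=${1:-/}; days=${2:-7}
    for d in bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin; do
        if [ -d "${root%/}/$d" ]; then
            find "${root%/}/$d" -type f -mtime "-$days" -print
        fi
    done
}

# Entries that do not belong in /dev: regular files and hidden directories.
# /dev/shm is pruned because regular files are normal there (heuristic).
odd_dev_entries() {
    root=${1:-/}
    find "${root%/}/dev" -path "${root%/}/dev/shm" -prune -o \
        \( -type f -o -type d -name '.*' \) -print
}

# Directories whose name starts with two or more dots, e.g. "..." or ".. ".
multi_dot_dirs() {
    root=${1:-/}
    find "$root" -xdev -type d -name '..*' -print 2>/dev/null
}

# Print all three reports for one root.
triage() {
    echo "== binaries modified in the last ${2:-7} days =="
    recent_binaries "$1" "${2:-7}"
    echo "== regular files / hidden directories in /dev =="
    odd_dev_entries "$1"
    echo "== directories starting with multiple dots =="
    multi_dot_dirs "$1"
}

# Only scan when a root is given explicitly via SCAN_ROOT.
if [ -n "${SCAN_ROOT:-}" ]; then
    triage "$SCAN_ROOT" "${SCAN_DAYS:-7}"
fi
```

A recent modification time is only a lead: package updates also touch these files, so compare hits against the package manager's records or a tripwire baseline.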




