Re: Firewall/Port Problem
- From: "Cynthia Blue" <lucyblue xmission com>
- To: <redhat-install-list redhat com>
- Subject: Re: Firewall/Port Problem
- Date: Mon, 9 Dec 2002 17:01:21 -0700
Thanks for the reply...
I'm looking in dev for anything odd.. and GNOME is telling me there are more
files than it can open. There are a bunch of odd things in there... some
fd1h1200, 0 bytes block device, but I am not familiar with RH Linux yet to
know what is okay, and what is not. Some tty3 files, 0 byte character
device, last modified today. A whole bunch of stuff.
Can someone hack into a server through port 25? I don't know if it's
someone targeting me specifically, or if it was just something random. I had
a W2K server going and it kept crashing on me after a while... so maybe I
have someone targeting my IP address... the RH Linux server seemed great and
secure until I opened port 25 for ftping some files. :(
Thanks,
Cyn
> > I was wondering if Firestarter would clash with Guarddog in any way. I
> > recently installed Guarddog. Unfortunately, I suspect someone cracked my
> > system last night, as all ports are now disabled and I don't know how to
> > enable any of them again. Maybe I can do something with Firestarter.. I'm
> > very new to Linux, trying to understand everything going on...
>
> Firestarter manipulates the iptables kernel-level firewall. Guarddog
> is a sniffer, I believe, and tells you if an attempt was made on one of
> your ports. However, the port must NOT be blocked by iptables for
> guarddog to detect an attempt. I won't swear to that, as I've not used
> guarddog.
>
> > With my server... last night I opened port 25 (ftp), already had 80, 21 and
> > 110 open. This morning, only 23 was open (telnet). I closed down 23, but
> > now can't get anything else open again. :(
>
> Be VERY careful. You may have been hacked in that opening ANYTHING
> opens EVERYTHING. Double check the modify times on all your network
> daemons (wu-ftpd, apache, etc.). If the times seem recent, you've been
> hacked and you'd better do a fresh install. Also check utilities
> like ls, ps, netstat and find. Check the /dev directory for odd
> directories. Get a fresh install of ls and find and check for
> directories which start with multiple "."s.
>
> If you're not ABSOLUTELY confident, reinstall. And run tripwire. It's
> not foolproof, but it will tell you if something changed.
>
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer rstevens vitalstream com -
> - VitalStream, Inc. http://www.vitalstream.com -
> - -
> - This message printed using recycled bandwidth -
> ----------------------------------------------------------------------
>
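
The checks listed in the quoted reply (recent modify times on daemons and utilities, odd entries in /dev, directories whose names start with multiple dots), written out as an added shell example that is not part of either message. GNU find is assumed, and the binary paths in the `--scan` branch are assumed typical locations.

```shell
#!/bin/sh
# Added example. Assumes GNU find. Run it with known-good copies of find and
# sort (e.g. from rescue media): the quoted advice warns these may be replaced.

# Entries that do not belong in a device directory: regular files, and
# anything whose name starts with a dot. Review each hit by hand; tmpfs
# mounts such as /dev/shm legitimately hold regular files.
odd_dev_entries() {
    find "$1" -mindepth 1 \( -type f -o -name '.*' \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Directories whose names start with two or more dots ("...", ".. ").
# find does not list the real "." and ".." entries while descending, so
# every hit is a directory someone created.
multi_dot_dirs() {
    find "$1" -xdev -type d -name '..*' -print 2>/dev/null | LC_ALL=C sort
}

# Print those of the given files modified within the last N days. A recent
# time is a warning sign; an old one proves nothing, since mtime can be reset.
recently_modified() {
    days=$1
    shift
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -maxdepth 0 -mtime "-$days" -print
    done
}

if [ "${1:-}" = "--scan" ]; then
    echo "== odd entries in /dev =="
    odd_dev_entries /dev
    echo "== multi-dot directories =="
    multi_dot_dirs /
    echo "== changed in last 7 days =="
    # Assumed typical locations; adjust to the installed system.
    recently_modified 7 /usr/sbin/in.ftpd /usr/sbin/httpd \
        /bin/ls /bin/ps /bin/netstat /usr/bin/find
fi
```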