computers:securitynotes (created 2007/03/12 14:05 by david; current revision 2007/04/25 12:00 by david)
====== Checking Open Ports ======

This [[http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html|Red Hat Security Page]] had a great list of things you can check.

The command returns the following output:

<code>
tcp        0      0 0.0.0.0:834             0.0.0.0:*               LISTEN      653/ypbind
</code>
  
Seeing the open port in //netstat// is reassuring: a cracker who opened a port surreptitiously on a compromised system would likely hide it from this command (a rootkit typically does exactly that), so a port that shows up in a scan but not in //netstat// deserves suspicion. Also, the ''-p'' option reveals the process id (PID) of the service which opened the port (it needs root to show PIDs for processes you do not own). In this case the open port belongs to //ypbind// (NIS), which is an RPC service handled in conjunction with the //portmap// service.
  
The //lsof// command reveals similar information since it is also capable of linking open ports to services:
  
<code>
lsof -i | grep 834
</code>
  
Below is the relevant portion of the output for this command:
  
<code>
ypbind      653        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      655        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      656        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      657        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
</code>

As you can see, these tools can reveal a great deal about the status of the services running on a machine. They are flexible and provide a wealth of information about network services and configuration, so consulting the man pages for //lsof//, //netstat//, //nmap//, and //services// is highly recommended.
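The cross-check the paragraphs above rely on, written out as an added shell example (this is not code from the original page or from the Red Hat guide): compare the TCP ports an external scan reports open against the ''netstat -tlnp'' output taken on the host, and flag any port the scan sees but no local process admits to owning. The netstat output, the scan result (including the unexplained port 31337) and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: cross-check an external port scan against local netstat output.
# A backdoor that hides from netstat shows up as a port the scan sees open but no
# local process claims. All data below is constructed sample data; in real use set
# NETSTAT_OUT="$(netstat -tlnp)" on the host (as root, so -p can show every PID)
# and SCAN_PORTS from an nmap run made from another machine.

NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      547/portmap
tcp        0      0 0.0.0.0:834             0.0.0.0:*               LISTEN      653/ypbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd'

# TCP ports a (constructed) external scan reported open; 31337 has no listener above
SCAN_PORTS='22 111 834 31337'

# listener_for_port PORT : print the PID/program of the local TCP listener on PORT
# (e.g. "653/ypbind"), or nothing if netstat lists no process for it
listener_for_port() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # the port is whatever follows the last ":" in the local address,
            # which also handles IPv6 listeners printed as :::834
            n = split($4, addr, ":")
            if (addr[n] == port) { print $7; exit }
        }'
}

# hidden_ports : ports open in the scan that no local process claims to own
hidden_ports() {
    for p in $SCAN_PORTS; do
        [ -n "$(listener_for_port "$p")" ] || printf '%s\n' "$p"
    done
}

# report : one line per scanned port, suitable for saving and diffing against a
# later run so new listeners stand out
report() {
    for p in $SCAN_PORTS; do
        owner=$(listener_for_port "$p")
        printf '%s\t%s\n' "$p" "${owner:-HIDDEN: open to the network but not in netstat}"
    done
}

report
```

Run ''report'' as root right after a scan from another machine; every line should name a process you recognise, and a HIDDEN line means either the scan hit a port that closed in between or the host's own tools can no longer be trusted and the box should be examined offline.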
 +
====== Dropping Unwanted Packets ======

Some dude/dudette was flooding the Apache server with requests, so I added an iptables rule to drop packets from his/her IP.

<code>
# drop all incoming packets from 88.241.152.169
# -I inserts the rule at the top of the INPUT chain, ahead of any ACCEPT rules
iptables -I INPUT -s 88.241.152.169 -j DROP
# list your iptables rules (-n skips reverse DNS lookups; add -v for packet counters)
iptables -L -n
# rules live in kernel memory only and are gone after a reboot unless saved (iptables-save)
</code>
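An added example (not the page's own commands) that takes the procedure one step further: find the flooding client in the Apache access log by counting requests per source address, then block it with the same kind of iptables rule, refusing malformed input and skipping the rule if it is already present. The log lines, the request threshold and the DRY_RUN switch are constructed assumptions for this example; the ''iptables -C'' check needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example: find clients flooding Apache and block them with iptables.
# The log lines below are constructed; in real use feed /var/log/httpd/access_log
# to flooders on stdin. Requires root unless DRY_RUN=1 is set.

# Constructed common-log-format lines; 88.241.152.169 is the flooder.
ACCESS_LOG='88.241.152.169 - - [25/Apr/2007:11:58:01 +0000] "GET / HTTP/1.0" 200 512
10.0.0.5 - - [25/Apr/2007:11:58:02 +0000] "GET /index.html HTTP/1.1" 200 2048
88.241.152.169 - - [25/Apr/2007:11:58:02 +0000] "GET / HTTP/1.0" 200 512
88.241.152.169 - - [25/Apr/2007:11:58:02 +0000] "GET / HTTP/1.0" 200 512
192.168.1.20 - - [25/Apr/2007:11:58:03 +0000] "GET /about.html HTTP/1.1" 200 1024
88.241.152.169 - - [25/Apr/2007:11:58:03 +0000] "GET / HTTP/1.0" 200 512'

# flooders THRESHOLD : read an access log on stdin and print every client address
# with more than THRESHOLD requests, busiest first
flooders() {
    awk -v limit="$1" '
        { count[$1]++ }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }' \
    | sort -rn | awk '{ print $2 }'
}

# valid_ipv4 ADDR : succeed only for a dotted quad with each octet in 0..255.
# Log lines are attacker-controlled input, so nothing else may reach iptables.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# block_ip ADDR : drop all traffic from ADDR at the top of the INPUT chain.
# With DRY_RUN=1 the iptables command is printed instead of executed.
block_ip() {
    addr=$1
    valid_ipv4 "$addr" || { echo "refusing to block malformed address: $addr" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -I INPUT -s $addr -j DROP"
        return 0
    fi
    # -C checks whether an identical rule already exists, so running this twice
    # does not stack duplicate rules in the chain
    if iptables -C INPUT -s "$addr" -j DROP 2>/dev/null; then
        echo "already blocked: $addr"
        return 0
    fi
    # -I puts the rule at the top of INPUT so it fires before any ACCEPT rule
    iptables -I INPUT -s "$addr" -j DROP && echo "blocked: $addr"
}

# Usage on a real server (threshold of 100 requests is an example value):
#   flooders 100 < /var/log/httpd/access_log | while read -r ip; do block_ip "$ip"; done
# Demonstration on the constructed log, without touching the firewall:
DRY_RUN=1
printf '%s\n' "$ACCESS_LOG" | flooders 2 | while read -r ip; do block_ip "$ip"; done
```

Remember that rules added this way are gone after a reboot unless you persist them with ''iptables-save'', and that a flood from one address is the easy case: if the requests come from many addresses, per-address DROP rules do not scale and a rate limit in front of Apache is the better tool.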
computers/securitynotes.1173708345.txt.gz · Last modified: 2007/03/12 14:07 (external edit)