From: Chris Spackman (spackman openhistory.org)
Date: Sun Jan 21 2001 - 04:50:39 CST
On Sun, Jan 21, 2001 at 05:03:35AM -0500, Dave wrote:
> Hi,
>
> The setup:
> I'm on a stand-alone machine with ppp dial-up, I have pmfirewall up &
> running fine, a fresh LM 7.2 install with security updates only, (install
> was custom development with medium security level). My username is
> sundance.
>
> The problem:
> Root gets daily message as follows (sorry, it's kind of long):
(snip)
> Security Warning: these home directory should not be owned by someone
> else or
> writeable :
> user=zope(104) : home directory is group writeable.
>
> These are the ports listening on your machine :
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 *:631                   *:*                     LISTEN      395/cupsd
> tcp        0      0 *:6000                  *:*                     LISTEN      600/X
> tcp        0      0 *:1024                  *:*                     LISTEN      590/kdm
> tcp        0      0 *:10000                 *:*                     LISTEN      566/perl
> tcp        0      0 *:mysql                 *:*                     LISTEN      550/mysqld
> tcp        0      0 *:smtp                  *:*                     LISTEN      463/master
> tcp        0      0 *:auth                  *:*                     LISTEN      361/identd
> tcp        0      0 *:sunrpc                *:*                     LISTEN      315/portmap
> udp        0      0 *:631                   *:*                                 395/cupsd
> udp        0      0 *:xdmcp                 *:*                                 590/kdm
> udp        0      0 *:10000                 *:*                                 566/perl
> udp        0      0 *:sunrpc                *:*                                 315/portmap
> raw        0      0 *:icmp                  *:*                     7           -
> raw        0      0 *:tcp                   *:*                     7           -
> ----------------------
> Jeez, sorry about the length. For what it's worth, the wp8 entries
> were created by Wordperfect. Anyway, I'd like to know if all these logs
> are real security issues, and just what I might do to fix things if
> necessary.
>
> BTW, I have xinetd completely turned off/disabled, my hosts.deny is
> ALL:ALL and my hosts.allow is ALL:127.0.0
>
> Thanks very much.
> Dave.
Unless you are using portmap, mysql, identd, master, or those others,
you should disable them in DrakConf-->Startup services or modify their
config files. Cups, for example, doesn't need to be listening or
accepting connections if you aren't allowing others to connect to your
printer through a network (that is, the printer you use is attached
directly to your machine and no one else is using it to print).
So you could change the config file to stop it from listening for incoming

I get the same daily report, and the only open ports are X (but not
accepting anything), kdm (ditto), licq (if I leave it on), portsentry (you
might want to turn that on also, the command is:
portsentry -audp
portsentry -atcp
for advanced udp and tcp monitoring).

Don't know what the raw ones are, but I get them too.

I cannot comment much on the long list of world writable files except to say
that I get a daily list that is very similar. Hopefully someone can comment
on how much we should be worrying about so many world writable files.

If you are not using zope, uninstall it and remove the zope group. If you
are using it, then I have no idea what the best course of action is.

have fun
--
Chris and Yoshiko Spackman
www.openhistory.org
spackman openhistory.org (English)
yoshiko openhistory.org (Japanese)
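The advice in this thread boils down to comparing the daily listener report against the short list of services the box is actually meant to expose. The script below is an added example, not code from either poster: it runs that comparison over a netstat-style listing transcribed from Dave's report, ignores sockets bound only to loopback, and reports every wildcard-bound TCP/UDP listener whose program is not on a hypothetical allowlist (the allowlist "X kdm" and the loopback-only mysqld line are assumptions for the demonstration).

```shell
#!/bin/sh
# Added example, not code from the original thread: check a
# "netstat -tulpn"-style listing for services that listen on every
# interface (*:port) and are not on a hypothetical allowlist of services
# the machine is meant to expose.  Loopback-only binds are ignored.

# Sample listing, transcribed from the daily report quoted in the thread.
SAMPLE='tcp        0      0 *:631                   *:*                     LISTEN      395/cupsd
tcp        0      0 *:6000                  *:*                     LISTEN      600/X
tcp        0      0 *:1024                  *:*                     LISTEN      590/kdm
tcp        0      0 *:10000                 *:*                     LISTEN      566/perl
tcp        0      0 *:mysql                 *:*                     LISTEN      550/mysqld
tcp        0      0 *:smtp                  *:*                     LISTEN      463/master
tcp        0      0 *:auth                  *:*                     LISTEN      361/identd
tcp        0      0 *:sunrpc                *:*                     LISTEN      315/portmap
udp        0      0 *:631                   *:*                                 395/cupsd
udp        0      0 *:xdmcp                 *:*                                 590/kdm
udp        0      0 *:10000                 *:*                                 566/perl
udp        0      0 *:sunrpc                *:*                                 315/portmap
raw        0      0 *:icmp                  *:*                     7           -'

# Constructed line (not in the report): what mysqld looks like once bound
# to the loopback address only; the check must not flag it.
LOOPBACK_ONLY='tcp        0      0 127.0.0.1:mysql         *:*                     LISTEN      550/mysqld'

# unexpected_listeners LISTING ALLOWED
# LISTING is netstat text, ALLOWED a space-separated list of program names.
# Prints "proto local-address program" for each TCP/UDP socket bound to all
# interfaces whose program is not in ALLOWED.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" || $1 == "udp" {
            # wildcard bind: local address starts with "*:" or "0.0.0.0:"
            if (substr($4, 1, 2) != "*:" && index($4, "0.0.0.0:") != 1) next
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            if (!(prog in ok)) print $1, $4, prog
        }'
}

# Stand-alone use: on a dial-up box where only X and kdm are expected,
# every other wildcard listener is printed for review.
unexpected_listeners "$SAMPLE" "X kdm"
```

Feed it the live output of `netstat -tulpn` (or the daily report itself) and an allowlist for the machine; anything it prints is a service to disable or rebind to 127.0.0.1, as Chris suggests for cups.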