[ale] Comments sought on port scan

Bob's ALE Mail transam at cavu.com
Mon Dec 11 21:55:52 EST 2000


> 'Lo -

> I'm trying to minimize vulnerability of my Linux box prior to leaving it
> 7/24 on a static IP on the net.

> I installed nmap-2.53.1 and its front-end from rpms, and ran it against my
> RH6.2-2.2.17 box with the following results. Is this good, bad, or
> indifferent? Do I need 'sunrpc' service (for portmapper, I think) or
> 'printer' service? I tried editing 'printer' service out of
> '/etc/services' and restarting 'inetd', but these ports all seem to
> persist. Should I be more paranoid? How? What are the most indicative
> 'nmap' scans to run? What other tools would be good to try?

> Thanks for any suggestions.

> **********************************************************************
> Starting nmap V. 2.53 by fyodor at insecure.org ( www.insecure.org/nmap/ )
>  Interesting ports on $HOST.mills-atl.com (aa.bb.cc.dd):
> (The 1516 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh                     
Ok so long as all of your accounts have good passwords on them.

> 25/tcp     open        smtp                    
Does your ISP intercept SMTP (sendmail)?  Most do but if yours does not
you either want to ensure that your sendmail is up-to-date and securely
configured or turn it off.

> 111/tcp    open        sunrpc                  
Turn this off or be cracked!

> 113/tcp    open        auth                    
ok.

> 515/tcp    open        printer                 
If you don't have a printer then turn this off.  If you do, ensure that you
have an up-to-date version that is free of known holes.

> 941/tcp    open        unknown                 
I don't know what this is.  Do 'netstat -ap' to see the PID of the
process having it open and then do "ps -axlww|grep PID" and analyze.

> 6000/tcp   open        X11                     
Definitely disable this by causing X to not listen on the TCP port!

> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=2320376 (Good luck!)
Good

> Remote operating system guess: Linux 2.1.122 - 2.2.14
Verify that you really are running 2.2.17.  Recent versions older than
2.2.16 have a kernel vulnerability.

> Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
> **********************************************************************

> -- 
> Regards -
>  John Mills

Bob Toxen
bob at cavu.com
transam at cavu.com                       [Bob's ALE Bulk email]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My new book: Real World Linux Security]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
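The reply above works through the scan line by line, keeping the ports the owner actually means to serve and questioning everything else. The following script is an added example, not code from the post or from nmap: it parses the classic nmap text output quoted above (embedded here as a constructed sample, with the host name and address left as the placeholders the post used) and reports every open port that is not on an allowlist of intended services. The allowlist itself is an assumption for the example and should be replaced with the services you intend to expose.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the port table from the scan quoted in the post,
# with the host name and address left as the placeholders used there.
SAMPLE_SCAN = """\
Starting nmap V. 2.53 by fyodor at insecure.org ( www.insecure.org/nmap/ )
Interesting ports on $HOST.mills-atl.com (aa.bb.cc.dd):
(The 1516 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
113/tcp    open        auth
515/tcp    open        printer
941/tcp    open        unknown
6000/tcp   open        X11
"""

# Assumed allowlist for the example: the services this box is meant to
# expose, keyed by port/protocol. Anything open that is not listed here
# needs a justification or should be switched off.
INTENDED: Dict[str, str] = {
    "22/tcp": "ssh",
    "25/tcp": "smtp",
    "113/tcp": "auth",
}

# Matches the data rows of nmap's classic "Port State Service" table.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_ports(scan_text: str) -> List[Tuple[str, str, str]]:
    """Return (port/proto, state, service) for each port row; banner,
    header and summary lines that do not start with a port are skipped."""
    ports: List[Tuple[str, str, str]] = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((f"{m.group(1)}/{m.group(2)}", m.group(3), m.group(4)))
    return ports


def review(scan_text: str, intended: Dict[str, str]) -> Dict[str, list]:
    """Split the open ports into those matching the allowlist and those
    that do not (wrong service on an allowed port counts as unexpected)."""
    findings: Dict[str, list] = {"expected": [], "unexpected": []}
    for port, state, service in parse_ports(scan_text):
        if state != "open":
            continue
        if intended.get(port) == service:
            findings["expected"].append(port)
        else:
            findings["unexpected"].append((port, service))
    return findings


if __name__ == "__main__":
    result = review(SAMPLE_SCAN, INTENDED)
    print("intended and open:", ", ".join(result["expected"]))
    for port, service in result["unexpected"]:
        # An "unknown" service name is exactly the case for the netstat/ps
        # check described in the post: find the process, then decide.
        print(f"review {port} ({service}): not on the allowlist")
```

Run against the sample, the script lists 22, 25 and 113 as intended and flags 111/sunrpc, 515/printer, 941/unknown and 6000/X11 for review, which is the same set the reply singles out. Because the scan is taken from outside, compare its result with what the host itself reports (the netstat and ps steps in the reply) so that a service you believe you removed from inetd is confirmed gone rather than assumed gone.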