[ale] xinetd config (RH7.2)
Gene Matthews
gene at mmc-inc.com
Thu Feb 28 13:08:24 EST 2002
Sorry for all the traffic. My fingers are working faster than my
brain. It is portsentry. I stopped it and then netstat -l (with xinetd
down) shows nothing.
thanks,
gene
On Thu, 2002-02-28 at 13:05, Gene Matthews wrote:
> I just had a thought (dangerous, I know!). The install/setup of
> portsentry predates me on this box and I don't know much about it. But
> I'm seeing some of the ports that are being listened for in the
> portsentry conf file. Could it be portsentry opening these ports?
>
> Any portsentry gurus out there?
>
> thanks,
>
> gene
>
>
> On Thu, 2002-02-28 at 13:00, Gene Matthews wrote:
> > I tried disabled = yes and restarted xinetd and I am still seeing way
> > too many services being listened for.
> >
> > I have even stopped xinetd and then done 'netstat -l' and I still see
> > finger, echo, discard, etc. all having a state of "LISTEN".
> >
> > Hmmm. This is a relatively new (couple of weeks) RH7.2 upgrade.
> > Comparing the ps and netstat executables to my laptop (also RH7.2) they
> > look the same:
> >
> > -r-xr-xr-x 1 root root 63180 Aug 27 2001 /bin/ps
> > -rwxr-xr-x 1 root root 83132 Jul 31 2001 /bin/netstat
> >
> > I don't THINK I've been hacked. Any ideas on how I find what is telling
> > it to listen to certain services if it isn't xinetd?
> >
> > There isn't much running on this box:
> >
> >
> > # ps -ef
> > UID PID PPID C STIME TTY TIME CMD
> > root 1 0 0 12:46 ? 00:00:04 init [3]
> > root 2 1 0 12:46 ? 00:00:00 [keventd]
> > root 3 1 0 12:46 ? 00:00:00 [kapm-idled]
> > root 4 0 0 12:46 ? 00:00:00 [ksoftirqd_CPU0]
> > root 5 0 0 12:46 ? 00:00:00 [kswapd]
> > root 6 0 0 12:46 ? 00:00:00 [kreclaimd]
> > root 7 0 0 12:46 ? 00:00:00 [bdflush]
> > root 8 0 0 12:46 ? 00:00:00 [kupdated]
> > root 9 1 0 12:46 ? 00:00:00 [mdrecoveryd]
> > root 13 1 0 12:46 ? 00:00:00 [kjournald]
> > root 79 1 0 12:46 ? 00:00:00 [khubd]
> > root 172 1 0 12:46 ? 00:00:00 [kjournald]
> > root 173 1 0 12:46 ? 00:00:00 [kjournald]
> > root 174 1 0 12:46 ? 00:00:00 [kjournald]
> > root 833 1 0 12:46 ? 00:00:00 syslogd -m 0
> > root 838 1 0 12:47 ? 00:00:00 klogd -2
> > root 944 1 0 12:47 ? 00:00:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
> > root 981 1 0 12:47 ? 00:00:00 /usr/sbin/sshd
> > root 1031 1 0 12:47 ? 00:00:00 crond
> > daemon 1067 1 0 12:47 ? 00:00:00 /usr/sbin/atd
> > root 1084 1 0 12:47 ? 00:00:00 /usr/sbin/portsentry -tcp
> > root 1088 1 0 12:47 ? 00:00:00 /usr/sbin/portsentry -udp
> > root 1141 1 0 12:47 tty1 00:00:00 /sbin/mingetty tty1
> > root 1142 1 0 12:47 tty2 00:00:00 /sbin/mingetty tty2
> > root 1143 1 0 12:47 tty3 00:00:00 /sbin/mingetty tty3
> > root 1144 1 0 12:47 tty4 00:00:00 /sbin/mingetty tty4
> > root 1145 1 0 12:47 tty5 00:00:00 /sbin/mingetty tty5
> > root 1146 1 0 12:47 tty6 00:00:00 /sbin/mingetty tty6
> > root 1149 981 0 12:47 ? 00:00:00 /usr/sbin/sshd
> > gene 1150 1149 0 12:47 pts/0 00:00:00 -bash
> > root 1188 1150 0 12:47 pts/0 00:00:00 su -
> > root 1189 1188 0 12:47 pts/0 00:00:00 -bash
> > root 1338 1189 0 13:01 pts/0 00:00:00 ps -ef
> >
> >
> > Anyone have any ideas?
> >
> > Thanks,
> >
> > Gene
> >
> > On Thu, 2002-02-28 at 12:08, James P. Kinney III wrote:
> > > Should be:
> > >
> > > disabled = yes
> > >
> > > On Thu, 2002-02-28 at 12:08, Gene Matthews wrote:
> > > > I'm trying to tighten down a RH7.2 box. Below is what /etc/xinetd.conf
> > > > currently looks like. I have added the 'disabled' line to the defaults
> > > > and sent a SIGUSR2 signal to the xinetd pid. However, a lot of unwanted
> > > > services are still being listened for.
> > > >
> > > >
> > > > defaults
> > > > {
> > > > disabled
> > > > instances = 60
> > > > log_type = SYSLOG authpriv
> > > > log_on_success = HOST PID
> > > > log_on_failure = HOST
> > > > cps = 25 30
> > > >
> > > > }
> > > >
> > > > includedir /etc/xinetd.d
> > > >
> > > >
> > > >
> > > > The only thing enabled in /etc/xinetd.d/ is amanda. However, a 'netstat
> > > > -l' still shows lots of stuff open. I know some things don't use
> > > > inetd/xinetd; they may have their own daemon (like sshd). But finger,
> > > > echo, discard, etc. do (I think!).
> > > >
> > > > Anyone have any pointers? The 'disabled' flag should work if I'm
> > > > reading the man page correctly and sending the SIGUSR2 should reload
> > > > it. I'm trying to avoid a reboot.
> > > >
> > > > Thanks,
> > > >
> > > > Gene
> > > >
> > > > # netstat -l
> > > > Active Internet connections (only servers)
> > > > Proto Recv-Q Send-Q Local Address           Foreign Address         State
> > > > tcp        0      0 *:tcpmux                *:*                     LISTEN
> > > > tcp        0      0 *:20034                 *:*                     LISTEN
> > > > tcp        0      0 *:32771                 *:*                     LISTEN
> > > > tcp        0      0 *:32772                 *:*                     LISTEN
> > > > tcp        0      0 *:40421                 *:*                     LISTEN
> > > > tcp        0      0 *:32773                 *:*                     LISTEN
> > > > tcp        0      0 *:32774                 *:*                     LISTEN
> > > > tcp        0      0 *:31337                 *:*                     LISTEN
> > > > tcp        0      0 *:ircd                  *:*                     LISTEN
> > > > tcp        0      0 *:systat                *:*                     LISTEN
> > > > tcp        0      0 *:5742                  *:*                     LISTEN
> > > > tcp        0      0 *:imap                  *:*                     LISTEN
> > > > tcp        0      0 *:finger                *:*                     LISTEN
> > > > tcp        0      0 *:netstat               *:*                     LISTEN
> > > > tcp        0      0 *:54320                 *:*                     LISTEN
> > > > tcp        0      0 *:2000                  *:*                     LISTEN
> > > > tcp        0      0 *:ingreslock            *:*                     LISTEN
> > > > tcp        0      0 *:ssh                   *:*                     LISTEN
> > > > tcp        0      0 *:nntp                  *:*                     LISTEN
> > > > tcp        0      0 *:socks                 *:*                     LISTEN
> > > > tcp        0      0 *:12345                 *:*                     LISTEN
> > > > tcp        0      0 *:12346                 *:*                     LISTEN
> > > > tcp        0      0 *:635                   *:*                     LISTEN
> > > > tcp        0      0 *:49724                 *:*                     LISTEN
> > > > tcp        0      0 *:uucp                  *:*                     LISTEN
> > > > udp        0      0 *:640                   *:*
> > > > udp        0      0 *:641                   *:*
> > > > udp        0      0 *:who                   *:*
> > > > udp        0      0 *:tcpmux                *:*
> > > > udp        0      0 *:32770                 *:*
> > > > udp        0      0 *:32771                 *:*
> > > > udp        0      0 *:32772                 *:*
> > > > udp        0      0 *:32773                 *:*
> > > > udp        0      0 *:32774                 *:*
> > > > udp        0      0 *:echo                  *:*
> > > > udp        0      0 *:discard               *:*
> > > > udp        0      0 *:snmp                  *:*
> > > > udp        0      0 *:snmptrap              *:*
> > > > udp        0      0 *:54321                 *:*
> > > > udp        0      0 *:700                   *:*
> > > > udp        0      0 *:tftp                  *:*
> > > > udp        0      0 *:amanda                *:*
> > > > udp        0      0 *:31337                 *:*
> > > > Active UNIX domain sockets (only servers)
> > > > Proto RefCnt Flags Type State I-Node Path
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Gene Matthews
> > > > Matthews Midrange Consulting, Inc.
> > > > (678) 923-8327
> > > > (877) 882-6291 (toll free)
> > > > http://mmc-inc.com
> > > >
> > > >
> > > > ---
> > > > This message has been sent through the ALE general discussion list.
> > > > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > > > sent to listmaster at ale dot org.
> > > >
> > > --
> > > James P. Kinney III \Changing the mobile computing world/
> > > President and COO \ one Linux user /
> > > Local Net Solutions,LLC \ at a time. /
> > > 770-493-8244 \.___________________________./
> > >
> > > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > > <jkinney at localnetsolutions.com>
> > > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> > >
> > >
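Added example, not from the thread: the direct answer to "how do I find what is telling it to listen" is to join each listening socket to the process that holds it. netstat -lnp and lsof -i -P -n do this by matching the inode column of /proc/net/tcp and /proc/net/udp against the socket:[inode] links under each /proc/<pid>/fd; the script below does the same join from /proc itself, so it also shows which kernel tables those tools are trusting. It assumes Linux. The /proc/net/tcp and /proc/net/udp text and the inode-to-process table in the sample are constructed (the pids echo the ps -ef listing above but were not captured from that machine). Reading another user's /proc/<pid>/fd needs root, so run it as root or unowned sockets print as '-'.

```python
"""Show which process owns each listening TCP/UDP socket, straight from /proc.

Added example for this thread; not code from the original posts. It reads the
same tables netstat -lnp and lsof -i use: the inode column of /proc/net/tcp and
/proc/net/udp, matched against the socket:[inode] links in every /proc/<pid>/fd.
Assumes Linux; run as root to see sockets held by other users' processes.
"""
import os
import re

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed /proc/net/tcp and /proc/net/udp text for the stand-alone demo
# (not captured from the poster's box). Ports are hex: 0016=22, 7A69=31337.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8BE5 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:7A69 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12348 2 0000000000000000 0
"""
# Constructed inode -> (pid, program) table; the pids echo the thread's ps -ef
# output but are illustrative only.
SAMPLE_OWNERS = {12345: (981, "/usr/sbin/sshd"),
                 12346: (1084, "/usr/sbin/portsentry"),
                 12348: (1088, "/usr/sbin/portsentry")}


def parse_proc_net(text):
    """Return [(local_port, inode)] for sockets that will accept traffic.

    Fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    st 0A is TCP LISTEN; a bound, unconnected UDP socket is reported as st 07,
    which netstat prints with an empty State column (as in the thread).
    """
    found = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 10 or f[3] not in ("0A", "07"):
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # same split works for v6 entries
        found.append((port, int(f[9])))
    return found


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, argv[0]) by reading every /proc/<pid>/fd."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                prog = fh.read().split(b"\0")[0].decode(errors="replace") or "?"
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:      # process exited, or its fds are not ours to read
            continue
        for target in links:
            m = SOCKET_LINK.match(target)
            if m:
                owners[int(m.group(1))] = (int(pid), prog)
    return owners


def attribute(net_text, proto, owners):
    """Join listening sockets with their owners; unknown owners show as '-'."""
    rows = []
    for port, inode in parse_proc_net(net_text):
        pid, prog = owners.get(inode, (None, "-"))
        rows.append((proto, port, pid, prog))
    rows.sort(key=lambda r: r[:2])
    return rows


def live_report(proc="/proc"):
    """The same join over the running kernel's tables."""
    owners = socket_owners(proc)
    rows = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        path = os.path.join(proc, "net", proto)
        if os.path.exists(path):
            with open(path) as fh:
                rows += attribute(fh.read(), proto, owners)
    return rows


def demo():
    """Constructed case: tcp/22 is sshd, tcp/31337 and udp/31337 are portsentry."""
    return attribute(SAMPLE_TCP, "tcp", SAMPLE_OWNERS) + attribute(SAMPLE_UDP, "udp", SAMPLE_OWNERS)


if __name__ == "__main__":
    for proto, port, pid, prog in demo() + live_report():
        print("%-4s %-6d %-6s %s" % (proto, port, pid if pid else "-", prog))
```

In the sample, tcp/22 maps to sshd while tcp/31337 and udp/31337 map to the two portsentry processes, which is the picture the thread ended on: portsentry in its basic tcp and udp modes binds the decoy ports named in its configuration, so they show as LISTEN even with xinetd stopped. On a box where the ps and netstat binaries themselves are in question, comparing their output with this /proc walk and with a port scan from another host is a cheap cross-check; a kernel-level rootkit can lie to all of the local views at once, which is why the remote scan is the one worth keeping.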