securing the system, stopping unnecessary services and closing open ports.

August 27th, 2011 - 11:10 am ET by yudi v

Nmap suggests the following ports are open:

25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
901/tcp open samba-swat
2049/tcp open nfs

I run a desktop email client that uses SMTP; apart from that, I do not know
why the rest of the above services are open.

It even had SSH listening on 22; I changed the port number and also changed
PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following
output. I also installed gufw and set it to deny by default:

root@computer:/home/user# grep -ir "Failed password" /var/log/*
/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
root@computer:/home/user# grep -ir BREAK-IN /var/log/*
/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!


How can I find out if this system has been compromised?

What are the steps I need to take to secure it?

Kind regards,
Yudi
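The two grep commands in the post only find failed attempts. To answer "has this box been compromised?" from auth.log you also need the successful logins, and which of them came from an address that had been guessing passwords. The following script is an added example and not part of the post or of any tool discussed here; it parses sshd lines (including the "path:" prefix that `grep -r /var/log/*` prepends), counts failures per source, lists accepted logins and flags the ones worth a second look. The first three sample lines are the ones quoted in the post; the rest are constructed to exercise the checks, and the three-failure block threshold is an assumed value in the spirit of fail2ban, not a recommendation from the list.

```python
import re
from collections import Counter, defaultdict

# syslog-style prefix as seen in the post, with an optional "path:" from grep -r.
_PREFIX = (r"^(?:\S+?:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
           r"\S+ sshd\[\d+\]: ")
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
                         r"from (?P<ip>[\d.]+) port \d+")
REVMAP_RE = re.compile(_PREFIX + r"reverse mapping checking getaddrinfo for "
                       r"\S+? ?\[(?P<ip>[\d.]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!")

SAMPLE_LINES = [
    # The three lines quoted in the post (grep output, hence the path prefix).
    "/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2",
    "/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2",
    # Constructed lines (NOT from the post) so the checks below have something to find.
    "Aug 15 22:13:12 computer sshd[5131]: Failed password for invalid user test from 190.24.225.223 port 22801 ssh2",
    "Aug 15 22:13:15 computer sshd[5133]: Failed password for invalid user oracle from 190.24.225.223 port 22810 ssh2",
    "Aug 15 22:13:19 computer sshd[5135]: Failed password for root from 190.24.225.223 port 22815 ssh2",
    # Constructed: what a successful break-in would look like (root, from a guessing source).
    "Aug 16 03:17:05 computer sshd[5220]: Accepted password for root from 60.242.242.121 port 40112 ssh2",
    # Constructed: a normal key-based login from the LAN.
    "Aug 16 09:02:41 computer sshd[5302]: Accepted publickey for user from 192.168.1.20 port 51022 ssh2",
    # Constructed non-sshd line; it is ignored.
    "Aug 16 09:05:00 computer CRON[5310]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def analyze(lines, threshold=3):
    """Summarise sshd events. `threshold` is the assumed fail2ban-style cutoff
    at which a source would be blocked."""
    failed = Counter()
    invalid_users = defaultdict(set)
    revmap = Counter()
    accepted = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = FAILED_RE.match(line)
        if m:
            failed[m["ip"]] += 1
            if m["invalid"]:
                invalid_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append({"ts": m["ts"], "user": m["user"],
                             "ip": m["ip"], "method": m["method"]})
            continue
        m = REVMAP_RE.match(line)
        if m:
            revmap[m["ip"]] += 1
    # "Unusual logins": root logging in at all, or any login from a source
    # that was also guessing passwords.
    suspicious = [a for a in accepted if a["user"] == "root" or a["ip"] in failed]
    return {
        "failed_by_ip": dict(failed),
        "invalid_users": {ip: set(u) for ip, u in invalid_users.items()},
        "reverse_mapping_warnings": dict(revmap),
        "accepted": accepted,
        "suspicious_logins": suspicious,
        "block_candidates": sorted(ip for ip, n in failed.items() if n >= threshold),
    }


def report(result):
    for ip, n in sorted(result["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        users = ", ".join(sorted(result["invalid_users"].get(ip, ()))) or "-"
        print(f"{ip:>16}  failed={n:<3} invalid users tried: {users}")
    print("block candidates:", ", ".join(result["block_candidates"]) or "none")
    for a in result["accepted"]:
        flag = "  <-- CHECK" if a in result["suspicious_logins"] else ""
        print(f"accepted {a['method']:<9} {a['user']:<8} from {a['ip']} at {a['ts']}{flag}")


if __name__ == "__main__":
    report(analyze(SAMPLE_LINES))
```

On a real system run `analyze(open("/var/log/auth.log"))` (and the rotated `auth.log.1`, `auth.log.*.gz` after decompression). An "Accepted" line for root, or for any account from an address that also appears in the failure counts, is the thing the grep for "Failed password" cannot show you; absence of such a line is not proof of a clean box, since an intruder with root can edit the log.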





To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CACo--mvqoi...pt14iyaQ2A@mail.gmail.com
Replies (18)

#1 Brad Alexander
August 27th, 2011 - 11:40 am ET

Ports 139, 445 and 901 are Samba running. Port 631 is CUPS, your printer
driver. 111 and 2049 are for NFS. If you don't need them, you should be
able to turn them off. If you do need them, then you should be able to
firewall them, using iptables to limit access to the hosts or subnets you
need.

On Sat, Aug 27, 2011 at 11:05 AM, yudi v wrote:

> [quoted: the nmap port list and the auth.log excerpts from the original post above]
>
> how can I find out if this system has been compromised?

If you are looking for ssh attempts, you should peruse /var/log/auth.log and
look for unusual logins. The ones you mention above are failed. You could
run fail2ban or another tool that watches your ssh port and, in the event
of too many failed attempts, blocks the IP through iptables. Be careful,
because if someone spoofs the address, then you could block some site that
you need to access.

Another idea would be to run a Host-based Intrusion Detection System (HIDS).
Tripwire is a classic example, as it does md5sums of critical files and you
run it against your machine looking for changes. However, I have come to
prefer OSSEC (http://ossec.net), which does md5summing in the background:

OSSEC HIDS Notification.
2011 Aug 25 07:25:59

Received From: (013hornet) 192.168.224.13->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/sudoers'
Size changed from '552' to '692'
Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
New md5sum is : '377364efbaefe7138d3fe4081d98b592'
Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'

but also watches your logs for events:
OSSEC HIDS Notification.
2011 Aug 25 06:43:57

Received From: (056worf) 192.168.224.56->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Aug 25 06:43:56 worf su[9338]: + ??? root:nobody

Having said all of that, if you suspect your machine was compromised (the
failed logins messages in the logs only indicate that you had some failed
attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec,
run nmap or nessus on it and put it back in service.

Regards,
--b

> what are the steps I need to take to secure it?
> Kind regards,
> Yudi
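The HIDS approach in the reply above (Tripwire, OSSEC syscheck) comes down to recording a checksum and the metadata of each critical file and later comparing. The script below is an added example, not code from the reply or from either project, that does the same thing in a minimal form: it snapshots size, permission bits, owner and SHA-256 of a watched list, stores the baseline as JSON, and reports changed, added and removed files. The `WATCHED_DEFAULT` list is an assumed choice of files, and `demo()` works entirely in a temporary directory with constructed copies of `sudoers`, `passwd` and `shadow`, tampering with them the way the OSSEC alert in the reply shows (`/etc/sudoers` grown and modified).

```python
import hashlib
import json
import os
import stat
import tempfile

# Assumed watch list; real deployments cover far more (binaries, libraries, cron).
WATCHED_DEFAULT = ["/etc/passwd", "/etc/shadow", "/etc/sudoers",
                   "/etc/ssh/sshd_config", "/etc/crontab"]


def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Size, permission bits, owner and digest of every regular file in `paths`.
    Missing paths are skipped so a later run can report them as removed."""
    snap = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        snap[p] = {
            "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "sha256": file_digest(p),
        }
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots: changed attributes per file, plus added/removed files."""
    changed = {}
    for p, new in current.items():
        old = baseline.get(p)
        if old is None:
            continue
        diff = {k: (old.get(k), v) for k, v in new.items() if old.get(k) != v}
        if diff:
            changed[p] = diff
    return {
        "changed": changed,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed walk-through in a temp dir: baseline, tamper, compare."""
    with tempfile.TemporaryDirectory() as d:
        sudoers, passwd, shadow = (os.path.join(d, n) for n in ("sudoers", "passwd", "shadow"))
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        os.chmod(sudoers, 0o640)
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        watched = [sudoers, passwd, shadow]          # shadow does not exist yet
        baseline_file = os.path.join(d, "baseline.json")
        save_baseline(snapshot(watched), baseline_file)
        # Tamper: add a NOPASSWD sudo rule, loosen permissions, delete one file, add another.
        with open(sudoers, "a") as f:
            f.write("nobody ALL=(ALL) NOPASSWD: ALL\n")
        os.chmod(sudoers, 0o644)
        os.remove(passwd)
        with open(shadow, "w") as f:
            f.write("root:!:0:0:99999:7:::\n")
        return compare(load_baseline(baseline_file), snapshot(watched))


if __name__ == "__main__":
    result = demo()
    for p, diff in result["changed"].items():
        print(f"Integrity changed for: {p}")
        for k, (old, new) in diff.items():
            print(f"  {k}: {old} -> {new}")
    print("added:", result["added"])
    print("removed:", result["removed"])
```

To use it on a real host, run `save_baseline(snapshot(WATCHED_DEFAULT), path)` once from a known-good state and `compare(load_baseline(path), snapshot(WATCHED_DEFAULT))` from cron. The baseline itself must live where an intruder with root cannot rewrite it (read-only media or another host); a checker whose baseline sits on the monitored disk only catches attackers who do not know it is there.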









Archive: http://lists.debian.org/CAKmZw+asW+...5duDk-n0u+