Linux Users' Group of Davis (LUGOD)
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Attempted access -- I think

On Thu, 14 Jun 2001, Cam Ellison wrote:

> jdnewmil@dcn.davis.ca.us wrote:
> > 
> > On Thu, 14 Jun 2001, Cam Ellison wrote:
> > 
> 
> > >
> > > I agree.  I am running dhcp, of course, but the client, not the server.
> > > Should I assume that someone has been messing around in my machine, and
> > > that the other host is trying to re-establish connection?
> > 
> > I don't think so. You haven't said anything about your network connection
> > arrangement... cable modem?  Some ISPs use private addresses for their
> > internal equipment, so in the widest possible picture it is possible that
> > the dhcp server is legitimate.  It could also be some newbie who installed
> > "everything" on a new Red Hat box, too.
> > 
> > It could be some cracker setting themself up to hand out dhcp leases so
> > they can intercept communications from dhcp clients in a
> > "man-in-the-middle" attack.  However, if you haven't been taking
> > precautions like ssh until now, I can't see what benefit that would offer
> > them over promiscuously monitoring your traffic.
> > 
> 
> As you said, it is weird.  What I have here is my linux box with a Samba
> server for my kids' machine, which my wife also uses, and netatalk for
> the Mac Powerbook I use for work.  Yes, I have a cable modem connection
> for which I use dhcp.  I have ssh set up, but have not been able to get
> the Mac set up in a way that allows me to connect, so I haven't.  I have
> proftpd running, but there's only one way in -- through my username and
> password.  I get regular hits on that, too, though only recently have I
> bothered to sic anyone on them.

ftp passes usernames and passwords in plaintext.  The only valid use of
ftp in an unsecured environment is anonymous access to public files.  If
they sniff you ftp'ing in, and your telnet or ssh ports are open to the
outside, they can then log in as you, from which position there are
numerous ways to obtain the root password.

If you really need external access to private files, use scp via ssh v2.

> 
> > 
> > These are service (port) names.  AFAIK netstat doesn't tell you process
> > names.
> > 
> > > netbios-dgm
> > > netbios-ns
> > 
> > Eeek! exposed Samba? are you blocking all tcp/udp ports 137-139 yet?
> > 
> Yeah.  I had not realized until I ran it that this was happening.  The
> Samba conf file is set up tightly -- encrypted passwords and no guests
> -- so I think it's been OK.  There is now a rule to deny all input
> through the cable (eth1) on those ports.
> 
> > > ntalk
> > > talk
> > > discard
> > > sunrpc
> > 
> I think I will leave sunrpc,

in your configuration I see no reason to.  It is like finger... a way for
outsiders to scope you out.

> but I have taken talk and talkd out.  I can
> find no reference to discard.  It is not in the locate db, and is not a
> Debian package.  Odd.  Does it ring any bells with you?

It is a basic "cat >/dev/null" service.  Probably not dangerous, but there
is no reason why it should be enabled either.

[...]

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
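The rogue-DHCP-server scenario raised above (a host on the cable segment handing out leases so that it becomes the client's gateway) can be checked for from the client side by inspecting who answers a DHCPDISCOVER. What follows is an added example, not code from the original post or from anyone in the thread: it parses DHCPOFFER packets (the BOOTP header plus the RFC 2132 option area), and flags any offer whose server identifier (option 54) or default gateway (option 3) differs from the expected values. The expected addresses 10.1.1.1 and 24.0.0.1, the rogue address 192.168.0.99, the MAC address and the packet bytes are all constructed for the example; the `build_offer` helper exists only to produce that test input. Note that the legitimate server answering from a private address is exactly the case the thread says can be normal for an ISP, so the check is on the identity of the server, not on whether its address is private.

```python
"""Flag DHCPOFFERs from an unexpected server (added example, not from the thread).

Assumptions: the ISP's DHCP server identifier and default gateway are known
(the values used below are made up), and each packet is the UDP payload of a
DHCPOFFER as a client on the cable interface would receive it.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker that starts the option area
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2


def parse_options(data):
    """Walk the TLV option area into {code: value}, stopping at END."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(pkt):
    """Pull out the fields a client should sanity-check in a DHCPOFFER."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]                                   # hardware address length (6 for ethernet)
    xid = struct.unpack("!I", pkt[4:8])[0]
    opts = parse_options(pkt[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    dns = opts.get(OPT_DNS, b"")
    # Option 54 is the authoritative server identity; siaddr is only a fallback.
    server_id = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else IPv4Address(pkt[20:24])
    return {
        "xid": xid,
        "client_mac": pkt[28:28 + hlen].hex(":"),
        "offered_ip": IPv4Address(pkt[16:20]),      # yiaddr
        "server_id": server_id,
        "router": IPv4Address(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
        "dns": [IPv4Address(dns[j:j + 4]) for j in range(0, len(dns) - 3, 4)],
    }


def audit_offers(packets, expected_server, expected_router):
    """Return [(server_id, [reasons])] per offer; an empty reason list means it looked legitimate."""
    findings = []
    for pkt in packets:
        offer = parse_offer(pkt)
        reasons = []
        if offer["server_id"] != IPv4Address(expected_server):
            reasons.append("server identifier %s is not the expected %s" % (offer["server_id"], expected_server))
        if offer["router"] != IPv4Address(expected_router):
            reasons.append("default gateway %s is not the expected %s" % (offer["router"], expected_router))
        findings.append((str(offer["server_id"]), reasons))
    return findings


def build_offer(xid, mac, yiaddr, server_id, router, dns):
    """Construct a DHCPOFFER for testing; this is not a captured packet."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)             # op=BOOTREPLY, htype=ethernet
    hdr += bytes(4) + IPv4Address(yiaddr).packed + IPv4Address(server_id).packed + bytes(4)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10)             # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128) + MAGIC_COOKIE                       # sname, file, cookie
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    for code, addr in ((OPT_SERVER_ID, server_id), (OPT_ROUTER, router), (OPT_DNS, dns)):
        opts += bytes([code, 4]) + IPv4Address(addr).packed
    return hdr + opts + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed scenario: the ISP's server answers from a private address
    # (legitimate, as the thread notes), then a second host on the segment
    # answers naming itself as both server and gateway.
    legit = build_offer(0x1234, "00:a0:cc:11:22:33", "24.0.0.50", "10.1.1.1", "24.0.0.1", "24.0.0.2")
    rogue = build_offer(0x1234, "00:a0:cc:11:22:33", "24.0.0.50", "192.168.0.99", "192.168.0.99", "192.168.0.99")
    for server, reasons in audit_offers([legit, rogue], "10.1.1.1", "24.0.0.1"):
        print(server, "OK" if not reasons else "; ".join(reasons))
```

A DHCP client normally takes the first offer it hears, which is why the rogue's reply is dangerous even when the real server also answers; a check like this only tells you after the fact that something else is answering on your segment.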

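The point that ftp sends the username and password in the clear is easiest to believe when you see what a sniffer on the cable segment recovers. The following is an added example, not code from the original post: given captured TCP segments, it reassembles the client side of each control connection to port 21 and pulls out every USER/PASS pair, marking anonymous logins separately since those carry nothing worth protecting. The capture is a constructed list of segments, with made-up hosts, ports and credentials; the ssh flow is included to show that the same approach yields nothing once the session is encrypted.

```python
"""Recover FTP logins from sniffed traffic (added example, not from the thread).

Assumptions: the capture is a list of TCP segments as (src, sport, dst, dport,
payload) already in sequence order; the hosts, ports and credentials below are
constructed, not a real capture.
"""
from collections import defaultdict

FTP_CONTROL_PORT = 21


def client_streams(segments, port=FTP_CONTROL_PORT):
    """Concatenate client->server payloads per flow.  Arrival order stands in
    for TCP sequence-number reassembly, which a real sniffer has to do."""
    flows = defaultdict(bytearray)
    for src, sport, dst, dport, payload in segments:
        if dport == port:
            flows[(src, sport, dst, dport)] += payload
    return flows


def extract_ftp_logins(segments):
    """Return (client, server, user, password, anonymous) per USER/PASS pair.
    Control-connection commands are CRLF-terminated lines, so a line splitter
    is all the parsing needed."""
    logins = []
    for (src, _, dst, _), data in client_streams(segments).items():
        user = None
        for line in data.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            cmd = cmd.upper()
            if cmd == b"USER":
                user = arg.decode("latin-1")
            elif cmd == b"PASS" and user is not None:
                anonymous = user.lower() in ("anonymous", "ftp")
                logins.append((src, dst, user, arg.decode("latin-1"), anonymous))
                user = None            # a PASS without a preceding USER is not a login
    return logins


# Constructed capture: one real login, one anonymous login, and an ssh
# session to the same host whose payload the sniffer cannot read.
CAPTURE = [
    ("24.0.0.50", 1042, "24.0.0.7", 21, b"USER cam\r\n"),
    ("24.0.0.7", 21, "24.0.0.50", 1042, b"331 Password required for cam.\r\n"),
    ("24.0.0.50", 1042, "24.0.0.7", 21, b"PASS s3cret\r\n"),
    ("24.0.0.7", 21, "24.0.0.50", 1042, b"230 User cam logged in.\r\n"),
    ("24.0.0.51", 1043, "24.0.0.7", 21, b"USER anonymous\r\nPASS guest@\r\n"),
    ("24.0.0.50", 1044, "24.0.0.7", 22, b"SSH-2.0-OpenSSH_2.9p1\r\n"),
    ("24.0.0.50", 1044, "24.0.0.7", 22, bytes.fromhex("a1f03c77e9025b4d8c1e6690")),
]

if __name__ == "__main__":
    for client, server, user, password, anonymous in extract_ftp_logins(CAPTURE):
        flag = "  (anonymous)" if anonymous else ""
        print("%s -> %s  %s / %s%s" % (client, server, user, password, flag))
```

On a shared cable segment anyone running a sniffer sees the first pair above, and as the post says, that password then works against any telnet or ssh port the same host leaves open.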

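The netstat review in the thread (netbios, sunrpc, talk, discard all bound on a cable-connected box) is the kind of check worth scripting. The block below is an added example, not code from the original post: it parses `netstat -an` output from net-tools, keeps only TCP listeners and bound UDP sockets that are not loopback-only, names them from a small embedded subset of /etc/services, and emits one deny rule per exposed port on the cable interface. The sample netstat output is constructed, not from the poster's machine; the interface name eth1 comes from the thread, while the use of iptables (a 2.4 kernel; ipchains syntax differs) and the choice that only ssh should be reachable from outside are assumptions for the example. Because of that last choice ftp is flagged too, which matches the advice given above.

```python
"""Audit listening sockets against what should be reachable from the cable
interface and emit a deny rule per exposed port (added example, not from the
thread).

Assumptions: input is net-tools `netstat -an` text (constructed below), the
cable side is eth1 running iptables, and only ssh is meant to be public.
"""
import re

# Subset of /etc/services, enough to name the services the thread discusses.
SERVICES = {
    ("tcp", 9): "discard", ("udp", 9): "discard",
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 25): "smtp",
    ("tcp", 111): "sunrpc", ("udp", 111): "sunrpc",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm", ("tcp", 139): "netbios-ssn",
    ("udp", 517): "talk", ("udp", 518): "ntalk", ("tcp", 548): "afpovertcp",
}
ALLOWED_FROM_OUTSIDE = {("tcp", 22)}

# proto  recv-q  send-q  local:port  foreign  [state]
LINE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_output):
    """Return (proto, bind_addr, port) for every TCP listener and bound UDP socket."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # headers, unix sockets
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTEN":
            continue                     # established connections are not services
        found.append((proto, addr, port))
    return found


def exposed(sockets, allowed=ALLOWED_FROM_OUTSIDE):
    """Sockets bound to a non-loopback address that are not meant to be public."""
    out = set()
    for proto, addr, port in sockets:
        if addr.startswith("127."):
            continue                     # loopback only, unreachable from the cable
        if (proto, port) in allowed:
            continue
        out.add((proto, port, SERVICES.get((proto, port), "unknown")))
    return sorted(out)


def firewall_rules(exposed_sockets, iface="eth1"):
    """One iptables DROP on the cable interface per exposed port."""
    return ["iptables -A INPUT -i %s -p %s --dport %d -j DROP  # %s" % (iface, proto, port, name)
            for proto, port, name in exposed_sockets]


# Constructed `netstat -an` output resembling the box described in the thread.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 24.0.0.50:22            24.0.0.7:1044           ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:517             0.0.0.0:*
udp        0      0 0.0.0.0:518             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

if __name__ == "__main__":
    for rule in firewall_rules(exposed(listening_sockets(SAMPLE))):
        print(rule)
```

Dropping packets at the interface is the quick fix the thread settles on; for talk, discard and sunrpc the better answer, also given in the thread, is not to run them at all, since a service that is not listening needs no rule.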