LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] logwatch - should I be worried?

[ILUG] logwatch - should I be worried?

Niall O Broin niall at linux.ie
Sun Jul 17 16:23:09 IST 2005 

On 17 Jul 2005, at 15:32, Timothy Murphy wrote:

> On Sun 17 Jul 2005 13:25, Niall O Broin wrote:
>
>>> Most of these are targeted at ports 1026, 1027
>>> which I take to be some kind of ssh or ssl attack.
>>
>> No - Calendar Access Protocol and ExoSee respectively - grep for the
>> number in /etc/services. ExoSee is some kind of personal file sharing
>> system, and I presume there is some Microsoft vulnerability on certain
>> machines providing CAP access.
>
> Thanks for the correction.

Someone else pointed out different services which use these ports. The 
problem with ports over 1024 is that there isn't really any agreement 
about them, and what standards there are have evolved over time. What's 
important from your POV though is that packets from the outside world 
can't get to those ports on your LAN, no matter what is listening (or 
not).

>>> Is there any chance that this attack will succeed at some point?
>>
>> Yes, yes there is. All you need to do is
>> a) Have a Windows box inside your LAN running the vulnerable software.
>> b) Have your Shorewall box forwarding 1026 and 1027 to that Windows 
>> box.
>
> Well, as far as I can see, these packets are rejected as soon as they 
> arrive,
> so I don't think they could get to my grand-daughter's Windows machine.

That's because your Shorewall is wrongly configured - you have to tell 
it to forward those ports to your grand-daughter's Windows machine. Of 
course, you might NOT want to do that.

>> nmap  publicIP.of.your.firewall
>>
>> and check that all ports shown as open are intentionally open.
>
> Thanks for the suggestion.
> I've tried it out, and got quite a long list of ports:
> ===================================
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-07-17 
> 15:24 BST
> Interesting ports on 83-70-225-169.b-ras1.prp.dublin.eircom.net
> (83.70.225.169):
> (The 1020 ports scanned but not shown below are in state: closed)
> PORT      STATE    SERVICE
> 110/tcp   filtered pop3
> 143/tcp   filtered imap
> ...
> 65301/tcp filtered pcanywhere
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 62.307 
> seconds
> ===================================
>
> All of the ports say "filtered".
> Does that mean I'm safe?

Filtered is good - that means that a firewall (shorewall in your case, 
though sometimes ISPs filter certain ports before they get to your 
system - not sure if any Irish ISPs currently do though) is stopping 
nmap from determining if the ports are open or closed.



Niall

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell