From: EL CiD (elcid@pinolero.net)
Date: Fri Mar 09 2001 - 09:16:40 PST
Hi there. Thanks for the reply. Actually it's an external DNS server. I
recently patched it from an earlier version of BIND. I am new to this game,
and I am trying to learn as much as possible. I have my port 21 behind a
firewall, and I am debating whether BIND should be behind a firewall, even
though it's an external DNS server. Got a little question for you guys. I
know you can have "SOME" protection by disabling certain ICMP attacks such
as PING commands to your web/mail/dns server. I just don't have the details
on how to implement such a thing. Also, is it a good idea to do so? The other
little question ("promise!") is: since PMfirewall is catching and denying
hackers' attacks on port 111, does no further groundwork need to be done? I
mean, should I enter a command under the pmfirewall.rules.local file to DENY
ALL access to that port? I really can't see how that will help further.
Thanks
----- Original Message -----
From: "Johannes B. Ullrich" <euclidian@euclidian.com>
To: <pmfirewall@pointman.org>
Sent: Friday, March 09, 2001 5:00 AM
Subject: RE: [pmfirewall] Help... Could someone here give me some security
tips?
>
> Port 111 should (and can be) closed on a system. It is only used for
> remote access to system stats. Some network management systems may use
> it, but for a home system, this port is not used. (Actually, I think
> ISPs could just block that port.)
>
> Port 111 is one of the most scanned-for ports these days. The recently
> released Linux "Ramen" worm takes advantage of it. Many Linux distros
> are vulnerable (e.g. RedHat 7, unless you patch it). 111, together
> with others like 53 (BIND) and 21 (wu-ftp), are regulars on Dshield.org's
> top 10 list of most scanned ports.
> See: http://www.dshield.org/topports.php
>
> For your other questions: NFS - Network File System. Similar to Windows
> file sharing as it allows you to mount remote drives. Similar to Windows
> file sharing in other ways as it is not very secure. I don't think 111
> is related to NFS.
>
> BTW: you mention that you run BIND. At least you got the latest
> version. But if you use it for internal use only (caching name server),
> you can block port 53 for external access as well. May need a bit
> of tinkering to get it right so BIND can still query other name servers.
>
>
> On Thu, 8 Mar 2001, Yader Wong wrote:
>
> > Now the question is.. Can I safely and completely close this port 111
> > altogether? I am running Bind 8.2.3 and Postfix. As far as I am
> > concerned, port 111 should not have anything to do with bind port 53
> > and postfix port 25/110 - pop3/smtp. Please forgive my ignorance on this
> > subject, I am a novice linux user/admin, but what does NFS do? Since
> > port 111 seems to be related in some ways with NFS services.
> >
> >
> >
> >
> > -----Original Message-----
> > From: owner-pmfirewall@pointman.org
> > [mailto:owner-pmfirewall@pointman.org]On Behalf Of Geoffrey Sadler
> > Sent: Thursday, March 08, 2001 7:59 PM
> > To: pmfirewall@pointman.org
> > Subject: RE: [pmfirewall] Help... Could someone here give me some
> > security tips?
> >
> >
> > 111 is a commonly exploited port. Just to let you guys know: unless a
> > person actually penetrates your system, an ISP in the US cannot do diddly
> > otherwise. So, when you get a deny it is a good thing and you really
> > shouldn't worry about it unless you have other services running.
> >
> > -----Original Message-----
> > From: owner-pmfirewall@pointman.org
> > [mailto:owner-pmfirewall@pointman.org]On Behalf Of Doug Holtz
> > Sent: Thursday, March 08, 2001 9:20 PM
> > To: pmfirewall@pointman.org
> > Subject: Re: [pmfirewall] Help... Could someone here give me some
> > security tips?
> >
> >
> > I have someone at my port 111 also. From inside my roadrunner address
> > scheme. I'm also getting some messages about xinetd errors when someone
> > else from an unknown IP address tried access.
> > I looked at robertgraham's page; what does this group think this is?
> >
> > Thanks
> > ----- Original Message -----
> > From: Steve Kaiser <skaiser@larsonwi.com>
> > To: <pmfirewall@pointman.org>
> > Sent: Thursday, March 08, 2001 2:01 PM
> > Subject: Re: [pmfirewall] Help... Could someone here give me some
> > security tips?
> >
> >
> > > Someone is trying to connect to your SunRPC portmap port, often the
> > > first step in scanning a system. See
> > >
> > > http://www.robertgraham.com/pubs/firewall-seen.html#1.1
> > >
> > > Geoffrey Sadler wrote:
> > >
> > > > It is trying to connect to your port 111. You got it backwards.
> > > >
> > > > -----Original Message-----
> > > > From: owner-pmfirewall@pointman.org
> > > > [mailto:owner-pmfirewall@pointman.org]On Behalf Of EL CiD
> > > > Sent: Thursday, March 08, 2001 11:45 AM
> > > > To: pmfirewall@pointman.org
> > > > Subject: [pmfirewall] Help... Could someone here give me
> > > > some security tips?
> > > >
> > > > Reading my log files.. I found the following Mar 7 16:57:21
> > > > pinolero kernel: Packet log: input DENY eth0 PROTO=6
> > > > 216.221.215.98:1762 65.180.26.26:111 L=60 S=0x00 I=11257
> > > > F=0x4000 T=51 SYN (#50) From what I can understand, this
> > > > IP 216.221.215.98 tried to connect to port 1762. Does
> > > > anyone here know what port 1762 does? Also, I did a Whois
> > > > on this IP, and this is the info I got. Pinging
> > > > dns.openvenue.net [216.221.215.98] with 32 bytes of
> > > > data: So it's a DNS server.... I do run my own dns server,
> > > > but why in hell would another DNS server try to contact
> > > > mine at port 1762?? Please, any info will be appreciated
> > > >
> > >
> > >
> >
> > > ****************************************************************************
> > > * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> > > * in the message body to majordomo@pointman.org. Please direct other
> > > * questions, comments, or problems to pmfirewall-owner@pointman.org.
> > > *
> > > * Need answers fast? Check the list archive located at:
> > > * http://www.pointman.org/PMFirewall/list-archive/
> > > *
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:40:31 PDT
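
The packet-log line quoted in the thread follows the ipchains layout of source `ip:port` first and destination `ip:port` second, which is the point the replies make about port 111. The parser below is an added example, not part of the original messages; the service labels are the ones the posters use in the thread, and the function names are illustrative.

```python
import re

# ipchains "Packet log" layout: chain, target, interface, protocol number,
# source ip:port, destination ip:port, then L= S= I= F= T= fields,
# an optional SYN flag and the number of the rule that matched.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
# Ports named in the thread, labelled as the posters describe them.
SERVICES = {21: "ftp", 25: "smtp", 53: "dns (BIND)", 110: "pop3",
            111: "sunrpc portmap"}

def parse_packet_log(line):
    """Return the fields of one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    for key in ("proto", "src_port", "dst_port", "length", "ip_id", "ttl", "rule"):
        f[key] = int(f[key])
    f["syn"] = f["syn"] is not None
    f["proto_name"] = PROTOCOLS.get(f["proto"], str(f["proto"]))
    f["service"] = SERVICES.get(f["dst_port"], "unknown")
    return f

def describe(line):
    """One-sentence reading of a log line: who sent what to which local port."""
    f = parse_packet_log(line)
    if f is None:
        return "not an ipchains packet log line"
    kind = "connection attempt (SYN)" if f["syn"] else "packet"
    return (f"{f['target']} {f['proto_name']} {kind} from {f['src_ip']} "
            f"(source port {f['src_port']}) to local port {f['dst_port']} "
            f"[{f['service']}] on {f['iface']}, rule #{f['rule']}")

# The log line quoted in the thread, joined onto one line.
SAMPLE = ("Mar 7 16:57:21 pinolero kernel: Packet log: input DENY eth0 PROTO=6 "
          "216.221.215.98:1762 65.180.26.26:111 L=60 S=0x00 I=11257 "
          "F=0x4000 T=51 SYN (#50)")

if __name__ == "__main__":
    print(describe(SAMPLE))
```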