[Gllug] netstat -pan --inet

Jackson, Harry HJackson at colt-telecom.com
Fri Feb 8 10:49:07 UTC 2002


> -----Original Message-----
> From: John Edwards [mailto:john_ed at cornerstonelinux.co.uk]
> > 
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 192.168.10.1:139        0.0.0.0:*               LISTEN      2059/smbd
> > tcp        0      0 192.168.10.1:53         0.0.0.0:*               LISTEN      2244/pdnsd
> > tcp        0      0 192.168.10.1:22         0.0.0.0:*               LISTEN      2219/sshd
> > tcp        0      0 192.168.10.1:3128       0.0.0.0:*               LISTEN      2328/(squid)
> > tcp        0      0 192.168.10.1:22         192.168.10.2:1047       ESTABLISHED 1877/sshd
> > udp        0      0 192.168.10.1:137        0.0.0.0:*                           2056/nmbd
> > udp        0      0 0.0.0.0:137             0.0.0.0:*                           2056/nmbd
> > udp        0      0 192.168.10.1:138        0.0.0.0:*                           2056/nmbd
> > udp        0      0 0.0.0.0:138             0.0.0.0:*                           2056/nmbd
> 
> nmbd = Samba's NetBIOS naming daemon, which resolves the names for Windows
> file sharing. Needed on one machine on each subnet, preferably a Samba box.

I am running Samba as the fileserver for my MS box, which is still not
entirely configured properly, but it's almost there.


> 
> > udp        0      0 192.168.10.1:53         0.0.0.0:*                           2244/pdnsd
> 
> Some kind of DNS server. Useful.

I installed pdnsd to have a go at it. It is no longer on my system as I have
everything working without it. I intend to try bind at some point. I have no
need for bind but I want to set it up to say that I have set it up.

> 
> > udp        0      0 0.0.0.0:3130            0.0.0.0:*                           2328/(squid)
> 
> Squid web cache/proxy.

As I am using a dial-up, I decided to use Squid to see if performance
would improve, as I am most often on the same sites. I noticed a marked
improvement in surfability after I installed Squid and will always be using
it in the future. Does Junkbuster do caching?

> 
> > raw        0      0 0.0.0.0:1               0.0.0.0:*               7           2244/pdnsd
> 
> "TCP port service multiplexer", why?
> 
> > raw        0      0 0.0.0.0:6               0.0.0.0:*               7           256/scanlogd
> > raw        0      0 0.0.0.0:6               0.0.0.0:*               7           253/scandetd
> > raw        0      0 0.0.0.0:17              0.0.0.0:*               7           253/scandetd
> 
> Are these some kind of port scanning detection stuff you have installed?

After the talk at Gllug I decided I would have a look at Snort. I have got
two network cards in my RH/MS machine that I intend to use for checking
firewalls and generally playing with the Snort configuration, as it looks like a
bit of a tw@t to get right. When I scan my machine I get mail detailing from
where and when, which is nice, but I think this is part and parcel with Linux.


> 
> > I have built a firewall and now closed the various listeners; is tcp wrappers
> > next or chrooting stuff? I know this is not in the correct order but I
> > decided I would do the most interesting first.
> > 
> > Harry
> 
> TCP wrappers generally only affect things run from inetd, or which are
> compiled with it enabled (SSH can do this). This should not be used
> instead of proper firewall controls.
> 
> Candidates for chroot may include Squid and your DNS server, but I don't
> think Samba can be easily chrooted as it's a file server (nor can SSH).
> 
> ps. If you are looking for security hardening scripts, look at Bastille
> for RedHat, and Debian has something similar (in testing I think).

I have run Bastille on Debian and it did highlight some obvious clangers
that have now been taken care of.

I find security very interesting, hence my new-found vigour. If anyone
would like to have a look at what their system looks like from the internet,
go to www.grc.com and look for Shields Up. It does a scan on various ports on your
PC and shows you the results. I noticed that my SMTP port (25) was open last
night when my firewall was flushed, so I closed this and it found no open
ports. I then ran the firewall and it all came back as stealth, so I was
quite pleased with myself. I am still forwarding through my firewall, which
is unacceptable at the moment. I would like to get a proxy in place for all
my services to avoid forwarding through the server, but I think I am going to
require this due to my OU stuff.

Harry (with paranoid hat on)
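As an added example (not from the thread or from either poster), a small Python script that reads a `netstat -pan --inet` table in the format quoted above and reports which sockets can receive traffic and on which interfaces; the sample input is constructed to match the quoted layout. Note that for `raw` rows the number after the colon is the IP protocol (1 = ICMP, 6 = TCP, 17 = UDP), not a port.

```python
from collections import namedtuple

# Constructed sample modelled on the netstat -pan --inet output quoted in this thread
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.1:139        0.0.0.0:*               LISTEN      2059/smbd
tcp        0      0 192.168.10.1:22         192.168.10.2:1047       ESTABLISHED 1877/sshd
udp        0      0 192.168.10.1:137        0.0.0.0:*                           2056/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2056/nmbd
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           2328/(squid)
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           2244/pdnsd
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           256/scanlogd
"""

# For raw sockets the "port" column is the IP protocol number, not a TCP/UDP port
RAW_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
Sock = namedtuple("Sock", "proto addr port state pid prog")

def parse_netstat(text):
    """Parse the -pan --inet table; skips the header and any non-socket lines."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("tcp", "udp", "raw"):
            continue
        # udp rows have no State column, so a 6-field row means the state is blank
        state = f[5] if len(f) > 6 else ""
        addr, port = f[3].rsplit(":", 1)
        pid, prog = f[-1].split("/", 1)
        socks.append(Sock(f[0], addr, int(port), state, int(pid), prog))
    return socks

def exposure_report(socks):
    """Return (proto, port, program, note) for every socket that can receive traffic."""
    findings = []
    for s in socks:
        if s.proto == "tcp" and s.state != "LISTEN":
            continue  # an ESTABLISHED row is an ongoing session, not a listener
        if s.proto == "raw":
            note = f"raw socket for IP protocol {s.port} ({RAW_PROTO.get(s.port, 'unknown')})"
        elif s.addr == "0.0.0.0":
            note = "bound to all interfaces; reachable from every attached network"
        else:
            note = f"bound to {s.addr} only"
        findings.append((s.proto, s.port, s.prog, note))
    return findings

if __name__ == "__main__":
    for row in exposure_report(parse_netstat(SAMPLE)):
        print(row)
```

Running it against the real output of `netstat -pan --inet` (as root, so PID/Program name is filled in) gives the same inventory the thread walks through by hand: each listener, what owns it, and whether it is bound to one interface or to every interface.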




