Date: Fri, 16 Apr 1999 18:21:49 -0500 (EST)
From: Yasholomew Yashinski
To: Yashy-Hack
Subject: [yh] intro to ports and ipchains
Message-ID:

After a recent conversation on IRC, I thought it might be important to mention port scanning. Everyone should have a copy of nmap [1] on their box.

Your first step should be to open /etc/inetd.conf as root, and comment out EVERYTHING. (This means place a # at the beginning of EVERY line.) Then save that new file, and as root type:

# killall -HUP inetd

Now portscan yourself again:

# nmap localhost

and you should have NO ports open. If you do, kill whatever is running it. (A common one is port 515 (printer), where you would do

# killall -9 lpd

or whatever daemon is running that process.)

[ You can type $ ps aux to get a list of running processes ]

In case you are unaware, one of the most popular ways to get "cracked" is by having unnecessary ports open. Basically, keep everything closed unless you NEED it open. Even things such as telnetd have proven to be insecure (you should run sshd instead).

If you want to see what ports you have open, and don't have a good port scanner installed, I (along with the help of Dmitri) wrote a script for my IRC bot, which uses nmap to scan a user, and /msg him the results. Basically open your IRC client, do /server irc.yashy.com and once connected to the server, do /join #yashy-hack . You should see a bot named "Sekurity" there. You can now type !nmap on the channel and be patient (sek is only on a 33.6) as the bot will port scan you, and eventually /msg you the results. You should hope you have NOTHING open. If you see something open, and aren't sure what it is, you can do !faqs ports on the channel for a good URL. As I'm usually lurking in there, be patient and I can try to help you as well.

I just caught a list member with SEVENTEEN ports open! 8/

You will also want to learn ipchains (firewall) fairly quickly (provided you have it installed, and are using a new kernel).
As it depends on your setup, I will give you a basic idea of mine, and hopefully you can hack it to suit you:

(yashy@euphoria)(3/tty8)(06:13pm:04/16/99) ($:~): cat bin/fw-up
#!/bin/sh
# Masquerade everything being forwarded out eth0
# added [Sun Oct 24 10:55:03 EDT 1999]: replace with ppp0 if you're using ppp
ipchains -A forward -i eth0 -j MASQ
ipchains -I forward -p tcp -s 192.168.1.2 -j MASQ
# Drop anyone trying to get into private network
ipchains -P forward REJECT
# Firewall (basic version)
ipchains -A input -p TCP -d any/0 21 -j ACCEPT
ipchains -A input -p TCP -d any/0 22 -j ACCEPT
ipchains -A input -p TCP -d any/0 25 -j ACCEPT
ipchains -A input -p TCP -d any/0 80 -j ACCEPT
ipchains -A input -p TCP -d any/0 110 -j ACCEPT
ipchains -A input -p TCP -d any/0 111 -j REJECT
ipchains -A input -p TCP -d any/0 113 -j ACCEPT
ipchains -A input -p TCP -d any/0 119 -j REJECT
ipchains -A input -p TCP -d any/0 771 -j REJECT
ipchains -A input -p TCP -d any/0 774 -j REJECT
ipchains -A input -p TCP -d any/0 781 -j REJECT
ipchains -A input -p TCP -d any/0 6000 -l -j REJECT
(yashy@euphoria)(4/tty8)(06:13pm:04/16/99) ($:~):

I think it is fairly obvious what each does; you can read the man page, and the howto for further info. You can also replace REJECT with DENY should you prefer for the packets to get denied, instead of just dropped.

..Yashy

The only way tcsh "rocks" is when the rocks are attached to its feet in the deepest part of a very deep lake. (Linus Torvalds)

[1] Nmap http://www.insecure.org/nmap/ Where you can download the latest NMAP. You will also notice Stany's name there for help with the Solaris port (Congrats Stany) as well as the nmap script I wrote for eggdrop bots.

_______
Yashy-Hack http://yashy.com/~monarc/
to unsubscribe: echo unsubscribe | mail yashy-hack-request@yashy.com
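Added example, not code from the original post or its author: a small POSIX sh audit script for the two checks the post asks for, that nothing is left enabled in /etc/inetd.conf and that "nmap localhost" shows no open port you did not intend to keep. The inetd.conf and nmap output it reads are constructed samples, and the allow-list of ports it takes as arguments is a hypothetical parameter.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks the two things the post
# says to verify: inetd.conf fully commented out, and no unintended open ports in
# "nmap localhost". Both inputs below are constructed samples, not a real host.

SAMPLE_INETD='# /etc/inetd.conf (constructed sample: two services still enabled)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d'

SAMPLE_NMAP='Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
21      open        tcp        ftp
22      open        tcp        ssh
79      open        tcp        finger
515     open        tcp        printer
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second'

# Print the service name of every inetd.conf line that is NOT commented out.
# Reads stdin, so it works on a saved copy as well as on /etc/inetd.conf itself.
enabled_inetd_services() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }'
}

# Print the port number of every line nmap reports as "open". Handles both the
# old "21  open  tcp  ftp" layout and the newer "21/tcp  open  ftp" one.
open_ports() {
    awk '$2 == "open" { split($1, f, "/"); print f[1] }'
}

# Print open ports that are not in the allow-list given as arguments, e.g.
# "unexpected_open_ports 22 80" for a box that should only run sshd and httpd.
unexpected_open_ports() {
    allowed=" $* "
    open_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;                # intended, e.g. 22 for sshd
            *) printf '%s\n' "$port" ;;    # open but not on the allow-list
        esac
    done
}

# Stand-alone demo over the constructed samples, allowing only sshd (22).
echo "inetd services still enabled:"
printf '%s\n' "$SAMPLE_INETD" | enabled_inetd_services
echo "open ports not on the allow-list (22):"
printf '%s\n' "$SAMPLE_NMAP" | unexpected_open_ports 22
```

On a real box, replace the samples with `enabled_inetd_services < /etc/inetd.conf` and `nmap localhost | unexpected_open_ports 22`; an empty result from both is the "NOTHING open" state the post is after.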