How secure am I?

Status
Not open for further replies.

fenris (Programmer, CA)
May 20, 1999

I recently got my linux box (mandrake 7.0) up and running. I got the pppoe working with my DSL provider (sympatico in canada if anyone has questions on the setup). I am not quite sure what happened with the firewall, but it was set up pretty good(?) by one of the tools included with mandrake. IP Masq was also set up in the process. I went to [link] and similar sites to test the fortitude of my firewall. [link] reported that I was very secure as did the other sites. I also ran the test on the sites from my internal machines and the reports came back the same. I am wondering if I should believe them or not. Where would I find the IPchains configuration file? I looked where some of the documentation suggested, but I could not find anything resembling the files.

BTW, I also ran nmap in its default mode on the box's internal and external addresses, both before and after the firewall was set up. I must say the only thing that it detected was port 139 (samba share); it didn't say whether it could access the port or not.

I thought the firewall was pretty secure, but I was on IRC last night and an ominous message was left for me. I don't remember the exact message. But since the box seemed like it was under an unusual processing load I cut the connection to the internet and examined the running processes. I didn't find anything out of the ordinary. So I examined the log files (I am not sure if they are set up properly or are even logging the right things?) and couldn't find anything out of the ordinary. So I shut the system down for the evening and will tackle it again after work. What should I be logging and how do I make sure that it is working?

Troy
fenris@hotmail.com
 
What was the ominous message? What has probably happened is that someone has got your IP address from IRC and then started scanning your server. When you say the server seemed to be under an unusual load, how did that manifest itself? If the disk was thrashing a lot, then it may have been someone scanning your ports, and your firewall logging the fact. Any log files in /var/log showing a sudden increase in size?

One note of caution, though: if you want to drastically decrease the chances of your computer getting scanned or attacked, stop using IRC. It's the main hangout of every script kiddy who ever got his hands on the URL to a root kit, who thinks that they are the next Keanu Reeves. The IP address of other users is ridiculously easy to find out, and that's usually where they start. </end public paranoia warning> ;^)

I wouldn't worry about things too much though. Before you get back online, make sure "top" is installed. Then, the next time your system seems to be under excess strain, run "top" and see what appears at the top of the list.

--
Just my two bits
 
Thanks for the advice. I realize that IRC is where the script kiddies lie, that's why I went there. I wanted to see if I was secure.

I should have described what I meant when I said the system was under an unusual load. X was being very sluggish and unresponsive. The disk was thrashing quite a bit more than usual. As far as the logs go, I don't think I have the logging set up properly. Here's what happened: I had been playing around with my firewall (testing it and such). I decided to test the firewall out on irc; I figured with it set to deny, and not reject, that it would pique someone's interest into scanning me. So I left my machine logged into IRC and went to have a game of miniputt :) When I came back (about an hour later) I could hear a lot of disk activity coming from the machine. I turned on the monitor and I noticed that someone messaged me with the simple message "HAHAHAHAHAHAHAHAHAHA....". At that point I su'd to root and disconnected the adsl. I proceeded to investigate the logs; that is where I am having trouble. I don't know which logs to check and what to look for.

BTW, what does "top" do?

Troy
fenris@hotmail.com
 
The firewall should be logging via syslog to a file in /var/log, I believe. That's where I would start my investigations.

"top" is an excellent little utility that prints a constantly refreshing display of current processes, and other details about your Linux, to the terminal. By default, it is sorted in descending order of CPU usage, but you can order by memory used, CPU time used, etc. It's an excellent tool for quickly identifying CPU hogs.

--
Just my two bits
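Andy points at the syslog file in /var/log as the place to start. As an added example (not from the thread), here is a small POSIX shell script that reads ipchains "Packet log:" lines in the format the kernel writes to syslog and summarises denied packets per source, so one host sweeping many ports stands out from a single stray packet; the log lines are constructed samples and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: pick port scans out of the ipchains
# "Packet log:" lines the kernel sends to syslog (usually /var/log/messages,
# depending on /etc/syslog.conf).

# Constructed sample syslog lines in the ipchains log format. 203.0.113.9
# probes three ports; 198.51.100.7 sends one stray packet and one accepted SYN.
write_sample_log() {
    cat > "$1" <<'EOF'
May 21 01:12:03 box kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4321 192.0.2.10:21 L=60 S=0x00 I=101 F=0x4000 T=64 SYN (#5)
May 21 01:12:03 box kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4322 192.0.2.10:23 L=60 S=0x00 I=102 F=0x4000 T=64 SYN (#5)
May 21 01:12:04 box kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4323 192.0.2.10:139 L=60 S=0x00 I=103 F=0x4000 T=64 SYN (#5)
May 21 01:12:09 box kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:1025 192.0.2.10:139 L=60 S=0x00 I=104 F=0x4000 T=64 SYN (#5)
May 21 01:12:10 box kernel: Packet log: input ACCEPT ppp0 PROTO=6 198.51.100.7:1026 192.0.2.10:22 L=60 S=0x00 I=105 F=0x4000 T=64 SYN (#2)
EOF
}

# Print "denied_packets distinct_ports source" per source, busiest first.
scan_summary() {
    grep 'Packet log: .* DENY ' "$1" | awk '
        {
            # after "log:" come chain, target, interface, PROTO=n, src:port, dst:port
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            src = $(i + 5); sub(/:[0-9]+$/, "", src)
            port = $(i + 6); sub(/^.*:/, "", port)
            hits[src]++
            if (!seen[src, port]++) ports[src]++
        }
        END { for (s in hits) printf "%d %d %s\n", hits[s], ports[s], s }' |
    sort -rn
}

# Sources that touched at least $2 distinct ports: one host sweeping many
# ports is the signature of a scan rather than a stray packet.
flag_scanners() {
    scan_summary "$1" | awk -v min="$2" '$2 >= min { print $3 }'
}

log=$(mktemp)
write_sample_log "$log"
scan_summary "$log"
echo "likely scanners (2+ ports):"
flag_scanners "$log" 2
rm -f "$log"
```

Point scan_summary at the real file your syslog.conf sends kernel messages to; a source with a high distinct-port count is the scan Andy describes, and a sudden jump in that file's size is the disk thrashing.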
 
RootPrompt put up a link to [link] this morning. The article talks about setting up PortSentry, a utility that will monitor attempts to access your server's TCP/IP ports. Thought it might be of interest.

--
Just my two bits
 
Andy, thank you very much for your input. I tried the top program last night. It looks like it will be very useful.

Might I ask you another question: when/if you identify a memory hog, what steps do you take? Do you just kill the process or is there something else that can be done? Also, would you know any sites on the internet that would explain the significance of the file system in unix/linux? What I am looking for is something that would explain where and why certain files are located where they are, for example /etc/rc.d. To me that is a rather cryptic directory with some important scripts.

Thanks...
P.S. Now that my linux box is up and running, I am almost tempted to get rid of my windows box ;)

Regards,

Troy Williams B.Eng.
fenris@hotmail.com
 
Some processes are going to be memory hogs, and there is not a lot you can do about it :-( If you are running X, for example, you will probably find that it is at the top of the memory use list...

If you decide that you don't need to be running a particular memory hog, the best thing to do is to identify how it is started by the system, and then disable it. This might mean editing /etc/inetd.conf, or it might mean removing a script from one of the /etc/rc.d directories, followed by a reboot of your box.

As to an explanation of the filesystem hierarchy, a good place to start is [link], the home page of the Filesystem Hierarchy Standard. Most major Linux distros, including Debian, Red Hat, Caldera, SuSE, and derivatives of these, implement this standard.

Unfortunately, it doesn't explain anything about the /etc/rc.d directory that is puzzling you, so I'll try and summarise a little here.

The /etc/rc.d directory contains files, or sub-directories that contain files, that are run whenever you change the run-level of your Unix/Linux box. This applies when you start up and shut down your Linux box as well, as you are changing the run-level of the server from 0 (off) to 2 (multi-user), 3 (multi-user with networking), or 5 (multi-user with networking and X), or vice-versa.

One way of changing run-levels is to run the "init" command followed by a run-level. For example, "init 1" will change you to single user mode.

Which scripts are run? If you are moving into a run-level from a lower run-level, then scripts starting with "S" are executed and are passed a parameter of "start". If coming down into a run level from a higher run level, then scripts starting with "K" are run, with a parameter of "stop".

This explains why, for example, "Kxxsendmail" and "Sxxsendmail" may look like the same script. It's because they are the same script. However, the script checks the argument it's been passed and acts accordingly. It's done this way so that all of your service start and stop information is in the same place. The master copy of each script is usually kept in /etc/rc.d/init.d and then linked to the various rc?.d directories.

When you get into the nitty gritty of the scripts themselves, they are as simple or as complex as the creator of your Linux distribution wants to make them... At this level, you would need to have a dig around the actual scripts to try and figure out what is going on. If you have any specific questions, post back here and we'll see what we can do to answer :)

--
Just my two bits
 
I forgot to say: don't burn that Windows box just yet, you might need something to play games on at some point ;^)

--
Just my two bits
 
Andy, thank you for the link and the description of the rc.d directory. Now I know why there were copies of scripts with different numbers; it makes sense now. Thank you for your help, I appreciate it.

As far as windows goes, I also need something to watch those asf files ;-)....

Troy Williams B.Eng.
fenris@hotmail.com
 
No problem, Troy. Glad to be of help :)

I just realised that I didn't mention the significance of the numbers in the rc file names. Just in case you haven't worked it out yourself, the numbers order the files into the right sequence. This means, for example, that the Ethernet card is brought up before the web server is started.

I just thought of another use for a Windows box: the colour of BSOD matches the decor in my home "server room" quite nicely. ;^)

--
Just my two bits
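To make the S/K link mechanism from Andy's rc.d explanation and the numeric ordering from his follow-up concrete, here is an added example (not from the thread, nor any distribution's own rc scripts) that builds a throwaway rc.d tree in a temp directory and walks it the way a SysV rc does; the service names and numbers are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a miniature SysV rc run built in a
# temp directory, showing why Kxxfoo and Sxxfoo are links to one init.d
# script that branches on "start"/"stop", and why the numbers fix the order.

# Throwaway /etc/rc.d layout: init.d holds the real scripts, rc3.d holds the
# S/K links into it. Service names and numbers are made up for the demo.
make_demo_rc() {
    root=$1
    mkdir -p "$root/init.d" "$root/rc3.d"
    for svc in network httpd sendmail; do
        cat > "$root/init.d/$svc" <<'EOF'
#!/bin/sh
# One script serves both links; it only looks at its argument.
name=$(basename "$0" | sed 's/^[SK][0-9]*//')   # S10network -> network
case "$1" in
    start) echo "starting $name" ;;
    stop)  echo "stopping $name" ;;
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
EOF
        chmod +x "$root/init.d/$svc"
    done
    # In run-level 3 the card comes up (S10) before the web server (S80),
    # and sendmail is stopped (K20).
    ln -s ../init.d/network  "$root/rc3.d/S10network"
    ln -s ../init.d/httpd    "$root/rc3.d/S80httpd"
    ln -s ../init.d/sendmail "$root/rc3.d/K20sendmail"
}

# What rc does on entering a run-level: every K link with "stop", then
# every S link with "start", each set in the numeric order the names impose
# (the shell glob expands them sorted).
enter_runlevel() {
    dir=$1
    for link in "$dir"/K*; do [ -x "$link" ] && "$link" stop; done
    for link in "$dir"/S*; do [ -x "$link" ] && "$link" start; done
}

demo=$(mktemp -d)
make_demo_rc "$demo"
enter_runlevel "$demo/rc3.d"
rm -rf "$demo"
```

Disabling a service the way Andy suggests is then just removing (or renaming) its S link in the rc?.d directory for the run-level you boot into, leaving the master script in init.d untouched.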
 
'colour of BSOD matches the decor in my home "server room"' -- that is *very* sad Andy...

Mike
michael.j.lacey@ntlworld.com
Cargill's Corporate Web Site
 