Koozali.org: home of the SME Server

Killing Unnecessary Services (FTP,Qmail) (Hackers)

Mike

Killing Unnecessary Services (FTP,Qmail) (Hackers)
« on: February 02, 2000, 11:59:39 PM »
I have discovered recently that my e-smith server for some reason is popular for hackers and the likes to try to gain access. While going through the /var/log/secure and other logs, I have noticed a lot of attempts to gain entry via the FTP server, the qmail server, telnet and a few others. Here are a few examples:

Jan 17 19:46:18 bart proftpd[2576]: ANONYMOUS FTP login as 'anonymous' from ustc.merc.iastate.edu [129.186.204.13] to xxx.xxx.xxx.xxx:21
Jan 17 02:18:31 bart qmail-popup[2241]: refused connect from 210.55.25.10
Jan 17 02:18:37 bart in.proftpd[2242]: connect from 210.55.25.10
Jan 17 19:46:30 bart qmail-popup[2577]: refused connect from 129.186.204.13
Jan 17 19:45:57 bart in.proftpd[2575]: connect from 129.186.204.13
Jan 17 19:46:13 bart in.proftpd[2576]: connect from 129.186.204.13  
Jan 23 16:10:41 bart in.identd[1545]: connect from 199.2.106.1
Jan 23 16:58:38 bart in.identd[1556]: connect from 204.143.229.115
Jan 23 17:04:06 bart in.identd[1562]: connect from 204.143.229.115
Jan 23 17:05:44 bart in.identd[1563]: connect from 204.143.229.115
Jan 23 17:51:52 bart in.identd[1576]: connect from 204.143.229.115
Jan 23 17:53:32 bart in.identd[1577]: connect from 204.143.229.115
Jan 23 17:53:38 bart in.identd[1578]: connect from 204.143.229.115
Jan 23 18:22:04 bart in.identd[1589]: connect from 204.143.229.115
Jan 23 19:09:14 bart in.identd[1602]: connect from 209.81.8.247
Jan 23 19:09:14 bart in.identd[1603]: connect from 209.81.8.247
Jan 23 19:09:14 bart in.identd[1604]: connect from 209.81.8.247
Jan 23 19:09:14 bart in.identd[1605]: connect from 209.81.8.247
Jan 23 20:56:15 bart in.identd[1635]: connect from 204.143.229.115
Jan 29 09:02:28 bart in.proftpd[2306]: connect from 210.183.214.13
Feb  1 16:49:37 bart in.identd[1724]: connect from 146.50.3.20
Feb  2 08:57:54 bart qmail-smtpd[2596]: connect from cable4-001.xxx.net
Feb  2 11:48:30 bart in.identd[2669]: connect from 199.2.106.1
Feb  2 12:05:37 bart in.identd[2677]: connect from 198.88.120.2
Feb  2 12:05:42 bart in.identd[2678]: connect from 198.88.120.2
Feb  2 12:05:48 bart in.identd[2679]: connect from 198.88.120.2

This is just a small sample of the logs. As you can see, I am receiving more access attempts than what I am comfortable with. What concerned me most is that a user somehow managed to log in via 'anonymous' FTP, which I thought was not possible except from within the e-smith LAN.

How do I completely disable these services in order to tighten up security? The e-smith server is only acting as an ipchains gateway and all other services besides internal Telnet are not used. I would like to retain access to the web based admin, so killing apache, at least the intranet access, is not an option. Any help would be most appreciated.

Thanks In Advance

Mike

Charlie Brady

RE: Killing Unnecessary Services (FTP,Qmail) (Hacke
« Reply #1 on: February 03, 2000, 01:23:20 AM »
Mike wrote:

> I have discovered recently that my e-smith server for some reason
> is popular for hackers and the likes to try to gain access. While going
> through the /var/log/secure and other logs, I have noticed a lot of
> attempts to gain entry via the FTP server, the qmail server, telnet
> and a  few others. here are a few examples
...
> This is just a small sample of the logs, as you can see, I am receiving
> more access attempts
> than what I am comfortable with. What concerned me most is that
> a user somehow managed to log in via 'anonymous' FTP, which I
> thought was not possible except from within  the e-smith LAN.

As far as I can tell from the logs your e-smith server is working normally.

The e-smith server ships with an FTP server which allows anonymous FTP access from the Internet.

You haven't shown any telnet connections, and the only POP accesses were refused connection.

The identd daemon connections may be probes, but they are also expected when you connect to SMTP mail transport agents - so the log entries may indicate outgoing mail.

The qmail-smtpd connection looks like a probe, but there are no known vulnerabilities in the qmail mail daemon.

You can disable all of these services very easily by shutting down the inetd daemon. If you want to do something less drastic you will need to reconfigure inetd. Consult inetd documentation and the e-smith customisation documentation at http://www.e-smith.org/

If you want to disable external HTTP access you will need to change either the access lists or the bind address. Documentation for apache can be found at www.apache.org.

Feel free to email me if you want to discuss this further.

Regards

Charlie
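Before reconfiguring inetd as Charlie suggests, it helps to know which daemons in the /var/log/secure excerpt actually accepted outside connections and which were only refused. The following parser is an added example, not code from the thread or from e-smith; it assumes the syslog layout shown in Mike's post, with tcp_wrappers-style "connect from" / "refused connect from" messages logged under each daemon's name, and uses a constructed sample in that format.

```python
import re
from collections import Counter

# Constructed sample, same layout as the /var/log/secure excerpt in the thread
SAMPLE_LOG = """\
Jan 17 02:18:31 bart qmail-popup[2241]: refused connect from 210.55.25.10
Jan 17 02:18:37 bart in.proftpd[2242]: connect from 210.55.25.10
Jan 17 19:46:13 bart in.proftpd[2576]: connect from 129.186.204.13
Jan 17 19:46:18 bart proftpd[2576]: ANONYMOUS FTP login as 'anonymous' from ustc.merc.iastate.edu [129.186.204.13] to xxx.xxx.xxx.xxx:21
Jan 23 16:58:38 bart in.identd[1556]: connect from 204.143.229.115
Jan 23 17:04:06 bart in.identd[1562]: connect from 204.143.229.115
Feb  2 08:57:54 bart qmail-smtpd[2596]: connect from cable4-001.xxx.net
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# tcp_wrappers-style messages logged under the daemon's name
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<src>\S+)$")
# proftpd's own anonymous-login record
ANON_RE = re.compile(r"ANONYMOUS FTP login as '(?P<user>[^']+)' from \S+ \[(?P<ip>[^\]]+)\]")


def summarize(log_text):
    """Count accepted/refused connections per (daemon, source); list anonymous FTP logins."""
    accepted, refused, anon = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog-style line; skip rather than guess
        prog, msg = m.group("prog"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            (refused if c.group("refused") else accepted)[(prog, c.group("src"))] += 1
            continue
        a = ANON_RE.search(msg)
        if a:
            anon.append((m.group("ts"), a.group("ip")))
    return {"accepted": accepted, "refused": refused, "anon_ftp": anon}


def services_hit(summary):
    """Daemons that accepted an external connection: the ones to review in inetd.conf."""
    return sorted({prog for prog, _ in summary["accepted"]})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("accepted:", dict(s["accepted"]))
    print("refused:", dict(s["refused"]))
    print("anonymous FTP logins:", s["anon_ftp"])
    print("services to review:", services_hit(s))
```

Daemons that only show "refused connect from" (qmail-popup above) are already blocked by the access rules and need no change; those listed by services_hit are the inetd entries to comment out or restrict.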