question about services
Tyler Littlefield
tyler at tysdomain.com
Sun Nov 9 11:37:41 EST 2008
Hello,
I just found myself the victim of a rather entertaining DoS attack.
Apparently, someone thought it was amusing to spam postfix, and it flooded
syslog with nice connection limit messages. I noticed because my disk drive
was spinning and I didn't have any jobs scheduled; when I checked uptime it
was past 3.0 in all columns.
I just killed postfix, and then ran my iptables script--no idea why it
didn't do that to begin with, I thought iptables would run that on start.
Anyway, I'm interested in shutting down services that I don't need. I was
wondering if I needed portmap. Here's a readout of my lsof -i:
the moo, sshd, and apache services are cool--I've killed the portmap daemon
for now, I believe.
lsof -i
COMMAND   PID    USER    FD   TYPE DEVICE SIZE NODE NAME
apache2   2084   root     4u  IPv6   4960      TCP *:www (LISTEN)
moo       2571   vertigo  3u  IPv4   7906      TCP *:7777 (LISTEN)
moo       2571   vertigo  7u  IPv4   7905      TCP *:8888 (LISTEN)
moo       2571   vertigo  9u  IPv4  83432      TCP 97-118-25-229.hlrn.qwest.net:56380->97-118-25-229.hlrn.qwest.net:8888 (ESTABLISHED)
moo       2571   vertigo 11u  IPv4 113853      TCP 97-118-25-229.hlrn.qwest.net:8888->tds-portable:4778 (ESTABLISHED)
moo       2582   vertigo  7u  IPv4   7941      TCP *:8192 (LISTEN)
named     3027   bind    20u  IPv6  11973      TCP *:domain (LISTEN)
named     3027   bind    21u  IPv4  11976      TCP localhost:domain (LISTEN)
named     3027   bind    23u  IPv4  11981      TCP localhost:953 (LISTEN)
named     3027   bind    24u  IPv6  11982      TCP [::1]:953 (LISTEN)
named     3027   bind    25u  IPv4  85968      TCP 97-118-25-229.hlrn.qwest.net:domain (LISTEN)
named     3027   bind   512u  IPv6  11972      UDP *:domain
named     3027   bind   513u  IPv4  11975      UDP localhost:domain
named     3027   bind   515u  IPv4  11979      UDP *:39608
named     3027   bind   516u  IPv6  11980      UDP *:54817
named     3027   bind   517u  IPv4  85967      UDP 97-118-25-229.hlrn.qwest.net:domain
dhclient3 3645   root     5u  IPv4  16202      UDP *:bootpc
sshd      3666   root     3u  IPv6  16267      TCP *:ssh (LISTEN)
sshd      3666   root     4u  IPv4  16269      TCP *:ssh (LISTEN)
proftpd   3744   proftpd  1u  IPv6  16922      TCP *:ftp (LISTEN)
apache2   6942   www-data 4u  IPv6   4960      TCP *:www (LISTEN)
apache2   6943   www-data 4u  IPv6   4960      TCP *:www (LISTEN)
apache2   6944   www-data 4u  IPv6   4960      TCP *:www (LISTEN)
apache2   6945   www-data 4u  IPv6   4960      TCP *:www (LISTEN)
apache2   6946   www-data 4u  IPv6   4960      TCP *:www (LISTEN)
sshd      7677   root     3u  IPv4  83983      TCP 97-118-25-229.hlrn.qwest.net:ssh->tds-portable:4478 (ESTABLISHED)
sshd      7681   tyler    3u  IPv4  83983      TCP 97-118-25-229.hlrn.qwest.net:ssh->tds-portable:4478 (ESTABLISHED)
when I dpkg --purge portmap it tries to stop it and hangs.
I'm also purging xinetd for scripts that don't need to be running.
Besides that, I'm not sure what else I can do--here's the iptables script I
use, if more suggestions could be made:
#!/bin/sh
# netfilter rules are not persistent: this script has to be run at every boot
# (from an init script, or /etc/network/if-pre-up.d on Debian/Ubuntu).
echo iptables
echo configuring:
echo -=-=-=-=-=-=-=
echo flushing default rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
echo setting default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# With an INPUT policy of DROP, loopback must be allowed explicitly or local
# services break (named's rndc port 953, lookups against localhost:domain).
iptables -A INPUT -i lo -j ACCEPT
echo allowing for current connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Anti-spoofing: loopback source addresses must never arrive on eth0.
# The loopback network is 127.0.0.0/8, and jump targets are case-sensitive
# ("-j drop" fails to load).
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
echo initializing rules
iptables -A INPUT -p tcp -s 0/0 --destination-port 21 --syn -j ACCEPT
# Port 20 is the active-mode FTP data port; the server opens that connection
# outbound, so inbound SYNs to it are normally not needed.
iptables -A INPUT -p tcp -s 0/0 --destination-port 20 --syn -j ACCEPT
echo added ftp
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 --syn -j ACCEPT
echo added ssh
# smtp stays closed while postfix is down
#iptables -A INPUT -p tcp -s 0/0 --destination-port 25 --syn -j ACCEPT
#echo added smtp
iptables -A INPUT -p tcp -s 0/0 --destination-port 8888 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 7777 --syn -j ACCEPT
echo added vertigo
iptables -A INPUT -p tcp -s 0/0 --destination-port 8192 --syn -j ACCEPT
echo added valiant
iptables -A INPUT -p tcp -s 0/0 --destination-port 80 --syn -j ACCEPT
echo added http
iptables -A INPUT -p tcp -s 0/0 --destination-port 1241 --syn -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --destination-port 1241 -j ACCEPT
echo added nessus
echo configuring icmp
# Allow the reply/error types needed for outbound traffic to work, drop the rest.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 14 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 16 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 18 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
# Explicit catch-all drops; the INPUT policy is already DROP, so these mainly
# make the intent visible in "iptables -L -n -v" counters.
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
echo all done!
echo all done!
TIA,
Thanks,
Tyler Littlefield
email: tyler at tysdomain.com
web: tysdomain-com
Visit for quality software and web design.
skype: st8amnd2005
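Added example (not code from the post or the Speakup list): the question above is which listeners are actually needed, and the script only closes ports while it is loaded, which is the failure mode that let postfix get hammered. This Python audit parses lsof -i output and the ACCEPT rules of an iptables script and sorts every bound socket into "allowed" (a rule exists), "filtered" (reachable the moment the firewall is down, so a candidate to stop or bind to localhost) or "local_only". The lsof lines and firewall excerpt are constructed from the post, trimmed, with the hostnames replaced; the service-name table and the function names are my own assumptions.

```python
"""Cross-check bound sockets (lsof -i) against the ports an iptables script
explicitly accepts. Added example, not code from the original post."""
import re
import socket
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample: trimmed copy of the post's lsof -i output, wrapped
# lines rejoined, real hostnames replaced by "host"/"client".
LSOF_SAMPLE = """\
COMMAND   PID    USER    FD   TYPE DEVICE SIZE NODE NAME
apache2   2084   root     4u  IPv6   4960      TCP *:www (LISTEN)
moo       2571   vertigo  3u  IPv4   7906      TCP *:7777 (LISTEN)
moo       2571   vertigo  7u  IPv4   7905      TCP *:8888 (LISTEN)
moo       2582   vertigo  7u  IPv4   7941      TCP *:8192 (LISTEN)
named     3027   bind    20u  IPv6  11973      TCP *:domain (LISTEN)
named     3027   bind    21u  IPv4  11976      TCP localhost:domain (LISTEN)
named     3027   bind    23u  IPv4  11981      TCP localhost:953 (LISTEN)
named     3027   bind   512u  IPv6  11972      UDP *:domain
dhclient3 3645   root     5u  IPv4  16202      UDP *:bootpc
sshd      3666   root     3u  IPv6  16267      TCP *:ssh (LISTEN)
proftpd   3744   proftpd  1u  IPv6  16922      TCP *:ftp (LISTEN)
sshd      7677   root     3u  IPv4  83983      TCP host:ssh->client:4478 (ESTABLISHED)
"""

# Constructed sample: the ACCEPT rules from the posted script (smtp commented out).
FIREWALL_SAMPLE = """\
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 21 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 --syn -j ACCEPT
#iptables -A INPUT -p tcp -s 0/0 --destination-port 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 8888 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 7777 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 8192 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --destination-port 1241 -j ACCEPT
"""

# lsof prints names from /etc/services; this (assumed) table keeps the result
# deterministic, with getservbyname as the fallback for anything else.
SERVICE_PORTS = {"www": 80, "domain": 53, "ssh": 22, "ftp": 21, "ftp-data": 20,
                 "smtp": 25, "bootpc": 68, "sunrpc": 111}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

class Listener(NamedTuple):
    command: str
    proto: str
    host: str
    port: int
    state: str

def port_number(name: str, proto: str) -> int:
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name) or socket.getservbyname(name, proto.lower())

def parse_lsof(text: str) -> List[Listener]:
    """Bound sockets only; connected ones (a:p->b:q) are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "COMMAND":
            continue
        idx = next((i for i, t in enumerate(parts) if t in ("TCP", "UDP")), None)
        if idx is None or idx + 1 >= len(parts) or "->" in parts[idx + 1]:
            continue
        state = parts[idx + 2].strip("()") if len(parts) > idx + 2 else ""
        host, _, svc = parts[idx + 1].rpartition(":")   # handles [::1]:953 too
        out.append(Listener(parts[0], parts[idx], host, port_number(svc, parts[idx]), state))
    return out

_ACCEPT_RE = re.compile(r"-A\s+INPUT\b(?P<rest>.*?)-j\s+ACCEPT\b")

def parse_allowed_ports(script: str) -> Set[Tuple[str, int]]:
    """(PROTO, port) pairs explicitly accepted on INPUT; commented rules ignored."""
    allowed = set()
    for line in script.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else _ACCEPT_RE.search(line)
        if not m:
            continue
        proto = re.search(r"-p\s+(tcp|udp)\b", m.group("rest"))
        port = re.search(r"--(?:dport|destination-port)\s+(\d+)", m.group("rest"))
        if proto and port:
            allowed.add((proto.group(1).upper(), int(port.group(1))))
    return allowed

def audit(lsof_text: str, script: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """allowed: rule exists; filtered: only the firewall stands between the
    network and this listener; local_only: bound to loopback."""
    allowed = parse_allowed_ports(script)
    report = {"allowed": set(), "filtered": set(), "local_only": set()}
    for s in parse_lsof(lsof_text):
        if s.proto == "TCP" and s.state != "LISTEN":
            continue
        entry = (s.proto, s.port, s.command)
        bucket = ("local_only" if s.host in LOCAL_HOSTS
                  else "allowed" if (s.proto, s.port) in allowed else "filtered")
        report[bucket].add(entry)
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    for bucket, entries in audit(LSOF_SAMPLE, FIREWALL_SAMPLE).items():
        print(bucket, *[f"{p} {n} {c}" for p, n, c in entries], sep="\n  ")
```

On the sample, the "filtered" bucket is named on TCP and UDP 53 bound to all interfaces plus dhclient3's UDP 68: these are exactly the listeners that were wide open before the script was re-run. For a live host, feed it `lsof -i -n -P` output (the `-P` flag prints numeric ports and removes the service-name dependency) and the real script path.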