Difference between revisions of "Security"
Latest revision as of 12:01, 30 June 2016
Bogus HTTP requests
Attackers can send bogus HTTP requests to make the server generate error pages, because the information those pages give about the server OS and web server version can be useful to them. The information given out by our server does not seem to be sufficiently reduced. It's not a good idea to broadcast the versions of the software you're running. While hiding them doesn't make your server any more secure, it may make you less of a target. See http://helpinlinux.com/apache-server-tokens/
- Open /etc/apache2/conf.d/security
- Change ServerTokens from OS to Prod.
- Set ServerSignature to Off.
- Restart the Apache web server.
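An added example, not part of the original page: a shell check that the two directives above are effectively hardened in a config file, plus a test of whether a response's Server header still carries a version. The function names and sample data are constructed for illustration; the defaults in the comments are Apache's documented ones.

```shell
#!/bin/sh
# Added example: audit Apache banner settings and the resulting header.

# effective DIRECTIVE DEFAULT: config text on stdin; the last uncommented
# occurrence wins, otherwise the default is reported.
effective() {
    awk -v d="$1" -v v="$2" '
        tolower($1) == tolower(d) { v = $2 }
        END { print tolower(v) }'
}

# audit_banner FILE: return 0 when both directives are hardened, else 1.
audit_banner() {
    tokens=$(effective ServerTokens Full < "$1")   # Apache default: Full
    sig=$(effective ServerSignature Off < "$1")    # Apache default: Off
    rc=0
    case $tokens in
        prod|productonly) ;;
        *) echo "ServerTokens is '$tokens', expected prod"; rc=1 ;;
    esac
    [ "$sig" = off ] || { echo "ServerSignature is '$sig', expected off"; rc=1; }
    return $rc
}

# header_leaks_version: response headers on stdin; return 0 if the Server
# header still carries a version number or an OS string in parentheses.
header_leaks_version() {
    grep -i '^Server:' | grep -Eq '/[0-9]|\('
}

# Constructed samples (not taken from a real server).
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
printf 'ServerTokens OS\nServerSignature On\n' > "$weak"
printf '#ServerTokens OS\nServerTokens Prod\nServerSignature Off\n' > "$hard"

audit_banner "$weak" || echo "weak config flagged"
audit_banner "$hard" && echo "hardened config passes"
printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.10 (Debian)\r\n' |
    header_leaks_version && echo "header leaks version"
```

On the server itself, run audit_banner /etc/apache2/conf.d/security after the restart, and pipe the headers of a deliberately bad request (for example from curl -sI) into header_leaks_version.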
Portmapper
The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes that provide other ONC RPC services. If you need to run this service, that is perfectly acceptable. However, if this is a mis-configuration, it would be a good idea to stop it.
https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Portmapper
Which RPC services are running on the server?
RPC is a form of inter-process communication.
$ rpcinfo -T udp -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37209  status
    100024    1   tcp  45698  status
- Find the executable files that contain the portmapper.
- Try to uninstall and delete it, making sure we don't uninstall any important program that is actually used on the server.
FIND
USE CHANGELOG
Find in the Changelog whether somebody installed or changed the portmapper
$ grep -i portmapper Changelog
Consult the Changelog
$ less Changelog
If you make changes on the server, record them in the Changelog. Edit the Changelog file:
$ nano /root/Changelog
SEARCH
Where can we find the executable?
$ which portmapper
Simply find the file
$ locate portmapper
Find out which package of our Debian distribution the portmapper is active in
$ apt-cache search portmapper
remotetea - Sun ONC/RPC support for Java
Ask whether the package is installed:
$ dpkg -l | grep remotetea
After reading online, we realize that the portmapper is used for NFS systems, which are managed by rpcbind. To verify whether the portmapper is used, we show the description of the package:
$ apt-cache show rpcbind
Rpcbind uses portmapper!
As the portmapper is active on port 111, we list the listening ports and the services behind them, and again find port 111 open
$ netstat -lnptu|grep 111
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN      1707/rpcbind
tcp6       0      0 :::111          :::*            LISTEN      1707/rpcbind
udp        0      0 0.0.0.0:111     0.0.0.0:*                   1707/rpcbind
udp6       0      0 :::111          :::*                        1707/rpcbind
UNINSTALL
Uninstall the package while verifying its dependencies
$ apt-get remove rpcbind
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libgssglue1 libsasl2-modules wwwconfig-common
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  nfs-common rpcbind
0 upgraded, 0 newly installed, 2 to remove and 151 not upgraded.
After this operation, 805 kB disk space will be freed.
We don't consider the libs, because packages that are libraries do not provide any services. So we autoremove the packages and libraries on which no other package depends and which were not manually installed.
$ apt-get autoremove
To check how many packages are manually installed
$ apt-mark showmanual|wc -l
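An added example, not part of the original page: the two safety checks of the procedure above as shell functions, one listing the RPC services registered besides the portmapper and one comparing the packages a removal would take along against an allow-list. The function names are hypothetical and the sample data is constructed from the output shown on this page; -s is apt-get's simulate option.

```shell
#!/bin/sh
# Added example: checks to run before removing rpcbind (captured output).

# rpc_services: `rpcinfo -p` output on stdin -> registered services other
# than the portmapper itself. Empty means no other RPC program is registered.
rpc_services() {
    awk 'NR > 1 && $5 != "portmapper" { print $5 }' | sort -u
}

# removal_set: `apt-get -s remove PKG` output on stdin -> the packages
# listed on the indented lines under "will be REMOVED".
removal_set() {
    awk '/^The following packages will be REMOVED:/ { on = 1; next }
         on && /^ / { for (i = 1; i <= NF; i++) print $i; next }
         { on = 0 }'
}

# unexpected_removals ALLOWED...: print packages that would be removed but
# are not in the allow-list; return 1 if there are any.
unexpected_removals() {
    removal_set | (
        bad=0
        while read -r pkg; do
            case " $* " in *" $pkg "*) ;; *) echo "$pkg"; bad=1 ;; esac
        done
        exit "$bad"
    )
}

# Constructed samples, modelled on the output shown on this page.
sample_rpcinfo() { cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37209  status
    100024    1   tcp  45698  status
EOF
}
sample_apt() { cat <<'EOF'
The following packages will be REMOVED:
  nfs-common rpcbind
0 upgraded, 0 newly installed, 2 to remove and 151 not upgraded.
EOF
}

echo "RPC services besides portmapper: $(sample_rpcinfo | rpc_services)"
sample_apt | unexpected_removals rpcbind ||
    echo "^ not in allow-list: review before removing"
```

On a live system, feed the functions from rpcinfo -p and apt-get -s remove rpcbind instead of the samples; the simulated run changes nothing on disk.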