Fw: [SLE] Install Problem #2 - portmapper and other services
[SLE] List:

Forwarding progress of Install Problem #2 (re: portmap) because the attached log file is almost 24k and will get rejected.

Anders,

I set RUN_Parallel in /etc/sysconfig/boot to "no" (it was set to yes with no surrounding apostrophes). Result was some differences to the log file, so I am mailing you the new log file as an attachment. I appreciate the effort you are making to help sort out these install problems.

Just a guess -- because of the several references to port 139 -- could there be some uninstalled or misconfigured tcp/udp module causing first portmap and then these other services to fail after first starting?

Ted Hilts wrote:
> Just a guess -- because of the several references to port 139 -- could there be some uninstalled or misconfigured tcp/udp module causing first portmap and then these other services to fail after first starting?

139 tcp is used by Windows networking. Is it possible you have an infected Windows machine on the same network segment you are on, that is maybe flooding/attacking you and causing you your problems?

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871

Dernit, I hit Reply earlier and didn't reply to the list. D'oh. Here goes...

Joe Morris (NTM) wrote:
> Ted Hilts wrote:
>> Just a guess -- because of the several references to port 139 -- could there be some uninstalled or misconfigured tcp/udp module causing first portmap and then these other services to fail after first starting?
> 139 tcp is used by Windows networking. Is it possible you have an infected Windows machine on the same network segment you are on, that is maybe flooding/attacking you and causing you your problems?

Indeed. 139 tcp is Windows "shares" (netbios). It's more than likely a few hijacked Windows machines on your subnet "attacking" you.

What I've got: I've got a single machine, but it sits behind a router with every "conventional" port turned off/blocked. I offer two services: ssh and http, on nonstandard ports - 3918 and 3898 respectively. Basically I was tired of the bots trying to brute-force login on ssh, so I moved everything. I mapped them on the router from external high ports to the normal ports internally. It works very well. My logs are absolutely silent, yet I can still get in from the outside world.

Why those port numbers? I arbitrarily picked them from popular frequencies in the 80 meter band (HF).

If you're bare-assed naked connected to a cable modem, I highly recommend buying a router, even if it's the cheapest Linksys you can find at WalMart, and turning off all the ports you don't need and high-port-mapping the services you do need. Then nmap and nessus test your setup from the outside.

Then you too could have a /var/log/messages that looks like this:

Oct 24 20:59:00 linux /USR/SBIN/CRON[10906]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Oct 24 21:09:08 linux -- MARK --
Oct 24 21:29:08 linux -- MARK --
Oct 24 21:49:09 linux -- MARK --
Oct 24 21:59:00 linux /USR/SBIN/CRON[11074]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Oct 24 22:09:09 linux -- MARK --
Oct 24 22:29:09 linux -- MARK --
Oct 24 22:49:09 linux -- MARK --
Oct 24 22:59:00 linux /USR/SBIN/CRON[11240]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Oct 24 23:09:09 linux -- MARK --
Oct 24 23:29:09 linux -- MARK --
Oct 24 23:49:09 linux -- MARK --
Oct 24 23:59:00 linux /USR/SBIN/CRON[11409]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)

--
Dan

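A local complement to the outside nmap/nessus check described in the message above, as an added example that is not part of the original post: it parses /proc/net/tcp-style text and reports TCP listeners that fall outside an allowlist. The allowlist (ssh and http on their normal internal ports), the sample table and the function names are assumptions made here; the decoder assumes IPv4 on a little-endian host.

```python
import socket
import struct

# Assumption: the only services this host should offer are ssh and http.
ALLOWED = {22, 80}
# Well-known names for the ports that come up in the thread.
KNOWN = {22: "ssh", 80: "http", 111: "portmapper", 139: "netbios-ssn"}
LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed);
# it is not taken from the log attached to the thread.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   3: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   4: 0A00A8C0:0016 6400A8C0:C350 01 00000000:00000000 02:000A1B2C 00000000     0
"""

def listening(text):
    """Return (address, port) pairs for sockets in LISTEN state, sorted by port."""
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 4 or f[3] != LISTEN:        # ignore established and other states
            continue
        addr_hex, port_hex = f[1].split(":")
        # The address is a native-endian hex dump of the 32-bit IPv4 address.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        out.append((addr, int(port_hex, 16)))
    return sorted(out, key=lambda pair: pair[1])

def audit(text, allowed=ALLOWED):
    """Return (port, name, scope) for every listener outside the allowlist."""
    findings = []
    for addr, port in listening(text):
        if port in allowed:
            continue
        scope = "loopback only" if addr.startswith("127.") else "reachable from the network"
        findings.append((port, KNOWN.get(port, "unknown"), scope))
    return findings

if __name__ == "__main__":
    import sys
    # Pass /proc/net/tcp as the argument to audit a live host; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for port, name, scope in audit(text):
        print(f"unexpected listener: tcp/{port} ({name}), {scope}")
```

Listeners bound to IPv6 addresses appear in /proc/net/tcp6 and are not covered by this decoder.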
participants (3)
- Daniel Podgurski
- Joe Morris (NTM)
- Ted Hilts