CocaCola
Jul 15 2005, 09:26 PM
I was wondering how you would block certain ports in APF. For example, if I want to block port 21, how would I do that?
Heatseeker
Jul 15 2005, 10:46 PM
pico /etc/apf/conf.apf
Scroll down in the file to where it says something like:
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
and
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
You might have to scroll down a little more to see the outbound ports. The settings above are just samples; it's not how my server is set up. Remove the number 21 (or whatever ports you want to close) from both places and save the changes.
Restart APF.
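Editor's added example, not code from the thread or from APF itself: a small POSIX shell helper that removes a port from the IG_TCP_CPORTS / EG_TCP_CPORTS lines by exact match, so that removing 21 does not also mangle a 2121 or 121 entry the way a plain `sed 's/21//'` would. It assumes the `NAME="p1,p2,..."` line format shown in the post above; the sample file is constructed here, and the hypothetical function names (`get_ports`, `remove_port`, `demo`) are the editor's.

```shell
#!/bin/sh
# Editor's example (not from the thread or APF): edit conf.apf-style port
# lists safely. Assumes lines of the form NAME="p1,p2,...".

# get_ports VAR FILE  -> prints the comma list held by VAR
get_ports() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" "$2"
}

# remove_port VAR PORT FILE  -> rewrites FILE in place, dropping exactly PORT
# from VAR's list. Other lines are copied through untouched.
remove_port() {
    awk -v var="$1" -v port="$2" '
        index($0, var "=\"") == 1 {
            val = substr($0, length(var) + 3)   # text after  VAR="
            sub("\"[ \t]*$", "", val)           # drop the closing quote
            n = split(val, p, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (p[i] != "" && p[i] != port)  # exact match, not substring
                    out = out (out == "" ? "" : ",") p[i]
            print var "=\"" out "\""
            next
        }
        { print }
    ' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# demo: constructed sample of the two lines from the post, with 2121 added
# to show that it survives removing 21.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '# Common ingress (inbound) TCP ports' \
        'IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638,2121"' \
        '# Common egress (outbound) TCP ports' \
        'EG_TCP_CPORTS="21,25,80,443,43"' > "$f"
    remove_port IG_TCP_CPORTS 21 "$f"
    remove_port EG_TCP_CPORTS 21 "$f"
    get_ports IG_TCP_CPORTS "$f"
    get_ports EG_TCP_CPORTS "$f"
    rm -f "$f"
}

demo
```

On a live box, back up /etc/apf/conf.apf before running `remove_port` against it, then restart with `apf -r`. Dropping a port from IG_TCP_CPORTS closes it inbound because APF's default inbound policy is deny. Dropping it from EG_TCP_CPORTS only has an effect when egress filtering (EGF="1" in conf.apf) is switched on, which, as a later reply in this thread points out, it is not by default.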
CocaCola
Jul 15 2005, 11:33 PM
The reason I'm asking is this: when I do netstat -n I get the output below.
Now there are a bunch of 6667 and 6660 ports, which is IRC.
Is this a connection from my server to the IRC server, or is someone running an IRC server on my server? I'm really not sure, so that's why I'm asking.
root@hosting [~]# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 xx.xx.x.xxx:80 67.161.234.95:3967 ESTABLISHED
tcp 0 0 xx.xx.x.xxx:80 67.161.234.95:3965 TIME_WAIT
tcp 0 0 xx.xx.x.xxx:80 67.161.234.95:3964 TIME_WAIT
tcp 0 0 xx.xx.x.xxx:46323 161.53.178.240:6667 ESTABLISHED
tcp 0 0 xx.xx.x.xxx:80 203.144.143.7:1646 FIN_WAIT2
tcp 0 1 xx.xx.x.xxx:44825 69.16.172.34:6660 SYN_SENT
tcp 0 0 xx.xx.x.xxx:46811 161.53.178.240:6667 ESTABLISHED
tcp 0 1 xx.xx.x.xxx:44769 69.16.172.34:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44793 69.16.172.34:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44797 195.54.102.4:6667 SYN_SENT
tcp 0 0 xx.xx.x.xxx:80 203.144.143.7:1640 FIN_WAIT2
tcp 0 1 xx.xx.x.xxx:44748 195.54.102.4:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44831 216.152.77.10:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44828 216.152.77.10:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44765 216.152.77.10:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44766 66.197.0.145:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44785 66.197.0.145:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44815 66.197.0.145:6660 SYN_SENT
tcp 0 0 xx.xx.x.xxx:44767 194.134.7.195:6660 TIME_WAIT
tcp 0 1 xx.xx.x.xxx:44807 207.172.156.252:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44832 207.172.156.252:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44763 207.172.156.252:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44747 207.172.156.252:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44745 207.172.156.252:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44791 207.172.156.252:6667 SYN_SENT
tcp 0 0 xx.xx.x.xxx:54530 161.53.178.240:6667 ESTABLISHED
tcp 0 1 xx.xx.x.xxx:44762 195.204.1.130:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44749 195.204.1.130:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44822 195.47.220.2:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44820 195.47.220.2:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44788 195.47.220.2:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44829 195.204.1.130:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44812 195.204.1.130:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44833 195.204.1.130:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44811 195.204.1.132:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44789 195.68.221.221:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44814 195.204.1.130:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44824 195.197.175.21:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44830 195.197.175.21:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44768 195.197.175.21:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44796 195.197.175.21:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44753 195.197.175.21:6667 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44782 207.172.156.252:6660 SYN_SENT
tcp 0 0 xx.xx.x.xxx:22 24.93.197.203:3572 ESTABLISHED
udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED
CocaCola
Jul 16 2005, 08:54 PM
Anyone?
thedude
Jul 16 2005, 09:00 PM
Hard to tell with that.
Are you the only one with access to your server?
CocaCola
Jul 17 2005, 03:16 AM
I'm the only one with root access, but I have a few hosting accounts.
dezignguy
Jul 17 2005, 08:27 AM
It rather looks like your server is sending SYN packets to a number of IRC servers... and I wonder if your server is running malicious software that is participating in a DDoS against those IRC servers.
I suggest you have someone familiar with linux security check out your server to make sure it's not running malicious software.
Check your /tmp and /var/tmp for suspicious scripts... as well as checking carefully through the full process list.
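Editor's added example, not code from the thread: a shell/awk triage of `netstat -n` output that answers the question asked above. If the local side of a TCP line is one of the ports this box serves (the IG_TCP_CPORTS list from the first reply), someone connected to us; if the local port is anything else, it is an ephemeral port and the connection was opened from this server. In the posted output the 6660/6667 lines all have local ports in the 44000-55000 range, so the server is the IRC client, which is what the reply above concludes. The sample lines are copied from the post; the function names (`classify`, `irc_triage`, `outbound_irc_count`) and the service-port list passed in are the editor's assumptions.

```shell
#!/bin/sh
# Editor's example (not from the thread): classify netstat -n lines by
# direction and count outbound connections to IRC ports.
# Assumption: SERVICES is the comma list of ports this host serves
# (for the poster, the same list as IG_TCP_CPORTS in conf.apf).

IRC_PORTS="6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 7000"

# classify SERVICES   (netstat -n output on stdin)
# emits one line per TCP connection: <inbound|outbound> <host:port> <state>
classify() {
    awk -v services="$1" '
        BEGIN { n = split(services, s, ","); for (i = 1; i <= n; i++) svc[s[i]] = 1 }
        $1 == "tcp" && NF >= 6 {
            nl = split($4, l, ":"); lport = l[nl]      # our port
            nf = split($5, f, ":"); fport = f[nf]      # their port
            fhost = $5; sub(/:[0-9]+$/, "", fhost)
            dir = (lport in svc) ? "inbound" : "outbound"
            print dir, fhost ":" fport, $6
        }'
}

# irc_triage SERVICES: outbound connections to IRC ports, grouped by
# host:port and state, busiest first. Many SYN_SENT to one host from one
# box is a client retrying (or flooding), not an IRC server running here.
irc_triage() {
    classify "$1" | awk -v irc="$IRC_PORTS" '
        BEGIN { n = split(irc, p, " "); for (i = 1; i <= n; i++) ircp[p[i]] = 1 }
        {
            np = split($2, h, ":")
            if ($1 == "outbound" && (h[np] in ircp)) c[$2 " " $3]++
        }
        END { for (k in c) print c[k], k }' | sort -rn
}

# outbound_irc_count SERVICES: just the total number of such connections
outbound_irc_count() {
    irc_triage "$1" | awk '{ t += $1 } END { print t + 0 }'
}

# Lines copied from the netstat output posted above (a sample, not live data).
SAMPLE='tcp 0 0 xx.xx.x.xxx:80 67.161.234.95:3967 ESTABLISHED
tcp 0 0 xx.xx.x.xxx:46323 161.53.178.240:6667 ESTABLISHED
tcp 0 1 xx.xx.x.xxx:44825 69.16.172.34:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44769 69.16.172.34:6660 SYN_SENT
tcp 0 1 xx.xx.x.xxx:44807 207.172.156.252:6667 SYN_SENT
tcp 0 0 xx.xx.x.xxx:22 24.93.197.203:3572 ESTABLISHED
udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED'

SERVICES="21,22,25,53,80,110,143,443,19638"
printf '%s\n' "$SAMPLE" | irc_triage "$SERVICES"
echo "outbound IRC-port connections: $(printf '%s\n' "$SAMPLE" | outbound_irc_count "$SERVICES")"
```

To go from a flagged connection to the process behind it, run `netstat -tnp` or `lsof -i :6667` as root on the live box; netstat -n alone never shows the PID. Bear in mind that if the machine has been rootkitted, the process list, netstat and lsof may all have been tampered with, which is why later replies push for rootkit scans and a reload rather than trusting the box's own tools.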
CocaCola
Jul 17 2005, 12:59 PM
Thank you, I found it.
There was a folder in /var/tmp/vip; it was an IRC bot.
But shouldn't APF block this kind of activity?
dezignguy
Jul 17 2005, 04:11 PM
Maybe... if you have egress checking enabled (it's not by default).
CocaCola
Jul 18 2005, 06:32 AM
QUOTE (dezignguy)
Maybe... if you have egress checking enabled (it's not by default).
I enabled egress checking and deleted all the folders that shouldn't be there, so hopefully everything will be OK, because it would suck if I had to back up all the accounts and then do an OS reload.
Matt Brown
Jul 18 2005, 11:27 AM
You need to get someone to run through your server checking it for rootkits, etc. You also need to get someone, if you can't do it yourself, to secure tmp. It's very risky to run a server after it's been exploited without reloading the OS.
Run some rkhunter and chkrootkit scans and see if they find any rootkits.
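Editor's added example, not code from the thread: "securing tmp" in hosting circles means mounting /tmp (and /var/tmp, where the bot above was found) as a separate filesystem with noexec,nosuid,nodev. This shell check reads a /proc/mounts-style file (field 2 is the mount point, field 4 the options) and reports which of those options are missing. The sample mounts file is constructed; the function names (`check_mount_opts`, `make_sample_mounts`) are the editor's.

```shell
#!/bin/sh
# Editor's example (not from the thread): verify that a directory is its own
# mount carrying noexec,nosuid,nodev. Defaults to the live /proc/mounts when
# no file is given.

# check_mount_opts MOUNTPOINT [MOUNTSFILE]
# prints a verdict; returns 0 only if all three hardening options are present
check_mount_opts() {
    mp=$1; mounts=${2:-/proc/mounts}
    # the last matching entry wins, as with stacked mounts
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount, inherits its parent's options"
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: mounted with '$opts', missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# make_sample_mounts FILE: constructed /proc/mounts content (not from the
# poster's server): /tmp done right, /var/tmp not a mount at all, /home
# mounted with no hardening options.
make_sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext3 rw 0 0' \
        '/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0' \
        '/dev/sda3 /home ext3 rw 0 0' \
        'proc /proc proc rw 0 0' > "$1"
}

f=$(mktemp)
make_sample_mounts "$f"
for d in /tmp /var/tmp /home; do
    check_mount_opts "$d" "$f" || :
done
rm -f "$f"
```

On a real box the fix for a failing mount point is `mount -o remount,noexec,nosuid,nodev /tmp` (made permanent in /etc/fstab), and the usual way to give /var/tmp the same treatment is `mount --bind /tmp /var/tmp`. Two caveats a practitioner should keep in mind: noexec stops a binary dropped in /var/tmp from being run directly, but not `perl /var/tmp/x.pl` or `sh /var/tmp/x.sh`, because the interpreter, not the kernel, reads the file; and none of this undoes whatever the intruder already did with root, which is why the reply above still recommends an OS reload.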
CocaCola
Jul 18 2005, 04:38 PM
I installed chkrootkit and RKHunter with the help of this little tutorial:
http://forums.servermatrix.com/viewtopic.php?t=4909
It comes back clean.
I also ran a vulnerability scan from orbit; that comes back clean too.
Matt Brown
Jul 18 2005, 07:51 PM
Good. It would still be a good idea to hire a security tech to check out the server for any form of rootkit or security flaws; there might be some. If they got in with an IRC service, nothing is stopping them from getting in again.