Linode Community Forums
 


which /etc/services actually needed?

johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Thu Oct 01, 2009 12:49 pm    Post subject: which /etc/services actually needed?  

Does anyone have experience with disabling the services in the /etc/services file? I'm trying to figure out what I need with what I'm doing. Essentially, I'm just trying to host a couple of web sites, so I just need to be able to ssh in, run apache and passenger, but there are a lot of services enabled, and I'd like to comment out the stuff I don't really need.

I'm just worried that if I don't comment something out my system will act a little wacky.

Thanks,
John
nivex



Joined: 30 Sep 2008
Posts: 15
Location: Carrboro, NC, US

Posted: Thu Oct 01, 2009 12:55 pm    Post subject:  

The entries in that file don't "enable" a service. It is just a catalog of port numbers and service names. It is used by utilities like netstat to report what you're connected to so you don't have to remember every port number known to man. There is no harm in keeping that file in its distributed state, and it's actually recommended you do so.
johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Thu Oct 01, 2009 1:07 pm    Post subject:  

So it probably makes more sense to do a port scan to see what's open? According to nmap I only have 3 ports open, so maybe I'm ok. I'm just worried about some intrusion... noticed a couple of fishy things in my auth.log file.
nivex



Joined: 30 Sep 2008
Posts: 15
Location: Carrboro, NC, US

Posted: Thu Oct 01, 2009 1:13 pm    Post subject:  

No, I'm saying it makes sense to just leave the file alone. An entry (or lack thereof) in that file has no bearing on whether a port is open.
johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Thu Oct 01, 2009 1:14 pm    Post subject:  

Right.
JshWright



Joined: 27 Oct 2008
Posts: 173

Posted: Thu Oct 01, 2009 1:15 pm    Post subject:  

netstat -l will tell you what's listening on your box.

~JW
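
The point made in the replies above (the catalogue only supplies names, while listening sockets decide what is open), shown as an added example that is not from any poster in this thread. The services excerpt and the `netstat -ltn` output are constructed, and the function names and the loopback "exposed" flag are assumptions of this sketch.

```python
# Constructed excerpt in /etc/services format: name port/proto [aliases] # comment
SERVICES = """\
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
http            80/tcp          www             # WorldWideWeb HTTP
mysql           3306/tcp
"""

# Constructed `netstat -ltn` output for a host running sshd, Apache and MySQL.
NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and blank lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table.setdefault((int(port), proto), fields[0])
    return table

def listening(netstat_text):
    """Return (bind address, port) for TCP sockets in LISTEN state, by port."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            found.append((addr, int(port)))
    return sorted(found, key=lambda x: x[1])

def report(services_text, netstat_text):
    """(port, catalogue name, reachable from other hosts?) for each listener."""
    names = parse_services(services_text)
    return [(port, names.get((port, "tcp"), "unknown"), addr not in ("127.0.0.1", "::1"))
            for addr, port in listening(netstat_text)]

def comment_out(services_text, name):
    """Comment out one catalogue entry, as the original question proposed."""
    return "\n".join("#" + l if l.split()[:1] == [name] else l
                     for l in services_text.splitlines())

if __name__ == "__main__":
    print(report(SERVICES, NETSTAT))                       # smtp is catalogued but not listening
    print(report(comment_out(SERVICES, "http"), NETSTAT))  # port 80 still listens, only the label is lost
```
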
johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Thu Oct 01, 2009 1:33 pm    Post subject:  

Thanks! I started getting a little paranoid after finding some oddness in a few of my logs. Probably should start looking into securing my environment.
anderiv



Joined: 27 Apr 2004
Posts: 187

Posted: Thu Oct 01, 2009 8:43 pm    Post subject:  

What were the "suspicious" log entries? There are many that, to an untrained eye, could *look* suspicious when they're actually quite benign.
mwalling



Joined: 10 Dec 2007
Posts: 335

Posted: Fri Oct 02, 2009 6:31 am    Post subject:  

anderiv wrote: What were the "suspicious" log entries? There are many that, to an untrained eye, could *look* suspicious when they're actually quite benign.

Like the gazillion (hopefully) unsuccessful ssh login attempts, or the gazillion and 2 (hopefully) unsuccessful relay attempts by spammers against your mail server.
johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Fri Oct 02, 2009 10:22 am    Post subject:  

Looks like vulnerability scanners after doing a Google search:

Code:
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zencart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen-cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /shop/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /store/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /E-commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /e-commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"


And some more:
Code:
218.107.132.124 - - [02/Oct/2009:06:12:19 +0000] "GET /rails/info/properties HTTP/1.0" 500 948 "-" "larbin_2.6.3 gqnmgsp@ruc.edu.cn"
208.80.193.27 - - [02/Oct/2009:06:18:53 +0000] "GET / HTTP/1.0" 500 948 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; YPC 3.2.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; yplus 5.3.03b)"
66.249.67.140 - - [02/Oct/2009:07:17:08 +0000] "GET /dudes.html HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.140 - - [02/Oct/2009:07:17:19 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.179 - - [02/Oct/2009:07:39:23 +0000] "GET /images/showImg.png HTTP/1.1" 500 585 "-" "Googlebot-Image/1.0"
74.63.66.236 - - [02/Oct/2009:08:03:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 345 "-" "-"
208.80.193.30 - - [02/Oct/2009:08:20:46 +0000] "GET / HTTP/1.0" 500 948 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR={7056D3EB-D11E-4d6c-958E-F3B9F21FFDCB}; .NET CLR 1.1.4322; Alexa Toolbar)"
65.55.115.154 - - [02/Oct/2009:08:39:24 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
92.241.182.25 - - [02/Oct/2009:09:02:38 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; Tagoobot/3.0; +http://www.tagoo.ru)"
92.241.182.25 - - [02/Oct/2009:09:03:15 +0000] "GET / HTTP/1.1" 500 948 "-" "Mozilla/5.0 (compatible; Tagoobot/3.0; +http://www.tagoo.ru)"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
74.6.22.153 - - [02/Oct/2009:09:17:07 +0000] "GET /robots.txt HTTP/1.0" 200 167 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
74.6.22.153 - - [02/Oct/2009:09:17:08 +0000] "GET / HTTP/1.0" 500 585 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"


The auth.log is where I'd see login attempts, right? It doesn't look like there have been too many attempts to ssh into my node.
zunzun



Joined: 18 Feb 2005
Posts: 445
Location: Birmingham, Alabama USA

Posted: Fri Oct 02, 2009 12:00 pm    Post subject:  

johnonlinode wrote: Looks like vulnerability scanners after doing a Google search:

Code:
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"

Google search shows this as "all my love to the devil".

My current user agent blocks, which all get 404's if this text is found anywhere in the user agent string - and blocks this one:

'Scanner',
'diavola',
'mywbs.com',
'heritrix',
'turnitin',
'searchme.com',
'cuil',
'baidu',
'Yahoo! Slurp',
'GingerCrawler',
'80legs',
'plukkie',
'scoutjet'
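
The substring list above, applied to entries from the access log posted earlier in this thread, as an added example that is not zunzun's actual configuration. Case-sensitive matching and the names `BLOCKED`, `triage` and `not_caught` are assumptions of this sketch; it shows which requests a user-agent block would answer with a 404 and which would still reach the application.

```python
import re

# Substrings copied from the post above.
BLOCKED = ['Scanner', 'diavola', 'mywbs.com', 'heritrix', 'turnitin', 'searchme.com',
           'cuil', 'baidu', 'Yahoo! Slurp', 'GingerCrawler', '80legs', 'plukkie', 'scoutjet']

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                  r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Five entries taken from the access log posted earlier in this thread.
SAMPLE = '''\
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zencart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
66.249.67.140 - - [02/Oct/2009:07:17:19 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
74.63.66.236 - - [02/Oct/2009:08:03:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 345 "-" "-"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
74.6.22.153 - - [02/Oct/2009:09:17:07 +0000] "GET /robots.txt HTTP/1.0" 200 167 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
'''

def triage(log_text):
    """Return (host, request, matched substring or None) for each parsable entry."""
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess at fields
        hit = next((s for s in BLOCKED if s in m["agent"]), None)
        results.append((m["host"], m["request"], hit))
    return results

def not_caught(results):
    """Requests whose user agent matches nothing in the list."""
    return [(host, request) for host, request, hit in results if hit is None]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print("not caught:", not_caught(triage(SAMPLE)))
```

The `w00tw00t` probe sends `-` as its user agent, so the list does not catch it; a user-agent block only covers clients that announce themselves in that header.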
johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Fri Oct 02, 2009 12:31 pm    Post subject:  

zunzun,

Do you just do that in an .htaccess file? Where do you place the file on the server (which directory)?

Thanks,
John
zunzun



Joined: 18 Feb 2005
Posts: 445
Location: Birmingham, Alabama USA

Posted: Fri Oct 02, 2009 1:54 pm    Post subject:  

johnonlinode wrote: Do you just do that in an .htaccess file?

See the section "How to Block by User Agent String" here:

http://www.thesitewizard.com/apache/block-bots-with-htaccess.shtml

to use .htaccess.

James
johnonlinode



Joined: 05 Aug 2009
Posts: 10
Location: Sunnyvale,Ca

Posted: Fri Oct 02, 2009 3:24 pm    Post subject:  

Thanks, James. I'm going to take a look.
 