rexreed
Joined: 30 Oct 2011
Posts: 3
Posted: Sun Oct 30, 2011 8:58 am    Post subject: Unusual NTP / other connections?
I'm trying to keep our Linode as secure as possible and am looking at the various established network connections using netstat -a (we also use OSSEC HIDS).
I'm seeing a number of questionable NTP / other connections. Here's what I see using netstat -a:
Code:
udp 0 0 liXX.:37147 disorder.primate.ne:ntp ESTABLISHED
udp 0 0 liXX.:40025 173-203-122-111.vds:ntp ESTABLISHED
udp 0 0 liXX..:37540 dp.cx:ntp ESTABLISHED
udp 0 0 liXX.:34798 sulfur.mednor.net:ntp ESTABLISHED
I'm also seeing connections to localhost.localdom from / to port 4369. This is the port opened by eJabberD, and is expected, but the notes say that it should not be accessible outside the firewall. How can I block access to that port externally? And, I'm guessing the localhost.localdomain bindings are probably normal given that circumstance, correct?
Are these normal? If not, what is the vulnerability, and what can I do about that?
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Sun Oct 30, 2011 10:42 am    Post subject:
Those would be ntpd doing its business. You should be able to correlate these against ntpq -p. I find it a little odd that they are showing up there, since ntpd is normally really quick about disposing of sockets... do you have a firewall that might be blocking these? (If so, you're going to have a bad time.)
If 4369 is only listening on localhost, then it's only listening on localhost and isn't accessible externally. The -l option to netstat will specifically tell you what's listening where.
Also, the -n and -p options to netstat are quite handy.
rexreed
Joined: 30 Oct 2011
Posts: 3
Posted: Mon Oct 31, 2011 8:10 am    Post subject:
Interesting - I don't have a firewall blocking these ports, so I'm wondering why they are persisting. Also, these are very strange domains - why is my machine binding to these (or it looks like the other way around - why are their NTP ports binding to my Linode)? The domains look suspicious, so I'm wondering how these are getting chosen for NTP binding?
I'll check out the netstat -l / -n / -p options as well.
Thanks!
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Mon Oct 31, 2011 6:40 pm    Post subject:
Check /etc/ntp.conf. Odds are really good it will have something like
Code:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
(or something else involving pool.ntp.org). If so, those particular servers are somewhat randomly picked from a pool of ~2600 public NTP servers whenever ntpd starts.
If you do "ntpq -p" and all of the numbers under the "st" column are not 16 and the "refid" values are not .STEP., everything's working OK and there's probably nothing to worry about.
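To turn that ntpq -p check into something repeatable, here is an added example (not code from this thread or from ntp): it parses the peer table and flags every peer whose stratum is 16 or whose refid is .STEP.; it also treats .INIT. as unsynced, which goes slightly beyond the two criteria above. The sample output, the hostname truncation and the fallback to that sample when ntpq is not installed are assumptions.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of `ntpq -p` output (not captured from the poster's host).
# Hostnames are cut to the 15-character remote column as ntpq does. The first two
# peers are healthy; the last two show the failure modes named in the thread.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*disorder.primat 192.0.2.10       2 u   64  128  377   12.345   -0.123   0.456
+dp.cx           .GPS.            1 u   33  128  377   20.010    1.002   0.210
 sulfur.mednor.n .STEP.          16 u    -   64    0    0.000    0.000   0.000
 173-203-122-111 .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

UNSYNCED_REFIDS = {".STEP.", ".INIT."}  # .INIT. is an addition to the thread's rule

@dataclass
class Peer:
    tally: str    # leading char: '*' system peer, '+' candidate, ' ' discarded
    remote: str
    refid: str
    stratum: int  # 16 means "unsynchronized"
    reach: int    # octal shift register of the last 8 polls; 377 (255) = all answered

def parse_ntpq(output: str) -> list[Peer]:
    """Parse the peer table printed by `ntpq -p` into Peer records."""
    peers = []
    for line in output.splitlines():
        body = line.strip()
        if not body or body.startswith("remote") or body.startswith("="):
            continue  # blank, header, or separator line
        fields = line[1:].split()  # drop the tally column before splitting
        if len(fields) < 10:
            continue  # not a peer row we understand
        peers.append(Peer(line[0], fields[0], fields[1], int(fields[2]), int(fields[6], 8)))
    return peers

def check_peers(peers: list[Peer]) -> dict:
    """Apply the thread's rule: every peer must have st != 16 and refid not in .STEP./.INIT."""
    bad = [p.remote for p in peers if p.stratum == 16 or p.refid in UNSYNCED_REFIDS]
    return {"bad": bad, "ok": not bad, "has_sys_peer": any(p.tally == "*" for p in peers)}

if __name__ == "__main__":
    try:  # use the live peer table when ntpq exists, otherwise the constructed sample
        out = subprocess.run(["ntpq", "-p"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NTPQ_OUTPUT
    print(check_peers(parse_ntpq(out)))
```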
rexreed
Joined: 30 Oct 2011
Posts: 3
Posted: Mon Oct 31, 2011 10:13 pm    Post subject:
I don't seem to have the ntpq command or an /etc/ntp.conf file (running Ubuntu 10.04 LTS) -- what are the alternatives on Ubuntu?
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Mon Oct 31, 2011 11:23 pm    Post subject:
Ah, you're likely running openntpd. Check /etc/openntpd/ntpd.conf. I see similar behavior on netstat -u as you do on a 10.04 machine with openntpd, so it's probably normal.