Linode Forum
Linode Community Forums
PostPosted: Thu Oct 01, 2009 1:49 pm 
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
Does anyone have experience with disabling the services in the /etc/services file? I'm trying to figure out what I need for what I'm doing. Essentially, I'm just trying to host a couple of web sites, so I just need to be able to ssh in and run Apache and Passenger, but there are a lot of services enabled, and I'd like to comment out the stuff I don't really need.

I'm just worried that if I don't comment something out my system will act a little wacky.

Thanks,
John


PostPosted: Thu Oct 01, 2009 1:55 pm
Junior Member

Joined: Tue Sep 30, 2008 8:07 pm
Posts: 26
Website: http://www.nivex.net/
Location: Hillsborough, NC, US
The entries in that file don't "enable" a service. It is just a catalog of port numbers and service names. It is used by utilities like netstat to report what you're connected to so you don't have to remember every port number known to man. There is no harm in keeping that file in its distributed state, and it's actually recommended you do so.


PostPosted: Thu Oct 01, 2009 2:07 pm
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
So it probably makes more sense to do a port scan to see what's open? According to nmap I only have 3 ports open, so maybe I'm OK. I'm just worried about some intrusion... I noticed a couple of fishy things in my auth.log file.


PostPosted: Thu Oct 01, 2009 2:13 pm
Junior Member

Joined: Tue Sep 30, 2008 8:07 pm
Posts: 26
Website: http://www.nivex.net/
Location: Hillsborough, NC, US
No, I'm saying it makes sense to just leave the file alone. An entry (or lack thereof) in that file has no bearing on whether a port is open.


PostPosted: Thu Oct 01, 2009 2:14 pm
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
Right.


PostPosted: Thu Oct 01, 2009 2:15 pm
Senior Member

Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
netstat -l will tell you what's listening on your box.

~JW


PostPosted: Thu Oct 01, 2009 2:33 pm
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
Thanks! I started getting a little paranoid after finding some oddness in a few of my logs. I probably should start looking into securing my environment.


PostPosted: Thu Oct 01, 2009 9:43 pm
Senior Member

Joined: Tue Apr 27, 2004 5:10 pm
Posts: 212
What were the "suspicious" log entries? There are many that, to an untrained eye, could *look* suspicious when they're actually quite benign.


PostPosted: Fri Oct 02, 2009 7:31 am

Joined: Mon Dec 10, 2007 4:30 pm
Posts: 341
Website: http://markwalling.org
anderiv wrote:
What were the "suspicious" log entries? There are many that, to an untrained eye, could *look* suspicious when they're actually quite benign.


Like the gazillion (hopefully) unsuccessful ssh login attempts, or the gazillion and 2 (hopefully) unsuccessful relay attempts by spammers against your mail server.


PostPosted: Fri Oct 02, 2009 11:22 am
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
After doing a Google search, these look like vulnerability scanners:

Code:
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zencart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen-cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /shop/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /store/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /E-commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /e-commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"


And some more:
Code:
218.107.132.124 - - [02/Oct/2009:06:12:19 +0000] "GET /rails/info/properties HTTP/1.0" 500 948 "-" "larbin_2.6.3 gqnmgsp@ruc.edu.cn"
208.80.193.27 - - [02/Oct/2009:06:18:53 +0000] "GET / HTTP/1.0" 500 948 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; YPC 3.2.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; yplus 5.3.03b)"
66.249.67.140 - - [02/Oct/2009:07:17:08 +0000] "GET /dudes.html HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.140 - - [02/Oct/2009:07:17:19 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.179 - - [02/Oct/2009:07:39:23 +0000] "GET /images/showImg.png HTTP/1.1" 500 585 "-" "Googlebot-Image/1.0"
74.63.66.236 - - [02/Oct/2009:08:03:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 345 "-" "-"
208.80.193.30 - - [02/Oct/2009:08:20:46 +0000] "GET / HTTP/1.0" 500 948 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR={7056D3EB-D11E-4d6c-958E-F3B9F21FFDCB}; .NET CLR 1.1.4322; Alexa Toolbar)"
65.55.115.154 - - [02/Oct/2009:08:39:24 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
92.241.182.25 - - [02/Oct/2009:09:02:38 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; Tagoobot/3.0; +http://www.tagoo.ru)"
92.241.182.25 - - [02/Oct/2009:09:03:15 +0000] "GET / HTTP/1.1" 500 948 "-" "Mozilla/5.0 (compatible; Tagoobot/3.0; +http://www.tagoo.ru)"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
74.6.22.153 - - [02/Oct/2009:09:17:07 +0000] "GET /robots.txt HTTP/1.0" 200 167 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
74.6.22.153 - - [02/Oct/2009:09:17:08 +0000] "GET / HTTP/1.0" 500 585 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"


The auth.log is where I'd see login attempts, right? It doesn't look like there have been too many attempts to ssh into my node.


PostPosted: Fri Oct 02, 2009 1:00 pm
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
johnonlinode wrote:
After doing a Google search, these look like vulnerability scanners:

Code:
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"


Google search shows this as "all my love to the devil".

My current user agent blocks, which all get 404s if this text is found anywhere in the user agent string, and which block this one:

'Scanner',
'diavola',
'mywbs.com',
'heritrix',
'turnitin',
'searchme.com',
'cuil',
'baidu',
'Yahoo! Slurp',
'GingerCrawler',
'80legs',
'plukkie',
'scoutjet'
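Added example, not code from any poster in this thread: a small triage script that parses Apache combined-format access log lines like the ones John posted and sorts them into "blocked-agent" (a user-agent substring from zunzun's list), "probe" (a request path that looks like an automated scan), "malformed" (a request line that is not METHOD PATH PROTOCOL, such as the 400 "GET HTTP/1.1 HTTP/1.1" entry), or "normal". The sample lines are copied from the thread; the probe-path list and the decision to treat the user-agent match as the strongest signal are assumptions made for this example.

```python
"""Triage Apache combined-format access log lines for scanner activity.

Added example for this thread. Sample lines come from the thread; the
signature lists are assumptions based on zunzun's user-agent substrings
and the probe paths visible in the posted log.
"""
import re
from collections import Counter

# Apache "combined" LogFormat:
#   host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Substrings from zunzun's block list; matched case-insensitively anywhere in the UA.
BLOCKED_AGENT_SUBSTRINGS = [
    "Scanner", "diavola", "mywbs.com", "heritrix", "turnitin", "searchme.com",
    "cuil", "baidu", "Yahoo! Slurp", "GingerCrawler", "80legs", "plukkie", "scoutjet",
]

# Request-path fragments seen in the posted log that indicate automated probing
# (assumption: this list is only what the thread shows, not a complete catalogue).
PROBE_PATH_SUBSTRINGS = ["w00tw00t", "/includes/general.js"]

# Constructed sample: six lines copied from John's posts.
SAMPLE_LOG = [
    '67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"',
    '67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zencart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"',
    '74.63.66.236 - - [02/Oct/2009:08:03:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 345 "-" "-"',
    '65.55.115.154 - - [02/Oct/2009:08:39:24 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"',
    '74.6.22.153 - - [02/Oct/2009:09:17:08 +0000] "GET / HTTP/1.0" 500 585 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"',
    '66.249.67.140 - - [02/Oct/2009:07:17:19 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tokens = rec["request"].split(" ")
    # A well-formed request line is exactly "METHOD PATH PROTOCOL" with PATH starting in "/".
    if len(tokens) == 3 and tokens[1].startswith("/"):
        rec["method"], rec["path"], rec["protocol"] = tokens
    else:
        rec["method"], rec["path"], rec["protocol"] = None, None, None
    return rec


def classify(rec):
    """Label one parsed record: 'blocked-agent', 'malformed', 'probe' or 'normal'."""
    agent = rec["agent"].lower()
    if any(s.lower() in agent for s in BLOCKED_AGENT_SUBSTRINGS):
        return "blocked-agent"
    if rec["path"] is None:
        return "malformed"
    if any(s in rec["path"] for s in PROBE_PATH_SUBSTRINGS):
        return "probe"
    return "normal"


def triage(lines):
    """Classify every line.

    Returns (label_counts, flagged_ips): a Counter of labels (including
    'unparsed' for lines the regex rejects) and a Counter of how many
    non-normal hits each client IP produced.
    """
    labels = Counter()
    flagged_ips = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            labels["unparsed"] += 1
            continue
        label = classify(rec)
        labels[label] += 1
        if label != "normal":
            flagged_ips[rec["ip"]] += 1
    return labels, flagged_ips


if __name__ == "__main__":
    counts, ips = triage(SAMPLE_LOG)
    print("labels:", dict(counts))
    for ip, n in ips.most_common():
        print(f"{ip:16} {n} flagged request(s)")
```

Run it against a real log with `python3 triage.py < /var/log/apache2/access.log` after replacing `SAMPLE_LOG` with `sys.stdin`; the per-IP counter is the useful part, because a single client producing many flagged lines in one second (as 67.210.97.166 does in the thread) is the pattern that separates a scanner from a stray bad request.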


PostPosted: Fri Oct 02, 2009 1:31 pm
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
zunzun,

Do you just do that in an .htaccess file? Where do you place the file on the server (which directory)?

thanks,
John


PostPosted: Fri Oct 02, 2009 2:54 pm
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
johnonlinode wrote:
Do you just do that in an .htaccess file?


See the section "How to Block by User Agent String" here:

http://www.thesitewizard.com/apache/blo ... cess.shtml

to use .htaccess.

James
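Added example, not taken from the linked page or from any poster: what a user-agent block of the kind zunzun described looks like as an .htaccess file using mod_rewrite. The substrings are zunzun's list; the file goes in the site's DocumentRoot (it then covers every subdirectory), which answers John's question about placement, and it only takes effect if mod_rewrite is loaded and the directory's AllowOverride setting includes FileInfo. Note that the F flag answers with 403 Forbidden, whereas zunzun's setup returns 404; either way the request never reaches the application.

```apache
# .htaccess in the DocumentRoot of the site (added example, not from the thread).
# Needs mod_rewrite enabled and "AllowOverride FileInfo" (or All) for this directory.
RewriteEngine On

# Match any of zunzun's substrings anywhere in the User-Agent header.
# [NC] makes the match case-insensitive; dots are escaped so they match literally,
# and the pattern is quoted because "Yahoo! Slurp" contains a space.
RewriteCond %{HTTP_USER_AGENT} "(Scanner|diavola|mywbs\.com|heritrix|turnitin|searchme\.com|cuil|baidu|Yahoo! Slurp|GingerCrawler|80legs|plukkie|scoutjet)" [NC]

# Refuse the request with 403 Forbidden and stop processing further rules.
RewriteRule .* - [F,L]
```

To confirm the rule is active on your own server, request a page with a matching agent, e.g. `curl -I -A diavola http://yoursite.example/` (hostname is a placeholder), and check that the response is 403 while a normal browser agent still gets 200.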


PostPosted: Fri Oct 02, 2009 4:24 pm
Senior Newbie

Joined: Wed Aug 05, 2009 9:47 pm
Posts: 10
Yahoo Messenger: jaydeelos
AOL: davaloseven
Location: Sunnyvale,Ca
Thanks, James. I'm going to take a look.

