Linode Forum
Linode Community Forums
Posted: Sun Oct 30, 2011 9:58 am
Newbie

Joined: Sun Oct 30, 2011 9:52 am
Posts: 3
I'm trying to keep our Linode as secure as possible and am looking at the various established network connections using netstat -a (we also use OSSEC HIDS).

I'm seeing a number of questionable NTP / other connections. Here's what I see using netstat -a:

udp 0 0 liXX.:37147 disorder.primate.ne:ntp ESTABLISHED
udp 0 0 liXX.:40025 173-203-122-111.vds:ntp ESTABLISHED
udp 0 0 liXX..:37540 dp.cx:ntp ESTABLISHED
udp 0 0 liXX.:34798 sulfur.mednor.net:ntp ESTABLISHED

I'm also seeing connections to localhost.localdom from / to port 4369. This is the port opened by eJabberD, and is expected, but the notes say that it should not be accessible outside the firewall. How can I block access to that port externally? And, I'm guessing the localhost.localdomain bindings are probably normal given that circumstance, correct?

Are these normal? If not, what is the vulnerability, and what can I do about that?


Posted: Sun Oct 30, 2011 11:42 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Those would be ntpd doing its business. You should be able to correlate these against ntpq -p. I find it a little odd that they are showing up there, since ntpd is normally really quick about disposing of sockets... do you have a firewall that might be blocking these? (If so, you're going to have a bad time.)

If 4369 is only listening on localhost, then it's only listening on localhost and isn't accessible externally. The -l option to netstat will specifically tell you what's listening where.

Also, the -n and -p options to netstat are quite handy.

_________________
Code:
/* TODO: need to add signature to posts */
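
Added example (not part of the original thread): a shell helper that applies the `netstat -l` / `-n` advice above to the port 4369 question, reporting whether each listener on a port is bound to loopback only or to an address other hosts can reach. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on a live host:
#   netstat -ln | listener_scope 4369

# listener_scope PORT: reads `netstat -ln` text on stdin and prints
# "<proto> <local-address> <scope>" for every socket bound to PORT.
listener_scope() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            la = $4                          # Local Address column
            n = match(la, /:[0-9]+$/)        # port follows the last colon
            if (n == 0) next
            if (substr(la, n + 1) != port) next
            addr = substr(la, 1, n - 1)
            # 127.0.0.0/8 and ::1 are loopback; anything else (0.0.0.0,
            # ::, a public IP) is reachable from other hosts unless a
            # firewall filters it.
            scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "EXPOSED"
            print $1, la, scope
        }'
}

# port_is_local_only PORT: 0 = loopback only, 1 = exposed, 2 = not listening.
port_is_local_only() {
    out=$(listener_scope "$1")
    [ -n "$out" ] || return 2
    case "$out" in *EXPOSED*) return 1 ;; esac
    return 0
}

# Constructed sample output (hypothetical hosts, not from the thread).
sample_loopback() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4369          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}
sample_wildcard() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

sample_loopback | listener_scope 4369
sample_wildcard | listener_scope 4369
```

Adding `-p` to the netstat call (as root) shows which process owns a socket reported as EXPOSED.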


Posted: Mon Oct 31, 2011 9:10 am
Newbie

Joined: Sun Oct 30, 2011 9:52 am
Posts: 3
Interesting - I don't have a firewall blocking these ports, so I'm wondering why they are persisting? Also, these are very strange domains - why is my machine binding to these (or it looks like the other way around - why are their NTP ports binding to my Linode)? The domains look suspicious, so I'm wondering how these are getting chosen for NTP binding?

I'll check out the netstat -l / -n / -p options as well.

Thanks!


Posted: Mon Oct 31, 2011 7:40 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Check /etc/ntp.conf. Odds are really good it will have something like

Code:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org


(or something else involving pool.ntp.org). If so, those particular servers are somewhat randomly picked from a pool of ~2600 public NTP servers whenever ntpd starts.

If you do "ntpq -p" and all of the numbers under the "st" column are not 16 and the "refid" values are not .STEP., everything's working OK and there's probably nothing to worry about.

Posted: Mon Oct 31, 2011 11:13 pm
Newbie

Joined: Sun Oct 30, 2011 9:52 am
Posts: 3
I don't seem to have the ntpq command or an /etc/ntp.conf file (running Ubuntu 10.04 LTS) -- what are the alternatives on Ubuntu?


Posted: Tue Nov 01, 2011 12:23 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Ah, you're likely running openntpd. Check /etc/openntpd/ntpd.conf. I see similar behavior on netstat -u as you do on a 10.04 machine with openntpd, so it's probably normal.
