I had some problems in the past with people loving very much to go in and out of my machine. So this time when I noted strange behavior, I went through /var/log/messages and found:
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/sftp-ssh.service.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/ssh.service.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Network interface enumeration completed.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Registering HINFO record with values 'I686'/'LINUX'.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Server startup complete. Host name is linux-2c5j.local. Local service cookie is 974136706.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "linux-2c5j" (/etc/avahi/services/ssh.service) successfully established.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "SFTP File Transfer on linux-2c5j" (/etc/avahi/services/sftp-ssh.service) successfully established.
Feb 2 17:10:44 linux-2c5j modem-manager: Loaded plugin Sierra
Now I did not activate an SFTP server or ssh server on my machine. Are they normally activated? Which program could be the one that activates these services, given a normal install? I also suddenly had the following alterations on the machine: privoxy was deactivated, tor was deactivated.
The day before, umtsmon was crashing repeatedly. Unlike normally when it crashes (3G cellphone attached), there was no interruption of the Internet connection, as I would have expected.
Another anomaly was that although I do use a luks encrypted home partition, dm-crypt asks to input the password to access sda4 in order to access the drive, but if I cancel, I do not have any problem accessing my data (as I would have expected, since I did input the right password at boot). All this leaves me a bit unsatisfied and not really reassured.
Is there any way to see if somebody goes in and out here?
Thanks.
usr@linux-2c5j:~> pa -ef | grep ftpd
bash: pa: command not found
user@linux-2c5j:~> pa -ef | grep ftpd
bash: pa: command not found
user@linux-2c5j:~> ps -ef | grep ftpd
user 5590 3866 0 18:02 pts/1 00:00:00 grep ftpd
user@linux-2c5j:~> ps -ef | grep sshd
user 5594 3866 0 18:03 pts/1 00:00:00 grep sshd
user@linux-2c5j:~> netstat -ltp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:privoxy *:* LISTEN -
tcp 0 0 localhost:ipp *:* LISTEN -
tcp 0 0 localhost:9050 *:* LISTEN -
tcp 0 0 localhost:ipp *:* LISTEN -
My settings in runlevel:
sshd : NO
xinetd: NO
cups: YES
tor: YES*
Privoxy: YES
(these 3 I did activate; my printer does not print without cups). They were activated before the problem occurred, but I found them deactivated yesterday.
I do not understand why these servers are active. I also have trouble understanding what pts/1 is.
No ftp server is set up in the runlevels…but apparently it runs.
Sorry about my typo: it is ps not pa, but you did find that out already.
It seems that avahi is doing things. When you do not use the zeroconf network (and when you have no Windows systems in the LAN that is pretty sure), you can switch off both avahi services in YaST > System > System Services (Runlevel).
There is no ftp daemon running because:
a) there is no process with a name that ends in ftpd (like sftpd)
b) more important, there is no program listening on port 21 (ftp) or 22 (ssh), thus no ftp client or ssh client can make a connection to your system.
BTW you have a very clean list of open ports, only four, where one is for privoxy and two for cups (ipp). When you do the same netstat as root, you will see which program listens on the 9050 port. Looks very secure to me.
It “should” be very secure, but I have had really several troubles. Besides, this is what I do not understand: avahi IS deactivated. No zeroconf should be active. I also had trouble with the firewall. Automatically starting the firewall was deactivated, but the firewall was running. The command under root gives:
linux-2c5j:~ # netstat -ltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:privoxy *:* LISTEN 3201/privoxy
tcp 0 0 localhost:ipp *:* LISTEN 3211/cupsd
tcp 0 0 localhost:9050 *:* LISTEN 3206/tor
tcp 0 0 localhost:ipp *:* LISTEN 3211/cupsd
This again looks very good. But I am with you that the logging you show in the first post above is then very strange indeed. Did you check if avahi is running with ps?
I’m with Henk. If someone does come in, you should find an entry in /var/log/messages. At least one, if the attacker managed to disable log entries. Or, in the compressed bz file containing the old messages entries.
BTW, @stakanov: you know your 11.1 is past its life’s end? If your concern about your security still is as high as I remember, I suggest you upgrade to 11.3 or 11.4; that would at least give you an up-to-date system with the latest security features.
11.4 is on the plan after the last days, as you can imagine. But I will not be able to do it right away when it comes out (due to organizational problems).
Please repeat this without the silly {p] at the end.
It should give the same under root as under a normal user, looking in the process table is not restricted to root.
And what about YaST > System > System Services (Runlevel)? Are the two avahi services switched on there? Then switch them off.
LOL, no, it is that at this time of the day on a 12’’ I have a sight problem, so I did not mean to use a curly one, sorry. With the user account I did actually not repeat the error. Maybe I need glasses…or a bigger screen.
On 2011-02-24 17:36, stakanov wrote:
>
> I had some problems in the past with people loving very much to go in
> and out of my machine. So this time when I noted strange behavior, I
> went through \var\log\messages and found:
>
> Code:
> --------------------
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/sftp-ssh.service.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/ssh.service.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Network interface enumeration completed.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Registering HINFO record with values ‘I686’/‘LINUX’.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Server startup complete. Host name is linux-2c5j.local. Local service cookie is 974136706.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service “linux-2c5j” (/etc/avahi/services/ssh.service) successfully established.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service “SFTP File Transfer on linux-2c5j” (/etc/avahi/services/sftp-ssh.service) successfully established.
> Feb 2 17:10:44 linux-2c5j modem-manager: Loaded plugin Sierra
> --------------------
>
>
> Now I did not activate SFTP server or ssh server on my machine.
The SFTP I think stands for secure ftp, and thus it depends on the sshd
daemon. And obviously, avahi was running at that time; maybe you stopped
those services later. Probably it does not mean that sshd/sftpd are
running, but that avahi awareness of them is enabled.
Run this as root:
for I in avahi-daemon avahi-dnsconfd sshd ; do chkconfig $I ; done
avahi-daemon is a difficult service to remove, the system will insist on
re-enabling/reinstalling it.
> Another anomaly was that although I did use luks encrypted home
> partition, the dm-crypt asks to input the password to access sda4 in
> order to access the drive, but if I cancel, I do not have any problem to
> access my data (as I would have expected, since I did input the right
> password at boot). All this leaves my a bit unsatisfied and not really
> reassured.
I don’t understand this. Could you explain again, please?
Let me see… I think you mean that the system asks for the password to
encrypted sda4, during the boot-up sequence. Later on something asks again
for the password, you cancel, and still you can access sda4.
Is that it? That would be a bug (not dangerous), which will not be solved
as 11.1 is EOL. The bug is that it does not verify that the partition is
already accessible.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
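A way to verify what Henk and Carlos say above (avahi announcing ssh.service and sftp-ssh.service means only that avahi awareness is on; the real test is whether anything listens on the advertised port) as an added example, not code from anyone in this thread. It assumes GNU sed and awk, the numeric output of `netstat -ltpn` run as root, and stock-style avahi service files; the log lines, netstat output and service files below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Cross-check the avahi service files that
# /var/log/messages reports as "successfully established" against the ports that
# really have a listener, so an advertised ssh.service with no sshd behind it
# is flagged. The log lines, netstat output and service files below are
# constructed; in real use pass /var/log/messages, the output of
# `netstat -ltpn` run as root, and /etc/avahi/services.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/messages" <<'EOF'
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/ssh.service.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "linux-2c5j" (/etc/avahi/services/ssh.service) successfully established.
Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "SFTP File Transfer on linux-2c5j" (/etc/avahi/services/sftp-ssh.service) successfully established.
Feb 2 17:10:44 linux-2c5j modem-manager: Loaded plugin Sierra
EOF
# Constructed netstat -ltpn as root: only privoxy (8118), cupsd (631), tor (9050)
cat >"$TMP/netstat" <<'EOF'
tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN 3201/privoxy
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3211/cupsd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3206/tor
EOF
# Minimal stand-ins for the stock avahi service files (both announce port 22)
mkdir -p "$TMP/services"
printf '<service-group><service><type>_ssh._tcp</type><port>22</port></service></service-group>\n' >"$TMP/services/ssh.service"
printf '<service-group><service><type>_sftp-ssh._tcp</type><port>22</port></service></service-group>\n' >"$TMP/services/sftp-ssh.service"

# Service files avahi logged as established, basename only, one per line.
avahi_established() {  # $1 = messages log
  sed -n 's|.*avahi-daemon\[[0-9]*\]: Service .*(/etc/avahi/services/\([^)]*\)) successfully established.*|\1|p' "$1" | sort -u
}
# The TCP port an avahi service file announces (<port>N</port>).
avahi_port() {  # $1 = service file
  sed -n 's|.*<port>\([0-9]*\)</port>.*|\1|p' "$1" | head -n 1
}
# Exit 0 if some process listens on TCP port $2 according to netstat -ltpn output $1.
listening_on() {
  awk -v p="$2" '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                 END { exit found ? 0 : 1 }' "$1"
}
# Report every advertised service whose port has no listener (the thread's case:
# avahi announces ssh/sftp-ssh although no sshd is running).
advertised_without_listener() {  # $1 = log, $2 = netstat output, $3 = services dir
  avahi_established "$1" | while read -r svc; do
    port=$(avahi_port "$3/$svc")
    [ -n "$port" ] || continue
    if ! listening_on "$2" "$port"; then
      printf '%s advertised, but nothing listens on tcp/%s\n' "$svc" "$port"
    fi
  done
}

advertised_without_listener "$TMP/messages" "$TMP/netstat" "$TMP/services"
```

An empty report means every service avahi announces really has a listener; a line for ssh.service with no listener is the harmless "avahi awareness only" situation described above, while an unexpected listener on 22 is what would deserve a look at who started sshd.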