topic Re: Port Scan, security? in Operating System - HP-UX

Port Scan, security?

HPP — Mon, 23 Apr 2001 11:56:45 GMT

Hi,
We are running HP-UX 10.20 and HP-UX 11.00. We have setup system level security and network security. Everyday some hacker tries to Scan the Ports on different servers. We have Klaxon deamon running on all these server and whenever somebody tries to Scan the port on any server, it sends out alert to system admin.
1.Is their way to track the outsider activities on the server apart from syslog, deamon.log?
2. Can someone explain more about Port Scan or give some link on web where i can learn more about Port Scan and Security.
3. Also we have BIND 9.1.1 running on HP-UX 10.20. How secure is BIND 9.1.1?
4. Any utilities available on HP-UX 10.20 and 11.00 for Security Checking. Any tips on making HP-UX more secure?

Please help.
Thanks in advance.

Re: Port Scan, security?

Barry O Flanagan — Mon, 23 Apr 2001 12:06:32 GMT

First things first: do you have a firewall? If so your firewall logs should tell you where traffic directed at certain machines is coming from. If you can get this info, do a WHOIS on the IP and you can work out where/who this person is. If you do have a firewall it might be worth checking what ports are open to which servers.

If you don't, or the port scan is internal then you need to harden your O/S see http://people.hp.se/stevesk/bastion11.html for how to harden your HP system, to make yourself more difficult to scan.

"nmap" is a good port scanner and you can use it yourself to scan your own systems after you harden them to show up any security holes.

Thats my 2 cents...

Re: Port Scan, security?

HPP — Mon, 23 Apr 2001 12:53:01 GMT

Barry O'Flanagan,
Thanks for your quick response. Where can i get "nmap" untility? Is it available from HP or its freeware?
The link you provided has good security stuff.

Thanks

Re: Port Scan, security?

Stefan Schulz — Mon, 23 Apr 2001 13:10:42 GMT

You can get nmap from the Software Porting Archive (http://hpux.connect.org.uk/). There is also another scanner available called "iss", and perhaps more. And yes, nmap is free.

You will also find a goot TCP sniffer called ethereal there. So you could analyze the ambigous TCP packets.

But my first thing would be to check the firewall. You have a firewall, don't you ;-)

Re: Port Scan, security?

Paul Hawkins — Mon, 23 Apr 2001 13:23:54 GMT

If your server security has been compromised then it may be difficult to track what the intruder has modified/changed/deleted/added etc... I use Tripwire (free software). You build a database of digital signatures of your system files (or any other files for that matter). If any of the files are changed, or files added to directories you will know about it.
This is obviously not a first line of defence measure but it is majorly important to know what has been interfered with after an attack.