There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on :
Code:
[root@fmsproddb satellite]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Port 1521 not open :
Code:
[root@fmsproddb satellite]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@fmsproddb satellite]#
I assume it is listening because the application is turned on, and thus the service related to port 1521 turned on and that is why it is listening on this port?
Even if the network firewall (physical) is open, if the iptables is running in the server, it should not allow port 1521 to be open/listening?
I can't think of any other way how people can hack the server on port 1521. Please help clear my doubt.
I want to write a server application that would accept HTTP requests from client.
The server would be on a machine that has no connection to the INTERNET.
The clients that would be posting their HTTP requests would be doing so through webbrowser .Thus it would be sort of intranet application.... (0 Replies)
Hi,
i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply,
i think someone has put an script which generates enables the rules.
But after restarting the iptables everything seems to be working... (0 Replies)
Just got old ATT server (10 base T)shipped and want to connect to Windows using com port. Got hardware to connect RJ45 from windows box & serial on ATT. I added XP static ip to host file but get no ping return. Do I have to open unix com port? How? (2 Replies)
Hello there,
I have a big problem, and I hope somebody can help me. I try to realize a port forward over three server. Here is a picture...
Client Server1 | Server2
------- ------- | -------
|...... | |...... | | |...... ... (2 Replies)
One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage.
The more sophisticated the hacker, the less likely... (8 Replies)
Hello!
First of all: I am a newbie. :o :(
I have a CentOS 64bit server with Plesk Panel 8.6.
And have been hacked. :mad:
After many tries and support tickets, I am configuring a new server, with Suse 11 and Plesk 9.2.
I know that Plesk 8.6 have a backup utility (Parallels Plesk Control... (3 Replies)
Hi Guys,
My certificate in /etc/ssh is different to what is on port 22.
username@server:~$ ssh-keyscan -p 22 127.0.0.1 > /tmp/rsa.tmp
# 127.0.0.1 SSH-1.99-OpenSSH_33.33
username@server:~$ ssh-keygen -lf /tmp/rsa.tmp
1024 46:something..................... 127.0.0.1... (0 Replies)
please find the below o/p for your reference
bash-3.00# fcinfo hba-port
HBA Port WWN: 21000024ff295a34
OS Device Name: /dev/cfg/c2
Manufacturer: QLogic Corp.
Model: 375-3356-02
Firmware Version: 05.03.02
FCode/BIOS Version: BIOS: 2.02; fcode: 2.01;... (3 Replies)
Discussion started by: sb200
3 Replies
LEARN ABOUT DEBIAN
shorewall-routestopped
SHOREWALL-ROUTESTOP(5) [FIXME: manual] SHOREWALL-ROUTESTOP(5)NAME
routestopped - The Shorewall file that governs what traffic flows through the firewall while it is in the 'stopped' state.
SYNOPSIS
/etc/shorewall/routestopped
DESCRIPTION
This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped.
Warning
Changes to this file do not take effect until after the next shorewall start or shorewall restart command.
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in
the alternate specification syntax).
INTERFACE - interface
Interface through which host(s) communicate with the firewall
HOST(S) (hosts) - [-|address[,address]...]
Optional. Comma-separated list of IP/subnet addresses. If your kernel and iptables include iprange match support, IP address ranges are
also allowed.
If left empty or supplied as "-", 0.0.0.0/0 is assumed.
OPTIONS - [-|option[,option]...]
Optional. A comma-separated list of options. The order of the options is not important but the list can contain no embedded whitespace.
The currently-supported options are:
routeback
Set up a rule to ACCEPT traffic from these hosts back to themselves. Beginning with Shorewall 4.4.9, this option is automatically
set if routeback is specified in shorewall-interfaces[1] (5) or if the rules compiler detects that the interface is a bridge.
source
Allow traffic from these hosts to ANY destination. Without this option or the dest option, only traffic from this host to other
listed hosts (and the firewall) is allowed. If source is specified then routeback is redundant.
dest
Allow traffic to these hosts from ANY source. Without this option or the source option, only traffic from this host to other listed
hosts (and the firewall) is allowed. If dest is specified then routeback is redundant.
notrack
The traffic will be exempted from conntection tracking.
PROTO (Optional) - protocol-name-or-number
Protocol.
DEST PORT(S) (dport) - service-name/port-number-list
Optional. A comma-separated list of port numbers and/or service names from /etc/services. May also include port ranges of the form
low-port:high-port if your kernel and iptables include port range support.
SOURCE PORT(S) (sport) - service-name/port-number-list
Optional. A comma-separated list of port numbers and/or service names from /etc/services. May also include port ranges of the form
low-port:high-port if your kernel and iptables include port range support.
Note
The source and dest options work best when used in conjunction with ADMINISABSENTMINDED=Yes in shorewall.conf[2](5).
EXAMPLE
Example 1:
#INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE
# PORT(S) PORT(S)
eth2 192.168.1.0/24
eth0 192.0.2.44
br0 - routeback
eth3 - source
eth4 - notrack 41
FILES
/etc/shorewall/routestopped
SEE ALSO
http://shorewall.net/starting_and_stopping_shorewall.htm
http://shorewall.net/configuration_file_basics.htm#Pairs
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)NOTES
1. shorewall-interfaces
http://www.shorewall.net/manpages/shorewall-interfaces.html
2. shorewall.conf
http://www.shorewall.net/manpages/shorewall.conf.html
[FIXME: source] 06/28/2012 SHOREWALL-ROUTESTOP(5)