LinuxQuestions.org
Old 08-22-2004, 12:17 PM   #16
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696


Quote:
Originally posted by unixfreak
If I'm using a dial-up stand-alone computer, will Mandrake's built-in firewall be sufficient?
Yes, if configured correctly.

Quote:
I'm a bit confused by the settings. What settings do I have to configure in order to have the greatest security?
You have a desktop machine, so you probably don't run a WWW or mail server. If that's true you may close all ports (in fact, it's more complicated, but that's what the configuration program offers). And that's what you should do.

Quote:
Ports like, for example, 139, 445 and 135 are vulnerable to attacks, including NetBIOS ones. In Linux, where are these settings located so that I can close them manually?
They're still 139, 445 and 135. The difference is that they're closed (if you're not using Samba) and the NetBIOS attacks don't work on a Linux machine. If you choose to close all ports, they will be closed by the firewall.
 
Old 08-22-2004, 12:24 PM   #17
unixfreak
Member
 
Registered: Jul 2004
Distribution: Linux 2.4.21-0.13mdk, W2K
Posts: 412

Original Poster
I'm a bit confused by the settings. What settings do I have to configure in order to have the greatest security?

I set the firewall config to "Higher". Will this provide the greatest security?

In the Services section, I do not know what most of them mean. Could you or someone please help me with what to remove and what not?

Like I said, it's just basic computing. I will not use Samba, PHP, MySQL or anything like that.

Last edited by unixfreak; 08-22-2004 at 12:25 PM.
 
Old 08-22-2004, 12:26 PM   #18
Crashputer
LQ Newbie
 
Registered: Aug 2004
Posts: 29

I don't know how to set the firewall settings in Mandrake... I've never used that distro myself. But the best way to protect yourself is to not keep sensitive data on your computer. Don't store passwords or credit information. That is still the most common use of hacking: information.

A good tip is to watch your packet flow. If there are too many packets flying when you're idle, you should be on alert. But don't watch TOO closely either. Packets fly continually even when you're idle. Sometimes it may look as if you have an active connection, and it's simply the remote server sending a ping or some type of ambiguous packet.
 
Old 08-22-2004, 01:11 PM   #19
Mephisto
Member
 
Registered: Oct 2002
Location: Washington D.C, USA
Distribution: Slack 12, Etch, Gutsy
Posts: 453

If you want "greatest security" then have a dedicated firewall. For purposes of a desktop system though, the firewall that comes with Mandrake is sufficient. Turn off all unnecessary services. What services are running? While I think you would be better served by researching the subject yourself, the obvious ones to turn off would be sshd, httpd, any ftp server, samba, nfsd, and sendmail. If you are using Cups for printing then don't disable the service but block incoming connections to port 631.

An easy way to find out what is active is to use nmap or nmapfe on your outward facing interface (the modem in your case). In my (extreme) case the only port open on my external interface is 6000 (X11) and that is blocked by the firewall. Since I do not use xinetd, anything else I need I activate when I need it.

If you really wanted to lock it down there are additional security patches out there to harden kernel, etc. But that is beyond what can be explained in a forum post and would serve no purpose for a desktop system. (Some would disagree with this last statement I suppose, but it is still silly in my opinion for a desktop.)
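Before (or instead of) scanning from outside with nmap, the same facts can be read locally from /proc/net/tcp. The script below is an added example, not code from this thread or from Mandrake; the /proc sample it parses is constructed to resemble a desktop with httpd, Samba and CUPS running, and it distinguishes sockets bound to every interface (reachable over the modem link) from loopback-only ones.

```shell
#!/bin/sh
# Added example (not from the thread): list the TCP ports this host is
# listening on by reading /proc/net/tcp, the same facts an outside scanner
# like ShieldsUP! reports as OPEN.  No root needed.
#
# /proc/net/tcp fields: sl local_address rem_address st ...
#   local_address is HEXIP:HEXPORT, st 0A means LISTEN,
#   a local IP of 00000000 means bound to every interface, ppp0 included.

# listening_ports [all|exposed]  (reads /proc/net/tcp text on stdin)
#   all      every LISTEN socket, including loopback-only ones (e.g. CUPS 631)
#   exposed  only sockets bound to 0.0.0.0, i.e. reachable from the modem link
listening_ports() {
    mode=${1:-all}
    while read -r _sl local _rem st _rest; do
        [ "$st" = "0A" ] || continue                # keep LISTEN sockets only
        if [ "$mode" = exposed ] && [ "${local%%:*}" != "00000000" ]; then
            continue                                 # bound to one address only
        fi
        echo $((0x${local##*:}))                     # hex port -> decimal
    done | sort -n | uniq
}

# Constructed sample: httpd on 80/443 and smbd on 139 bound to all
# interfaces, CUPS on 631 bound to 127.0.0.1 only, plus one ESTABLISHED
# (st 01) connection that must be ignored.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 0 0 0
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 0 0 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 0 0 0
   3: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 0 0 0
   4: 0100007F:0050 0100007F:C3A8 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0 0 0 0'

# Usage: the constructed sample first, then the live host when /proc exists.
echo "sample, all listeners:      $(printf '%s\n' "$SAMPLE" | listening_ports all | tr '\n' ' ')"
echo "sample, exposed to the net: $(printf '%s\n' "$SAMPLE" | listening_ports exposed | tr '\n' ' ')"
if [ -r /proc/net/tcp ]; then
    echo "this host, exposed:         $(listening_ports exposed < /proc/net/tcp | tr '\n' ' ')"
fi
```

Any port in the "exposed" list that the firewall does not block is what the GRC test will show as OPEN.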
 
Old 08-22-2004, 01:54 PM   #20
mikshaw
LQ Addict
 
Registered: Dec 2003
Location: Maine, USA
Distribution: Slackware/SuSE/DSL
Posts: 1,320

I'm not convinced that GNU/Linux is inherently safe from virii/trojan/spyware...there are some pretty freaking brilliant people out there looking for exploits.
Keeping these problems to a minimum, however, seems to be much easier in Linux than in some other OSs.
As mentioned, using root privileges should be done only when absolutely necessary...this is a huge step toward system security. This includes being careful about giving root access to users through sudo. If you run as user, but have sudo access to critical system files, it's no safer than running as root.
 
Old 08-22-2004, 02:18 PM   #21
Mephisto
Member
 
Registered: Oct 2002
Location: Washington D.C, USA
Distribution: Slack 12, Etch, Gutsy
Posts: 453

Quote:
Originally posted by mikshaw
I'm not convinced that GNU/Linux is inherently safe from virii/trojan/spyware...there are some pretty freaking brilliant people out there looking for exploits.
I agree, though with proper precautions you can keep the threat to a minimum. As of this moment Linux users can bask in the glory of not being the primary target for such things. What is a more prevalent threat at the moment is script kiddies trying to penetrate the system. (How many boxes out there allow remote root using sshd with a plain English password?) It eventually becomes a question though of to what extent you need to lock down your system. In this case we are talking about a Desktop user on a modem, which puts it outside the primary targeted area for kiddies (always on connection, static IP hosting services). This does not mean that it is not a target, merely not a primary one.

A determined attacker with enough time and talent can penetrate almost any system. The good news is most attackers are not talented and have the attention span of a newt. Far easier for them to use automated scanners and see what comes up. If you are reasonably configured though a script kiddie will pass you over. Even if they decide to pick on you the connection is likely to be closed before they get anywhere.
 
Old 08-22-2004, 06:10 PM   #22
unixfreak
Member
 
Registered: Jul 2004
Distribution: Linux 2.4.21-0.13mdk, W2K
Posts: 412

Original Poster
Ok, I went to www.grc.com (Shield's Up) and tested both Common Ports and the File Sharing. The results were disastrous!!!! See the results below. This IS NOT good.

File Sharing Test Results:

Preliminary Internet connection established!
Your computer has accepted an anonymous connection from another machine it knows nothing about! (That's not good.) This ShieldsUP! web server has been permitted to connect to your computer's highly insecure NetBIOS File and Printer Sharing port (139). Subsequent tests conducted on this page, and elsewhere on this website, will probe more deeply to determine the extent of this system's vulnerability. But regardless of what more is determined, the presence and availability of some form of Internet Server HAS BEEN CONFIRMED within this machine . . . and it is accepting anonymous connections!

The rest of this website explains the implications and dangers of your present configuration and provides complete and thorough instruction for increasing the security of this system. At the moment, any passing high speed Internet scanner will quickly spot this computer as a target for attack. (When this page has completely finished displaying, you might wish to sneak a quick peek at these two pages to see what lies ahead at this website: Scanner1 & Scanner2)

The phrase you must remember is:
"My port 139 is wide OPEN!"

Remotely connected to your NetBIOS system!
This computer is exposing its internal NetBIOS networking protocol over the Internet. This is called "NetBIOS over TCP/IP" or "NBT" for short. This is a security risk because it gives anyone in the world a point of entry to your system. Connecting to your computer is NOT something that anyone on the Internet should be allowed to do . . . but we've just done it! The following pages provide information about the consequences and your options for increasing your system's security.
Your computer's name is: LOCALHOST / Samba Server 2.2.7a.
This is an example of some of the information about you and your computer that is leaking out onto the Internet and is openly available to anyone. Such information is commonly used as a starting point for guessing your name and/or your passwords and learning more about who you are.
Your computer is exposing 2 shared resources!
The following 2 "shares" (file system directories or printers) are being actively exposed and advertised by the Hidden Internet Server now running inside your computer:

Your System's Internet Connection Security Synopsis:
This system's silent NetBIOS over TCP/IP (NBT) Internet Server is actively advertising its existence across the Internet and thus inviting equally silent connection and intrusion into your system. We were just now able to connect to your computer and establish a dialog with it, asking for its name and other information. That is the first step in breaking into a system. Automated "hacking tools" already exist to scan the Internet looking for computer targets exactly like this one . . . and then silently cracking any passwords you may be using to "protect" those resources.

All of your system's shared resources are password protected. That's good! But as you can see, their names and the fact of their existence is still completely exposed and dangling out there on the Internet for everyone to see. This could cause intruders to wonder what they might contain . . . and what their passwords might be. Sophisticated password cracking utilities are readily available to anyone who might be curious about the contents of these exposed shared resources.

Your computer's private resources are being served
up to the entire Internet by software which identifies
itself as: Microsoft Windows Network


Common Port Test Results:

GRC Port Authority Report created on UTC: 2004-08-22 at 23:01:02

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

3 Ports Open
23 Ports Closed
0 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be STEALTH.

Ports found to be OPEN were: 80, 139, 443

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
------------------------------------------------------------------------

Now, what should I do to improve my results? I set the built-in Firewall to "High" when it did these tests.

On my Windows 2000, it always showed everything as good all across the board.

What services do I need to disable?

Last edited by unixfreak; 08-22-2004 at 06:13 PM.
 
Old 08-22-2004, 07:03 PM   #23
amosf
Senior Member
 
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672

Sounds like no firewall. You need to get into the mandrake control center and enable the firewall as it doesn't appear to be enabled. These are the filesharing results on my mixed linux/windows network with shared files etc:

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

You should also be getting all ports stealthed (except maybe 113) in the Common Ports test.
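Underneath the wizard, Mandrake's firewall is a set of iptables rules. The script below is an added example, not code from this thread, from Mandrake or from Shorewall: a hand-written rule set for a stand-alone dial-up desktop that produces the "stealth" result described above, assuming the dial-up interface is named ppp0.

```shell
#!/bin/sh
# Added example (not from the thread, Mandrake or Shorewall): a hand-written
# iptables policy for a stand-alone dial-up desktop, in iptables-restore
# format.  It shows what separates the ShieldsUP! verdicts seen in this
# thread: a listening daemon is OPEN, a REJECT rule answers the probe and
# shows CLOSED, a DROP rule stays silent and shows STEALTH, and dropping
# echo-request clears the "PING REPLY WAS RECEIVED" failure.

EXT_IF=${EXT_IF:-ppp0}     # assumed dial-up interface name; adjust to yours

# Emit the rule set as text so it can be reviewed (or diffed against the
# output of iptables-save) before anything is applied to a live box.
desktop_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted: CUPS on 631 stays reachable from this machine
-A INPUT -i lo -j ACCEPT
# replies to connections this desktop started (browsing, mail, DNS)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# stay silent to ping so a scan cannot even confirm the host is up
-A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -j DROP
# ident (113): answer with a reset so mail/IRC servers do not hang on it
-A INPUT -i $EXT_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# anything else unsolicited on the dial-up link hits the DROP policy
COMMIT
EOF
}

# Load the rules atomically with iptables-restore (needs root).
apply_rules() {
    desktop_rules | iptables-restore
}

case ${1:-show} in
    show)  desktop_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

With this policy, a daemon such as httpd or smbd left running behind it still shows up in a local port inventory, but the scanner sees STEALTH rather than OPEN; stopping the daemon is still the cleaner fix.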
 
Old 08-22-2004, 09:10 PM   #24
Mephisto
Member
 
Registered: Oct 2002
Location: Washington D.C, USA
Distribution: Slack 12, Etch, Gutsy
Posts: 453

Quote:
Originally posted by unixfreak
Ok, I went to www.grc.com (Shield's Up) and tested both Common Ports and the File Sharing. The results were disastrous!!!! See the results below. This IS NOT good.
Just disable Samba, and httpd if it is running, and follow the advice given earlier. Also remember that services like this are more than a little alarmist; they want to sell you something. This is not to say that they have no value, merely extremist. As an example, I ran this test on a couple of my machines. On one of them I have an SMTP server that only accepts authenticated traffic from specified addresses. Shields Up warned me that the SMTP server could be used as a spam gateway and that steps needed to be taken to lock it down. Which is complete bollocks as it is already locked down and I monitor the load so would know if it were being used as a spam gateway.

Oh yeah, and activate your firewall if you have not already. If you don't have one get one. (Guarddog or Firestarter are good for newbies)

EDIT: having read the message again, unless you are using it turn off your web server. No reason to leave it on and it attracts unnecessary attention. (At least you don't have an FTP server running)

Last edited by Mephisto; 08-22-2004 at 09:15 PM.
 
Old 08-22-2004, 09:22 PM   #25
WhiteChedda
Member
 
Registered: Aug 2003
Location: Florida
Distribution: Mandrake 9.1 for now
Posts: 205

Re: Viruses on Mandrake??

Quote:
Originally posted by unixfreak
Hello, I'm a newbie and I just installed Mandrake 9.1 just last week.

I want to know if Mandrake is vulnerable to viruses?

I'm on a dial-up connection with a stand-alone machine.

Will I have to get an AV software?

When it comes to virus vulnerability in Linux, does it really matter which distro you use??
In order.

1. Yes, Mandrake and in fact ALL Linux distributions are vulnerable to malicious code. The only SECURE computer is one that does not work; that's rule #1 of computer security. That said, Linux is not a popular desktop OS, by that I mean an OS everyday people get and use to browse the web, etc. Therefore, targeting it for a virus infection is not as useful as a more mainstream OS like Windows. Put simply, until Linux gains a helluva lot more popularity as a desktop OS, or virus writers decide to waste their time and infect a minimal amount of machines, you, BSD users, BeOS users, and MacOS users are going to be fine.

2. This doesn't matter much for viruses, and 9 times out of 10 a virus infection is the result of user stupidity. Running that exe attached to your e-mail, not updating your OS with the most recent patches, or the more popular method, distributed in the warez you're using. These can be just as devastating under Linux as Windows, so DON'T DO IT.

3. No, you should not have to get AV software yet; in another 10 years, probably.

4. Possibly, if the distribution somehow kept you up to date on patches better, it would be less likely to be victimized by published security flaws. But for the most part, no. Mandrake versus Redhat using the same kernel and same patched software = no difference. Until someone figures out how to use the splashscreen images anyway. [That's a joke]
 
Old 08-22-2004, 10:06 PM   #26
unixfreak
Member
 
Registered: Jul 2004
Distribution: Linux 2.4.21-0.13mdk, W2K
Posts: 412

Original Poster
Ok, I went to Mandrake Control Center/Security/ and I went to the Firewall Config Wizard.

Ok, there's a selection and it asks you "Which services would you like the Internet to connect to?"

It has the following selections:

Everything (No Firewall)
Web Server
Domain Name Server
SSH
FTP
Mail Server
POP and IMAP
CUPS (which is the only one checked).

Now what do I do from here???

I want to have a good report in GRC next time I do the test; I need to know what to do from here. Just please explain what's to be running/stopped in the services list. I would appreciate it.

I went to Services and I stopped HTTPD from running. But Samba is not listed. I don't know why. Should Network be stopped??? If that's the one.

And I just noticed under Services that iptables is stopped. I tried to click on Start but it will not do anything.

Last edited by unixfreak; 08-22-2004 at 10:15 PM.
 
Old 08-22-2004, 10:18 PM   #27
amosf
Senior Member
 
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672

Just untick everything and you should be fine. If you need to open a port for P2P or some other service you can do that later (with advanced option)

If that doesn't help then shorewall isn't working... Frankly I had probs with it and always edited the config files directly...

You may need to check if it's really running... I'll do some test here. I used it last year temporarily, but lately I went back to a separate smoothwall firewall box (old P166mmx)
 
Old 08-22-2004, 10:21 PM   #28
amosf
Senior Member
 
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672

Actually as you run through the wizard you will be prompted for the interface (ppp or eth1 etc) and whether you want to install shorewall - if it's not installed...
 
Old 08-22-2004, 10:22 PM   #29
unixfreak
Member
 
Registered: Jul 2004
Distribution: Linux 2.4.21-0.13mdk, W2K
Posts: 412

Original Poster
Which one are you talking about to untick??? The firewall or the Services list??

And how can I tell my firewall is working? You mean that Shorewall is built-in? Because I'm not running Shorewall, I'm using Mandrake's firewall.

Everything is unticked except CUPS.

I unticked CUPS and reloaded the Wizard but CUPS was re-checked. Why does it do this?

Last edited by unixfreak; 08-22-2004 at 10:25 PM.
 
Old 08-22-2004, 10:34 PM   #30
amosf
Senior Member
 
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672

Shorewall is the built in firewall.

I would try unticking everything and click okay. That should bring up the interface dialog, where you would select ppp. Then you hit okay again.

That will then ask you to install the firewall if it's not already installed.

If it is running, you should get a result from

/etc/init.d/shorewall status

with details of the firewall.
 