LinuxQuestions.org

Linux - Security
Crack my system - I think Firewall's are unnecessary (https://www.linuxquestions.org/questions/linux-security-4/crack-my-system-i-think-firewalls-are-unnecessary-99496/)

Capt_Caveman 10-05-2003 11:16 AM

These are amusing:
Quote:

Originally posted by jayjwa
I for one am glad this firewall thing was brought up. People have gone firewall and security crazy.
<SNIP>
I do have a firewall now, because it does help bring peace of mind since I'm connected to the 'net 24x7 with all these services.
-Jay

Oh okay, so you're going to run a firewall, but you don't think everyone else should? That makes a lot of sense.

Quote:

Originally posted by jayjwa
Coding those exploits, and even using them and knowing what to do with them requires more than just clicking the mouse on a "yes" box.

Not really. You can go to numerous blackhat websites and download prepackaged exploit code that only requires a minimal amount of user know-how. So you have a relatively large number of "script-kiddies" running around with high-powered tools that can compromise your box in a heartbeat. Given what turns up in your nmap scan, it would probably be pretty trivial. If you think those people are few and far between, then you haven't actually "seen" what's out there on the internet.

To be honest I think you guys have it backwards. Running a firewall actually gives you the freedom to run services (especially vulnerable ones) on your local network that would otherwise get hammered if you let them be exposed publicly. By limiting who can or can't access a service, you're significantly reducing the risk of them being compromised while allowing those on your network to use all the services they want. So I don't get all this freedom crap you guys keep repeating.

Xylon 10-05-2003 12:35 PM

Wow, there were a lot of replies. I didn't expect this kind of response. A few points:

1. Bringing up worms and other viruses designed to attack WINDOWS is irrelevant. Linux is immune from the blaster worm and any other Windows-specific attacks.

2. I am not aware of any anti-virus software that exists for Linux; most viruses seem to be written to attack Windows.

3. There are NOT people constantly hammering at my system trying to get in. Even systems that are totally unsecured may not be hacked because maybe nobody will end up trying. If someone tries to hack my more secure system chances are they will give up. Statistically a reasonably secured home system is unlikely to be hacked. I do think Firewalls are useful for mission-critical and corporate applications, but not for home users.

4. I am not denying that security risks exist. The entire Half Life 2 source code was recently hacked from Valve.

5. Everyone can agree that Linux is at least SOMEWHAT more secure than Windows. Someone trying to do a DDoS will probably attempt to use Windows systems.

In theory, security risks exist. But, in reality for a hobbyist using Linux at home that risk is statistically a minimum.

Capt_Caveman 10-05-2003 02:02 PM

Most of which are wrong:

1. But that doesn't make Linux immune from Linux-specific worms (slapper)

2. There are a bunch now, including mainstream AV providers like Kaspersky Lab and Symantec

3. You should turn on a packet sniffer like Ethereal or Snort. I don't know about you, but I get aggressively scanned at least several times per day, not including the abuse my webserver takes. New tools like parallel scanning auto-rooters allow the not-so-subtle script kiddie to compromise machines at a tremendous rate, so as tools like these increase, so will the probability of you getting hacked.

4. Ok that's true.

5. Windows machines are more likely to be targeted as DDoS clients simply because there are more of them out there and the aim of DDoS is to maximize the bandwidth you can project, but Linux boxes are more "prized" targets because they can be configured to do things that Windows machines can't. So while someone might ignore a firewalled Windows machine, they might stop and take a closer look at an open Linux box they stumble upon.

So I pose the question again:

It's free,
you can set it up yourself,
it might keep you from getting hacked,
so why not just use it?

Xylon 10-05-2003 02:24 PM

When I run snort or tcpdump or whatever, most of the traffic I get is coming from my ISP's software doing some sort of check and such. If it's not from them it's random internet traffic; I have no evidence I'm being specifically targeted. Hundreds of 'transactions' go on, most of which are not malicious. People get alarmed by all the traffic when the computer is idle, while a lot of it is harmless. If you're running a webserver you may be specifically targeted more often.

I knew someone who installed ZoneAlarm on Windows and was shocked at how much it blocked..... but in the run of a day many of these dropped packets were from the exact same IP address, which is usually traced back to your ISP.

chort 10-05-2003 03:05 PM

21/tcp open ftp
At the least it can allow warez kiddies to upload illegal material, thus making you an accessory. At worst your box can be rooted and your machine can be used to attack other sites (vulnerabilities in WuFTP, ProFTP, etc.)

22/tcp open ssh
Recent vulnerabilities in OpenSSH were remotely exploitable and could lead to root privilege

23/tcp open telnet
Trivial to sniff the traffic and compile a list of user names and passwords. User credentials can be used to execute more attacks locally to get root, or simply use the resources available to a common user to form a DDoS or as a jumping-off point to attack a highly protected system (concealing the origin)

25/tcp open smtp
Potential for open relay, sendmail has a long history of possible root exploits, ingress point for viruses, possible mailbombs and other DoS type attacks.

37/tcp open time
Can help timing attacks, such as those against Kerb4.

79/tcp open finger
Trivial to compile a list of valid accounts to try brute force password guessing attacks on. Also reveals system information to narrow down the amount of exploits that need to be tried.

80/tcp open http
Numerous weaknesses in web servers and modules.

110/tcp open pop-3
Plaintext protocol. Sniffing passwords is trivial, the same passwords can be used to login to a shell.

111/tcp open rpcbind
You are truly an idiot if you leave portmapper open to the world. The possibilities here are endless.

113/tcp open auth
Nothing that I'm aware of.

540/tcp open uucp
Sometimes used to relay spam. UUCP isn't really maintained and any weakness in implementation is unlikely to be fixed.

587/tcp open submission
This better not be open to the world (scan was on loopback so hopefully this is not bound to your external IP)

1241/tcp open nessus
Poor passwords could let people use your Nessus server to scan others (conceals real source).

6000/tcp open X11
Too many things to go into. You know the reasons why Microsoft says you shouldn't use NetBIOS across the Internet? Same goes for X11, it's not nearly secure enough to be open to untrusted networks.

Anyone who thinks they won't be cracked is deluding themselves. The record time I've ever seen a box get hacked in was a Red Hat 7.2 box rooted 5 minutes after it was put on the Internet. The fact is it does not take great skill to run an exploit. It only takes a handful of really smart people to supply an army of script kiddies with point and click tools.

Don't you read your Snort logs every day? There are constantly nmap scans crawling every netblock, and more than that there are the exploits themselves just being blindly run against every IP on the Internet. If there's an automated exploit out there, you will get cracked eventually. The development cycle from the release of a vulnerability report to proof of concept code to an automated exploit tool is getting shorter and shorter. Many of the attacks this year have happened in less than 30 days after the vulnerability was noticed, and it takes vendors several days to get a patch out usually. The number of "zero day" exploits is on the rise, and fast.

I'll also say this again, since some people do not seem to understand: any box is valuable to a cracker for use in a DDoS. It's not how fast your machine is, and not even necessarily how much bandwidth you have. It's the overwhelming number of sources that makes DDoS attacks nearly impossible to defeat. This is the reason home users absolutely DO need firewalls. The vast unwashed masses out there are ignorant of security and their boxes are lying wide open to be used in DDoS attacks. In fact, there are published reports from the IT teams on university campuses that when they started requiring all student machines to be virus scanned before they were put on the network, dozens were backdoored and trojaned so many times that system recovery was nearly impossible. The same box being exploited by 3, 4, half a dozen different exploits and being used for multiple ill-deeds by zombie masters. One box on broadband is another 1.5Mbit pipe used to DDoS Amazon.com. One box on a university network could be a windfall (trivial local replication, and vast quantities of bandwidth).

Now, the assertion that Linux is immune from worms and malware is just ignorant. The very first Internet worm (the Morris Worm) infected, by some reports, 66% of the Internet hosts. The worm attacked systems running Berkeley or Sun OSs and it exploited weaknesses in Sendmail and fingerd, and then additionally exploited the trust relationship with the Berkeley "r commands" (rsh, rexec, etc). There were worms before there was Windows, and there will be worms again that target OSs other than Windows. Linux is becoming much more popular in enterprises and somewhat more popular at home (particularly among the people likely to have broadband connections) so writing a Linux worm is looking more and more attractive. Add to that the fact that most Windows admins have finally realized they need to secure their boxes, while many Linux admins are blissfully ignorant of the vulnerabilities that exist on their platforms.

The number one mistake everyone here is making (who is arguing against firewalls) is the assertion that security through obscurity works. NEWS FLASH security through obscurity is DEAD. In the modern age of high-speed Internet scanning utilities and scripted exploits, no one is obscure. You will be found, not because someone was specifically looking for you but because someone was looking for everyone. If you would read any books on security, take any courses, etc you would realize that security experts have long considered security by obscurity to not be an effective means of protection.

As I illustrated above, you do not have to be storing Department of Defense secrets to be interesting to hackers. They could, with simple user privileges, launch a massive DDoS attack on the DoD with enough computers like yours, or they could use your computer as a proxy to conceal their cracking attempts at the DoD. Both of the above are not only possible, they happen quite frequently. In fact, it's been happening for a long time. Read Cliff Stoll's excellent book about his adventures tracking down a group of East German hackers back in the '80s.

What I'm hearing from you firewall opponents is the collective sound of fingers being thrust into ears and a loud chorus of "LALALALALALALALA WE'RE NOT LISTENING IT DOESN'T REALLY EXIST". No amount of denying a problem will make it go away.

Capt_Caveman 10-05-2003 03:06 PM

I see a significant number of probes and scans originating from IP blocks in China, Taiwan, South Korea, and Brazil. So unless Verizon has decided to relocate halfway around the planet, then I doubt they are my ISP or "random traffic". The university that I work at is even worse due to the high-bandwidth backbone we connect to (makes us nice targets).
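Xylon's observation that most of the idle-time traffic is one ISP address hitting the same port, and Capt_Caveman's that the rest is sweeps from far-away netblocks, are exactly the two patterns a log summary can pull apart. The function below is an added example, not code from either poster: it reads iptables LOG lines from stdin and classifies each source address by how many distinct destination ports it touched. The sample lines are constructed in the kernel's `-j LOG` format using RFC 5737 documentation addresses; the log prefix, the threshold of five ports and the addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG lines per source
# address so that one noisy host polling a single port can be told apart from a
# host sweeping many ports. Reads log text on stdin.

# triage_log [THRESHOLD]
# Prints one line per source: "SRC hits distinct_ports class", sorted by SRC.
#   portscan            -> at least THRESHOLD distinct proto/port pairs
#   repeat-single-port  -> one port, three or more hits (monitor-style traffic)
#   sparse              -> anything else
triage_log() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src == "" || dpt == "") next        # not a firewall LOG line
            hits[src]++
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END {
            for (s in hits) {
                if (ports[s] >= thr)                    class = "portscan"
                else if (ports[s] == 1 && hits[s] >= 3) class = "repeat-single-port"
                else                                    class = "sparse"
                printf "%s %d %d %s\n", s, hits[s], ports[s], class
            }
        }' | sort
}

# Constructed sample log (documentation addresses, not a real capture):
# one sweeping host, one address re-polling port 80, one low-volume source,
# and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Oct  5 11:02:13 box kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3412 DPT=21 SYN
Oct  5 11:02:13 box kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3413 DPT=22 SYN
Oct  5 11:02:13 box kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3414 DPT=23 SYN
Oct  5 11:02:14 box kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3415 DPT=25 SYN
Oct  5 11:02:14 box kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3416 DPT=80 SYN
Oct  5 11:02:14 box kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3417 DPT=111 SYN
Oct  5 11:05:00 box kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=80 SYN
Oct  5 11:06:02 box sshd[4242]: Accepted publickey for jay from 198.51.100.5 port 50322 ssh2
Oct  5 11:20:00 box kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=80 SYN
Oct  5 11:35:00 box kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=40003 DPT=80 SYN
Oct  5 11:41:19 box kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.20 PROTO=TCP SPT=1025 DPT=22 SYN
Oct  5 11:58:03 box kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.20 PROTO=UDP SPT=1026 DPT=137'

# Usage: on a real box, "grep 'FW-IN:' /var/log/messages | triage_log 5"
printf '%s\n' "$SAMPLE_LOG" | triage_log 5
```

The distinct-port count is what separates an ISP monitor from a scanner; raw hit counts alone make both look alike, which is the confusion Xylon describes.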

dekket 10-06-2003 12:36 AM

Xylon said "there are no antivirus software for linux"
Xylon, have you ever visited freshmeat, the best website for free and open applications - ever? I mean, they've got ads for antivirus software all the time - and don't think it's for Windows. Pfft, I suggest you get some know-how about what you're talking about before posting at a forum such as this.

jayjwa 10-06-2003 01:16 AM

I knew I'd get misquoted....

If you are going to quote what I say, please quote correctly. I said, and also implied, "I think people have gone too far with this firewall bit" BUT yes, they can be quite useful. Further example, someone that logs in for maybe 30 minutes, surfs the web, checks his email, then logs out is not going to need super-duper full heavy duty protection like an up 24x7 Internet server is going to need. First of all, that first class doesn't announce they are there! The chances of getting found and over-taken in that 30 minutes is small. I post to USENET, daily. I make references to what I talk about on my server, many times people will then come and download whatever it was that I was talking about, be it a program I recommend, or whatever. Daily! Not "rooted" yet.... been up since the end of July (with this setup), offer those services I posted. I had a few idiots, a lot of scans, lots of worm probs, and 1-2 "hack" attempts. Did I run away? Lock down everything? Stop doing what I like? No. Because as I stated before, I do what is security-sensible, not security-fanatical. And that's the entire point to my posting.

Now, about the services:

Quote:

( post #35)

21/tcp open ftp
At the least can allow warez kiddies to upload illegal material thus making you an accessory. At worst your box and can be rooted and your machine can be used to attack other sites (vulnerabilities in WuFTP, ProFTP, etc)

Scare tactics. Heard of <LIMIT> and allow STOR? Warez dumps, to be useful, must allow READ and WRITE. Heard of Grim's Ping? It's what is commonly used to find r/w FTP servers. I have a copy. I know what the scan/tests look like. I had someone scan my FTP server when I ran Windows, way back when. No warez yet. If I see evidence, I'll slap on restrictions.

Quote:

22/tcp open ssh
Recent vulnerabilities in OpenSSH were remotely exploitable and could lead to root privilage
I'll assume you refer to the most current.
COULD is key here. I COULD win the lottery tomorrow too. No proof of concept exists for this one, and all the advisories I've seen all say "maybe possible". Anyway, I had SSHD updated the same day the advisory came out.

Quote:

23/tcp open telnet
Trivial to sniff the traffic and compile a list of user names and passwords. User credentials can be used to execute more attacks locally to get root, or simply use the reources available to a common users to form a DDoS or as a jumping off point to attack a highly protected system (concealing the origin)
hosts.allow: in.telnetd: the.host.I.allowed.com
hosts.deny: in.telnetd: ALL

More scare tactics. So you expect me to believe that somewhere, someone is sitting around sniffing packets off my telnet sessions, just waiting for that one moment, so they can put my machine with other ones that they did the same with, so they can DDoS god knows what? And I'd never notice this? LOL.... I guess this guy has a lot of time, let's see....no passwords yet transmitted for the past 3.5 months! How many packets IS that? Anyone want to do the math on that? FYI, there is a C proof-of-concept for logging telnet AND ssh sessions + sshd & telnetd child sessions using ptrace; it's called smokingtwojoints.c

Quote:

25/tcp open smtp
Potential for open relay, sendmail has a long history of possible root exploits, ingress point for viruses, possible mailbombs and other DoS type attacks.
Again, I'll assume you speak of the current one. Again- replaced same day.
Quote:

As of sendmail version 8.9, forwarding of SMTP messages is not permitted by default.
..straight off Sendmail.org's site. Sendmail is up to, as of right now, 8.12.10. I know the danger of open relay first hand, if you read that part of my original post, involved with writing one's own sendmail m4 file. Config'ing sendmail is not an easy task, and yes I made that mistake. But it was corrected before any damage was done, and I now have sendmail configured for no-relay, access db, and real-time blackhole listing. Had I sat with the default install, I would've been fine, but probably never learned to configure it. Win? Lose? I dunno....

Viruses? All 2 of them? 3? ...that affect Linux/Unix with any degree of efficacy? All things considered, I'd say Linux Staog is the most effective virus for *nix platforms- and I've never seen it, well, at least in the wild.

Quote:

37/tcp open time
Can help timing attacks, such as those against Kerb4.
Never heard of that, can't comment. Sounds kinda MacGyver-ish, no?

Quote:

79/tcp open finger
Trivial to compile a list of valid accounts to try brute force password guessing attacks on. Also reveals system information to narrow down the amount of exploits that need to be tried.
You keep saying "open" as in wide-open-nothing-there. Well, in.fingerd sits there, actually inetd or xinetd. Nmap is the biggest threat to the average joe's security because, while finger may show info about what project I'm coding, or my fav. shell, or my full first name (Jay), nmap will give someone the full low-down on what services, what versions of those services, and what OS version I'm running, now handily distributed with a GUI interface with each Linux distro.
For example, a host from xyz IP sent a GET HTTP request for /scripts/nsiislog.dll to my webserver today (popular MS IIS webserver exploit), so for the hell of it I scanned the host. MS-Win XP, SP1. Three times the services I run. With that info returned, I could run the DCOM RPC exploit with a good chance of success. I'd remove nmap before I'd remove finger. Yet no one mentioned that, why?
From the in.fingerd man page: "If the -u option is given, requests of the form finger @host are rejected." Is this what is being implied? My passwords are in the neighborhood of 12-15 chars long. I ran John the Ripper against them for fun. It didn't hit with several dicts. It's a meaningless alphanumeric string. Care to guess? How much time do you have? If I don't notice all those login attempts of a messy bruteforce then I don't deserve to login, period.

Quote:

80/tcp open http
Numerous weaknesses in web servers and modules.
That's really a far stab in the dark! How many websites run Apache? Should we close all those? According to this, yes! Sorry everyone, no more sites, no more WWW. I'd bet this site here uses Apache....

Quote:

110/tcp open pop-3
Plaintext protocol. Sniffing passwords is trivial, the same passwords can be used to login to a shell.
Sure, it is possible to badly configure stuff. If you require passwords for anon ftp , it's possible to mess it up so that they can also login to a shell with the same user/pass combo.
hosts.deny: popa3d:ALL takes care of it until I set it up in the near future, if not, I'll probably take it down.

Quote:

111/tcp open rpcbind
You are truely an idiot if you leave portmapper open to the world. The possibilities here are endless.
Please see http://www.mail-archive.com/debian-s.../msg09590.html
There are a few services that will not properly operate if this is blocked.
There are lots of things that connect as daemons, more than listed here,
that I run, and are a normal part of a system. (gpm, nautilus, esd) This one shocked me too when first I saw it, I used amap and got the banner from it, it seemed strange because I had blocked it with iptables. So far no root compromises though.

Quote:

113/tcp open auth
Nothing that I'm aware of.
There are some sites that will deny access without this. Which ones? I don't know, I run this.

Quote:

540/tcp open uucp
Some times used to relay spam. UUCP isn't really maintained and any weakness in implementation is unlikely to be fixed.
Nope, no spam yet. Though they try like hell thru sendmail. I get about 3 pages of rejects a day (access db rules!), but all they get is a 550 access denied.

Quote:

587/tcp open submission
This better not be open to the world (scan was on loopback so hopefully this is not bound to your external IP)
I take it you don't run sendmail. See http://www.luni.org/mail-archive/Oct2000/0579.html

Quote:

1241/tcp open nessus
Poor passwords could let people use your Nessus server to scan others (conceals real source).
Then you'd love my http proxy ;p
But that's down as of right now for an obvious reason. I had some one check me today for anon http proxy-ism.
Same password rules here as in shells. Anyway, how many people out there have a Nessus client? Or even know what it is? It's only been the most recent version of nmap that will accurately show this service as what it is (the one that came with my distro didn't), and I added it to /etc/services.

Quote:

6000/tcp open X11
Too many things to go into. You know the reasons why Microsoft says you shouldn't use NetBIOS across the Internet? Same goes for X11, it's not nearly secure enough to be open to untrusted networks.
Again you say "open" like it's a free-for-all, which it clearly isn't. Go to the X web site and read "The Evolution of Connectivity". I've a friend that does some of the graphics for my site. I just can't stand to let him work with MS-Windows anymore.

Quote:

Anyone who thinks they won't be cracked is deluding themself. The record time I've ever seen a box get hacked in was a Red Hat 7.2 box rooted 5 minutes after it was put on the Internet. The fact is it does not take great skill to run an exploit. It only takes a handful of really smart people to supply an army of script kiddies with point and click tools.
Never said I wouldn't get "cracked". There are some truly gifted coders out there. All I said is let's not be fanatical about security to the point that it denies us legitimate users access to our own services. That would be like never getting in a car because you're afraid it may crash.

Quote:

Don't you read your Snort logs every day? There are constantly nmap scans crawling every netblock, and more than that there are the exploits themself just being blindly run against every IP on the Internet. If there's an automated exploit out there, you will get cracked eventually. The development cycle from the release of a vulnerability report to proof of concept code to an automated exploit tool is getting shorter and shorter. Many of the attacks this year have happened in less than 30 days after the vulnerability was noticed, and it takes vendors several days to get a patch out usually. The number of "zero day" exploits is on the rise, and fast.
Linux was made to be a server-system. That's what I do with it. I'm not a professional, I'm just a guy with a Linux system that enjoys running it and learning how things work. There will always be virus/exploits/vulnerabilities and whatnot- you realize them, plan for it, then take the proper level-headed course of action to minimize them. But the one thing you don't do is shut down everything out of sheer terror or attempt to instill your ill-founded fears into others. Linux is a robust, secure, multi-user, multi-service, server-oriented system. If you want to shut out the world (both bad & good) and hide all by yourself, I suggest you invest in MS Windows, and pull the plug to the Internet.

-J
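The hosts.allow/hosts.deny lines jayjwa quotes are evaluated by tcp_wrappers in a fixed order: hosts.allow first, then hosts.deny, and if neither file matches the connection is granted. The script below is an added example, not part of the thread, and re-implements only that decision order for the syntax used in the post (daemon name, ALL, and a leading-dot domain suffix; no options or EXCEPT clauses), so the behaviour can be checked without a live telnetd. The rule sets and host names are constructed, modelled on the two lines above but not the poster's real files. The last two cases show what a misspelled daemon name does in each file: in hosts.allow it locks the trusted host out, in hosts.deny it lets everyone in.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal re-implementation of the
# hosts_access(5) decision order for (daemon, client) lookups. Handles only
# "daemons: clients" lines with exact names, ALL, and ".domain" suffixes.
# Real files live in /etc/hosts.allow and /etc/hosts.deny; the ones here are
# constructed strings.

# token_matches PATTERN NAME -> 0 if PATTERN matches NAME
token_matches() {
    pat=$1; name=$2
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$name" in *"$pat") return 0 ;; esac ;;   # domain suffix
        *)   [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

# list_matches "tok1, tok2 ..." NAME -> 0 if any token matches NAME
list_matches() {
    list=$1; name=$2
    old_ifs=$IFS; IFS=', '
    for tok in $list; do
        [ -n "$tok" ] || continue
        if token_matches "$tok" "$name"; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# rules_match RULES DAEMON CLIENT -> 0 if some "daemons: clients" line matches
rules_match() {
    rules=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}
        if list_matches "$dlist" "$daemon" && list_matches "$clist" "$client"; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# hosts_access ALLOW_RULES DENY_RULES DAEMON CLIENT -> prints granted|refused
#   1. a matching line in hosts.allow  -> granted, stop
#   2. else a matching line in hosts.deny -> refused, stop
#   3. else -> granted (the default is permissive)
hosts_access() {
    allow=$1; deny=$2; daemon=$3; client=$4
    if rules_match "$allow" "$daemon" "$client"; then echo granted
    elif rules_match "$deny" "$daemon" "$client"; then echo refused
    else echo granted
    fi
}

# Constructed rule sets, modelled on the two lines quoted in the post.
HOSTS_ALLOW='in.telnetd: the.host.I.allowed.com'
HOSTS_DENY='in.telnetd: ALL
popa3d: ALL'

hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" in.telnetd the.host.I.allowed.com  # granted
hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" in.telnetd evil.example.net        # refused
hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" in.fingerd evil.example.net        # granted: nothing denies fingerd

# Misspelled daemon name (an assumed typo, for illustration):
BAD_ALLOW='in.tellnetd: the.host.I.allowed.com'
BAD_DENY='in.tellnetd: ALL'
hosts_access "$BAD_ALLOW" "$HOSTS_DENY" in.telnetd the.host.I.allowed.com    # refused: fails closed
hosts_access "$HOSTS_ALLOW" "$BAD_DENY" in.telnetd evil.example.net          # granted: fails open
```

The third case is the one to notice: a daemon that has no line in hosts.deny is reachable by everyone, so a wrappers setup only covers the services you remembered to list, and a packet filter with a drop policy covers the ones you did not.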

markship 10-06-2003 01:33 AM

I disagree with Xylon completely. I lowered my iptables for ONE DAY so I could connect to the university file share server and had a hacker login as my basic user and write garbage to ALL of the remaining space of my hard drive, making the system unstable and irrecoverable, and was forced to format and reinstall EVERYTHING and lost days of work (both school & work) :-/

chort 10-06-2003 02:00 AM

Well jayjwa, nearly all your answers indicate that you have indeed hardened your system, which is the basis for any bastion host/firewall. So while you rail against firewalls, in fact your box is pretty much firewalled for nearly all intents and purposes. If you have shut off nearly all your services to external access, that's exactly what a firewall does. The only difference is that a firewall will give you one added layer of protection in case you or one of your users screws up and turns something on by accident (or a malicious user or trojan tries to turn something on on purpose).

As for portmapper (sunrpc) I do not give a shit what services depend on it, it's just as vulnerable as the Microsoft DCE endpoint mapper (of MS Blaster fame) and I won't expose it to the Internet. In fact, I have it turned off as I'm not running NFS (another insecure protocol that should never be allowed over the Internet).

I don't know what your point is about 587/submission. Of course it's part of Sendmail, that's why I said you better not have it open to the world. The link you posted was how to disable it, which is exactly what you should do (so why is it running?).

Again a bunch of your arguments rely on security through obscurity, which I've been telling you repeatedly has been rejected by security experts as a body. It's taught against in every security class you might take and any recent security book or publication will warn you not to rely on being obscure.

Even the user who logs on for 45 minutes to surf, people actively seeking that one particular person out are going to have a hard time finding them, but haven't you read a single word I posted? I'm not talking about purposeful attacks aimed at individuals, I'm talking about random attacks aimed at any IP address that has a vulnerable service. If you happen to be logged on when the scan sweeps your subnet, you will be hit regardless of how small the time window is. If you get exploited and a trojan/worm is installed, it doesn't matter if you log off. The next time you log on it will be active and misbehaving.

All your blustering about using plain text protocols pretty much falls under the "it won't happen to me" category. The truth is if someone tried, they could succeed. Why make it easy? By the way, the first OpenSSH exploit was verified by several people, including one on the Security Focus list who successfully ran it against several of his OpenBSD boxes. The flaws in the subsequent releases were not verified with proof of concept code.

About X11, many people just do xhost + because it's easy and then forget about it. It's a very easy protocol to exploit in all kinds of devastating ways. If you lock it down, then that's a hardened system and you're actually acting in ways like a firewall designer. Again this is proving my point.

About the port 80 exploits, mostly they're in modules although there were some cross site scripting problems with Apache (not a security risk to the site itself). PHP especially has been ridden with security problems. OpenSSL has also been problematic lately, but it usually runs on 443 (of course).

So it looks like overall you agree with me, but on a few things you choose to deny that you will ever be exploited on the grounds of probability (banks during the '80s denied that DES could ever be cracked, too). I don't see why after all those security precautions you still have a problem with firewalls. It's not going to restrict you any more than you already are.

Oh, one last thing if you're using the basic UNIX crypt() for password hashing, then only the first 8 characters are used in the DES hashed password. Passwords longer than 8 characters will not add any security (MD5 passwords may allow longer hashed strings, I can't remember).

Xylon 10-06-2003 12:30 PM

I concede that it is more likely than I originally thought that my computer will be targeted. A scanning of a huge number of IPs may reveal my computer has open services that are potentially vulnerable.

When running a firewall, every time a program can't get access to the Internet I have to find out what port it's using and manually open that port. This is even more difficult for the average home user. It's not worth the trouble and in the end the ports are still open. And the user will run into these problems since firewalls usually block a lot of outgoing traffic too.

Quote:

Never said I wouldn't get "cracked". There are some truly gifted coders out there. All I said is let's not be fanatical about security to the point that it denies us legitimate users access to our own services. That would be like never getting in a car because you're afraid it may crash.
"That would be like never getting in a car because you're afraid it may crash." Thank you Jayjwa that is exactly my point.

chort 10-06-2003 12:37 PM

Quote:

And the user will run into these problems since firewalls usually block a lot of outgoing traffic too.
Completely, totally, and in all other ways INCORRECT. All the consumer firewall appliances by default allow all outbound traffic. In fact, on most SoHo appliances you have very little ability to filter outbound traffic at all (short of completely blocking a specific IP). This is also true of commercial firewalls (especially PIX with their model of security zones). Unless you explicitly turn on blocking of outbound traffic, it will be allowed.

Also, most sample scripts for open source firewalls (like pf, iptables, etc) do not block outbound traffic by default. You must be referring to Zone Alarm (or some similar personal firewall), which does block outbound by default (at least, the version I tested), but even Zone Alarm tells you what program is trying to make the connection and gives you the chance to approve it (by default). Hell, even the Microsoft personal firewall that ships with WinXP allows all outbound traffic when you turn it on.

Really Xylon, I don't get it. In one post you retract earlier stupid statements and admit your ignorance, then turn around and make another completely ignorant and uninformed comment. Quit when you're ahead.

h1tman 10-06-2003 04:11 PM

There's not a lot of experts talking right now, and I don't claim to be one. But I do have experience. Listen, for the most part an advisory or exploit isn't posted on the web until like weeks or months after the author of the exploit/finder has come up with the bug. So you can be patched all you want. But somebody today is gonna write some code to grant himself root access to a service you are running. There is no advisory and even worse no patch! Feel safe?

A lot of hackers/crackers have exploits that aren't posted about, or if they are posted they had it for months already.

On one hand it's like, what's your home computer matter? But on the other hand why not just firewall it, just in case you do get compromised you don't have to worry about reinstalling, etc.

twilli227 10-07-2003 11:25 PM

quote:
but on the other hand why not just firewall it, just in case you do get compromised you dont have to worry bout reinstalling,etc.
:scratch:

Well I believe in firewalling, but if you do get compromised, then what? If you are not absolutely sure of the integrity of your files, then you better reinstall.

Read_Icculus 10-08-2003 06:39 PM

Although you need to run rpc in order to run Gnome and Nautilus, unless you are using other software that needs to connect to 111 from outside the network/box that has port 111 open, there is no need to leave the port open. Gnome works just fine on various boxes I've run with 111 firewalled. You said that you had firewalled it off with iptables, which is definitely a good idea, but it still shows up as open via an nmap scan. This is probably because you did something like "nmap 127.0.0.1", instead of an "nmap 63.12.12.1". If you don't route nmap through a network interface then iptables won't be doing its thing. To get the best info about what ports are open on your box you should port-scan from inside and outside your network, as well as using a web-based port scanner like grc.com or pcflank.com. With pcflank you can use their "advanced port scanner" to scan any or all of your ports. I'd run a scan on all of the ports that you have any doubts about to get some more information and find out if everything is firewalled correctly.

As for this firewall debate, why would running a firewall ever prevent you from using whatever software you want to use? That kind of attitude is just silly. Also the firewalled Windows box that wouldn't allow Netscape to pass through the firewall sounds like a great setup to me, (other than favoring IE over NS). Per application filtering allows you to really implement detailed rules for your network. A setup of that nature is excellent for something like the following - allow a network to only use Mozilla as the browser instead of a possibly insecure version of IE that exists by default on all of your boxes and cannot be removed, or to make users be able to FTP except not with ftp.exe. Here's another example, let's say that a user installs a piece of spyware that contacts a server on port 80 and behaves in a similar fashion to a browser. If you allowed all "browser type" traffic through the firewall then the spyware has free rein to do whatever it pleases. Same goes for a trojan that could upload various files to an FTP server. An application based firewall of the type that you find on Windows would notify you of these malicious apps, a firewall that allows all outbound traffic or has loose rules would let those types of things through. Per application filtering is a great tool for network security.
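chort's point that a locked-down host "is pretty much firewalled for nearly all intents and purposes", his earlier list of ports that should not face the Internet, and Read_Icculus's point that a scan of 127.0.0.1 never passes through iptables all come down to what an INPUT chain actually looks like. The script below is an added example, not the configuration of anyone in the thread: it writes a default-deny ruleset in iptables-restore format to stdout (nothing is applied), allowing loopback, established connections, SSH from one trusted address and a short list of public services, and logging the rest before the policy drops it. The interface name, trusted address and port list are assumptions for the example. A second function lists which ports the generated rules accept from any source, which is the check to run before loading them.

```shell
#!/bin/sh
# Added example, not from the thread: emit a default-deny INPUT ruleset in
# iptables-restore(8) format. Review the output, then load it as root with
#   iptables-restore < rules.v4
# Interface, trusted host and port list are example assumptions.

# gen_rules IFACE TRUSTED_HOST "PORT ..." -> ruleset text on stdout
gen_rules() {
    iface=$1; trusted=$2; public_ports=$3
    cat <<EOF
*filter
# Policy: drop anything on INPUT that no rule below accepts. OUTPUT stays
# open, which is the usual default the thread describes for home setups.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is unfiltered, so "nmap 127.0.0.1" still lists every listener;
# only a scan arriving on $iface sees the effect of these rules.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Remote admin: SSH only from one trusted address.
-A INPUT -i $iface -p tcp -s $trusted --dport 22 -m state --state NEW -j ACCEPT
EOF
    # Services deliberately offered to the world.
    for p in $public_ports; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Everything else (portmapper, X11, finger, telnet, submission, ...) is logged
# at most once a minute, then dropped by the INPUT policy.
-A INPUT -i $iface -m limit --limit 1/min -j LOG --log-prefix "FW-IN: "
COMMIT
EOF
}

# exposed_ports RULES -> ports accepted for NEW connections from any source,
# i.e. the rules that have a --dport but no -s restriction. Run this on the
# generated text before loading it to confirm nothing unintended is public.
exposed_ports() {
    printf '%s\n' "$1" | awk '/-j ACCEPT/ && /--dport/ && !/ -s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# Usage: generate rules for eth0, admin from 203.0.113.5, web and SMTP public.
RULES=$(gen_rules eth0 203.0.113.5 "80 25")
printf '%s\n' "$RULES"
echo "publicly reachable ports: $(exposed_ports "$RULES" | tr '\n' ' ')"
```

With this in place a service started by accident (or by a trojan, as chort notes) listens on the box but is unreachable from the outside until a rule is added for it; that is the extra layer a packet filter adds on top of hosts.allow and per-service hardening.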

