LinuxQuestions.org
Old 10-02-2003, 11:24 PM   #16
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269

You know, to tell you the truth, on several of my own machines, if someone broke into it and vandalized it, etc, I wouldn't care really as I don't really have anything important on it. I have other machines I would care if they got broken into, destroyed, deleted files, etc.

But keep in mind, just 'cause you don't have anything important doesn't mean others don't either. Also a good secure machine also will prevent others from using your machine to attack others on a network/internet, etc.

Though I can say there are some paranoid people out there, but in the end, there isn't anything wrong with that.

Do you lock the doors to your house when you leave? How about your car doors when you park it in a parking lot? I bet you do most of the time and to me, that's just the same concept in keeping your computer secure.
 
Old 10-02-2003, 11:51 PM   #17
ezra143
Member
 
Registered: Aug 2003
Location: NY
Distribution: RH9, RH8, Slack, Vector
Posts: 497

Rep: Reputation: 32
ok, here is another take on it....

Why do universities and businesses put up firewalls? Because not every person knows how to secure their box.

Imagine putting out small security holes on hundreds or thousands of pc's ( and PC is the corporate standard, running M$ no less) even for a day or two after a security hole has been found! The mess we would have on our hands would be a headache to make SARS look like the 24hr bug.

WE are here because we either know computers, or have the desire to learn more about them; and I hope we are each here for both. However, john j. putz goes home, watches the Bears, Knicks or whatever, has a few beers, bangs the wife and goes to bed rather than spending some time, preferably replacing the Knicks, not the wife, learning about internet security. I would not want him exposing a part of my network if I could help it through unnecessary access or open ports so he can play a game at lunch or use some untested software for his enjoyment. And while at work, those extra services can be made available for the sake of productivity as needed, but not just to have them available.

I run firewall appliances at home and work. I proxy, filter and cache the web. I strip attachments from emails, prohibit downloading, quelch IM, disable ActiveX, and regularly update my machines and I apply security fixes as soon as I am aware of them. Hotmail, Yahoo, and other web based email is blocked, as are FTP transactions. I trust my network and walk out of work knowing I have done everything I can to keep it secure. And, if ever something was to happen, I would surely be able to explain every step taken to provide a secure network with confidence, something I would not be able to do without these paranoid measures in place.

Strict security policies are far more cost effective as a stopgap between the advances of hackers and the resolutions provided by engineers. The bane of my existence is every laptop that some user brings home, connects to his wide-open broadband and opens to the world, only to return to the network the next day.

So, if you want to give up the time with the wife and the beers when your shit goes down because you were cocky about Linux, security and hackers, so be it. Good for you! I'd rather be paranoid, employed, and satisfied.
 
Old 10-04-2003, 05:56 PM   #18
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Quote:
I am not a security expert. But realistically, if I install Slackware with default settings, do NOT put up a firewall, and remember to UPDATE packages quickly as security exploits arise, am I really at risk? Sure maybe it is theoretically possible, but as far as I can tell the only time I'm at risk is the period between a security exploit being found and me updating the package to fix the vulnerability. Before I update the package I admit I am vulnerable to that particular exploit between the time it's discovered and the time I update but OTHER than that I don't see my little home computer being particularly at risk.
You are assuming that all crackers do is surf www.cert.org and when they see a new exploit they go off lookin' for unpatched boxes to crack. Many crackers are quite capable of finding their own exploits. And when they do, do you think they report them to cert? Nobody hears about these exploits because they are the ones that leave your box totally trashed to the point where the average Linux user has to do a wipe and reinstall. This means that the forensics gets wiped too so nobody is going to be able to identify the method of the crack until they hit a much smarter more capable user. Probably only 1 in 10000 Linux users are able to take a totally trashed system and retrieve the evidence needed for the forensics people to be able to identify the method of attack.

You mentioned a fresh Slackware install and seem to think it is pretty secure without worrying about a firewall. Go look at the list of Security Advisories for 2003. There are currently 31! It's only the beginning of October! And like I said these are security advisories the "Good Guys" found out about, either through forensics or through rigorous testing of software.

Obviously you are pretty confident they have found and patched every single hole there is. I'm not.

Here is a very interesting statistic from cert. There were 82,000 incidents reported in 2002, so far in the 1 & 2 quarter this year there have been 76,000. It seems cracking is up this year. Do you think any of those 76000 people kept their software updated?

Good Luck.
 
Old 10-04-2003, 06:28 PM   #19
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Xylon you are absolutely out of your mind stupid. You admit right up front that you're NOT a security expert, then you proceed to tell everyone that they don't need a firewall and offer all kinds of ridiculous advice like saying all you need to protect your system is strong passwords. THIS MENTALITY WILL RESULT IN YOU BEING HACKED EARLY AND OFTEN

You don't care about the contents of your machine? Fine, no one says you have to protect your own data. That's the same as if your hard drive dies, and there's no security outcry about hard drives failing. What there is a security outcry about is idiot home users allowing their PCs to be used as zombies in DDoS attacks. It's exactly because of careless and stupid people not running firewalls, relying on security by obscurity, relying on soft protection methods like passwords, and either not updating their software, or simply assuming that all updated software is secure, that DDoS attacks of the magnitude that they take down major Internet sites are possible.

Do not make the mistake of thousands of newbies and think that Linux is invulnerable, either. True the operating model of Linux is inherently safer than that of Windows, but there are a ton of things you can do with simple user privileges that can harm the Internet (if massively coordinated). It's also very possible to "root" a Linux box and thus have just as much control (more actually) than on a Windows system. Look at the exploits for Sendmail, OpenSSH, OpenSSL, kernel information leaks via network drivers, web administration interfaces for many services, etc.

Firewalls are not a panacea, that's the one thing you're right about; however firewalls do provide a valuable choke point for traffic, allowing you to do easy analysis, intrusion detection, outbound filtering, etc. Firewalls aren't only to protect your systems from inbound traffic, a good firewall should also limit outbound traffic to make sure you're being a good netizen and not allowing your computers to be used to attack other sites. Firewalls that do packet reassembly can prevent dangerous traffic from slipping through even on ports that you allow. Firewalls can limit your exposure to DoS attacks. Firewalls prevent trojans that have setup their own servers from being accessible remotely. I could go on and on, but clearly there are many benefits to firewalls which you have dismissed out of hand.

As for passwords being all the defense you need, that is just short sighted and ignorant. It is possible to brute force any password given enough time. Strong passwords are not invulnerable. Besides, if no encryption is being used and there's no firewall in place, it's much easier for an attacker to gain access to sniff traffic on plain text protocols so they can see what password you're using. There's no need to brute force if they already have the password, and then it doesn't matter how strong it is.

Even if you're using encryption, it's not impossible to crack it. Look at the recent e-mails on the MIT encryption list revealing the weaknesses in CIPE and several other open source VPN applications. Remember that DES was considered uncrackable for decades until the EFF put together a Linux cluster and cracked it in 3 days.

Good protection is based on layers. Even home users should follow as many of these as possible. First and foremost, implement a firewall. It's the easiest step and quite possibly the most effective. If you don't have the time to build one (which really isn't that difficult) buy one of the consumer appliances from Linksys, D-Link, Netgear, etc. They're much better than nothing.

Second, all software should be patched for security updates. This doesn't mean always run the very latest version of everything, because often it's the new releases which introduce security flaws where older more mature versions of the software are not vulnerable.

Have a strong security policy and make sure all users are trained on it. Don't open e-mails that you weren't expecting, especially if they contain attachments. Don't allow scripts to run in your browser unless you're very familiar with the web site and it's trusted. Don't visit sites that offer warez software, free porn, or other such enticing offers. Often they contain malicious scripting or trojaned software. Don't allow P2P software to be used, as it can often introduce trojans. Etc, etc... reference any of the many on-line examples of security policies for more tips.

Use VPN software to tunnel sensitive connections across the web. Never allow access to highly sensitive protocols or information across the web without encryption.

Use public keys or smartcard tokens whenever possible for authentication. Don't rely simply on passwords, as they can be guessed or retrieved (passwords taped to monitor, in someone's wallet, etc).

Don't allow access to unsafe protocols from the Internet or other untrusted networks. Make sure protocols like Microsoft networking, database protocols, printer protocols, etc cannot be accessed from the Internet. They should be firewalled off and also not listening on any external interfaces, and additionally configured to refuse connections from any non-local IP addresses.

Implement intrusion detections on all your network segments and on all your hosts if possible. Certainly any Internet-facing machines should have Host IDS in addition to whatever Network IDS is running.

All systems should be protected by Anti-Virus software. If possible maintain multiple layers at the Internet gateway, on all application servers, and also on every desktop machine. Multiple vendors will strengthen your defense and hedge against a late update from your primary vendor.

Good security involves a cocktail approach as you can see. For home users some of the above are realistically out of reach, but it's certainly possible to have a firewall, anti-virus software, and to warn all your users about safe Internet practices.

Last, if you're NOT a security expert DO NOT GIVE ANY SECURITY RELATED ADVICE TO OTHER USERS. The last thing the Internet needs is a bunch of idiots running around with horrible security practices and putting the rest of us at risk. It's not just your data, it's the Internet as a whole that's put at risk because every Internet-attached machine can be used to launch attacks on any other.

By the way, yes I am a security expert. I work at an e-mail and messaging security company and I've recently passed the CISSP exam.
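
The post above says services such as Microsoft networking, databases and printing should not listen on external interfaces. The following is an added example, not part of chort's post: it reads the kernel's `/proc/net/tcp` table and reports such services bound beyond loopback. The port list, the sample table (constructed) and the little-endian address decoding (x86-style hosts) are assumptions.

```python
"""Flag local-only services that are listening beyond the loopback interface."""
import ipaddress

# Assumption (not from the thread): well-known ports standing in for the
# protocol families the post names (Microsoft networking, database, printer).
LOCAL_ONLY_PORTS = {
    139: "netbios-ssn (Microsoft networking)",
    445: "microsoft-ds (Microsoft networking)",
    515: "lpd (printer)",
    631: "ipp (printer)",
    3306: "mysql (database)",
    5432: "postgresql (database)",
}

TCP_LISTEN = "0A"  # state code the kernel uses for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1002 1
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A01A8C0:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000    26        0 1005 1
   5: 0A01A8C0:0016 0501A8C0:C350 01 00000000:00000000 02:000A0B0C 00000000     0        0 1006 1
"""


def decode_local_address(field):
    """Turn '0A01A8C0:0277' into (IPv4Address('192.168.1.10'), 631).

    The address is the 32-bit value printed in host byte order, so on a
    little-endian machine the bytes must be reversed before reading them.
    """
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def listening_sockets(table):
    """Return (ip, port) for every row in LISTEN state; skip the header row."""
    sockets = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed row
        if fields[3] != TCP_LISTEN:
            continue  # established, time-wait, etc.
        sockets.append(decode_local_address(fields[1]))
    return sockets


def audit(table):
    """List local-only services whose listener is reachable off-host."""
    findings = []
    for ip, port in listening_sockets(table):
        service = LOCAL_ONLY_PORTS.get(port)
        if service is None or ip.is_loopback:
            continue  # not a watched service, or correctly bound to 127.0.0.0/8
        scope = "all interfaces" if ip.is_unspecified else "interface address"
        findings.append((port, service, str(ip), scope))
    return sorted(findings)


if __name__ == "__main__":
    for port, service, ip, scope in audit(SAMPLE_PROC_NET_TCP):
        print(f"port {port} {service}: bound to {ip} ({scope})")
```

On a live Linux host the same check runs against `open("/proc/net/tcp").read()`. It covers only the bind address; the firewall rule and the service's own access list named in the post are separate layers.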
 
Old 10-04-2003, 09:56 PM   #20
nakkaya
LQ Guru
 
Registered: Jan 2003
Location: Turkey&USA
Distribution: Emacs and linux is its device driver(Slackware,redhat)
Posts: 1,398

Rep: Reputation: 45
Quote:
Originally posted by Xylon
I am not a security expert. But realistically, if I install Slackware with default settings, do NOT put up a firewall, and remember to UPDATE packages quickly as security exploits arise, am I really at risk? Sure maybe it is theoretically possible, but as far as I can tell the only time I'm at risk is the period between a security exploit being found and me updating the package to fix the vulnerability. Before I update the package I admit I am vulnerable to that particular exploit between the time it's discovered and the time I update but OTHER than that I don't see my little home computer being particularly at risk.

Where can I find specific examples about how I could break into my own system from a remote location?
ftp service is running in the default install of slackware so u are not safe dude
 
Old 10-04-2003, 11:32 PM   #21
fsbooks
Member
 
Registered: Jan 2002
Location: Missoula. Montana, USA
Distribution: Slackware (various)
Posts: 464

Rep: Reputation: 52
Fear: Fear is a powerful motivator in enforcing conformity, obedience and making people submit to authority. Historically, inducing and manipulating fear or masked terror has always been a key policy and practice in all fascist regimes, such as Italy under Mussolini, Nazi Germany under Hitler, and the Soviet Union under Stalin - in fact, under any dictatorship. The threat of punishment, torture and the threat of being killed is enough to cause fear, panic, and terror in most of us. We do as we're told or else.

There is nothing wrong with being responsible, but much of the security being foisted upon us is nothing but hype. As I previously said, I agree with Xylon's original premise, that in many cases firewalls are unnecessary and certainly over-hyped. (As a matter of fact, I don't lock the doors to my house or my car. I also do not carry a pistol or a hand grenade, though I suppose there are circumstances that would protect me.)

Before you call me stupid or a crackpot, I'll just give you a quote by Benjamin Franklin, who was neither: They who would give up an essential liberty for temporary security, deserve neither liberty or security. Yes, security is important, and as a matter of fact, I run a firewall (a bare minimum), I monitor local scans (and block unauthorised users), do not run services I do not need, and certainly keep an eye on what is going on. I use gpg for email (when the other end is aware). And more. P2P software, however is essential, so is a mail server (with closed relays). I begin with the notion of an open system and then provide protection. What I am guessing that Xylon was feeling (or at least what I feel), is that security emphasis today seems to be close everything down and then open things up just a peep. All based on for the most part, unwarranted fear.

Last edited by fsbooks; 10-04-2003 at 11:33 PM.
 
Old 10-05-2003, 12:20 AM   #22
sleepindawg
Member
 
Registered: Aug 2003
Location: Kansas... USA
Distribution: Mandrake10 Offical, Debian Sarge, Knoppix, GO Ubuntu!!! my new home
Posts: 79

Rep: Reputation: 15
what about the built in firewall in items such as hubs/switches???? are they any good at all?
 
Old 10-05-2003, 12:32 AM   #23
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Unwarranted fear??? SQL Slammer infected hundreds of thousands of hosts and cost business around the globe untold millions, probably billions. I know one bank alone that lost millions each day its ATM network was incapacitated, and millions more in fines to the Federal government because they had guaranteed uptime. MS Blaster infected over one million hosts and again cost millions of dollars. Sobig.F brought down or crippled the mail systems at many of the largest sites on the Internet (as well as unknown numbers of smaller sites). Sobig.F is also highly suspected of having planted the trojan which is being used to DDoS many popular RBL anti-spam sites. A DDoS attack earlier this year took out nearly enough of the DNS root servers to cause a near total Internet outage. How much more warranted do you want???

I agree in principle that those who give up essential liberty for temporary security deserve neither, BUT that statement refers to governments not sensible protection. I doubt very much that Ben Franklin would have been against installing door locks and keeping valuables in a safe. What he was referring to was the kind of hysteria that causes people to give up basic freedoms, such as the right to privacy and free speech. Incidentally, those very same rights are being given up en masse right now to the Department of Homeland Scary. What John Ashcroft is doing rightly falls under the realm of Mr. Franklin's statement, but taking prudent precautions to guard your own property and the property of others is not giving up any freedom. I challenge you to tell me one basic right that a personal firewall violates.

The notion that the Internet is some kind of global commune and it should be free from any restrictions or responsibility is ludicrous. If you choose to be a member of the global on-line society, you have an obligation to every other member to protect the society from harm. By refusing to install even basic protection you're consciously allowing malicious people to exploit your system to attack others. That's what open proxies and open relays do. An open box with no guard against exploits is little more than offering up your computing power and bandwidth to anyone who wants to use it.

Look, I'm very much a Libertarian and I hold dear liberty and personal freedoms, but what good are they if the Internet is controlled from behind the scenes by a group of shady criminals that can bend the computing power of the world to their will? If you haven't researched any of the recent worm attacks, I suggest you start digging. As far back as the Morris worm the Internet was being threatened as a whole by worm attacks, yet no one is taking the threat seriously.

The Internet security "hype" is not an overreaction, it's an under reaction. Software vendors are not taking security seriously. Operating system vendors are not taking security seriously. Users and corporations alike are not taking security seriously. Most of the supposed "security" measures being taken by software vendors and the entertainment industry are actually measures to protect their profits and shelter monopolies and unfair business practices. Very few general consumers take security seriously, and some of those who supposedly care about security merely switch operating systems and assume they can continue acting irresponsibly with their networked machines. Drive around any neighborhood with a wireless sniffer and you'll see what I mean. As for corporations, their management thinks that CISOs are just another whiney officer begging for budgets for their pet projects.

Our best chance to avoid massive Federal restrictions is to proactively implement security devices and policies. If things get out of hand to the point where the operation of the Internet is threatened, you better believe the US government will step in and take over. That is the last thing anyone wants. Then the quote about giving up essential liberty will very much apply. We have the chance right now to get a handle on securing the access points to the Internet and make sure we aren't making exploits irresistibly easy.

Has anyone here ever worked for a giant service provider that got DDoS'd? I have. Has anyone worked for a large corporation or carrier that got spam flooded with millions of messages? I have. Has anyone ever seen 20,000 virus e-mails caught in one hour? Guess who. If I sound urgent it's because I've seen the attacks that are happening. For those of you in your own little worlds running an FTP server and swapping MP3s you have no idea what's going on out there. You don't understand the risks that corporations run every day by having their business connected to the Internet, and you don't realize how often private information is compromised.

I'm not asking everyone to unplug their computer and start using an abacus, I'm just saying take reasonable precautions. There's no reason an average person cannot buy and install a firewall. You can get them for less than $100, which is about 2 months worth of broadband service, or eating out 3 times. I ran one of those firewalls for months in its default configuration (besides changing the password) and never had any problems surfing the Internet, getting e-mail, playing on-line games, etc. It's not like I'm telling people to wiretap themselves and send the tapes to the government. Anti-Virus software is $30, that's like 6 mochas from Starbucks. I don't think that's going to deprive anyone from food or shelter.

By the way, it's not fear mongering to tell people the facts. Thus far not enough Internet users have taken their responsibility seriously and that's why experts are making a big deal out of the consequences. Obviously no one has been motivated by an appeal to reason so it's time to give examples. If you want to sit around and call it over-hype then that's your right, but you better not be complaining when something you care about is affected in a major way because of a lack of security.
 
Old 10-05-2003, 01:47 AM   #24
fsbooks
Member
 
Registered: Jan 2002
Location: Missoula. Montana, USA
Distribution: Slackware (various)
Posts: 464

Rep: Reputation: 52
chort, I run a secure system and believe people should. Yes, keeping one's system secure can slow the Federal government and the BFEE from increasing restrictions on internet use. And, even though my personal computer was not itself affected by the Blaster and other viruses (being immune from that run), certainly my bandwidth was. But I do stand by my assertion that security is over-hyped, but agree it is probably under-implemented. Security should be enabling, not disabling, and that is my problem.

FYI, my router comes with a firewall. The computer I sit at here is DMZ'ed though, though I use iptables. The other computers sit behind the firewall - they have nothing to "serve". Mostly I depend for the DMZ'ed, perhaps foolishly, on portsentry (being no longer in active development for the opensource community, having been bought out by CISCO) to block particular hosts after a scan. I like to see who is trying what. So far nothing serious, and I would know. I also keep a mirror within my quadruple boot computer, so if I ever do get cracked, I will be able to immediately restore it, and also tell what happened. But probably I am the 1 of 10000 who could do so.

Oh, also, did I say I shared mp3's? I believe I said I run a p2p server, and as I am sure you are aware, these can be used to share many types of files. Most of the files I share are actually pdf's (and I prefer ogg's for music in any case), one example being files related to the http://blackboxvoting.org research on security risks involved in electronic voting systems by Diebold (which I believe run on a MS-Windows operating system). There is a system with real security risks.

In any case, I think this discussion is useful. Ultimately society will come to a consensus on what will work and we must come at it from all directions. My philosophy is similar to the "Take Back the Night" efforts of the women's movement. The rhetoric behind that says, "we have every right to be on the streets at night, and will not be victims remaining in our houses behind locked doors." No, we can't be naive, but I don't like hiding behind locked doors (or firewalls).

You might find this article interesting.
 
Old 10-05-2003, 04:55 AM   #25
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
fsbooks
You just admitted you use a firewall. And on your DMZ computer you use portsentry. That puts you on our side of the argument. Portsentry while not a firewall, is like sticking a sentry at all the cracks in the fort wall and they wait for an intruder to stick their head through then they chop it off.

The argument here is that firewalls are unnecessary and restrictive. Yes I agree they are not absolutely necessary, however; I totally disagree that they are restrictive. You use portsentry "to block particular hosts after a scan", this is opposed to a firewall blocking the scan. Which is more restrictive? After the initial scan using portsentry the host is now in hosts.deny so it is banned forever. But with a firewall (depending upon how you set it up) you could allow the host to continue surfing your web pages or connect via ftp and still download files or conduct other normal business.

Sure you can setup portsentry to be less restrictive, just like a firewall
 
Old 10-05-2003, 04:59 AM   #26
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
The article linked by fsbooks is well worth the time to read. I'm only about 2/3 of the way through, but already I've learned things about Al Gore's involvement with the Internet and the infamous Morris Worm that I had not been able to locate previously.

By the way, the Diebold voting system does use Microsoft Windows NT (and now 2000, I assume) and apparently an Access database. Not exactly the stuff you want our voting to take place with. Hats off to anyone mirroring the blackboxvoting.org content. I understand that a rabid army of lawyers has temporarily restricted it.
 
Old 10-05-2003, 08:39 AM   #27
slapNUT
Member
 
Registered: Jun 2001
Location: Recycle Bin
Distribution: Linux & Everything else on VirtualBox
Posts: 144

Rep: Reputation: 15
re: Blackboxvoting.org

It's really funny to listen to Democrats getting concerned about illegal voting practices.

After all 9 out of 10 dead Chicagoans vote Democrat! hehe haha
 
Old 10-05-2003, 09:16 AM   #28
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 767

Rep: Reputation: 241
I for one am glad this firewall thing was brought up. People have gone firewall and security crazy. For example, I saw a moment ago a post from someone that said "Oh my god, my finger port is open!!!!" Enough is enough. Yes, there are malicious users, but I think they are few and far between. Most problems can be avoided by just knowing what you're doing and keeping up to date on your services. Some may remember I posted quite a while back about a mail problem, well now that I have had time to learn, I realized what had happened, which was I was being used as an open relay. I realized after a short time and shut it down, and by that happening, I now know how to configure a mail server. But it was someone relaying. Or other times maybe a worm thinking that my webserver is a IIS webserver and trying to do that default.ida?XXXX exploit. But it's not some "hacker" "exploiting" his way in with some "shellcode-buffer overflow". That stuff is just too over-hyped up. Coding those exploits, and even using them and knowing what to do with them requires more than just clicking the mouse on a "yes" box. And those that are intelligent enough to have the ability, are intelligent enough to spend their time doing more constructive things. I think there are very few truly evil people in the world, people that would break in and just total everything. If there are that many evil people, and this is what the world has come to, then we better all hide in our houses behind steel doors and 20 locks.
I think it's a real shame that people are afraid to use network services like finger or talk. Read the man page for in.fingerd- see why it was made up, what it was intended for (on Slackware man page it has this info) it says quote: "Fingerd is a simple daemon based on RFC1196 that provides an interface to the "finger" program at most network sites. The program is supposed to return a friendly, human-oriented status report on either the system at the moment, or a particular person in depth". So some "hacker" is just hanging around all day long, trying to run finger on systems, to find out your name? Ah Ha! There's Bob! & Jimmy! Got'em now!
I'm not trying to single out one person, what I am saying is that while it's good to be protected, it shouldn't be taken to a gross extreme- one that places more limits on what legitimate users do than what unauthorized ones do. My system is not a place to launch attacks from, or that is a place of disorder and a danger to the internet at large. I read up on what I run, check for security news each day, check logs several times a day, and follow general good practices. But I'm not going to deny myself or those that do use the services with respect. To date, the worst thing that has happened is a user attempted to login as 'administrator', 'test', and finally 'root' on my FTP server. It's an anonymous server, and of course I don't allow any root login from any place but this chair I now sit in. This goes for SSH as well. He tried about 10 times, and now that domain is banned. But that doesn't mean I will stop FTP service for everyone else that doesn't do that.
I myself run FTP, Apache, a mail server, uucp, a POP3 server (soon to be used, but not in use right at this moment ) SSH, have Telnet installed (for someone that doesn't have ssh) but not in use, Finger (complete with .plan & .project), ntalk, comsat & biff, Identd, and even X I'll let run clients for someone that I know who has XThin for Windows. I ran about 2-3 weeks with no firewall while I was in the process of getting one (pre-made script) and learning iptables. No worms, no virus, no hackers. Like was said, there's not really much on this system, and what is here is available by anon FTP anyway. People download stuff all the time, and visit my pages. Linux is free. If a hacker wants to get a system so bad, he can download it like I did. I do have a firewall now, because it does help bring peace of mind since I'm connected to the 'net 24x7 with all these services. I use Libwrap, and that's been great. I allow whoever to use the services, unless they are monkeying around, then they get banned.
And if someone does by chance de-root me? Well then they deserve to be root and not me. I have to my left the power cord, and to my right the original CD-RW I burned Linux on, so even that wouldn't be a big deal. I know IP addresses are logged, so I'll at least most likely get a scan out of this and if I happen to get poked at and you DO find a way to total me, then if someone feels that's what needs to be done, do it. They will have to live with their evil selves, not me. I'll re-install and use that as a reason to move up to Slack 9.1 anyway
.....oh, and I forgot the nessus daemon on port 1241 & I'm thinking about starting up huntd, if I can find some players.

Interesting ports on localhost (127.0.0.1):
(The 1197 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open rpcbind
113/tcp open auth
540/tcp open uucp
587/tcp open submission
1241/tcp open nessus
6000/tcp open X11

-Jay
 
Old 10-05-2003, 10:59 AM   #29
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
You just said you are using a firewall and it is not restricting you from running anything you want to run! You have just made my point! Thank you.
 
Old 10-05-2003, 11:07 AM   #30
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
There are silly extreme people on both sides of the argument. Who's silliest the one screaming "Oh my god my finger ports open, what ever shall I do" or the one yelling " Crack my system - I think Firewall's are unnecessary"?
 
  

