If there are no services listening on any port & if Nftables is enabled can I still get hacked ?
We could send you a payload. If the payload is executed on your system, it could theoretically set up a service, start it and then connect back to it. Correct me if I'm wrong.
Sorry for the late reply. I don't know why but I didn't receive any email notification for this thread.
Quote:
Originally Posted by syg00
How did you make this post? And how do you read this response?
Yes, I understand what you are saying. Sorry, I should have written "first 1000 ports". Some ports need to be open to allow (at least) web traffic, but those ports are opened only temporarily. I say temporarily because I tested all ports using Nmap with the command
Code:
nmap -p- 192.168.xxx.xx
I found some ports open but when I repeated the same test just a moment after the first test it showed a different (open) port.
Quote:
Originally Posted by maw_walker
Need more info: server or desktop? When you say "hacked", what do you mean, at the web app level (server) or at the OS level (desktop)?
It's a desktop. By hacked I meant someone intruding into my system & viewing my personal files as if he were the owner.
Quote:
Originally Posted by A-Okay
We could send you a payload. If the payload is executed on your system, it could theoretically set up a service, start it and then connect back to it. Correct me if I'm wrong.
Can you teach me what this "payload" is? I mean, under Windows an executable ends with .exe, but under Linux it differs from distro to distro. For Debian & derivatives it's .deb; for RPM-based distros it's .rpm. While browsing the web I have never found any site trying to push a .deb or .rpm, so I am curious what this payload which targets Linux looks like.
A payload is any executable delivered by a successful attack, but only if it is suitable for the architecture. APT and RPM packages are not executables, even if they do contain executables. Any given program has to be compiled specially for the specific type of hardware in order to be able to run once it gets into the system; otherwise it is just a stream of harmless bytes. The type of hardware would be x86 (Intel/AMD) or MIPS or Arm or POWER or even less common architectures. One example of that kind of thing was the Carna Botnet from 2012.
If you are talking about a desktop system, then the weak point would be the browser, especially if you allow javascript-infected web pages to fetch and run javascript on your machine. A malicious actor could try many things, successfully, including Rowhammer JS, to jump from the browser into a privileged account within the system. There are really only two browsers these days, Firefox and the Chromium-based ones. Both are full of more holes than Swiss cheese, since development is focused far away from improving the code.
If you want to mitigate the risk, then work out a custom SELinux or AppArmor profile and severely restrict what filesystem access the browser can have.
@Turbocapitalist
Thanks for that explanation. I am using a Core i3 Intel processor. I was using Firefox but now I am using LibreWolf. Despite being paranoid about security & privacy, the one thing that I failed to do was cope with the NoScript addon. I mean, I kept whitelisting scripts on various pages day after day & finally gave up. I am not using SELinux or AppArmor, but I am running LibreWolf under Firejail. In your opinion, is Firejail as good as SELinux or AppArmor in terms of the level of protection it provides?
Well, with any x86 processor there is almost nothing which can be done beyond some of the more basic countermeasures. If you want to know more about why x86 is a totally lost cause and beyond repair, see scholarly works about the Spectre(r) and Meltdown(r) brand categories of speculative execution attacks. The use of speculative execution was ruled out as a bad idea in the 1980s, but Intel (followed by others) decided somewhat more recently to use it anyway to cheat on performance. The result is that x86 cannot be properly secured. That's an oversimplification but covers the main points.
Quote:
Originally Posted by hifi100
In your opinion, is Firejail as good as SELinux or AppArmor in terms of the level of protection it provides?
With any of those the results are 100% dependent on how your configuration allows or denies access. So the answer is, it depends entirely on what you have configured any of those to do. If they are configured to let the browser run amok, the browsers will potentially do so.
Last edited by Turbocapitalist; 07-27-2021 at 09:57 AM.
Quote:
Originally Posted by Turbocapitalist
Well, with any x86 processor there is almost nothing which can be done beyond some of the more basic countermeasures. If you want to know more about why x86 is a totally lost cause and beyond repair, see scholarly works about the Spectre(r) and Meltdown(r) brand categories of speculative execution attacks. The use of speculative execution was ruled out as a bad idea in the 1980s, but Intel (followed by others) decided somewhat more recently to use it anyway to cheat on performance. The result is that x86 cannot be properly secured. That's an oversimplification but covers the main points.
Frankly, that's extremely depressing. As far as I know, the majority of computer users all over the world are using x86. So suppose I put a very secure perimeter firewall like OpenBSD in front of an x86 desktop: will it gain any improvement? I am asking this question simply out of frustration. In super secure environments where people cannot afford to get hacked, which architecture do they use?
Quote:
Originally Posted by Turbocapitalist
With any of those the results are 100% dependent on how your configuration allows or denies access. So the answer is, it depends entirely on what you have configured any of those to do. If they are configured to let the browser run amok, the browsers will potentially do so.
Firejail is made keeping the average user in mind. As an example, the default profile for Firefox is made in such a way that only /home/username/Downloads can be accessed & stuff like /boot cannot be reached. I am not a Firejail expert, but this is what I have found about Firejail so far.
All home LANs should have some sort of firewall, be it hardware or software. Your router should have a built in firewall. Most cyber criminals are not going to bother with a single desktop because there is little or nothing to gain but some "script kiddie" might. You should still secure your system though. I have software firewalls running on all my systems, plus the firewall on my router set to "stealth" and no ports open inbound.
Keep in mind that all outbound traffic originating from your desktop will come back: that's how networking works. You can close all inbound ports on a firewall but not all outbound or you effectively isolate the machine you are trying to protect and you won't be able to access the Internet.
Last edited by maw_walker; 07-27-2021 at 10:33 AM.
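The inbound/outbound split described above, as an added example that is not from the thread or any poster: a minimal nftables ruleset for a desktop with no listening services. Inbound traffic is dropped unless it is loopback or a reply to a connection the desktop itself started; outbound stays open, which is exactly the browser exposure the thread keeps returning to. The file path and the rate-limited ping/ICMPv6 allowances are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a default-drop nftables ruleset for a
# desktop that runs no services, then syntax-checks it if nft is installed.
set -eu

RULESET_FILE="${RULESET_FILE:-/tmp/desktop.nft}"   # assumed path; load with: nft -f <file>

write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        # replies to connections this desktop opened (browser, updates, DNS) come back in here
        ct state established,related accept
        # keep basic LAN diagnostics and IPv6 neighbour discovery working (rate limited)
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # anything else is unsolicited: log a sample of it, then fall through to policy drop
        limit rate 10/minute log prefix "nft-drop-in: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        # outbound is allowed; this is the exposure that only browser sandboxing addresses
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Returns 0 when the file has the default-drop input policy and the reply-traffic rule.
ruleset_has_default_drop() {
    grep -q 'hook input priority 0; policy drop;' "$1" \
        && grep -q 'ct state established,related accept' "$1"
}

write_ruleset "$RULESET_FILE"
ruleset_has_default_drop "$RULESET_FILE"
# nft -c parses the file without loading it; it may need root for the netlink socket.
if command -v nft >/dev/null 2>&1; then
    nft -c -f "$RULESET_FILE" || echo "nft check failed (try as root)"
fi
```

After loading it, `ss -tlnp` should list no sockets bound to a non-loopback address; if it does, that service, not the firewall, is what an attacker could reach.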
That has zero to do with LAN security. If you install something that takes advantage of those vulnerabilities then all bets are off but having a vulnerable CPU does not mean your LAN is less secure. The attack vector from those vulnerabilities on a desktop involves having unpatched operating systems or other installed software that can leak data.
Those unpatchable holes are relevant to the LAN and the original question because the browser may be going out and bringing in scripts or worse into a LAN-connected system and thus provide a level of exposure. Both categories of hardware holes are design-level and, furthermore, unpatchable. There are a handful of mitigations to lower the risk but nothing to eliminate it, not even updated microcode, except to leave x86 behind.
So far, most of the world has chosen to shrug their shoulders and pretend that neither category of problem is there for those still left on x86.
The browser itself has bugs, some of which get discovered before they are patched, and some of those turn out to be exploitable. There the solution is twofold. First, try to keep the software up to date / patched. Second, use Firejail, AppArmor, or SELinux to ensure that the browser can only access a few directories and not dig around in either system files or sensitive account data. Also, not letting the browser run javascript reduces the attack surface greatly.
No single step will block all the attack vectors. See "layered security" or "defense in depth".
Last edited by Turbocapitalist; 07-27-2021 at 11:58 AM.
Reason: corrected link
Agree and I thought about that when I posted. The javascript advice is good but sadly, that breaks about 90% of the Internet. Personally I hate javascript because there are so many terrible implementations of it out there but it's not going away any time soon unfortunately.