LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-05-2003, 11:16 AM   #31
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69

These are amusing:
Quote:
Originally posted by jayjwa
I for one am glad this firewall thing was brought up. People have gone firewall and security crazy.
<SNIP>
I do have a firewall now, because it does help bring peace of mind since I'm connected to the 'net 24x7 with all these services.
-Jay
Oh okay, so you're going to run a firewall, but you don't think everyone else should? That makes alot of sense.

Quote:
Originally posted by jayjwa
Coding those exploits, and even using them and knowing what to do with them requires more than just clicking the mouse on a "yes" box.
Not really. You can go to numerous blackhat websites and download prepackaged exploit code that only require a minimal amount of user know-how. So you have a relatively large number of "script-kiddies" running around with high-powered tools that can compromise you box in a heartbeat. Given what turns up in your nmap scan, it would probably be pretty trivial. If you think those people are few and far between, then you haven't actually "seen" what's out there on the internet..

To be honest I think you guys have it backwards. Running a firewall actually gives you the freedom to run services (especially vulnerable ones) on you're local network that would otherwise get hammered if you let them be exposed publicly. By limiting those who can or can't access a services, you're significantly reducing the risk of them being compromised while allowing those on your network to use all the services they want. So I don't get all this freedom crap you guys keep repeating.
 
Old 10-05-2003, 12:35 PM   #32
Xylon
Member
 
Registered: Sep 2003
Location: Newfoundland, Canada
Distribution: Slackware 9.0
Posts: 44

Original Poster
Rep: Reputation: 15
Wow there were alot of replies I didn't expect this kind of response. A few points:

1. Bringing up worms and other viruses designed to attack WINDOWS is irrelevant. Linux is immune from the blaster worm and any other Windows-specific attacks.

2. I am not aware of any anti-virus software that exists for Linux, most virus seem to be written to attack Windows.

3. There are NOT people constantly hammering at my system trying to get in. Even systems that are totally unsecured may not be hacked because maybe nobody will end up trying. If someone tries to hack my more secure system chances are they will give up. Statistically a reasonably secured home system is unlikely to be hacked. I do think Firewalls are useful for mission-critical and corporate applications, but not for home users.

4. I am not denying that security risks exist. The entire Half Life 2 source code was recently hacked from Valve.

5. Everyone can agree that Linux is at least SOMEWHAT more secure than Windows. Someone trying to do a DDoS will probably attempt to use Windows systems.

In theory, security risks exist. But, in reality for a hobbyist using Linux at home that risk is statistically a minimum.
 
Old 10-05-2003, 02:02 PM   #33
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Most of which are wrong:

1. But that doesn't make Linux immune from Linux-specific worms (slapper)

2. There are a bunch now, including mainstream AV providers like Kaspersky Lab and Symantec

3. You should turn on a packet sniffer like Ethereal or Snort. I don't know about you, but I get aggressively scanned at least several times per day, not including the abuse my webserver takes. New tools like parallel scanning auto-rooters allow the not so-subtle script kiddie to compromise machines at a tremendous rate, so as tools like these increase, so will the probability of you getting hacked.

4. Ok that's true.

5. Windows machines are more likely to be targeted to be dDOS clients simply because there are more of them out there and the aim of dDOS is to maximize the bandwidth you can project, but Linux boxes are more "prized" targets because they can be configured to do things that windows machines can't. So while someone might ignore a firewalled windows machine, they might stop and take a closer look at a open linux box they stumble upon.

So I pose the question again:

It's free,
you can set it up yourself,
it might keep you from getting hacked,
so why not just use it?
 
Old 10-05-2003, 02:24 PM   #34
Xylon
Member
 
Registered: Sep 2003
Location: Newfoundland, Canada
Distribution: Slackware 9.0
Posts: 44

Original Poster
Rep: Reputation: 15
When I run snort most of the traffic or tcpdump or whatever most of the traffic I get is coming from my ISP's software doing some sort of check and such. If it's not from them it's random internet traffic, I have no evidence I'm being specifically targetted. Hundreds of 'transactions' go on most of which are not malicious. People get alarmed by all the traffic when the computer is idle, while alot of it is harmless. If you're running a webserver you may be specifically targetted more often.

I knew someone who installed Zonealarm on Windows and was shocked at how much it blocked..... but in the run of a day many of these dropped packets were from the exact same ip address, which is usually traced back to your ISP.
 
Old 10-05-2003, 03:05 PM   #35
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
21/tcp open ftp
At the least can allow warez kiddies to upload illegal material thus making you an accessory. At worst your box and can be rooted and your machine can be used to attack other sites (vulnerabilities in WuFTP, ProFTP, etc)

22/tcp open ssh
Recent vulnerabilities in OpenSSH were remotely exploitable and could lead to root privilage

23/tcp open telnet
Trivial to sniff the traffic and compile a list of user names and passwords. User credentials can be used to execute more attacks locally to get root, or simply use the reources available to a common users to form a DDoS or as a jumping off point to attack a highly protected system (concealing the origin)

25/tcp open smtp
Potential for open relay, sendmail has a long history of possible root exploits, ingress point for viruses, possible mailbombs and other DoS type attacks.

37/tcp open time
Can help timing attacks, such as those against Kerb4.

79/tcp open finger
Trivial to compile a list of valid accounts to try brute force password guessing attacks on. Also reveals system information to narrow down the amount of exploits that need to be tried.

80/tcp open http
Numerous weaknesses in web servers and modules.

110/tcp open pop-3
Plaintext protocol. Sniffing passwords is trivial, the same passwords can be used to login to a shell.

111/tcp open rpcbind
You are truely an idiot if you leave portmapper open to the world. The possibilities here are endless.

113/tcp open auth
Nothing that I'm aware of.

540/tcp open uucp
Some times used to relay spam. UUCP isn't really maintained and any weakness in implementation is unlikely to be fixed.

587/tcp open submission
This better not be open to the world (scan was on loopback so hopefully this is not bound to your external IP)

1241/tcp open nessus
Poor passwords could let people use your Nessus server to scan others (conceals real source).

6000/tcp open X11
Too many things to go into. You know the reasons why Microsoft says you shouldn't use NetBIOS across the Internet? Same goes for X11, it's not nearly secure enough to be open to untrusted networks.

Anyone who thinks they won't be cracked is deluding themself. The record time I've ever seen a box get hacked in was a Red Hat 7.2 box rooted 5 minutes after it was put on the Internet. The fact is it does not take great skill to run an exploit. It only takes a handful of really smart people to supply an army of script kiddies with point and click tools.

Don't you read your Snort logs every day? There are constantly nmap scans crawling every netblock, and more than that there are the exploits themself just being blindly run against every IP on the Internet. If there's an automated exploit out there, you will get cracked eventually. The development cycle from the release of a vulnerability report to proof of concept code to an automated exploit tool is getting shorter and shorter. Many of the attacks this year have happened in less than 30 days after the vulnerability was noticed, and it takes vendors several days to get a patch out usually. The number of "zero day" exploits is on the rise, and fast.

I'll also say this again, since some people do not seem to understand any box is valuable to a cracker for use in a DDoS. It's not how fast your machine is, and not even necessarily how much bandwidth you have. It's the overwhelming number of sources that makes DDoS attacks nearly impossible to defeat. This is the reason home users absolutely DO need firewalls. The vast unwashed masses out there are ignorant of security and their boxes are lying wide open to be used in DDoS attacks. In fact, there are published reports from the IT teams on university campuses that when they started requiring all student machines to be virus scanned before they were putting on the network, dozens were backdoor and trojan so many times that system recovery was nearly impossible. The same box being exploited by 3, 4, half a dozen different exploits and being used for multiple ill-deeds by zombie masters. One box on broadband is another 1.5Mbit pipe used to DDoS Amazon.com. On box on a university network could be a windfall (trivial local replication, and vast quantities of bandwidth).

Now, the assertion that Linux is immune from worms and malware is just ignorant. The very first Internet worm (the Morris Worm) infected by some reports, 66% of the Internet hosts. The worm attacked systems running Berkley or Sun OSs and it exploited weaknesses in Sendmail and fingerd, and then additional exploited the trust relationship with the Berkley "r commands" (rsh, rexec, etc). There were worms before there was Windows, and there will be worms again that target OSs other than Windows. Linux is becoming much more popular in enterprises and somewhat more popular at home (particularly among the people likely to have broadband connections) so writing a Linux worm is looking more and more attractive. Add to that the fact that most Windows admins have finally realized they need to secure their boxes, while many Linux admins are blissfully ignorant to the vulnerabilities that exist on their platforms.

The number one mistake everyone here is making (who is arguing against firewalls) is the assertion that security through obscurity works. NEWS FLASH security through obscurity is DEAD. In the modern age of high-speed Internet scanning utilities and scripted exploits, no one is obscure. You will be found, not because someone was specifically looking for you but because someone was looking for everyone. If you would read any books on security, take any courses, etc you would realize that security experts have long considered security by obscurity to not be an effective means of protection.

As I illustrated above, you do not have to be storing Department of Defense secrets to be interesting to hackers. They could, with simple users privilages, launch a massive DDoS attack on the DoD with enough computers like yours, or they could use your computer as a proxy to conceal their cracking attempts at the DoD. Both of the above are not only possible, they happen quite frequently. In fact, it's been happening for a long time. Read Cliff Stoll's excellent book about his adventures tracking down a group of East German hackers back in the '80s.

What I'm hearing from you firewall opponents is the collective sound of fingers being thrust into ears and a loud chorus of "LALALALALALALALA WE'RE NOT LISTENING IT DOESN'T REALLY EXIST". No ammount of denying a problem will make it go away.

Last edited by chort; 10-05-2003 at 03:42 PM.
 
Old 10-05-2003, 03:06 PM   #36
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I see a significant number of probes and scans originating from ip blocks in China, Taiwan, South Korea, and Brazil. So unless Verizon has decided to relocate half-way around then planet, then I doubt they are my ISP or "random traffic". The university that I work at is even worse due to the high-bandwidth backbone we connect to (makes us nice targets).
 
Old 10-06-2003, 12:36 AM   #37
dekket
Member
 
Registered: Oct 2003
Location: sweden
Distribution: debian
Posts: 47

Rep: Reputation: 15
Xylon said "there are no antivirus software for linux"
Xylon, have you ever visited freshmeat, the best website for free and open applications - ever? I mean, they got ads for antivirus software all the time - and dont think its for windows. Pfft, I suggest you get some know-how about what you're talking about before posting at a forum such as this.
 
Old 10-06-2003, 01:16 AM   #38
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware64, LFS
Posts: 312

Rep: Reputation: 53
I knew I'd get misquoted....

If you are going to qoute what I say, please qoute correctly, I said, and also implied, "I think people have gone too far with this firewall bit" BUT yes, they can be quite useful. Further example, someone that logs in for maybe 30 minutes, surfs the web, checks his email, then logs out is not going to need super-duper full heavy duty protection like an up 24x7 Internet server is going to need. First of all, that first class doesn't announce they are there! The chances of getting found and over-taken in that 30 minutes is small. I post to USENET, daily. I make references to what I talk about on my server, many times people will then come and download whatever it was that I was talking about, be it a program I recommend, or whatever. Daily! Not "rooted" yet.... been up since the end of July (with this setup), offer those services I posted. I had a few idiots, a lot of scans, lots of worm probs, and 1-2 "hack" attempts. Did I run away? Lock down everything? Stop doing what I like? No. Because as I stated before, I do what is security-sensible, not security-fanatical. And that's the entire point to my posting.

Now, about the services:

Quote:
( post #35)

21/tcp open ftp
At the least can allow warez kiddies to upload illegal material thus making you an accessory. At worst your box and can be rooted and your machine can be used to attack other sites (vulnerabilities in WuFTP, ProFTP, etc)
Scare tactics. Heard of <LIMIT> and allow STOR? Warez dumps, to be useful, must allow READ and WRITE. Heard of Grime's Ping? It's what is commonly used to find r/w FTP servers. I have a copy. I know what the scan/tests look like.I had someone scan my FTP server when I ran Windows, way back when. No warez yet. If I see evidence, I'll slap on restrictions.

Quote:
22/tcp open ssh
Recent vulnerabilities in OpenSSH were remotely exploitable and could lead to root privilage
I'll assume you refer to the most current.
COULD is key here. I COULD win the lottery tomarrow too. No proof of concept exists for this one, and all the advisories I've seen all say "maybe possible". Anyway, I had SSHD updated the same day the advisory came out.

Quote:
23/tcp open telnet
Trivial to sniff the traffic and compile a list of user names and passwords. User credentials can be used to execute more attacks locally to get root, or simply use the reources available to a common users to form a DDoS or as a jumping off point to attack a highly protected system (concealing the origin)
hosts.allow: in.tellnetd: the.host.I.allowed.com
hosts.deny: in.telnetd:ALL

More scare tactics. So you expect me to belive, that somewhere, someone is sitting around, sniffing packets off my telnet sessions, just waiting for that one moment, so they can put my machine with other ones that they did the same with, so they can DDoS god knows what? And I'd never notice this? LOL.... I guess this guy has alot of time, lets see....no passwords yet trans mitted for the past 3.5 months! How many packets IS that? Any one what to do the math on that? FYI, there is a C proof-of-concept for logging telnet AND ssh sessions + sshd & telnetd child sessions using ptrace; it's called smokingtwojoints.c

Quote:
25/tcp open smtp
Potential for open relay, sendmail has a long history of possible root exploits, ingress point for viruses, possible mailbombs and other DoS type attacks.
Again, I'll assume you speak of the current one. Again- replaced same day.
Quote:
As of sendmail version 8.9, forwarding of SMTP messages is not permitted by default.
..straight off Sendmail.org's site. Sendmail is up to, as of right now, 8.12.10. I know the danger of open relay first hand, if you read that part of my original post, involved with writing one's own sendmail m4 file. Config'ing sendmail is not an easy task, and yes I made that mistake. But it was corrected before any damage was done, and I now have sendmail configured for no-relay, access db, and real-time blackhole listing. Had I sat with the default install, I would've been fine, but probably never learned to configure it. Win? Lose? I dunno....

Viruses? All 2 of them? 3? ...that affect Linux/Unix with any degree of efficacy? All things considered, I'd say Linux Staog is the most effective virus for *nix platforms- and I've never seen it, well, at least in the wild.

Quote:
37/tcp open time
Can help timing attacks, such as those against Kerb4.
Never heard of that, can't comment. Sounds kinda McGeyvor-ish, no?

Quote:
79/tcp open finger
Trivial to compile a list of valid accounts to try brute force password guessing attacks on. Also reveals system information to narrow down the amount of exploits that need to be tried.
You keep saying "open" as in wide-open-nothing-there. Well, in.fingerd sits there, actually inetd or xinetd. Nmap i s the biggest threat to the average joe's security because, while finger may show info about what project I'm coding, or my fav. shell, or my full first name (Jay), nmap will give someone the full low-down on what services, what versions of those services, and what OS version I'm running, now handily distributed with a GUI interface with each Linux distro.
For example, a host from xyz IP sent a GET htp req. for /scripts/nsiislog.dll to my webserver today (popular MS IIS webserver exploit), so for the hell of it I scan'ed the host. MS-Win XP, SP1. Three times the services I run. With that info returned, I could run the DCOM RPC exploit with a good chance of sucess. I'd remove nmap before I'd remove finger. Yet no one mentioned that, why?
From the in.fingerd man page: " If the -u option is given, requests of the form finger @host are rejected." Is this what is being implied? My passwords are in the neiborhood of 12-15 char's long. I ran John the Ripper against them for fun. It didn't hit with several dict's. It's a meaningless alphanumeric string. Care to guess? How much time do you have? If I don't notice all those login attempts of a messy bruteforce then I don't deserve to login, period.

Quote:
80/tcp open http
Numerous weaknesses in web servers and modules.
That's really a far stab in the dark! How many websites run Apache? Should we close all those? According to this, yes! Sorry everyone, no more sites, no more WWW. I'd bet this site here uses Apache....

Quote:
110/tcp open pop-3
Plaintext protocol. Sniffing passwords is trivial, the same passwords can be used to login to a shell.
Sure, it is possible to badly configure stuff. If you require passwords for anon ftp , it's possible to mess it up so that they can also login to a shell with the same user/pass combo.
hosts.deny: popa3d:ALL takes care of it until I set it up in the near future, if not, I'll probably take it down.

Quote:
111/tcp open rpcbind
You are truely an idiot if you leave portmapper open to the world. The possibilities here are endless.
Please see http://www.mail-archive.com/debian-s.../msg09590.html
There are a few services that will not properly operate if this is blocked.
There are lots of things that connect as daemons, more than listed here,
that I run, and are a normal part of a system. (gpm, nautilus, esd) This one shocked me too when first I saw it, I used amap and got the banner from it, it seemed strange because I had blocked it with iptables. So far no root compromises though.

Quote:
113/tcp open auth
Nothing that I'm aware of.
There are some sites that will deny access without this.Which ones? I don't know, I run this.

Quote:
540/tcp open uucp
Some times used to relay spam. UUCP isn't really maintained and any weakness in implementation is unlikely to be fixed.
Nope, no spam yet. Though they try like hell thru sendmail. I get about 3 pages of rejects a day (access db rules!), but all they get is a 550 access denied.

Quote:
587/tcp open submission
This better not be open to the world (scan was on loopback so hopefully this is not bound to your external IP)
I take it you don't run sendmail. See http://www.luni.org/mail-archive/Oct2000/0579.html

Quote:
1241/tcp open nessus
Poor passwords could let people use your Nessus server to scan others (conceals real source).
Then you'd love my http proxy ;p
But that's down as of right now for an obvious reason. I had some one check me today for anon http proxy-ism.
Same password rules here as in shells. Anyway, how many people out there have a Nessus client? Or even know what it is? It's only been the most recent version of nmap that will accurately show this service as what it is (the one that came with my distro didn't), and I added it to /etc/services.

Quote:
6000/tcp open X11
Too many things to go into. You know the reasons why Microsoft says you shouldn't use NetBIOS across the Internet? Same goes for X11, it's not nearly secure enough to be open to untrusted networks.
Again you say "open" like it's a free-for-all, which it clearly isn't. Go to the X web site and read "The Evolution of Connectivity". I've a friend that does some of the graphics for my site. I just can't stand to let him work with MS-Windows anymore.

Quote:
Anyone who thinks they won't be cracked is deluding themself. The record time I've ever seen a box get hacked in was a Red Hat 7.2 box rooted 5 minutes after it was put on the Internet. The fact is it does not take great skill to run an exploit. It only takes a handful of really smart people to supply an army of script kiddies with point and click tools.
Never said I wouldn't get "cracked". There are some truely gifted coders out there. All I said is let's not be fanatical about security to the point that it denies us legitamate users access to our own services. That would be like never getting in a car because you're afraid it may crash.

Quote:
Don't you read your Snort logs every day? There are constantly nmap scans crawling every netblock, and more than that there are the exploits themself just being blindly run against every IP on the Internet. If there's an automated exploit out there, you will get cracked eventually. The development cycle from the release of a vulnerability report to proof of concept code to an automated exploit tool is getting shorter and shorter. Many of the attacks this year have happened in less than 30 days after the vulnerability was noticed, and it takes vendors several days to get a patch out usually. The number of "zero day" exploits is on the rise, and fast.
Linux was made to be a server-system. That's what I do with it. I'm not a professional, I'm just a guy with a Linux system that enjoys running it and learning how things work. There will always be virus/exploits/vulnerabilities and whatnot- you realize them, plan for it, then take the proper level-headed course of action to minimize them. But the one thing you don't do is shut down everything out of shear terror or attempt to instill your ill-founded fears into others. Linux is a robust, secure, multi-user, multi-service, server-oriented system. If you want to shut out the world (both bad & good) and hide all by yourself, I suggest you invest in MS Windows, and pull the plug to the Internet.

-J
 
Old 10-06-2003, 01:33 AM   #39
markship
LQ Newbie
 
Registered: Sep 2003
Distribution: RH Fedora Severn Test #
Posts: 4

Rep: Reputation: 0
I disagree with Xylon completly I lowered my iptables for ONE DAY so I could connect to the university file share server and had a hacker login as my basic user and write garbage to ALL of the remaining space of my hard drive making the system unstable and irrecoverable and was forced to format and reinstall EVERYTHING and lost days of work (both school & work) :-/
 
Old 10-06-2003, 02:00 AM   #40
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well jayjwa, nearly all your answers indicate that you have indeed hardend your system, which is the basis for any bastion host/firewall. So while you rile against firewalls, in fact your box is pretty much firewalled for nearly all intents and purposes. If you have shut off nearly all your services to external access, that's exactly what a firewall does. The only difference is that a firewall will give you one added layer of protection in case you or one of your users screws up and turns something on by accident (or a malicious user or trojan tries to turn something on on purpose).

As for portmapper (sunrpc) I do not give a shit what services depend on it, it's just as vulernable as the Microsoft DCE endpoint mapper (of MS Blaster fame) and I won't expose it to the Internet. In fact, I have it turned off as I'm not running NFS (another insecure protocol that should never be allowed over the Internet).

I don't know what your point is about 587/submission. Of course it's part of Sendmail, that's why I said you better not have it open to the world. The link you posted was how to disable it, which is exactly what you should do (so why is it running?).

Again a bunch of your arguments rely on security through obscurity, which I've been telling you repeatedly has been rejected by security experts as a body. It's tought against in every security class you might take and any recent security book or publication will warn you not to rely on being obscure.

Even the user who logs on for 45 minutes to surf, people actively seeking that one particular person out are going to have a hard time finding them, but haven't you read a single word I posted? I'm not talking about purposeful attacks aimed at individuals, I'm talking about random attacks aimed at any IP address that has a vulnerable service. If you happen to be logged on when the scan sweeps your subnet, you will be hit regardless of how small the time window is. If you get exploited and a trojan/worm is installed, it doesn't matter if you log off. The next time you log on it will be active and misbehaving.

All your blustering about using plain text protocols pretty much falls under the "it won't happen to me" category. The truth is if someone tried, they could succeed. Why make it easy? By the way, the first OpenSSH exploit was verified by several people, including one on the Security Focus list who seccussfully ran it against several of his OpenBSD boxes. The flaws in the subsequent releases were not verified with proof of concept code.

About X11, many people just do xhost + because it's easy and then forget about it. It's a very easy protocol to exploit in all kinds of devestating ways. If you lock it down, then that's a hardened system and you're actually acting in ways like a firewall designer. Again this is proving my point.

About the port 80 exploits, mostly they're in modules although there were some cross site scripting problems with Apache (not a security risk to the site itself). PHP especially has been ridden with security problems. OpenSSL has also been problematic lately, but it usually runs on 443 (of course).

So it looks like overall you agree with me, but on a few things you choose to deny that you will ever be exploited on the grounds of probability (banks during the '80s denied that DES could ever be cracked, too). I don't see why after all those security precautions you still have a problem with firewalls. It's not going to restrict you any more than you already are.

Oh, one last thing if you're using the basic UNIX crypt() for password hashing, then only the first 8 characters are used in the DES hashed password. Passwords longer than 8 characters will not add any security (MD5 passwords may allow longer hashed strings, I can't remember).
 
Old 10-06-2003, 12:30 PM   #41
Xylon
Member
 
Registered: Sep 2003
Location: Newfoundland, Canada
Distribution: Slackware 9.0
Posts: 44

Original Poster
Rep: Reputation: 15
I concede that it is more likely than I originally thought that my computer will be targetted. A scanning of a huge number of IPs may reveal my computer has open services that are potentially vulnerable.

When running a firewall, everytime a program can't get access to the Internet I have to find out what port it's using and manually open that port. This is even more difficult for the average home user. It's not worth the trouble and in the end the ports are still open. And the user will run into these problems since firewalls usually blocks a lot of outgoing traffic too.

Quote:
Never said I wouldn't get "cracked". There are some truely gifted coders out there. All I said is let's not be fanatical about security to the point that it denies us legitamate users access to our own services. That would be like never getting in a car because you're afraid it may crash.
"That would be like never getting in a car because you're afriad it may crash." Thank you Jayjwa that is exactly my point.
 
Old 10-06-2003, 12:37 PM   #42
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
And the user will run into these problems since firewalls usually blocks a lot of outgoing traffic too.
Completely, totally, and in all other ways INCORRECT. All the consumer firewall appliances by default allow all outbound traffic. In fact, on most SoHo appliances you have very little ability to filter outbound traffic at all (short of completely blocking a specific IP). This is also true of commercial firewalls (especially PIX with their model of security zones). Unless you explicitly turn on blocking of outbound traffic, it will be allowed.

Also, most sample scripts for open source firewalls (like pf, iptables, etc) do not block outbound traffic by default. You must be referring to Zone Alarm (or some similar personal firewall), which does block outbound by default (at least, the version I tested), but even Zone Alarm tells you what program is trying to make the connection and gives you the chance to approve it (by default). Hell, even the Microsoft personal firewall that ships with WinXP allows all outbound traffic when you turn it on.

Really Xylon, I don't get it. In one post you retract earlier stupid statements and admit your ignorance, then turn around and make another completely ignorant and uninformed comment. Quit when you're ahead.
 
Old 10-06-2003, 04:11 PM   #43
h1tman
Member
 
Registered: Jul 2003
Distribution: Slackware 11
Posts: 439

Rep: Reputation: 30
theres not alot of experts talking right now, and i dont claim to be one. but i do have experience. listen, for the most part a advisory or exploit isnt posted on the web until like weeks or months after the author of the exploit/finder has come up wit the bug. so you can be patched all you want. but somebody today is gonna write some code to grant himself root access to a service you are running. there is no advisory and even worse no patch! feel safe?

alot of hackers/crackers have exploits that arent posted about, of if they are posted they had it for months already.

on one hand its like, whats your home computer matter?but on the other hand why not just firewall it, just in case you do get compromised you dont have to worry bout reinstalling,etc.
 
Old 10-07-2003, 11:25 PM   #44
twilli227
Member
 
Registered: May 2003
Location: S.W. Ohio
Distribution: Ubuntu, OS X
Posts: 760

Rep: Reputation: 30
quote:
but on the other hand why not just firewall it, just in case you do get compromised you dont have to worry bout reinstalling,etc.


Well I believe in firewalling, but if you do get compromised, then what? If you are not absolutely sure of the integredy of your files, then you better reinstall.
 
Old 10-08-2003, 06:39 PM   #45
Read_Icculus
Member
 
Registered: Oct 2002
Distribution: MDK 9.2, Debian
Posts: 74

Rep: Reputation: 16
Although you need to run rpc in order to run Gnome and Nautilus, unless you are using other software that needs to connect to 111 from outside the network/box that has port 111 open, there is no need to leave the port open. Gnome works just fine on various boxes I've run with 111 firewalled. You said that you had firewalled it off with iptables, which is definitely a good idea, but it still shows up as open via an nmap scan. This is probably because you did something like "nmap 127.0.0.1", instead of an "nmap 63.12.12.1". If you don't route nmap through a network interface then iptables won't be doing it's thing. To get the best info about what ports are open on your box you should port-scan from inside and outside your network, as well as using a web-based port scanner like grc.com or pcflank.com. With pcflank you can use their "advanced port scanner" to scan any or all of your ports. I'd run a scan on all of the ports that you have any doubts about to get some more information and find out if everything is firewalled correctly.

As for this firewall debate, why would running a firewall ever prevent you from using whatever software you want to use? That kind of attitude is just silly. Also the firewalled Windows box that wouldn't allow netscape to pass through the firewall sounds like a great setup to me, (other than favoring IE over NS). Per application filtering allows you to really implement detailed rules for your network. A setup of that nature is excellent for something like the following - allow a network to only use Mozilla as the browser instead of a possibly insecure version of IE that exists by default on all of your boxes and cannot be removed, or to make users be able to FTP except not with ftp.exe. Here's another example, lets say that a user installs a piece of spyware that contacts a server on port 80 and behaves in a similar fashion to a browser. If you allowed all "browser type" traffic through the firewall then the spyware has free reign to do whatever it pleases. Same goes for a trojan that could upload various files to an FTP server. An application based firewall of the type that you find on Windows would notify you of these malicious apps, a firewall that allows all outbound traffic or has loose rules would let those types of things through. Per application filtering is a great tool for network security.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Which services are unnecessary? revenant Linux - Security 4 03-28-2004 11:43 PM
Kernel 2.6 and Firewall's ghostwalker Linux - Security 4 01-26-2004 03:36 AM
unnecessary user accounts linen0ise Slackware 2 09-19-2003 09:27 AM
Firewall's and MSBlast qwijibow Linux - Security 15 08-26-2003 09:54 PM
Firewall's proxy settings. silverstriip Linux - Networking 1 08-20-2003 02:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration