LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-17-2001, 06:58 AM   #1
Wazza
Member
 
Registered: Dec 2000
Location: South Australia
Distribution: RedHat 7.2
Posts: 55

Rep: Reputation: 15
grc.com


Hi.
Just been looking over at grc.com, and tried the Firewall Leakage test.
I failed, as it said that my firewall was penetrated.
Doing a bit of reading there, it seems that the program poses itself as an FTP client, and connects that way.
I disabled outgoing traffic to port 21, and the leakage tester was no longer able to connect to grc.com (so I think I understand it right?)
Are there any Trojans or backdoors out there that do this in the real world?
How would you protect your internal network from a program like this in Linux, as the author talks about a firewall's ability to filter by program ID, not just ports?

Wazza
 
Old 07-17-2001, 07:18 AM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
What Steve Gibson's site is doing is just a basic port scan - there are loads of programs out there for port scanning, nmap from www.insecure.org being one of the most popular. The way to protect yourself is to either disable any programs that are listening on the ports, or use ipchains/iptables to deny (external) access to the ports.

As for filtering on program ID - he's referring to Windows-based (it's a purely Windows-targeted site in case you hadn't realised) 'personal' firewalls that can deny program access to the internet when they are running on your Windows box. The idea being that if you were to run a trojan that would attempt to connect to a website and download something nice for you, like sub7 or back orifice, then you get a popup box saying "program XXX is attempting to access the internet, do you wish to allow this to happen".

cheers

Jamie...
 
Old 07-17-2001, 08:50 AM   #3
Wazza
Member
 
Registered: Dec 2000
Location: South Australia
Distribution: RedHat 7.2
Posts: 55

Original Poster
Rep: Reputation: 15
Hi again.
Thanks for the reply. I must admit I didn't explain my question very well.
This "leak test" is installed on one of my Windows comps, which is behind a Linux firewall. So the program is trying to connect "out" by pretending to be an FTP client (I think?), and as I have the firewall configured to allow packets out destined for FTP, it's allowed.
I don't know the ins and outs of the thing, but I was wondering how you would overcome this prob in Linux if it was indeed a real infection, given that IPchains can not block data by the specific program sending it, which, as you point out, some Windows-based firewalls can.
(Tiny's Personal to name one)
The Shields Up port scan, on the other subject, shows all ok except for the few services I have running, and someone here a while ago gave a URL to an Nmap scanner, which showed up ok at this end.
I'm learning every day. I assumed that a trojan had to open a port to be connected to, but if I understand the basics of this thing, it gets info back into the host by sending "out" information to a common port destination first (which fools my firewall).
Also... because it has made the initial connection, I guess that means MASQ will pass it.
That's if I understand it correctly??

Wazza
 
Old 07-17-2001, 09:05 AM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Sorry - I misunderstood.

Yeah, the leak test establishes an outgoing connection so wouldn't be stopped by your Linux firewall or any other firewall that isn't running locally and monitoring the Windows processes. There are trojans that do this in the real world; those that establish an outgoing connection will still cause you problems, any that open a port on your Windows box won't be a problem as they'll never get an incoming connection.

I don't know of any Linux programs that monitor what ports processes are trying to send out on. I imagine it must be possible. I'm sure that Raz will know more.

cheers

Jamie...
 
Old 07-17-2001, 09:11 AM   #5
bako
Member
 
Registered: Sep 2000
Location: Haarlem, The Netherlands
Distribution: Freesco, RedHat, Debian
Posts: 41

Rep: Reputation: 15
The main thing GRC neglects to tell everybody with that leak test is the following:

It is aimed especially at personal firewalls, because it is a program installed on a client and will initiate the connection itself...

Now actually the only prevention from these sort of trojans is:

a. don't connect your clients to the internet....

b. install up to date virus protection software on every client and teach your users the "dangers" of installing unknown software...

Basically you were the problem here, you installed leaktest without thinking about what it could do... (I could write a little program that deletes your entire hard disk and call it agenda.exe, and all I have to do is mail it to somebody stupid enough to try, and voila we have a trojan)
Now most anti virus programs that are up to date will detect 99% of all trojans and keep your machine safe, that 1% (if really that big) is made up of programs like leaktest (and you're lucky it doesn't do you harm)

So basically your Linux (packet filtering) firewall is security item number one, and an up to date virus scanner on all your clients should be number two... I see no need for personal firewalls because I have my users educated (My girlfriend and I are the only users behind the firewall, and she doesn't install programs sent by mail and doesn't just download anything from the net)

And with these measures I dare to say my local net is safe from the big bad outside world.... My firewall denies unwanted access from outside-in and we deny unwanted access from inside-out ourselves...
(no personal firewall can beat common sense)

Last edited by bako; 07-17-2001 at 09:15 AM.
 
Old 07-17-2001, 11:00 AM   #6
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
This is also a good time to stress the importance of monitoring the logs in your firewall box, as this can give away the presence of offending trojans on the workstations in your network.
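Added example (not from the thread or any of its posters): a small Python script that reads netfilter LOG-target lines from a Linux gateway and reports LAN hosts that opened new FTP (port 21) connections to destinations outside an allow-list. This is the kind of firewall log review mcleodnine suggests for spotting a LeakTest-style program that phones out from a workstation, and it works on the same outbound-port-21 traffic Wazza ended up blocking. The sample log lines, addresses, interface names, the "EGRESS" prefix (as if set with an iptables `--log-prefix`) and the allow-list are all constructed for the example; only the KEY=VALUE field layout follows the standard iptables LOG format.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG-target lines as a Linux gateway's
# syslog might record outbound TCP from the LAN (IN=eth1) to the
# internet (OUT=eth0). Hosts, addresses and times are made up.
SAMPLE_LOG = """\
Jul 17 08:41:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1001 DF PROTO=TCP SPT=1037 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 17 08:41:03 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1002 DF PROTO=TCP SPT=1037 DPT=21 WINDOW=16384 RES=0x00 ACK URGP=0
Jul 17 08:41:10 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2001 DF PROTO=TCP SPT=1055 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 17 08:41:11 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.8 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2002 DF PROTO=TCP SPT=1056 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 17 08:41:12 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2003 DF PROTO=TCP SPT=1057 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 17 08:42:00 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3001 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 08:42:30 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1003 DF PROTO=TCP SPT=1040 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# FTP servers the LAN is expected to talk to (assumed for the example).
KNOWN_FTP_SERVERS = {"203.0.113.5"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
TIME_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields.

    TCP flags (SYN, ACK, ...) appear as bare tokens, so they are read
    separately; a line is a new connection attempt if it carries SYN
    without ACK. Returns None for lines that are not netfilter output.
    """
    if "kernel:" not in line:
        return None
    rec = {}
    m = TIME_RE.match(line)
    rec["TIME"] = m.group(1) if m else ""
    for key, val in FIELD_RE.findall(line):
        rec[key] = val
    tokens = line.split()
    rec["NEW"] = "SYN" in tokens and "ACK" not in tokens
    if "SRC" not in rec or "DST" not in rec:
        return None
    return rec


def outbound_connections(log_text, dport=21):
    """Yield (src, dst) for every new outbound TCP connection to dport."""
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or not rec["NEW"]:
            continue
        if rec.get("DPT") == str(dport):
            yield rec["SRC"], rec["DST"]


def flag_suspicious_hosts(log_text, known_servers=KNOWN_FTP_SERVERS):
    """Map each LAN host to the sorted list of unexpected FTP destinations.

    Hosts whose port-21 connections all went to known servers are omitted;
    a host fanning out to several unknown servers is the pattern a
    LeakTest-style program (or a real trojan phoning home) would leave.
    """
    unknown = defaultdict(set)
    for src, dst in outbound_connections(log_text, dport=21):
        if dst not in known_servers:
            unknown[src].add(dst)
    return {src: sorted(dsts) for src, dsts in unknown.items()}


if __name__ == "__main__":
    for host, dests in flag_suspicious_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(dests)} unexpected FTP destination(s): {', '.join(dests)}")
```

On a real gateway the same parser can be pointed at the kernel log (`/var/log/messages` or `/var/log/kern.log`, depending on the distribution's syslog setup) once an iptables LOG rule is in place for the outbound traffic of interest; the allow-list and port are the knobs to adjust for what the LAN legitimately uses.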
 