Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a new install of Slackware 8.1 and I decided with this new install I would try using gShield as my firewall. The Linux box sits inside a LAN that runs off a single cable connection through a Linksys router. I have opened up most service ports to the Linux box as I use that for a DNS caching server, mail server, etc. I have noticed that my syslog is indicating a lot of activity in the firewall. I just wanted to make sure this is safe. I assume the "default drop" listed below means that access was denied to the incoming IP. Is this correct? Note the Linux box LAN IP is 192.168.1.130 as listed below.
Guess you're right; haven't looked at gShield too closely, but I guess grepping its (output?) script for the policies (-P) should tell what its default policies are.
*Btw, MAC addresses are unique, but don't carry beyond the LAN, so stripping 'em ain't really necessary. Stripping non-LAN IP addresses is good if you wanna.
Obviously, how gShield handles intruders depends on how you've set up /etc/firewall/gShield.conf. But in this case, 167.181.31.35's inquiry was dropped with no response from your box going back to him. If you need to look at the iptables rules as set by gShield, do iptables -L. -mk
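The replies above make the point that a "default drop" entry records a packet the firewall threw away, and that iptables -L shows which rules produced it. As an added example (not code from the thread, from gShield or from any of the posters), here is a small Python triage script for that kind of syslog. The sample lines are constructed in the standard netfilter LOG format using RFC 5737 test addresses; the "gShield default drop" prefix is an assumption about how gShield labels its logging rule, and the scan threshold is an arbitrary cut-off. What it shows is that a burst of drop entries from one source across many ports is a scan that went nowhere, which is a different question from whether anything got through the ACCEPT rules (those normally are not logged at all).

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (RFC 5737 test addresses) in the standard
# netfilter LOG format. "gShield default drop" is an assumed log prefix; the
# cron line is there to show that non-firewall entries are skipped.
SAMPLE_SYSLOG = """\
Aug 14 03:12:01 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41222 DF PROTO=TCP SPT=3344 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:01 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41223 DF PROTO=TCP SPT=3345 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:02 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41224 DF PROTO=TCP SPT=3346 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:02 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41225 DF PROTO=TCP SPT=3347 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:03 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41226 DF PROTO=TCP SPT=3348 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:03 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41227 DF PROTO=TCP SPT=3349 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:04 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41228 DF PROTO=TCP SPT=3350 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 03:12:09 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.130 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=41230 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 14 03:13:00 linux /usr/sbin/cron[210]: (root) CMD (run-parts /etc/cron.hourly)
Aug 14 03:41:17 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=198.51.100.9 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=2201 DF PROTO=TCP SPT=1080 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 14 03:41:20 linux kernel: gShield default drop IN=eth0 OUT= MAC=00:50:ba:aa:bb:cc:00:04:5a:dd:ee:ff:08:00 SRC=198.51.100.9 DST=192.168.1.130 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=2202 DF PROTO=TCP SPT=1080 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# One netfilter LOG line: a free-text prefix, then KEY=VALUE pairs. SPT/DPT
# only exist for TCP/UDP, so they are optional (ICMP has TYPE/CODE instead).
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)\s*IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_netfilter_log(text):
    """Return one dict per firewall log line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "prefix": m.group("prefix").strip(),
            "iface": m.group("in"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dport": int(m.group("dpt")) if m.group("dpt") else None,
        })
    return events


def summarize_by_source(events, scan_threshold=5):
    """Per-source view: hit count, distinct destination ports, and whether
    every hit came from a rule whose prefix says the packet was dropped.
    scan_threshold is an arbitrary cut-off for calling a source a scanner."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "prefixes": set()})
    for e in events:
        s = per_src[e["src"]]
        s["hits"] += 1
        s["prefixes"].add(e["prefix"].lower())
        if e["dport"] is not None:
            s["ports"].add((e["proto"], e["dport"]))
    report = {}
    for src, s in per_src.items():
        report[src] = {
            "hits": s["hits"],
            "distinct_ports": len(s["ports"]),
            "looks_like_scan": len(s["ports"]) >= scan_threshold,
            # False if any hit came from a rule that logs accepted traffic
            "only_dropped": all("drop" in p for p in s["prefixes"]),
        }
    return report


if __name__ == "__main__":
    for src, r in sorted(summarize_by_source(parse_netfilter_log(SAMPLE_SYSLOG)).items()):
        print(f"{src:16} hits={r['hits']:3} ports={r['distinct_ports']:3} "
              f"scan={r['looks_like_scan']} only_dropped={r['only_dropped']}")
```

To answer "did anyone get in" rather than "who got dropped", pair this with iptables -L -n -v: the -v output carries per-rule packet and byte counters, so the ACCEPT rules for the services deliberately opened (DNS, mail) show how much traffic actually reached them, which the drop log cannot tell you.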
I just wanted to know whether people are getting in or not. I am a bit worried (aka paranoid) as I compiled and ran the Saint intrusion detection system and it indicated the following, specifically the "Evidence of Penetration" section:
* Fresh install of Slackware 8.1
* gShield firewall - basically default setting
* qmail mail server
* cable connection behind Linksys router
Evidence of Penetration
* linux.macvoodoo.lan: Possible Trinity portshell detected
* linux.macvoodoo.lan: Possible mstream handler detected
* linux.macvoodoo.lan: Possible shaft handler detected
* linux.macvoodoo.lan: Possible stacheldraht handler detected
Possible Vulnerabilities
* linux.macvoodoo.lan: Is your Kerberos secure? (CVE-2000-0389, CVE-2000-0390, CVE-2000-0391)
* linux.macvoodoo.lan: possible vulnerability in Linux lpd
Limit Internet Access?
* linux.macvoodoo.lan: rlogin is enabled
* linux.macvoodoo.lan: pop receives password in clear
* linux.macvoodoo.lan: rexec is enabled and could help attacker
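The last three Saint findings (rlogin enabled, rexec enabled, POP password in the clear) all concern services that a Slackware 8.1 box starts from inetd, so the check a practitioner would make is on /etc/inetd.conf rather than on the firewall. The Python below is an added example, not code from the thread or from Saint: it lists the enabled inetd services in a constructed sample inetd.conf, flags the clear-text and trust-based ones, and produces the hardened file with the r-services commented out. The sample configuration, the RISKY_SERVICES table and its reason strings are the editor's assumptions, not the poster's actual file.

```python
# Constructed sample /etc/inetd.conf in the classic
# "service socket proto wait user server args" layout. The real file on the
# poster's box is not known; this one is illustrative only.
SAMPLE_INETD_CONF = """\
# See "man 8 inetd" for more information.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd -L
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popa3d
#auth   stream  tcp     wait    root    /usr/sbin/in.identd in.identd
"""

# Services that either send the password in the clear or trust the client's
# claimed identity and source address (the r-services). Editor's table.
RISKY_SERVICES = {
    "shell":  "rsh: .rhosts host/user trust, no encryption",
    "login":  "rlogin: .rhosts trust plus clear-text password fallback",
    "exec":   "rexec: clear-text password on every call",
    "telnet": "telnet: clear-text login",
    "pop3":   "POP3: clear-text password unless wrapped in TLS",
    "imap":   "IMAP: clear-text password unless wrapped in TLS",
}


def _service_name(line):
    """Service field of an active inetd.conf line, or None for comments/blanks.
    RPC entries look like 'name/version'; only the name matters here."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:          # malformed; inetd would reject the line
        return None
    return fields[0].split("/")[0]


def enabled_inetd_services(conf_text):
    """Names of services inetd would actually listen for, in file order."""
    names = []
    for line in conf_text.splitlines():
        name = _service_name(line)
        if name is not None:
            names.append(name)
    return names


def audit_inetd(conf_text):
    """Enabled services from the risky table, mapped to the reason."""
    return {s: RISKY_SERVICES[s]
            for s in enabled_inetd_services(conf_text) if s in RISKY_SERVICES}


def disable_services(conf_text, names):
    """Return the config with the named services commented out; everything
    else (including existing comments) is left byte-for-byte intact."""
    wanted = set(names)
    out = []
    for line in conf_text.splitlines():
        if _service_name(line) in wanted:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc, why in audit_inetd(SAMPLE_INETD_CONF).items():
        print(f"enabled: {svc:7} {why}")
    hardened = disable_services(SAMPLE_INETD_CONF, ["shell", "login", "exec"])
    print("still enabled after hardening:", enabled_inetd_services(hardened))
```

After writing the hardened file back to /etc/inetd.conf, inetd has to re-read it (kill -HUP on its pid) before the ports close. The "possible handler detected" entries in the same Saint report are inferred from how ports answered a remote probe, so the confirming check is on the host itself: compare what netstat -lnt shows listening with inetd.conf and the standalone daemons (qmail, the DNS cache) you know you started.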