Linux - Security
07-02-2007, 08:30 AM | #1
Member
Registered: Nov 2006
Posts: 141
My Firewall is having a ball blocking, some info needed
I decided to reinstall Ubuntu. I had some serious security concerns because of my lack of knowledge and screwing up the permissions of /var and /dev. I will never do anything like that again until I do a lot of research and reading, I mean A LOT.
Now, since I reinstalled Ubuntu 7.04 and I am using Firestarter (with the GUI), I am getting a lot of blocked incoming IPs, and I mean a lot. The IP addresses vary, but when I look them up they mostly come from the same places (below). Not too long ago I had XP installed. I can just imagine what was happening behind the scenes with that OS (even as secure as I had it).
So can anyone give me any additional info on this? They seem to be trying to access ports 1028, 7212, 8763, 8000, 6588, 1434, 8080 (80 alternate), and the most serious threat Firestarter warned me about was at port 53 (protocol TCP, service DNS), which is the first one on the list below. This is more than annoying. I am hoping all my ports are being blocked. I am going to install some monitoring software (any good ones I should consider?) and watch things closely. My computer is my baby, don't f**** with it, lol.
China
Hostmaster of Beijing Telecom corporation CHINA TELECOM
219.143.125.25
inetnum: 219.141.128.0 - 219.143.255.255
-------
Canada
OrgName: Shaw Communications Inc.
NetRange: 24.64.0.0 - 24.71.255.255
------------
China
CNC Group CHINA169 Heilongjiang Province Network
inetnum: 218.7.0.0 - 218.10.255.255
EDIT: Any other needed or optional security measures anyone can recommend would be helpful and greatly appreciated.
Last edited by Neo-Leper; 07-02-2007 at 08:37 AM.
07-02-2007, 08:59 AM | #2
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
It's pretty normal for any Internet-connected host's firewall to get all kinds of connection attempts 24/7. As long as your firewall is doing its job, you're fine. Maybe configure the notification level (if you have such a thing) so that you don't get, well, notified so much about every single filtered packet.
There are websites that you can use which will scan common ports on your box to see if they are indeed firewalled, but do consider running your own scan using Nmap (from a remote box).
As for further suggestions, I'd say Tripwire. Of course, Tripwire would be something to install right after the OS is installed, before it's connected to any network.
Last edited by win32sux; 07-02-2007 at 09:03 AM.
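Firestarter is a front end for iptables, so the "blocked incoming" entries it reports are iptables LOG lines in the kernel log. The script below is an added example, not code from the thread or from Firestarter: it parses iptables LOG entries (the standard key=value form) and summarises them by source address and destination port, which is the first thing to do before deciding whether the noise is worth a notification. The log lines embedded in it are constructed for the demo; the addresses were picked from the netblocks quoted in the original post and the ports from the poster's list. The log path in the usage note is an assumption (Ubuntu usually writes kernel messages to /var/log/kern.log or /var/log/messages).

```python
"""Summarise iptables LOG entries by source and destination port.

Added example for this thread. Firestarter logs dropped packets through the
iptables LOG target, which produces the key=value kernel-log format parsed
here. SAMPLE_LOG is constructed test data, not a real capture.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample of iptables LOG lines as they appear in the kernel log
# (assumed path: /var/log/kern.log). The last line is ordinary syslog noise.
SAMPLE_LOG = """\
Jul  2 08:30:01 ubuntu kernel: [ 1234.567890] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=219.143.125.25 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5000 DF PROTO=TCP SPT=4521 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  2 08:30:04 ubuntu kernel: [ 1237.000001] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=219.143.125.25 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5001 DF PROTO=TCP SPT=4522 DPT=1434 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  2 08:30:09 ubuntu kernel: [ 1242.000002] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=24.64.10.20 DST=192.168.1.10 LEN=404 TOS=0x00 PREC=0x00 TTL=120 ID=1 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jul  2 08:30:15 ubuntu kernel: [ 1248.000003] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=218.7.33.44 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=7 DF PROTO=TCP SPT=1111 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  2 08:30:20 ubuntu kernel: [ 1253.000004] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=218.7.33.44 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=8 DF PROTO=TCP SPT=1112 DPT=32773 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  2 08:30:21 ubuntu kernel: [ 1254.000005] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=218.7.33.44 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9 DF PROTO=TCP SPT=1113 DPT=32773 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  2 08:30:22 ubuntu kernel: [ 1255.000006] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jul  2 08:30:23 ubuntu cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

# iptables LOG fields are upper-case KEY=value tokens; flags like DF/SYN have no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of an iptables LOG line, or None for other syslog lines."""
    if "kernel:" not in line or "IN=" not in line or "PROTO=" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    return dict(FIELD_RE.findall(payload))


@dataclass
class Summary:
    packets: int
    sources: Counter                                  # src ip -> hit count
    ports: Counter                                    # (proto, dport) -> hit count
    ports_by_source: Dict[str, Set[Tuple[str, int]]]  # src ip -> ports it probed


def summarise(log_text: str) -> Summary:
    """Aggregate every LOG line in log_text; non-firewall lines are ignored."""
    sources: Counter = Counter()
    ports: Counter = Counter()
    by_src: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    packets = 0
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        packets += 1
        src = fields.get("SRC", "?")
        proto = fields.get("PROTO", "?")
        sources[src] += 1
        if "DPT" in fields:  # ICMP entries carry TYPE/CODE instead of a destination port
            key = (proto, int(fields["DPT"]))
            ports[key] += 1
            by_src[src].add(key)
    return Summary(packets, sources, ports, dict(by_src))


def report(summary: Summary, top: int = 5) -> str:
    """Human-readable summary: who is knocking, and on which doors."""
    out = [f"{summary.packets} logged packets from {len(summary.sources)} sources", "Top sources:"]
    for src, n in summary.sources.most_common(top):
        targets = sorted(summary.ports_by_source.get(src, ()))
        out.append(f"  {src:<16} {n:>4}  ports: " + ", ".join(f"{p}/{d}" for p, d in targets))
    out.append("Top destination ports:")
    for (proto, dport), n in summary.ports.most_common(top):
        out.append(f"  {proto}/{dport:<6} {n:>4}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Against a real box, feed it the kernel log instead of the sample (for example `summarise(open("/var/log/kern.log").read())`, path assumed). The DHCP line from 192.168.1.1 in the sample is the kind of local noise that makes a per-packet notifier exhausting; the repeat hits on a single port from one address are the entries actually worth a second look.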
07-02-2007, 10:14 AM | #3
Member
Registered: Oct 2006
Distribution: SuSE 11.0
Posts: 118
Go to www.grc.com and do the port scan. It is called ShieldsUp!.
07-02-2007, 10:48 AM | #4
Member
Registered: Nov 2006
Posts: 141
Original Poster
Thank you both. I am going to check those programs out and try a few things, well, after I make another post about an annoying problem I am having with Nautilus, lol.
07-02-2007, 01:00 PM | #5
Member
Registered: Nov 2006
Posts: 141
Original Poster
I have a quick question, well, two. First, you said Tripwire would work better as soon as the OS has been installed? I have had it installed for several hours, with a lot of programs and extras installed since then. Would it be useless to install it now?
Also, the link below for shields up, does this apply to Microsoft Windows or Linux as well?
https://www.grc.com/x/ne.dll?bh0bkyd2
EDIT: I think I answered my own question. All the ports I scanned were stealth. At first TruStealth kept failing until I changed that. Now everything is stealth, common ports and random ones I type in. Did I say today how much I love Linux? LOL. I am going to use that ShieldsUp on MS Windows computers, or send the link to friends and family. I really want to see the results of those scans.
Last edited by Neo-Leper; 07-02-2007 at 01:18 PM.
07-02-2007, 01:18 PM | #6
Member
Registered: Oct 2006
Distribution: SuSE 11.0
Posts: 118
That would apply for any computer on the internet.
07-02-2007, 01:45 PM | #7
Member
Registered: Nov 2006
Posts: 141
Original Poster
Thanks. I used ShieldsUp to make sure Firestarter was running without starting the GUI. I am so used to MS Windows and having to see that firewall icon in the system tray, lol. All works great now.
07-02-2007, 02:23 PM | #8
Member
Registered: Nov 2006
Posts: 141
Original Poster
Can a remote computer use another computer with poor security as an unwilling proxy host, without that person knowing about it?
07-02-2007, 02:42 PM | #9
Senior Member
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407
Is there some reason that you're not using an external router/firewall? I've used both Linksys and Netgear for several years and have never been compromised. It also helps that I use my.yahoo to access my email from my domain. Yahoo runs an anti-virus on the email before I even see it, so that any malware never even makes it to my machine.
07-02-2007, 03:01 PM | #10
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by Neo-Leper
I have a quick question, well, two. First, you said Tripwire would work better as soon as the OS has been installed? I have had it installed for several hours, with a lot of programs and extras installed since then. Would it be useless to install it now?
Well, it would defeat the purpose to a great extent. Whether it is useless or not is up to chance, as you have no way of knowing for sure if your box has been tampered with before Tripwire was installed. Usually a Tripwire install goes like this (regardless of distro):
1 - Unplug box from network
2 - Install/configure OS from trusted media
3 - Install updates from trusted media
4 - Install/configure Tripwire
5 - Plug box into network
Last edited by win32sux; 07-02-2007 at 03:05 PM.
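The reason for the ordering above is that an integrity checker can only tell you what changed since its baseline was taken; if the box was already tampered with when the baseline was written, the tampered files become the reference. The following is an added example, not part of the thread and not Tripwire's own code: a minimal baseline-and-compare in the same spirit, recording a SHA-256 digest plus mode, owner and size for every regular file under a root and then reporting files that were added, removed or changed (content or mode). The demo builds a throwaway directory tree, so it runs anywhere; the file names in it are borrowed from the advisory quoted later in this thread but the contents are made up.

```python
"""Minimal file-integrity baseline and check, in the spirit of Tripwire.

Added example for this thread, not Tripwire itself. build_baseline() walks a
tree and records sha256/mode/uid/size for regular files; compare() diffs two
baselines. demo() constructs a temporary tree, baselines it, tampers with it
and returns the differences found.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Map path (relative to root) -> attributes for every regular file under root.

    Symlinks, sockets and device nodes are skipped; lstat() is used so a
    symlink pointing at a file does not get recorded as that file.
    """
    baseline: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[str(p.relative_to(root))] = {
                "sha256": _digest(p),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: Dict[str, dict], dest: Path) -> None:
    """Write the baseline as JSON; keep the copy you trust off the host or read-only."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, dict]:
    return json.loads(src.read_text())


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    """Report paths added, removed, or whose recorded attributes differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("usr/lib", "usr/sbin", "etc", "bin"):
            (root / d).mkdir(parents=True)
        (root / "usr/sbin/uucico").write_bytes(b"legitimate uucico binary\n")
        (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin/sh").write_bytes(b"#!/bin/sh\n")
        os.chmod(root / "bin/sh", 0o755)

        db = root / "baseline.json"
        save_baseline(build_baseline(root), db)
        db.unlink()  # the database itself must not be part of the next walk
        baseline = load_baseline(db) if db.exists() else None
        # (re-read from the JSON copy we kept in memory instead)
        baseline = json.loads(json.dumps(baseline)) if baseline else None

        # Simulated tampering after the baseline was taken:
        with (root / "etc/passwd").open("a") as fh:
            fh.write("hax:x:0:0::/:/bin/sh\n")          # modified content
        (root / "usr/lib/idle.so").write_bytes(b"\x7fELF")  # new file
        (root / "usr/sbin/uucico").unlink()            # removed file
        os.chmod(root / "bin/sh", 0o4755)              # setuid bit added, content unchanged

        return compare(BASELINE_CACHE[0], build_baseline(root))
```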
07-02-2007, 03:04 PM | #11
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by Neo-Leper
Can a remote computer use another computer with poor security as an unwilling proxy host, without that person knowing about it?
It happens all the time, and it's only a grain of sand in the giant beach of things computers with poor security are constantly being used for.
07-02-2007, 11:51 PM | #12
Member
Registered: Nov 2006
Posts: 141
Original Poster
Quote:
1 - Unplug box from network
2 - Install/configure OS from trusted media
3 - Install updates from trusted media
4 - Install/configure Tripwire
5 - Plug box into network
So if I only have one computer, as of right now, then it should be OK if I install it now? In the near future, a few months, I will have a wired home network set up as well as possibly two other computers remotely connected with the server/gateway, for small business purposes (totaling around 9 computers, at least). So I really need to understand and get things into place. I personally wouldn't even attempt to try this if I didn't have the Linux or BSD option available; I don't trust other OSs a whole lot.
The more I am learning, the more I am seeing that no matter how secure I had XP, I am not sure that it was that secure. It was more secure than the average MS PC user's, though. I had AVG, RegistryBot, CCleaner, ZoneAlarm or Sygate (I bounced back and forth between the two), Ad-Aware, Spybot. I also had stand-alone programs too, like Shoot the Messenger, etc. Even with all of that I was still never comfortable with XP. And with all these programs, I really never learned as much as I needed to. Just install, see if it helps or works. See if XP acted buggy afterwards or crashed (I used to hold my breath often when I had to reboot XP). That was it. Before Linux I had no idea, for example, what iptables was, lol.
For a home network I plan on using an older computer as a router/gateway (SME maybe) and using a hub after that to go to the rest of the local network (I still need to research that a bit more). I have all the hardware for that now, so I don't have to buy anything special except a few little things here and there, well, I hope. Then we will have, as much as I hate the idea, two computers with XP. Then three computers with Linux, probably Ubuntu 7.04 and CrossOver + VirtualBox. The XP computers are needed so I can get everyone used to the Ubuntu setup and Linux. After that they will have something on them, probably a Linux distro other than Ubuntu. I really want to set one up with LFS when I get the time. I know that alone will be a great learning experience all around.
I never realized, even though I knew to a certain extent, how dangerous and vulnerable computers were on the internet. I knew more than the average person, but I am learning so much more in the last two days that it is scary, lol, and it makes me see that I didn't know as much as I thought I knew.
Thanks for the help, info and patience with me and getting things secure and set up, as well as understanding security issues and Linux.
Last edited by Neo-Leper; 07-02-2007 at 11:54 PM.
07-03-2007, 12:20 AM | #13
Senior Member
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407
Quote:
For a home network I plan on using an older computer as a router/gateway (SME maybe) and using a hub after that to go to the rest of the local network (I still need to research that a bit more).
You would be a lot better off if you used a cheap dedicated router/firewall instead of trying to manage a firewall yourself on an old computer. It would also consume a lot less power.
07-03-2007, 12:47 AM | #14
Member
Registered: Nov 2006
Posts: 141
Original Poster
Quote:
Originally Posted by Quakeboy02
You would be a lot better off if you used a cheap dedicated router/firewall instead of trying to manage a firewall yourself on an old computer. It would also consume a lot less power.
Thanks. I will look into that. I do have a wireless router now that I don't use. I just don't trust using them yet because of my lack of understanding wireless security issues. I hope to understand more in the near future.
07-03-2007, 07:52 AM | #15
Member
Registered: Nov 2006
Posts: 141
Original Poster
Trinity v3
I am finding this very interesting. Why? Well, one IP address kept trying to access the same port, over and over. I got a bit angry and did some research on that address going to my port 32773. I found out this computer has Trinity v3 using port 32771. It is a Linux system, that much I am sure of.
So.... I am seeing why my computer is getting hit so much. I bet most of the time those IP addresses have no idea their computer is doing it. I also understand a lot more about the internet and security. There are many computers out there that have little or no security. I just hope my system is set up OK for now and even better in the near future.
(My computer does not have the files listed below.)
Trinity v3
http://xforce.iss.net/xforce/alerts/id/advise59
"Description:
Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started,
it connects to an Undernet IRC server on port 6667."
and
"...Another binary found on affected systems is /var/spool/uucp/uucico. This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp. This is a
simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a
root shell. The password in the binaries that we have analyzed is "!@#".
When the uucico binary is executed it changes its name to "fsflush"."
Last edited by Neo-Leper; 07-03-2007 at 07:59 AM.
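The advisory quoted above gives four host-side indicators for a Trinity v3 agent: the files /usr/lib/idle.so and /var/spool/uucp/uucico, a TCP listener on port 33270, a process named "fsflush", and an outbound IRC connection on TCP 6667. The script below is an added example, not from the thread or from X-Force, showing how to check a Linux host for exactly those indicators by parsing /proc/net/tcp (the kernel's socket table; IPv4 only here, /proc/net/tcp6 is not read) and /proc/PID/comm. The /proc/net/tcp text and the process list embedded in it are constructed so the demo runs offline; live_inputs() gathers the real ones. Two caveats the script itself encodes: the real uucico in /usr/sbin is deliberately not flagged, and a process name is a weak indicator since the attacker chose it and can change it.

```python
"""Check a Linux host for the Trinity v3 indicators listed in ISS X-Force advise59.

Added example for this thread (not advisory code). Indicators, per the
advisory quoted in the post: agent at /usr/lib/idle.so, backdoor at
/var/spool/uucp/uucico listening on TCP 33270 and renaming itself "fsflush",
and an outbound IRC connection to port 6667.
"""
import socket
import struct
from pathlib import Path
from typing import Dict, List, Set, Tuple

TRINITY_PATHS = ["/usr/lib/idle.so", "/var/spool/uucp/uucico"]
BACKDOOR_PORT = 33270
IRC_PORT = 6667
PROCESS_NAME = "fsflush"

# /proc/net/tcp states (kernel enum values, hex as printed)
ST_ESTABLISHED = "01"
ST_LISTEN = "0A"

# Constructed /proc/net/tcp: sshd listening on 22, the backdoor listening on
# 0x81F6 (= 33270), and one established connection to remote port 0x1A0B (= 6667).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:81F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:8B2E 5D3F5C0A:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/PID/comm contents; one process carries the advisory's fake name.
SAMPLE_COMMS: Dict[int, str] = {1: "init", 742: "sshd", 4242: "fsflush", 999: "bash"}


def _decode(addr: str) -> Tuple[str, int]:
    """Turn '0A01A8C0:8B2E' into ('192.168.1.10', 35630).

    The kernel prints the IPv4 address as a 32-bit integer in host byte order,
    so it is unpacked with native byte order.
    """
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def _rows(proc_net_tcp: str):
    for line in proc_net_tcp.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "sl":  # header or blank
            continue
        yield parts[1], parts[2], parts[3]      # local, remote, state


def listening_ports(proc_net_tcp: str) -> Set[int]:
    return {_decode(local)[1] for local, _rem, st in _rows(proc_net_tcp) if st == ST_LISTEN}


def established_remotes(proc_net_tcp: str) -> List[Tuple[str, int]]:
    return [_decode(rem) for _loc, rem, st in _rows(proc_net_tcp) if st == ST_ESTABLISHED]


def scan(root: Path, proc_net_tcp: str, comm_by_pid: Dict[int, str]) -> List[str]:
    """Return one finding string per indicator observed. Empty list means none seen."""
    findings: List[str] = []
    for p in TRINITY_PATHS:                       # /usr/sbin/uucico is legitimate; not listed
        if (root / p.lstrip("/")).exists():
            findings.append(f"file present: {p}")
    if BACKDOOR_PORT in listening_ports(proc_net_tcp):
        findings.append(f"TCP listener on port {BACKDOOR_PORT} (uucico backdoor port)")
    for ip, port in established_remotes(proc_net_tcp):
        if port == IRC_PORT:
            findings.append(f"established connection to {ip}:{port} (IRC control channel port)")
    for pid, comm in sorted(comm_by_pid.items()):  # weak indicator: the name is attacker-chosen
        if comm == PROCESS_NAME:
            findings.append(f"process {pid} is named {comm}")
    return findings


def live_inputs() -> Tuple[Path, str, Dict[int, str]]:
    """Read the real /proc tables for a live check (Linux only)."""
    comms: Dict[int, str] = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                comms[int(entry.name)] = (entry / "comm").read_text().strip()
            except OSError:
                pass
    return Path("/"), Path("/proc/net/tcp").read_text(), comms


def demo() -> List[str]:
    """Run scan() over a constructed root containing the backdoor file plus the sample tables."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "var/spool/uucp").mkdir(parents=True)
        (root / "var/spool/uucp/uucico").write_bytes(b"\x7fELF")
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/sbin/uucico").write_bytes(b"\x7fELF")  # the real one; must not be flagged
        return scan(root, SAMPLE_PROC_NET_TCP, SAMPLE_COMMS)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

For a real check run `scan(*live_inputs())` as root so every /proc/PID/comm is readable. Port numbers in /proc/net/tcp are hex, which is why 33270 appears as 81F6 and 6667 as 1A0B; that conversion trips up a lot of hand-written checks.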