LinuxQuestions.org
Old 07-02-2007, 08:30 AM   #1
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Rep: Reputation: 15
My Firewall is having a ball blocking, some info needed


I decided to reinstall Ubuntu. I had some serious security concerns because of my lack of knowledge and screwing up the permissions of /var and /dev. I will never do anything like that again until I do a lot of research and reading, I mean A LOT.

Now since I reinstalled Ubuntu 7.04 and I am using Firestarter (with the GUI), I am getting a lot of blocked incoming IPs, and I mean a lot, and the IP addresses vary, but when I look them up they all mostly come from the same place (below). Not too long ago I did have XP installed. I can just imagine what was happening behind the scenes with that OS (even as secure as I had it).

So can anyone give me any additional info on this? They seem to be trying to access ports 1028, 7212, 8763, 8000, 6588, 1434, 8080 (80 alternate), and the most serious threat Firestarter warned me about was at port 53 (protocol - TCP, service - DNS), which is the first one on the list below. This is more than annoying. I am hoping all my ports are being blocked. I am going to install some monitoring software (any good ones I should consider?) and watch things closely. My computer is my baby, don't f**** with it, lol.


China
Hostmaster of Beijing Telecom corporation CHINA TELECOM
219.143.125.25
inetnum: 219.141.128.0 - 219.143.255.255

-------
Canada
OrgName: Shaw Communications Inc.
NetRange: 24.64.0.0 - 24.71.255.255

------------
China
CNC Group CHINA169 Heilongjiang Province Network
inetnum: 218.7.0.0 - 218.10.255.255


EDIT: Any other needed or optional security measures anyone can recommend would be helpful and greatly appreciated.

Last edited by Neo-Leper; 07-02-2007 at 08:37 AM.
 
Old 07-02-2007, 08:59 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
It's pretty normal for any Internet-connected host's firewall to get all kinds of connection attempts 24/7. As long as your firewall is doing its job, you're fine. Maybe configure the notification level (if you have such a thing) so that you don't get, well, notified so much about every single filtered packet.

There are websites that you can use which will scan common ports on your box to see if they are indeed firewalled, but do consider running your own scan using Nmap (from a remote box).

As for further suggestions, I'd say Tripwire. Of course, Tripwire would be something to install right after the OS is installed, before it's connected to any network.

Last edited by win32sux; 07-02-2007 at 09:03 AM.
 
Old 07-02-2007, 10:14 AM   #3
cybertaz
Member
 
Registered: Oct 2006
Distribution: SuSE 11.0
Posts: 118

Rep: Reputation: 15
Go to www.grc.com and do the port scan. It is called ShieldsUp!
 
Old 07-02-2007, 10:48 AM   #4
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Thank you both. I am going to check those programs out and try a few things, well after I make another post about an annoying problem I am having with nautilus, lol.
 
Old 07-02-2007, 01:00 PM   #5
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
I have a quick question, well two. First, you said tripwire would work better as soon as the OS has been installed? I have had it installed for several hours, with a lot of programs and extras installed since then. Would it be useless to install it now?

Also, the link below for shields up, does this apply to Microsoft Windows or Linux as well?


https://www.grc.com/x/ne.dll?bh0bkyd2


EDIT: I think I answered my own question. All the ports I scanned were stealth. At first TruStealth kept failing until I changed that. Now everything is stealth, common ports and random ones I type in. Did I say today how much I love Linux? LOL. I am going to use that Shields Up on MS Windows computers, or send the link to friends and family. I really want to see the results of those scans.

Last edited by Neo-Leper; 07-02-2007 at 01:18 PM.
 
Old 07-02-2007, 01:18 PM   #6
cybertaz
Member
 
Registered: Oct 2006
Distribution: SuSE 11.0
Posts: 118

Rep: Reputation: 15
That would apply for any computer on the internet.
 
Old 07-02-2007, 01:45 PM   #7
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Thanks. I used Shields Up to make sure FireStarter was running without starting the GUI. I am so used to MS Windows and having to see that firewall icon in the system tray, lol. All works great now.
 
Old 07-02-2007, 02:23 PM   #8
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Can a remote computer use another computer with poor security as an unwilling proxy host, without that person knowing about it?
 
Old 07-02-2007, 02:42 PM   #9
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

Rep: Reputation: 141
Is there some reason that you're not using an external router/firewall? I've used both Linksys and Netgear for several years and have never been compromised. It also helps that I use my.yahoo to access my email from my domain. Yahoo runs an anti-virus on the email before I even see it, so that any malware never even makes it to my machine.
 
Old 07-02-2007, 03:01 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Neo-Leper
I have a quick question, well two. First, you said tripwire would work better as soon as the OS has been installed? I have had it installed for several hours, with a lot of programs and extras installed since then. Would it be useless to install it now?
Well, it would defeat the purpose to a great extent. Whether it is useless or not is up to chance, as you have no way of knowing for sure if your box has been tampered with before Tripwire was installed. Usually a Tripwire install goes like this (regardless of distro):

1 - Unplug box from network
2 - Install/configure OS from trusted media
3 - Install updates from trusted media
4 - Install/configure Tripwire
5 - Plug box into network

Last edited by win32sux; 07-02-2007 at 03:05 PM.
 
Old 07-02-2007, 03:04 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Neo-Leper
Can a remote computer use another computer with poor security as an unwilling proxy host, without that person knowing about it?
It happens all the time, and it's only a grain of sand in the giant beach of things computers with poor security are constantly being used for.
 
Old 07-02-2007, 11:51 PM   #12
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
1 - Unplug box from network
2 - Install/configure OS from trusted media
3 - Install updates from trusted media
4 - Install/configure Tripwire
5 - Plug box into network

So if I only have one computer, as of right now, then it should be OK if I install it now? In the near future, a few months, I will have a wired home network set up as well as possibly two other computers remotely connected with the server/gateway, for small business purposes (totaling around 9 computers, at least). So I really need to understand and get things into place. I personally wouldn't even attempt to try this if I didn't have the Linux or BSD option available; I don't trust other OSes a whole lot.

The more I am learning, the more I am seeing that no matter how secure I had XP, I am not sure that it was that secure. It was more secure than the average MS PC user's, though. I had AVG, Registrybot, Ccleaner, Zonealarm or Sygate (I bounced back and forth between the two), Adaware, Spybot. I also had stand-alone programs too, like Shoot the Messenger, etc. Even with all of that I was still never comfortable with XP. And with all these programs, I really never learned as much as I needed to. Just install, see if it helps or works. See if XP acted buggy afterwards or crashed (I used to hold my breath often when I had to reboot XP). That was it. Before Linux I had no idea, for example, what iptables were, lol.

For a home network I plan on using an older computer as a router/gateway (SME maybe) and using a hub after that to go to the rest of the local network (I still need to research that a bit more). I have all the hardware for that now so I don't have to buy anything special except a few little things here and there, well I hope. Then we will have, as much as I hate the idea, two computers with XP. Then three computers with Linux, probably Ubuntu 7.04 and CrossOver+VirtualBox. The XP computers are needed so I can get everyone used to the Ubuntu setup and Linux. After that they will have something on them, probably a Linux distro other than Ubuntu. I really want to set one up with LFS when I get the time. I know that alone will be a great learning experience all around.

I never realized, even though I knew to a certain extent, how dangerous and vulnerable computers were on the internet. I knew more than the average person, but I have learned so much more in the last two days that it is scary, lol, and it makes me see that I didn't know as much as I thought I knew.

Thanks for the help, info and patience with me and getting things secure and set up, as well as understanding security issues and Linux.

Last edited by Neo-Leper; 07-02-2007 at 11:54 PM.
 
Old 07-03-2007, 12:20 AM   #13
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

Rep: Reputation: 141
Quote:
For a home network I plan on using an older computer as a router/gateway (SME maybe) and using a hub after that to go to the rest of the local network, (I still need to research that a bit more.)
You would be a lot better off if you used a cheap dedicated router/firewall instead of trying to manage a firewall yourself on an old computer. It would also consume a lot less power.
 
Old 07-03-2007, 12:47 AM   #14
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Quakeboy02
You would be a lot better off if you used a cheap dedicated router/firewall instead of trying to manage a firewall yourself on an old computer. It would also consume a lot less power.
Thanks. I will look into that. I do have a wireless router now that I don't use. I just don't trust using them yet because of my lack of understanding wireless security issues. I hope to understand more in the near future.
 
Old 07-03-2007, 07:52 AM   #15
Neo-Leper
Member
 
Registered: Nov 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Trinity v3

I am finding this very interesting. Why? Well, one IP address kept trying to access the same port, over and over. I got a bit angry and did some research on that address going to my port 32773. I found out this computer has Trinity v3 using port 32771. It is a Linux system, that much I am sure of.

So.... I am seeing why my computer is getting hit so much. I bet most of the time those ip addresses have no idea their computer is doing it. I also understand a lot more about the internet and security. There are many computers out there that have little or no security. I just hope my system is set up ok for now and even better in the near future.

(My computer does not have the files listed below.)

Trinity v3

http://xforce.iss.net/xforce/alerts/id/advise59


"Description:
Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started,
it connects to an Undernet IRC server on port 6667."

and

"...Another binary found on affected systems is /var/spool/uucp/uucico. This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp. This is a
simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a
root shell. The password in the binaries that we have analyzed is "!@#".
When the uucico binary is executed it changes its name to "fsflush"."

Last edited by Neo-Leper; 07-03-2007 at 07:59 AM.
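A defender's check for the indicators in the X-Force advisory quoted above, as an added example that is not part of the post: it looks for the two file paths the advisory names and, in `ss -ltnp` output, for a listener on TCP 33270 or a listening socket owned by a process called fsflush. The sample `ss` lines are constructed, and a kit that hides files or processes would of course not be seen by a userland check like this.

```shell
#!/bin/sh
# Added example: checks for the Trinity v3 indicators named in the X-Force
# advisory quoted above. Assumes a POSIX sh, awk and (for live use) iproute2's
# `ss`. Files or processes hidden by a rootkit will not show up here.

# trinity_file_indicators [ROOT]: report the advisory's two file paths if they
# exist under ROOT (default: the live root filesystem). Returns 1 on any hit.
# The genuine uucico lives in /usr/sbin (or /usr/lib/uucp), not /var/spool/uucp.
trinity_file_indicators() {
    root=${1:-}
    hit=0
    for f in /usr/lib/idle.so /var/spool/uucp/uucico; do
        if [ -e "$root$f" ]; then
            printf 'file present: %s\n' "$f"
            hit=1
        fi
    done
    return $hit
}

# trinity_listener_indicators: read `ss -ltnp` output on stdin and report a
# listener on TCP 33270 (the uucico backdoor port) or any listening socket
# owned by a process named fsflush (the name the backdoor gives itself).
# Returns 1 on any hit. Run ss as root or other users' process names are blank.
trinity_listener_indicators() {
    awk '$1 == "LISTEN" && $4 ~ /:33270$/   { print "listener on TCP 33270: " $4; hit = 1 }
         $1 == "LISTEN" && /\(\("fsflush"/ { print "fsflush owns listening socket " $4; hit = 1 }
         END { exit (hit ? 1 : 0) }'
}

# Constructed `ss -ltnp` sample (not real output) used to exercise the check.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:33270      0.0.0.0:*         users:(("fsflush",pid=4411,fd=4))'

# Live use (not run here):  trinity_file_indicators; ss -ltnp | trinity_listener_indicators
```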
 
All times are GMT -5. The time now is 12:41 AM.