Slackware: This forum is for the discussion of Slackware Linux.
I went to ShieldsUp at www.grc.com and ran the tests to check the security on my laptop. I'm using guarddog to configure my firewall until the time I learn to use iptables probably. I failed the common ports probe, apparently because my computer returns ping requests. But I can't figure out what is returning them.
nmap localhost gives
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-09 21:32 EST
Interesting ports on Hex.samwise.hex.org (127.0.0.1):
Not shown: 1694 closed ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp open auth
6000/tcp open X11
Nmap finished: 1 IP address (1 host up) scanned in 0.100 seconds
I commented out auth in /etc/inetd.conf and restarted but it's still there.
I use ping and find it useful. Is it much of a security risk? What process returns the ping?
Ping won't show up on nmap (well, not where you're looking).
Nmap looks at TCP and UDP ports. Ping is what's known as an ICMP message. If you don't want to respond to ping (which, by the way, is an incredibly useful thing to be able to do if you want to remote-access the PC... so much easier to ping it to see if it's working than to spend an hour figuring out that you can't even route to the machine itself) you can block ICMP with iptables, just the same way as any other type of packet:
Ping is not really any sort of security risk at all. It's basically the IP equivalent of "Are you there, yes or no?". There's nothing to compromise with ping. Other ICMP messages can do stuff but you'll find that they only really work for you and most of them are overridden by your ISP anyway.
I leave ping alone on my machine. The fact that my machine responds to ping is very useful to me and others (e.g. when I'm fixing someone's systems, I know that MY ip will always be up, so it's useful to ping it to check connectivity) and zero-risk. There are people that say that it "lets hackers know your machine is on", but they are generally paranoid idiots. Anyone who wants to attack your machine won't be put off by a hidden or faked ping response, the botnets tend to just brute-force try every IP and every port that they know they can attack on.
Some places won't even accept connections unless they can ping you back at your IP (some IRC networks spring to mind).
There is no "process" that returns a ping... it's part of the way Ethernet and networks operate - it's a fundamental part of the protocols involved. ICMP messages such as ping are part of the way messages are routed over the Internet - in a very simplified explanation they basically say things like "Whoa, you're talking too fast", "Nope, that computer isn't talking to me", "The computer on the other end said that that port is closed" or "I have no CLUE about how to find that machine". Most ICMP messages are useful. Ping is one of those. It *can* be blocked (I know of a few places that block them routinely) but it's a bit pointless.
The places I know that do block them do so for traffic reasons because they are very high volume machines and, e.g. getting pings from a million client PCs when a DNS server goes down actually adds to the problem. To be honest, there's not even much point in that anyway, because by the time your machine has worked out that it's a ping message and decides whether or not to respond, you've ALREADY spent time and bandwidth to receive it in the first place.
Well, there's your first problem. Steve Gibson is a moron who can't be counted on to tell the difference between a threat and a delusion.
Quote:
Originally Posted by samwise17
and ran the tests to check the security on my laptop. I'm using guarddog to configure my firewall until the time I learn to use iptables probably. I failed the common ports probe, apparently because my computer returns ping requests.
...and that right there would be one of the (many) reasons Mr. Gibson is a moron. There used to be a whole site devoted to why he's a moron--but there's only so long it makes sense to keep such a site up.
Quote:
Originally Posted by samwise17
But I can't figure out what is returning them.
nmap localhost gives
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-09 21:32 EST
Interesting ports on Hex.samwise.hex.org (127.0.0.1):
Not shown: 1694 closed ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp open auth
6000/tcp open X11
Nmap finished: 1 IP address (1 host up) scanned in 0.100 seconds
I commented out auth in /etc/inetd.conf and restarted but it's still there.
I use ping and find it useful. Is it much of a security risk? What process returns the ping?
Ping is nothing to worry about.
Using nmap to scan localhost on the other hand, is pointless. (Even Fyodor will tell you it's the wrong tool for the job.)
ledow, that's exactly the answer I was looking for. I do have a router so I'll check that. As for Steve Gibson, well I had no idea who he was, I just heard the shieldsup site was good. Looking at Wikipedia he does appear to be paranoid.
edit: yes the router allows ping. I only got it so I could access the net with my laptop around the house wirelessly, set it up so I could get on the net and left it. Looking at the config page, I had no idea it could do all this stuff.
Running nmap against localhost tells you little of value. If you want to see which tcp/udp services are listening on which interfaces, use netstat -ltnu
You can run nmap from another box on your network, or you can use grc.com as you did.
Quote:
Originally Posted by samwise17
I use ping and find it useful. Is it much of a security risk?
Whether or not you use the ping program has nothing to do with your box responding to icmp echo requests. This can be disabled via a sysctl variable (or using a packet filtering firewall), but I'll basically concur with previous posts that state it's not a particular security risk in and of itself.
You should be more focused on the results of that netstat command I provided and whether or not port scans from external machines show that you have services listening.
By the way, it's a tad harsh to call Gibson a moron, eh? He provides a free portscan service that is widely used. You just need to have enough knowledge to understand the results and draw your own conclusions.
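An added example, not code from any poster in this thread: a POSIX sh script that does what ledow's ICMP note and hairball's netstat advice describe. It classifies listeners from a constructed `netstat -ltnu` sample (not the OP's real output; the column layout is net-tools' and the sample ports echo the nmap list) as loopback-only or reachable from other hosts, and reads the kernel's `net.ipv4.icmp_echo_ignore_all` sysctl, which is the variable hairball refers to.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltnu` output in net-tools' column layout.
# It is not the OP's real output; ports 22, 113 and 6000 mirror the nmap list.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:6000                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Print "<proto> <port> <scope>" per listener. A wildcard (0.0.0.0 / ::) or
# interface address is "external": other hosts can reach it unless a packet
# filter or the router blocks it. 127.0.0.1 / ::1 is "loopback".
classify_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 2 && NF >= 4 {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # everything before it
            scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "external"
            print $1, port, scope
        }'
}

# Count listeners an outside port scan (like the grc.com probe) could see.
count_external() {
    classify_listeners "$1" | awk '$3 == "external" { n++ } END { print n + 0 }'
}

# The sysctl hairball mentions: 1 means the kernel ignores ICMP echo requests.
# Prints "ignored", "answered", or "unknown" where /proc is not available.
icmp_echo_policy() {
    f=/proc/sys/net/ipv4/icmp_echo_ignore_all
    if [ -r "$f" ]; then
        case "$(cat "$f")" in 1) echo ignored ;; *) echo answered ;; esac
    else
        echo unknown
    fi
}

# Usage on the sample; swap in "$(netstat -ltnu)" for a live check.
classify_listeners "$SAMPLE_NETSTAT"
echo "externally visible listeners: $(count_external "$SAMPLE_NETSTAT")"
echo "ICMP echo: $(icmp_echo_policy)"
```

Note that "external" only means the socket is bound to a reachable address; whether the grc.com probe actually sees it still depends on the host firewall and, as the OP found, on the router in front of the laptop.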
I see I have hit a sensitive topic with Steve Gibson. Let's forget him for a moment. What's the difference between nmap and netstat?
Hi
Just do a 'man netstat' and 'man nmap' to see! You should be able to understand the operations of each.
BTW, the Steve Gibson issue has been ongoing for quite some time. I use his site as a quick test of sites. You need to discern the information. Yes, he is paranoid about certain things but a good asm coder. He is very persistent and can be classed as an alarmist, which some people take as self-promoting. I just say 'judge as you be judged'!
By the way, it's a tad harsh to call Gibson a moron, eh? He provides a free portscan service that is widely used. You just need to have enough knowledge to understand the results and draw your own conclusions.
No, calling him a moron is giving him the benefit of the doubt. This is the man who "invented" SYN cookies, badly, about a year too late. This is the man who decided that having a set ceiling on the number of TCP connections for a given service results in a "vulnerability" and called CERT and several other institutions to report this, and then wondered aloud why they basically ignored him. This is the man who made claims that certain flaws in WMF were planned backdoors. This is the man who has a website that puts most televangelists to shame with the level of fear and brimstone it preaches about every little freaking thing (and let's face it, identd is nowhere near as serious as all that). This is the man that also makes SpinRite, the promotional materials for which are about half nonsense and half bad advice (what utter lunatic restores a failing drive back to itself?). Some guys pounded the crap out of his website for a couple of days some years back, and the dude acted like the world as we know it was coming to an end. I mean, seriously, the dude claimed that raw socket access in XP was basically going to allow hax0rs to bring down the interwebs. Raw sockets--never mind the near absence of security in the operating system as shipped.
About the only thing the man has going for him is his long-windedness. He's living proof that if you talk nonsense long enough, enough fringe idiots will accumulate to almost make you look like you're not completely out of your head.
Last edited by evilDagmar; 10-13-2007 at 02:41 AM.
Raw sockets was the worst thing, cause Microsoft was influenced by this nonsense and actually implemented this in SP2 for XP -> no raw sockets in Windows now. It was so stupid, cause Microsoft didn't or didn't want to understand that "hax0rs" or whatever they call them do not use Windows due to its lack of shell availability, lame remote control and other tools. In addition, limiting access to hardware even for super-users (Administrators) is a totally wrong way to go.
He's living proof that if you talk nonsense long enough, enough fringe idiots will accumulate to almost make you look like you're not completely out of your head.
Ok, thanks for the Gibson story-hour.
To reiterate my point more clearly (and hopefully keep it relevant to the topic of this thread), the shields up service has value so long as you can understand the results. Hopefully by now OP has a grasp on the use/interpretation of netstat locally and port scans from external machines.