GNOME, Security, Linux, and Cable Modems?
"I have always been more lax about security on my home Linux box than I have been on my public Linux box, but now that my home machine will be online all the time, security becomes more of an issue.
Are there any security concerns related to GNOME? Should I worry about all these ports that GNOME is using? Is there anything I can do to beef up security on the machine? (There are bunches of other UNIX sockets open too - ORBIT comes to mind - but I'm only worried about the TCP sockets.) Of course, I have Zone Alarm for when the machine is running Windows (once in a blue moon), but I don't know of anything like that for a single Linux box.
I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem. (Well, that and my wife is tired of me tying up the landline every night.)
So, what about it, gurus of Slashdot? Is my best option to go ahead and run IPFW and IP Masquerading on my old 32MB 486? Do I even need to worry about the ports GNOME is using at all?"
At home I run a 486sx33 with 20mb of RAM in it as my IPMasq, httpd, mail, and proxy server. It serves everything I have loaded on it without problems. (It does admittedly only feed a 144kbps DSL link)
I regularly pull 700kbps/sec off it over the local net, most of which I attribute the speed to the generic ISA NE2000 clone card that I've got in there. (The rest of my home net is switched 100mbps)
A 486dx66 should be _more_ than plenty for what you're trying to do.. just watch the rulesets to make sure you're not doing anything overly complicated and you'll be just fine.
But if you want something more programmable, check out Coyote Linux. It's a micro distribution specifically for doing firewall/NAT on boxes like your 486.
I've used the freebie version and it's quite nice.
Whats with all this firewall talk?
If my money was sitting on my dashboard, I would not cover it with paper, I would put it someplace safe instead.
Turns out that all gnome apps are compiled with libwrap, so all you have to do is put an ALL in your hosts.deny (you did that already right??).
Furthermore, most (all?) of them only listen on 127.0.0.1 so they shouldn't be a big concern on most desktops (i.e. you are mostly afraid of remote root)
I use a 486-50 with 8 megs of ram, and 2 Linksys NE2000 clone cards as a firewall (running OpenBSD).
I had a little trouble with the GENERIC kernel running out of memory, but after I stripped unneeded drivers (SCSI, NFS, PCI, etc..) out of the kernel it worked great!
It used to be a Linux (Slackware) system, which also worked well until someone got in through a buffer overflow in sshd a couple of months ago, and trashed the system.
--
Running a website off a cable modem or asymmetric DSL is like running a website off a 57K modem.
:-)
Not if you have a decent cable modem provider - I get a 10 megabit chunk of a 100 megabit backbone (there aren't many people on my node, so I get close to the full bandwidth most of the time) with some very liberal TOS (I've never had them enforce clause 10-C).
It's nice living in an area which was one of the initial testing areas for cable modems, and to still be on the prototype network for testing how much bandwidth is possible over cable modems
--
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
Urm, don't run it to block on default; if a person is funny, he/she will run a spoofed IP scan on you, and you will end up blocking hosts that never did anything. Imagine someone spoofing an IP scan from slashdot; now you can't read slashdot anymore.
At least you know somebody scanned you that way. If /. gets blocked, just remove that rule from the chain and all is well again. If you do manually remove a rule, PortSentry WILL NOT re-add it unless you delete the address from its list of already blocked addresses.
If that's a problem, you can always set it to just add the address to hosts.deny. That way, you can still contact the spoofed address, but no services will accept a connection from it (not a problem for /. or for the gateway).
Just for good measure in case the attacker knows you, set the IP you would be using to log in from work not to be blocked. That way you can always get in.
Getting mail about a scan is good, but kiddie scripts are often automated enough that you could be owned before the mail hits your box.
What kind of an admin would advertise his box like that? Are you sure your box is secure? Why not taunt people some more and find out.
It happens all the time. It's called a server. Many .coms spend millions of dollars advertising their boxes. All of them pay at least $35 to make it easy to find once you hear about it.
There comes a point where you have to go for it and hope you did enough, or use the 1 inch air gap method and defeat the whole point.
Given that a regular modem involves a CPU response to almost every single character (a DSL interface won't require that)
I believe that some cheap-ass NICs are almost as bad. 3COM's Parallel tasking chipset (in the 3C905B) is very good about not using your CPU to bring in data.
If you have a box on the net you really need to make sure that addresses coming in on an interface match the interface. There should be plenty of example firewall scripts that do just that. It is important to make sure people can't tunnel into your firewall and look like they are coming from inside your network.
As a rule, 127.* should only be accepted on loopback, if you use 192.168.*, only packets addressed to addresses in that range and coming from that range should be accepted.
Publicly accessible interfaces MUST drop all packets with destination and source addresses in the unroutable range.
--
Mike Mangino
Sr. Software Engineer, SubmitOrder.com
mmangino@acm.org
I'll try and remember that next time I update my kernel :-) [uptime in the 100+ days region now]
On a more serious note, wouldn't any attacker be immediately blocked as soon as the chains come up, or would his connection be allowed because it already exists? Behind my 64k link I can't see anyone doing much serious if the former is the case. But if the latter is the case, I would worry a bit more about it.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
Running old slackware. Works fine. Connected to DSL.
Check out this site of the guy who wrote the book
_Linux Firewalls_.
http://www.linux-firewall-tools.com/linux/
On my system at least, and I last updated Gnome 2 weeks ago. I hope this has been fixed since; using TCP sockets instead of unix sockets is odd enough, but those TCP sockets do *NOT* need to be listening on non-local ports without my say so. I don't care that they're not running as root; like most home users I make backups infrequently enough (yeah, like most home users make backups) that someone cracking my personal account would be a real PITA.
Yes, I'm ipchains proficient enough to block outside access to those ports... but I shouldn't have to; even if there's some functionality benefit I'm missing, I should have to change the default configuration just to open them up in the first place.
This ticks me off. We've got a linux machine outside the firewall at work; I carefully made sure that ssh was the only open port, even making sure that the X server and font server were local only. Now I have to add an ipchains ruleset too, to protect against every random app that wants to moon the rest of the internet?
It broke down: cable tv fees, $39.95 RR subscriber rate, PLUS "7 additional connections" each at an additional $39.95. My guess is the technical wizards they sent over to my home caught a glimpse of my LAN's nerve center in the basement and counted the number of ports on the hub... Needless to say, I didn't pay it, and when I called, they quickly realized their error and corrected it. Sheesh! Just a few words of caution, what with the story on @Home today and such.
I think you're missing the point. Placing a computer behind an NAT firewall is no safer than just running the firewall on the computer itself. Most all of the responses on this thread have been along the lines of "Dude, just NAT and firewall your box", which is pointless considering he only has one PC. An entire night to "bring it all together" seems like a waste of time when three or four firewall rules could do the trick just as nicely.
--
I think there is a world market for maybe five personal web logs.
My firewall is rather peculiar in that instead of blocking everything, it's open to the public *except* for my ISP's blocks. If you want, I can provide you with my script.
Can I just say that that's about the stupidest reason to have a firewall I've ever heard of. Besides irony, what exactly is such a device providing you with? Last I checked, Time Warner wasn't rooting people's boxes, thrashing their hard drives, exploiting unpatched copies of Sendmail, or otherwise wreaking havoc. I get scanned once every two weeks on port 119, of all things, by my ISP. I get scanned approximately 3-4 times a day by random other hosts from around the world on pretty much every port between 1 and 1024. In my opinion your stance - "Your biggest threat won't be the script kiddies" - is highly naive.
The open ports are used for CORBA communication within GNOME.
Just add the lines:
ORBIIOPIPv4=0
ORBIIOPIPv6=0
to the .orbitrc file in your home directory.
This tells ORBit not to open TCP ports by default. You will not be able to run remote GNOME components if you do this.
Also, the newer Helix GNOME updates do this by default.
Sad, huh?
Read the ipchains HOWTO
Perhaps my firewall scripts may be a good starter:
For masq boxes, see
http://duckie.neep.net/firewall
For standalone boxes, see
http://duckie.neep.net/firewall1
For unprivileged ports, use ! -y to accept packets which aren't SYN packets. Be aware you might run into trouble with ftp. The client will get connections on unpriv'd ports in port mode, the server will get 'em in passive mode.
My masq box is a 486/66 with 32 MB as well and woopsie:
1:58am up 195 days, 23:58, 1 user, load average: 0.04, 0.06, 0.01
It's fast enough to do whatever masquerading you want. It'll even handle mail/ftp/http just fine. Though I'm not sure if it'll survive
Take your Ritalin Garth. Although I use OpenBSD on my site, I've found that a locked down slackware/debian box is no less secure than OpenBSD. The code audit / secure by default stuff is nice though.
A DX2-66? I think that's fast enough for a masquerading box, you just have to put in a second ethernet card. I have used a 50 Mhz 386 (8 MB RAM) as an IP Masquerading server for a long time. We only have 60KB/s downstream and 7K upstream though (also cablemodem)...
It's not like you're running Windows, so you don't necessarily need a PII and 128 MB of memory just to run IP masquerading...
Every expression is true, for a given value of 'true'
The second thing I have done is to get my system port scanned by an outside source. So far I have had no problems. I too use GNOME and have other services that are running, but only my web server is open to the outside and there are no forms with CGI that a user can access and slosh around with. I have a little php but that is it, nothing fancy.
I am not sure that everyone understands how the ports work, but they are only a problem if they are not behind the firewall or if someone gets behind your firewall. If you have no untrusted users on your machine ipchains should be fine. If you are worried that that is not enough try setting up a proxy firewall in conjunction with ipchains. You can do it on your host machine and contrary to some you will be fine.
Good luck. I hope that road runner is a good isp. AT&T cable went out for a day and a half this past week for me and I cannot imagine what I'd do if I had them as my ISP as well and not just mycable provider.
Don't put your eggs in one basket; having cable, phone, and ISP may not be such a good thing. If one goes out you may lose service to all. ;-)
~~~~~~~~~~~~~~~~~~~~
I don't want a lot, I just want it all
Flame away, I have a hose!
Only 'flamers' flame!
It's just a little box like the Linksys one, but so much more protective and flexible! If you're gonna spend $150-200 for a POS, why not spend $350-400 for a real firewalling solution?
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Performance? You can't beat the Switched 100mbit connection for local traffic. Sure it is 10mbit to the net but uhm, again this is soho and not rocket science or a T3, they don't advertise this to solve all your problems.
Again, i don't know what you mean by low performance.
On my ADSL i have an 8 person UT server, 5 pcs, web server and file server all connected. Got the ut on the DMZ zone, the fileserver, my box on the switch and the other port going to another hub for the rest of the network. No problems whatsoever. I'd never consider replacing it with a clunky pc or linux or ics or wingate or anything.
Don't buy what you read on slashdot either
You asked for it.
That box has since become a dedicated Unreal Tournament server and runs great behind my new $104.00 Linksys Switch/Router.
btw, it only takes 4 minutes to switch from ICS to Linksys and make my existing network work and add firewall features to protect services.
Not everyone buys a PC to run linux on everything. Some people buy a PC to run linux and applications and they don't want to waste time worrying about who's pinging them, they just like to know that being behind these little devices helps secure them, speeds up their network and makes life easier than maintaining a pc.
More points being this thing will stay up forever on UPS power, doesn't have a drive to fail, boots up in a snap should power burp, is easy to configure and only costs $104.00 to buy from outpost.com and have on your frontdoor.
Why would anyone want to maintain a linux box instead of a plugin simple solution is beyond me. And why anyone would call this a POS is wayyy beyond me.
It nats to 4 boxes on my network through its 100mbit switch which is very nice, the unreal tournament server plays away while i copy db files back and forth between two machines and the best part of all is i just don't have to worry.
Its the best 100 bucks i've spent. and damnit, Outpost.com is the best place to buy it from :)
(104 bucks)
Sorry had to one up again! :) I've got a 486/100 with 32MB memory and a 20GB HD (yes a lot of computer but wait there is more).
:) (but hopefully will have new server before I have the database solution finished)
:)
But its acting as a Nat/firewall/SMB server for 25 clients pulling template, timesheet, and reports documents from it/Database hosting (ok its just hosting a database file that's accessed by said previous clients through microsoft access, haven't learned SQL yet/ and working on getting it to do periodic backups through samba from the clients, to a CD-RW
Been running 2 years now without a hiccup
Oh btw on a side note, and this one is to the Ask Slashdot question, I tried running a VPN (s/wan) on it a few months ago... EKK.. it was terribly slow :( Currently in the process of setting up ssl for testing :)
Extrapolate backwards... Cisco Pix Firewall has a Pentium II (266MHz I think) processor, and its traffic throughput (with filtering) is rated at circa 170Mbps...
Open Source. Closed Minds. We are Slashdot.
/me rolls eyes...
The LinkSys box was designed specifically for the home-network situation where there are only a few machines. In its intended environment, class C is more than enough for the internal network.
Now, I have/use one of these, and I wouldn't be without it, but let's all say it together... "You get what you pay for." If you need to connect multiple subnets to a NAT box, you're gonna have to do an ipchains/ipfw/ipmasq box. Or you could talk to Cisco (or similar). I'm sure they've got something they'd be happy to sell you.
Where the value of X-Mailer: is the true measure of a man...
I have a 25MHz 486 box with 16Mb of RAM as the firewall/NAT box for my home network. I have my RedHat box, my wife's Win98 box and two NT boxen from work, all talking through the 486 to the cable modem, and also a dialup modem to the RAS server at work. The throughput of the 486 has not been an issue, even with my wife and I both doing large downloads. The biggest bottleneck is the 5 port hub, which gets a lot of collisions when I do a large download. Count the boxen - it's full.
--
E_NOSIG
DNS/NTP/SAMBA/realaudio are the most common services using UDP. If you have a client setup, you can safely DENY all UDP traffic to your net on ports 0-1023. in the ipchains way;
/sbin/ipchains -A input -l -i eth0 -p UDP -d $lan 0:1023 -j DENY
/sbin/ipchains -A output -l -i eth0 -p UDP -s $lan 0:1023 -j DENY
You should still read and understand the IPCHAINS-HOWTO
signatures pending - ansa@kos.to - (dont mail there)
Our local LUG has several members that swear by e-smith. They claim on their webpage that they only support pentiums, but it does work on a 486, it just needs a little tweaking to get the netcards installed (the isa drivers are not there). You can get it at www.e-smith.net? Another option is the linux router project.
;)
Personally, I am not sure you have to worry about those ports, but then again..
-- Who is the bigger fool? The fool or the fool who follows him? --
Masquerading has a nice side effect in that it is now "impossible" for machines on the Internet to connect directly to your machine. (Impossible without some serious configuration work.)
So use your 486 as a masquerade box, and as a nice side effect, if your wife gets a machine of her own, it's really easy to setup a tiny lan in your home so both of you can use the cable modem.
The only caveat is that the machine doing the masquerading had better be secured down. So, I suggest that you strip all the unnecessary cruft from the machine, like most userland programs with the exception of the bare essentials. Kill all daemons on the machine, and setup a firewall on the machine. Run tripwire, keep the database on another machine and periodically check, yadda yadda yadda.
But also, there's probably no reason why you couldn't setup ipchains on your main box. I think either solution would work well. You can simply tell ipchains to block all incoming tcp connections (except for specific ports that you want), and you'll have a lot more peace-of-mind.
I'm a leaf on the wind. Watch how I soar.
http://www.gnome.org/resources/mailing-lists.html
http://mail.gnome.org/pipermail/gnome-list/2000-June/039518.html
This is mainly an issue with ORBit and its CORBA compliance. ORBit can be compiled to either listen to TCP sockets or UNIX pipes. From what I've heard, Debian is the only one to compile it with UNIX pipes. A fix for everyone else:
http://mail.gnome.org/pipermail/gnome-list/2000-June/039645.html
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
2.4 uses netfilter...as i recall FreeBSD/OpenBSD all use the same thing. i think the syntax is pretty much the same so you might try looking at their netfilter docs.
I've clocked 1.5Mbps on a regular basis... Been using IPMasq for years without a detectable slowdown... My first Masq box was a 486/25 with 8meg of ram... I finally put in CoyoteLinux on a P100 with 32meg of ram, but I don't have to have a HardDrive in the thing anymore...
---- Proudly marching to the beat of a different kettle of fish.
My homebrew intrusion detection system would automatically generate a friendly form letter with the relevant ip addresses and times. Periodically (once a day) I would track down the offending sites and send them the letter. Most of the time the other admin would thank me for letting them know their machine had been compromised. BTW, these were friendly letters. I always assume the other admin had been rooted. This is usually the case.
Ryan
I don't know about the GNOME ports, but your 486/66 is a more than adequate machine. A low end 486 can easily flood a T1 or two, your cable modem isn't going to be a problem to route for. I'm using one right now for something quite similar!
Have you given any thought to making these settings the default config? Why not "play it safe" by default, and give people the opportunity to be dangerous on their own?
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
The point being, a 486 is more than adequate for a network gateway.
--
Scott Brady
Always, always, always set up firewall rules to deny everything, then allow only the service(s) you want (namely, ssh). Also, just out of habit, all packets with internal or localhost IP addresses coming in off the external ethernet should be logged and dropped.
Check it out here
I can't speak for Linux as a firewall, but if you used that clunky old machine as an OpenBSD firewall, you'd be fairly secure. I have a Pentium-75 running OpenBSD 2.6, and I've noticed no speed dips at all. The load on the firewall sits at about 0.08, so I'd be surprised if your 486 fared much worse.
The best way to combat open TCP ports is to deny all incoming packets with the syn flag set by default, and then only let in the ones that I want. However, what do you do with UDP? I'm not even exactly sure what uses it. DNS? Some ICQ stuff? some echos? Any pointers in particular?
:)
Thanks
There's a good NetBSD based free firewall at www.dubbele.com if you have an old box lying around...
-John
If you're just talking about using ipmasq to protect and share any machines you have at home, the 486dx2-66 is definitely enough to handle the job.
It would just be handling tcp-sockets, and with only 1 or 2 machines behind it, that doesn't even require much memory.
I've had a 486sx25 handling it for me for 4 years now without a glitch. The case it's in is even older, it doesn't even have the "new" smaller power supply for a floppy drive...
That's nothing. I used a:
* cardboard box
* no screen
* Rubber band for power, using a trained mouse on a cartwheel
* storage was limited to the memory of the mouse.
Oh wait - that was my sister's pet cage, not my computer.
A great helix-code gnome using firewall program is firestarter; it configures an ipchains script through a wizard interface, and shows everyone who hits and how they are accessing your machine.
http://firestarter.sourceforge.net/
You'll have trouble; the LC only has room for one card. That's not bad, considering the entire LC literally fits inside a medium pizza box, but a NAT/Firewall really works a lot better with two ethernet cards (one for the LAN, one for the outbound line).
On the cheap, you could try a secondhand Quadra ($80) with two NuBus cards ($35 each). We were using a 486-66 (32 megs of ram helped) for an ip masq box. It could easily pump out the 500 kilobytes per second that my cable modem pushes. It's not a bad thing.
Either way, be sure you setup sensible firewall rules. That is the key.
Using your sig line to advertise for friends is lame.
Also check out the Linux Administrator's Security Guide and Securing and Optimizing Linux: Red Hat Edition
There's a good book about security on Linux: "Linux Firewalls", by Robert Ziegler, New Riders editors. It talks about ipfw, ipchains and all that stuff about setting up a "formal" firewall. You might want to take a look at it.
One thing to note, the Linksys will lose its configuration if it ever loses power! Not so good.
This was for 10MB ethernet (thicknet mostly but some thinnet). Being a computer science department with everything on NFS, you can bet that we were willing and able to push these ethernets to their 10Mb limit sometimes.
This being before Linux was ready for prime time, I figured that it was one of the few good uses for an Intel box.
Free Software: Like love, it grows best when given away.
/sbin/ipchains -A input -p tcp -i eth0 -j ACCEPT ! -y
/sbin/ipchains -A input -p tcp -i eth0 --dport 22 -y -j ACCEPT
/sbin/ipchains -A input -p tcp -i eth0 -y -j DENY
I also have a line with exceptions from an ftp machine that is configured similarly (I can't do passive to it). If you want to log you can do a -l on the last one. You can easily add a port 80 allow as well.
The only catch with this is if you portscan yourself you'll see everything as open (well, stuff that is open) even though nobody else can.
As for security, I'm a big fan of portsentry and logsentry. And although I have never used Bastille Linux I've heard many good things about it.
But it is a whole lot easier to lock down and secure a firewall, than worry about what software on your desktop might expose you. You'll be glad you did.
Looking for a computer support specialist for your small business? Check out
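As an added example (not code from any post in this thread), here is a small Python model of two pieces of advice given above: the anti-spoofing checks (127.* only on loopback, private addresses only on the LAN side, and the public interface dropping anything with an unroutable source or destination) and the three-rule SYN policy (accept non-SYN packets, allow SYN only to chosen ports, deny every other SYN), with the UDP privileged-port rule from the other post folded in. The interface names, the 192.168.1.0/24 LAN and the sample packets are constructed; the last sample also shows why a scan from the box itself (over lo) still sees the GNOME ports as open.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed layout: a masq gateway with a public side (eth0) and a LAN
# side (eth1); the LAN uses 192.168.1.0/24. Public addresses in the samples
# are documentation ranges, not real hosts.
PUBLIC_IF = "eth0"
LAN_IF = "eth1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
# RFC 1918 ranges plus loopback: never legitimate on the public interface.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Inbound SYNs are allowed only to these ports (ssh, as the thread advises).
ALLOWED_SYN_PORTS = {22}


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, which is what ipchains' -y matches


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def antispoof(pkt: Packet) -> Optional[str]:
    """Return a reason to drop the packet if its addresses do not fit the
    interface it arrived on; None if it passes."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # 127.* is only ever legitimate on lo.
    if (src in LOOPBACK_NET or dst in LOOPBACK_NET) and pkt.iface != "lo":
        return "loopback address on %s" % pkt.iface
    # The public interface must never carry private/unroutable addresses.
    if pkt.iface == PUBLIC_IF and (_in_any(src, UNROUTABLE) or _in_any(dst, UNROUTABLE)):
        return "unroutable address on public interface"
    # Anything arriving on the LAN side must come from a LAN address.
    if pkt.iface == LAN_IF and src not in LAN_NET:
        return "non-LAN source on LAN interface"
    return None


def input_chain(pkt: Packet) -> Tuple[str, str]:
    """Model of the input chain: anti-spoof rules first, then for eth0
    '-p tcp ! -y ACCEPT', '-p tcp --dport 22 -y ACCEPT', '-p tcp -y DENY',
    and 'UDP to 0:1023 DENY'. Traffic on lo and on the LAN side is accepted."""
    reason = antispoof(pkt)
    if reason:
        return ("DENY", reason)
    if pkt.iface != PUBLIC_IF:
        return ("ACCEPT", "local or LAN traffic, not subject to the eth0 rules")
    if pkt.proto == "tcp":
        if not pkt.syn:
            return ("ACCEPT", "non-SYN: treated as a reply to a connection we opened")
        if pkt.dport in ALLOWED_SYN_PORTS:
            return ("ACCEPT", "SYN to an allowed service port")
        return ("DENY", "SYN to port %d blocked" % pkt.dport)
    if pkt.proto == "udp":
        if pkt.dport <= 1023:
            return ("DENY", "UDP to a privileged port (client-only setup)")
        return ("ACCEPT", "UDP to an unprivileged port, e.g. a DNS reply")
    return ("ACCEPT", "other protocol")


def verdicts(packets: List[Packet]) -> List[str]:
    return [input_chain(p)[0] for p in packets]


# Constructed sample traffic, in the order a scan or a normal session would produce it.
SAMPLE_PACKETS = [
    Packet("eth0", "tcp", "203.0.113.5", "198.51.100.7", 22, syn=True),     # ssh from outside
    Packet("eth0", "tcp", "203.0.113.5", "198.51.100.7", 1030, syn=True),   # probe of a GNOME/ORBit-style port
    Packet("eth0", "tcp", "203.0.113.5", "198.51.100.7", 1030, syn=False),  # non-SYN packet to the same port
    Packet("eth0", "tcp", "192.168.1.20", "198.51.100.7", 80, syn=True),    # LAN address arriving on eth0
    Packet("eth0", "tcp", "203.0.113.5", "127.0.0.1", 1030, syn=True),      # loopback destination on eth0
    Packet("eth0", "udp", "203.0.113.53", "198.51.100.7", 53),              # UDP to a privileged port
    Packet("eth0", "udp", "203.0.113.53", "198.51.100.7", 33000),           # DNS reply to our high port
    Packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 1030, syn=True),          # self-scan of the ORBit port
    Packet("eth1", "tcp", "10.0.0.9", "192.168.1.1", 22, syn=True),         # non-LAN source on the LAN side
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = input_chain(p)
        flag = "SYN" if p.syn else "   "
        print(f"{p.iface:5} {p.proto} {p.src} -> {p.dst}:{p.dport} {flag}  {verdict} ({why})")
```

The port-1030 pair shows the trade-off of the `! -y` accept: only the SYN is refused, so a connection attempt is stopped, but any other packet to that port is passed through unexamined.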
...mine's a DEC 433dxLP 32MB RAM running IPMASQ / IPCHAINS / SSHD / TCPD & PORTFW. I downloaded FreeBSD 4.1 (~640MB) in 55 minutes last night while listening to the Red Sox via RealAudio, sending e-mail, web surfing etc. No noticeable latency...
Check out TrinityOS for a good start on locking your machine down
"Hatred is the coward's revenge for being intimidated"
You can find it here:
http://www.psionic.com/abacus/portsentry/
~~~Please pass the salt, I hate unsalted MD5s
ipchains --insert input --destination-port 1030:1040 --jump DENY
Of course, there is a lot more you can do with ipchains than that. I recommend you block all ports below 1024, except for the ones you need, block 6000-6010, and go ahead and block any GNOME ports if you don't know what they're for.
A more radical policy which many people use, is to block *all* incoming TCP connections, and UDP packets, *except* for ones explicitly allowed. You can do that too, but it may cause some problems (it won't cause any problems that wouldn't also be caused by using IP MASQ. In fact, this would be pretty much the functional equivalent of IP MASQ, but with only one computer.)
More info: ipchains(8), IPCHAINS-HOWTO.
Kernel 2.4 will change the entire way networking is administered, btw, so if you're using 2.4 those docs will be worthless. But everything you can do in 2.2 you can do in 2.4, so the same basic strategy applies.
Any chance of making scripts for 2.4/iptables? I know a long time ago it was announced you were working on it, but it has since disappeared from the site. I would like somewhere easy to start on the 2.4 firewall without having to use the ipchains-kludge included in 2.4
I have an old version of your scripts modified heavily to suit my needs on the 2.2 firewall, thanks!
Lars -
Don't turn on ftp *ever* - use scp.
And instead of anonymous FTP? Is there anonymous scp, or should I be using HTTP for world-readable files anyway?
XGNOME vs. KDE: the game!
Will I retire or break 10K?
PMFirewall is another ipchains script that's simple to use, and seems to generate a very useful set of rules. You can find it here.
Apparently Lokkit was written by Alan Cox hizzelf. It's another firewalling script/utility that may be of interest, and you can find it here.
I am currently running a 486/66 as my NAT and firewall for my cable modem. If there is a speed slowdown, it is not detectable. If I remember right the ISA/PCI bus is going to be saturated long before the processor limitations show up.
The trick here is ipchains. There are many flavors, I'll paste a quick script in here (can be put in an RC script... best idea, if you ask me)
:-)
Once you have this up and running hit any of your favorite scanning sites and see if they can find you!
----------Start Code---------------
#!/bin/sh
# rc-style script: "start" loads the ipchains rules, "stop" flushes them.
# $return is the status text printed after each action; the rc framework
# normally sets it, so fall back to a plain marker when it is unset.
: "${return:=done}"
case "$1" in
    start)
        echo -n "'Engaging the Caterpillar Drive Captain.'"
        ## Not starting any real daemons (yet)
        ## configure IPCHAINS - I could use ipchains-restore, but that
        ## would make this _REALLY_ hard to manage.
        # set up the input chain first
        ipchains -P input DENY                    # this should always be your default
        ipchains -A input -p icmp -j ACCEPT       # I allow all icmp
        ipchains -A input -p TCP ! -y -j ACCEPT   # accept tcp replies
        ipchains -A input -p UDP -j ACCEPT        # need to fix this to only allow dns
        # I don't do anything with forward as I'm not routing
        # set up the output chain
        ipchains -A output -d 199.95.207.0/24 -j REJECT   # reject anything to
        ipchains -A output -d 199.95.208.0/24 -j REJECT   # doubleclick
        # I assume that the user will see the screen output if one of these
        # fails. Can't really imagine that happening, though
        echo -e "$return"
        ;;
    stop)
        echo -n "'Ok, now we just unzipped our fly...'"
        # first, kill the ipchains rules
        ipchains -F                   # flush ALL of the chains
        ipchains -P input ACCEPT      # back to normal 60's type sharing...
        echo -e "$return"
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
------------End Code------------
Like I said, that's set up to put in an rc script - I call this the "caterpillar drive" as in "The Hunt for Red October" - notice the quotes.
If you really are planning on running a web server, you will have to add a rule to allow inbound tcp on port 80.
In any case, because I believe in never typing code blindly without understanding what it does, read the ipchains howto before using any of this, and make sure you understand what it is doing.
Politics, Culture, Food?
0.1MHz ZX81
1K RAM
Mono (But can't display an entire screen because dynamic screen to memory mapping doesn't have room)
External cassette deck
It took 9 years to compile LinuxLite, with much cassette swapping. It now NATS through a serial port card in the expansion slot, and out through the earphone. It doesn't saturate much, but no one can be bothered to hack it.
Tell kids that today and they wouldn't believe it
Special Relativity: The person in the other queue thinks yours is moving faster.
I'll one up you (I can't help myself!) ;-):
:-| ]
-- 386/DX40
-- 270 MB HDD using e2compr to compress ext2 on the fly
-- 8 MB RAM
-- TWO modems
-- Multilink connection
-- Hercules Graphics Card / Commodore Radar Green Phosphor monitor
-- Amazingly, sshd, httpd, and ftpd.
All that, and a network card + ipmasq/firewall... woah. And it all works no problem. With multilink on I get a full speed transfer (which, with my horrible 28.8kBps phone lines) of about 5-6kBps.
But, it gets worse, I decided to resurrect this POS last year:
-- 386 SX/16
-- 4 Mb SIPP RAM
-- 2x40 MB MFM HDD
-- Arcnet Card [I have a near unlimited supply... woooooo]
-- Using NFS
-- 1.2 MB Floppy for booting
-- Same crappy Hercules/Commodore monitor combo.
And yes, it (woah!) booted Linux, and, I believe X via the NFS mount (after about 1/2 hour of swapping to the XT HDD)... That was fun. Yes, there is an X server for Hercules cards. Yay.
Fortunately, nothing possibly gets worse than a 386 SX/16 for Linux.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
----
Try telling that to people who have been cracked in the past. When I lived in the dorms, I had a freeBSD box ravaged for no reason, just people being assholes.
With security, overkill is not a bad thing. I can brag about my '31337' firewall / masq gate I made for my office all I want, but all it takes is one hole, and I might as well be running an NT server as my router.
"obsolete" computers are easy to get.. most of mine were given away to me. It's well worth the effort to set up some extra security. You never know when you will need it.
The author of the article mentions that he has an extra 486 sitting around. What should be done with it? Should his wife use it to run windows 3.1 and play solitaire? At least my wife uses linux, so I don't need to argue over all the computers in the house. I set up the network, and she gets work done.
Firewall, Masq, filter, and firewall again.. make it harder to break. (ignore the irony in the sig.)
One future, two choices. Oppose them or let them destroy us.
386, 486, or old pentium lying around: stolen/borrowed/bought for $4 -- whatever.
IPv4 Masq gate (linux or OS of choice)
Mason - good firewall builder, very easy
Filter some ports
A copy of the TOS, so you know what you're violating.
some coffee (if that's your thing.)
priceless.
Um... linux people were doing this years ago, is why there are so many. Yeah, this linksys boxlet is great and cheap today, but where was it last year? the year before? the year before that?
BTW, Windows 2000 can do this stuff now too, though it insists on being a DHCP server just like the Linksys... if you use Linux, you can use a fixed IP.
As far as what you can do to improve security: spend @$150 for a Linksys router. (There are others, such as those made by Beadle, but LinkSys was cheapest last I knew). Besides allowing up to 255 computers to share the cable modem, it acts as a firewall to keep out hackers. It also can keep you out of trouble with RoadRunner. The RR Terms of Service forbids 'servers' (basically anything which can allow people out in the world at large access to files on your computer. So Napster would qualify, for example). If you're running any sort of Unixoid O/S, there's bound to be a 'server' or two by their definition. The last time I talked to RR, they weren't enforcing this provision of the TOS, but that may have changed, or could at any time. At any rate, a firewall just makes life easier, security-wise. Mine catches two or three port scan attempts per day.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
Port scanning is illegal. The fact that it's your own box doesn't change that.
No it isn't 'illegal'. It may be against the Terms of Service of a provider, but there's no law against it. And it isn't even against the TOS if you're doing it locally and not across the provider's network.
Before panicking, be sure that these ports really are open to the world.
Use netstat to see what network they are bound to.
A foreign address of *:* is a bad thing.
A foreign address of 127.0.0.1:* indicates that
the connection is restricted to localhost only. An attacker would have to spoof packets originating from 127.0.0.1 in order to connect to the port.
Any program which grabs a network socket and accepts connections from the outside world represents a potential threat from buffer overflows. Fortunately, I'm pretty certain all of these run with the permissions of the user, so a successful crack would be limited to the user's account. Doesn't make me feel any safer though. It just doesn't make sense that the GNOME team would need open sockets for these services... why not just use a local named pipe down /tmp, for instance (which they do use)?
Can a competent GNOME hacker please chime in?
First, deny and log to syslog all inbound connections: ipchains -A input -p tcp -y -l -i eth0 -j REJECT
I'm pretty sure I got it right but I didn't consult the manual. Use at your own risk.
Second, decide that you wish to always allow inbound SSH connections: ipchains -I input 1 -p tcp --dport ssh -i eth0 -j ACCEPT
And maybe a secure web server too: ipchains -I input 1 -p tcp --dport 443 -i eth0 -j ACCEPT
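The three rules above assembled into one script, as an added example rather than the poster's own: it puts the accepts before the logging reject, opens loopback so sockets bound to 127.0.0.1 keep working, and adds the reply-traffic and UDP rules the post leaves out. The IPCHAINS and EXT_IF variables are assumptions of this example so it can be dry-run by pointing IPCHAINS at echo.

```shell
#!/bin/sh
# Added example: a single-host ipchains ruleset for a box on a cable modem.
# IPCHAINS and EXT_IF are assumptions of this example (set IPCHAINS=echo to dry-run).
IPCHAINS="${IPCHAINS:-ipchains}"
EXT_IF="${EXT_IF:-eth0}"   # interface facing the cable modem

apply_firewall() {
    # Start from an empty input chain whose default is to drop silently.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Sockets bound to 127.0.0.1 (ORBit, X, etc.) talk over lo; never filter it.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Services deliberately exposed to the world: SSH and HTTPS.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 22  -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 443 -j ACCEPT

    # ipchains is stateless: replies to our own outbound TCP connections
    # arrive without the SYN flag, so accept every non-SYN TCP packet (! -y).
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # "Don't forget about UDP": let DNS answers in, nothing else unsolicited.
    $IPCHAINS -A input -i "$EXT_IF" -p udp --sport 53 -j ACCEPT

    # Log (-l) and reject any other inbound TCP SYN; log and drop other UDP.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j REJECT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -l -j DENY
}

# Print the commands instead of running them (for review before applying).
dry_run() {
    ( IPCHAINS=echo; apply_firewall )
}

# Number of rules appended to the input chain by apply_firewall.
rule_count() {
    dry_run | grep -c -- '-A input'
}

# Only touch the live kernel when explicitly asked: ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Run with `apply` as the only argument on a 2.2 kernel with ipchains; without it the script just defines the functions.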
With the exception of Time Warner's Acceptable Use Policy (Mirrored verbatim from city to city), they don't probe users' systems.
I had someone get kicked off the network for having telnet open.. apparently it's "windows or mac only" - with a vengeance.
A) I seriously doubt you got a user "kicked off" for simply having telnet open. I had RoadRunner for over a year with several services (including telnet) open, and Time Warner was fully aware of it. I talked with a few techs there, and they knew what I was running. How? I told them. They never "scanned" me to find out.
B) Part of the reason of RoadRunner eliminating the Windows/Macintosh login program was to support users of other operating systems. It used to be that users of RoadRunner would have to log into the system using an authentication program for either Windows or Mac. This step has been eliminated, in part because of pressure from users of other systems.
The extent of Time Warner's involvement with users' security can be found here.
-- Give him Head? Be a Beacon?
(If you can't figure out how to E-Mail me, Don't.
I'm pretty sure there was a bug in one of the Helix packages a while back that caused ORBit to listen on a TCP socket by default... This caused any gnome app exporting a CORBA interface to have an open socket. (gnome-terminal, panel, gpilot-applet, etc. - any applet and many apps)
At any rate, Helix fixed this in one of their updates, and the recent ORBit RPMs have this feature disabled by default. A simple upgrade should fix your troubles.
Just set up a quick ipchains ruleset to filter those ports IPCHAINS-HOWTO Thanks for bringing it to our attention though.
Dude! Linksys should be SMACKED for calling that POS a "firewall". Linux IPChains is MUCH, MUCH better! At least it has some REAL logging!
For $350, you can get the SonicWall SOHO/10. It is the only ICSA approved firewall you can find for under $500. It has excellent features, including one-to-one NAT (so you can let in certain ports), and logging is fairly good (nothing to complain about at that price). I've used these little babies on corporate networks.
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Here's some Firewall info I've referred to many times.
Check out the Trinity OS Paper. It gives some excellent advice on securing your Linux system. This paper also comes with various IPCHAINS rule-sets you can use. Don't try to print it out though. It's at least 1,400 pages long and growing.
This Firewall Site allows you to configure an excellent firewall Script just by answering some simple questions. I know of many people who have used this site to configure their firewalls.
..!!in an intastella burst i am back to save the universe!!
Plus with the Linksys you get a 4 port 100mbit SWITCH with NAT and routing and only 4 minutes to install. If there is a power outage no fs to rebuild and no parts to replace on a dead peecee should something happen.
Plus if you're concerned about uptime and connectivity the Linksys uses a lot less UPS power and will hide easily on a shelf and does make a hell of a lot less noise than an old pc box.
Don't underestimate the power of these devices.
Actually I came across this very same problem. I have @home Rogers Cable Access. I set up a proxy server on my box so another computer could use the network and use that connection. But it seems to be as slow as a 14.4 modem (maybe worse). Serves me right for using a Windows proxy program.
I came across a proxy/boot floppy setup which is perfect for your old 486 as long as you have 2 NIC cards installed.
Here is the address:
http://lightening.prohosting.com/~normr/index.shtml
Hopefully this guy doesn't suffer from the Slashdot effect after this post
Good Luck!
"Imagination is the only weapon in the war against reality." -Jules de Gautier
dhcpcd
dhcpd
ndc (not a requirement but you may benefit from having a local name server instead of using the slow @home ones)
pmfirewall
rc.firewall
You can find the rc.firewall script here. It sets up all your forwarding modules for your network.
dhcpd and dhcpcd are used to assign an IP address to your main machine. I use them because I am lazy and don't want to bother with setting a static address.
Your dhcpd.conf should probably look something like this for your type of two computer network. dhcpcd just has to be run on your main computer and it will get all the info it needs from the dhcpd on the firewall computer.
Finally, you need your firewall program. I use pmfirewall because it is easy to install and use. It is basically a frontend to ipchains and it takes all the nasty configuration out of setting up a firewall.
You can download it here.
The best thing about pmfirewall is how easy it is to allow complete access to one address (like your main computer) to everything you need and close off the important/scary ports to everyone else.
As long as your network cards are working, you should have no problems getting dhcpd to work and the rest of it installs very easily. As for your gnome ports, you can close those to everyone but you so you don't have to worry about screwing up gnome.
Hope that helps.
The Yellow Network Coalition takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.
They Need Your Donations of Old 486's and Other Hardware
The Forum on Risks to the Public in Computers and Related Systems discusses security holes, bugs in software, user and usability problems that cause such trouble as security problems, and carries security announcements.
The CERT Coordination Center carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.
I've also heard BugTaq is good and better than CERT for timely information but don't have a URL handy.
-- Could you use my software consulting serv
2. A 486 is more than up for the job. A 486-DX2 running Linux kernel version 2.2.x with ISA NICs will become saturated at about the 3-4Mbit/sec mark. As long as you never see more than that much traffic, you'll be fine.
3. Safety first. I agree that keeping your firewall clean and efficient is very important. However, I find the claims that Linux is less secure than BSD more than a bit bogus. Almost all those server daemons that have had buffer overflows on Linux can be compiled and installed on OpenBSD with the same buffer overflows. "Security is a journey, not a destination" is true in ALL cases, even OpenBSD. An incompetent (or inexperienced) administrator can easily turn a secure machine into one that's wide open for anyone to break into.
Most people usually end up compromised because of services that they either never used or never knew about, and therefore didn't bother maintaining. Due to the shortsightedness of most Linux distributors, you'll probably end up "cleaning" dozens of packages out that are completely worthless. Ideally, your result should be a machine that's not listening to anything on the public interface.
4. Raise Hell About Gnome Security Issues. Absolutely! A TCP/IP port should never be opened unless there's a very good reason why this service needs to be advertised to the world. Most of the time, this is just lazy coding, and a place where other types of sockets would probably serve better.
I used up all my sick days, so I'm calling in dead.
Those are some pretty bad habits you're espousing. Don't turn on ftp *ever* - use scp.
Enumerate whatever services you are sporadically turning on and off, and either decide that they are vulnerable, and never use them, or leave them on and tighten what you can.
For example, you already decided to leave ssh on. That's an example of the second option. To continue on that line, tighten ssh by making sure rhosts is off, root cannot log in directly, and blank passwords are disallowed.
An example of the first option would be disabling ftp for good, and learning how to use scp.
Ben Ploni
As others have mentioned, a 486 can easily route a T-1 or more with no performance hit. The easiest solution on the planet has to be Freesco. http://www.freesco.org. It runs off a floppy, can be easily migrated to the smallest hdd you have, and supports such niceties as dynamic DNS and port forwarding...all without editing config files. Port forwarding will allow you to run Apache or ftp behind the Freesco box, even if you're using a private subnet. A huge benefit.
1. It's not called masq. It's called net address translation. It's been called that for 20 years. Then these linux kids come along and make up masq. Call it by its technical name; not a developer's gimmick name.
2. A 486 is more than up for the job. It will handle a saturated cable line and still not carry a heavy load.
3. Safety first. Just because the 486 is more than enough power don't feel justified in making a stupid security mistake; keep the firewall clean.
Linux is not as secure as BSD, as you are finding, because many chances are taken in user land apps with permissions. This makes the OS more cutting edge, but security is the price. (This is not a troll--how many weeks go by before another bugtraq post comes up about another linux exploit--every few weeks; how often for OpenBSD? Not for three years. Look, it's better than windows, OK, but linux is riddled with buffer overflows in user space, which in turn lead to LOCAL ROOT compromises.)
So, DON'T LISTEN TO OTHERS WHO SUGGEST RUNNING OTHER SERVICES ON THE BOX.
Don't do it.
Run these other service (mail, httpd, etc.) off your interior boxes.
You absolutely want ipfilter or other socket filtration software to have a complete crack at packets; you don't want to make a nice firewall, and then junk it up with services. Keep the firewall clean and separate from user space. Hell, even remove ls from the freakin' firewall. Trash it so you have to admin by booting from a floppy. Don't leave your tools on the firewall; the hacker will only use them to compromise other machines on the LAN.
4. Raise Hell About Gnome Security Issues.
You should start asking loud, noisy questions about (a) what are these ports, (b) HAS THERE BEEN A SECURITY AUDIT OF THEM (answer: No), and (c) Are they really necessary (perhaps they are; could they instead be wrapped; are they suid? who owns that port? etc.).
You have made a wonderful script Manuka, thanks for your hard work! I have made a quick security guide for my local users group, and this script is a big part of it.
http://usmcug.usm.maine.edu/papers/linux_security_guide.html
Over the weekend, I installed a firewall made by LinkSys:
http://www.linksys.com/products/product.asp?prid=20&grid=5
and it replaced a simple Linux machine that was running the usual ipchains/NAT software. Why use the LinkSys? Smaller, much less power consumption, no noise, very little heat. While a linux machine is a lot more powerful, the power simply isn't needed in this situation. The linksys allows port forwarding, supports DHCP, and a few more exotic features. The unit has gotten a lot of good reviews on epinions.com.
If you have an old Mac, as I do, load it up with dual Ethernets, Open Transport 1.1.1 or better, and IPNetRouter. It does all the port mapping and filtering you need, and comes with excellent instructions.
The same reason Macs were chosen by the U.S Army will make your old Mac a great firewall: Macs don't hardly have any open TCP/IP ports! Other than the ones you explicitly enable, of course.
I loaded up IPNetRouter on my 6-yr-old Mac and used it both as a firewall for my house and as my primary workstation for over 9 months before I upgraded. It has been extremely reliable (uptimes on the order of weeks ain't bad considering all I do to it) and easy to maintain.
Which is more than I can say for the Linux rig I used for my firewall previously.
I have a dsl line in my apartment. I have it connected to a dual NIC pentium 90 that is my ip-masq/firewall/dhcp server/samba/ssh/httpd server. That's right, a Pentium 90. Not as bad as a 486, but no great shakes. I VERY carefully bind vulnerable services to the inside NIC, and only have http and ssh available to the outside nic. ipchains rules do the masqing and firewalling.
... LISTEN". If you dont want it to be available to the outside world FIX it!
The box has flawless uptimes, and speed is NOT an issue. It's very easy to saturate a cable or DSL line. CPU won't be your bottleneck.
Things to watch out for:
1) listening ports. do a "netstat -a" and check for "*:anything"
2) NO X. Duh.
3) understand ipchains. It's not hard, but not obvious either
4) don't forget about UDP.
Good luck,
Ben Ploni
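The "netstat -a" check from this post and from the earlier "Before panicking" post, scripted as an added example (not either poster's code): it keeps only sockets bound to the wildcard address, so a socket on 127.0.0.1 is not reported, and compares what is left against the ports you chose to expose. The netstat output is constructed, with an ORBit-style listener on port 1026 as an assumption.

```shell
#!/bin/sh
# Added example: find sockets listening on every interface in netstat output.
# Reads "netstat -an" (or "netstat -a") lines on stdin and prints one
# "proto port" pair per socket reachable from outside the box.
exposed_listeners() {
    awk '
        # TCP sockets only matter in LISTEN state; UDP has no state column,
        # so every bound UDP socket counts.
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            local = $4
            # 0.0.0.0:port (or *:port without -n) means bound to all interfaces,
            # i.e. reachable on eth0, not just lo.
            if (local ~ /^(0\.0\.0\.0|\*):/) {
                n = split(local, parts, ":")
                print $1, parts[n]
            }
        }'
}

# Constructed sample, not real output: sshd on 22, an MTA on loopback only,
# an ORBit CORBA listener on a high port (assumed 1026), an established
# session, dhcpcd on UDP 68 and a loopback-only UDP socket.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1026            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:22             10.0.0.7:40321          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:1027          0.0.0.0:*'

# Exposed sockets in the sample, one "proto port" per line.
sample_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

# Number of exposed sockets in the sample.
sample_exposed_count() {
    sample_exposed | awk 'END { print NR }'
}

# Succeeds only when every exposed socket is in the allowed list
# (a space-separated list such as "tcp 22 udp 68").
only_allowed_exposed() {
    allowed="$1"
    sample_exposed | while read -r proto port; do
        case " $allowed " in
            *" $proto $port "*) ;;
            *) echo "unexpected listener: $proto $port" >&2; exit 1 ;;
        esac
    done
}
```

On a live box replace the sample with `netstat -an | exposed_listeners`; anything it prints that you did not put there on purpose is the port to close or bind to 127.0.0.1.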
http://www.linuxgazette.com/issue34/vertes.html
http://www.linuxworld.com/linuxworld/lw-1999-05/lw-05-ramparts_p
http://www.securityfocus.com/focus/linux/articles/linux-securing
http://www.isr.umd.edu/~danielf/Linux/securinglinux.html
http://www.gl.umbc.edu/~jjasen1/unix/linux.html
--
Kiro
I believe that these problems have largely been fixed in the recent versions of Helix Gnome. If you just run helix-update, you can download the new packages that use Unix sockets by default instead.
I remember having similar frustration myself, and I was happy when it was fixed.
--
Ski-U-Mah!
Simply run ipchains with a set of rules that firewall that individual machine. There is a script at http://firewall.langistix.com that I wrote which will do precisely that if only given one interface. Combined with intrusion detection, it can be a very powerful tool.
Each port open is a CORBA connection from an application that supports being controlled through CORBA.
To access those services you do have to know the secret password (which is generated once for each session) so it is basically as secure as being able to log into your computer.
Now, we realized that this was a potential problem and some systems are shipping with ORBit CORBA sockets disabled (Helix GNOME ships with a disabled CORBA socket connection) as well as other distributions that have turned this feature off.
If you want to play it safe (although no security holes are known to exist in ORBit's incoming processing path) you can put this in your /etc/orbitrc:
ORBIIOPUSock=1
ORBIIOPIPv4=0
ORBIIOPIPv6=0
Miguel