Slashdot Mirror


GNOME, Security, Linux, and Cable Modems?

beagle asks: "I just signed up for Time Warner's Road Runner service, and I'm concerned for security on my home machine now. As I started to crack down on my box over the weekend, I noticed that GNOME has about ten ports open in the range of 1030-1040, for such things as gpilotd, tasklist (sp?), and other similar apps. I shut off inetd, named, sendmail, and all other basic services except httpd. Of course, ssh is the only remote login method I support. However, I run Helix GNOME at home (I don't at work; I only ssh into the work machine - no console) and I don't want to stop using GNOME."

"I have always been more lax about security on my home Linux box than I have been on my public Linux box, but now that my home machine will be online all the time, security becomes more of an issue.

Are there any security concerns related to GNOME? Should I worry about all these ports that GNOME is using? Is there anything I can do to beef up security on the machine? (There are bunches of other UNIX sockets open too - ORBIT comes to mind - but I'm only worried about the TCP sockets.) Of course, I have Zone Alarm for when the machine is running Windows (once in a blue moon), but I don't know of anything like that for a single Linux box.

I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem. (Well, that and my wife is tired of me tying up the landline every night.)

So, what about it, gurus of Slashdot? Is my best option to go ahead and run IPFW and IP Masquerading on my old 32MB 486? Do I even need to worry about the ports GNOME is using at all?"

11 of 335 comments

  1. 10 minute solution: by Anonymous Coward · · Score: 4

    As others have mentioned, a 486 can easily route a T-1 or more with no performance hit. The easiest solution on the planet has to be Freesco. http://www.freesco.org. It runs off a floppy, can be easily migrated to the smallest hdd you have, and supports such niceties as dynamic DNS and port forwarding...all without editing config files. Port forwarding will allow you to run Apache or ftp behind the Freesco box, even if you're using a private subnet. A huge benefit.

  2. Clarifications by Anonymous Coward · · Score: 4

    1. It's not called masq. It's called net address translation. It's been called that for 20 years. Then these linux kids come along and make up masq. Call it by its technical name; not a developer's gimmick name.

    2. A 486 is more than up for the job. It will handle a saturated cable line and still not carry a heavy load.

    3. Safety first. Just because the 486 is more than enough power don't feel justified in making a stupid security mistake; keep the firewall clean.
    Linux is not as secure as BSD, as you are finding, because many chances are taken in user land apps with permissions. This makes the OS more cutting edge, but security is the price. (This is not a troll--how many weeks go by before another bugtraq post comes up about another linux exploit--every few weeks; how often for OpenBSD? Not for three years. Look, it's better than windows, OK, but linux is riddled with buffer overflows in user space, which in turn lead to LOCAL ROOT compromises.)
    So, DON'T LISTEN TO OTHERS WHO SUGGEST RUNNING OTHER SERVICES ON THE BOX.

    Don't do it.

    Run these other services (mail, httpd, etc.) off your interior boxes.
    You absolutely want ipfilter or other socket filtration software to have a complete crack at packets; you don't want to make a nice firewall, and then junk it up with services. Keep the firewall clean and separate from user space. Hell, even remove ls from the freakin' firewall. Trash it so you have to admin by booting from a floppy. Don't leave your tools on the firewall; the hacker will only use them to compromise other machines on the LAN.

    4. Raise Hell About Gnome Security Issues.
    You should start asking loud, noisy questions about (a) what are these ports, (b) HAS THERE BEEN A SECURITY AUDIT OF THEM (answer: No), and (c) Are they really necessary (perhaps they are; could they instead be wrapped; are they suid? who owns that port? etc.).

  3. yes, excellent script! by DrSpoo · · Score: 4

    You have made a wonderful script Manuka, thanks for your hard work! I have made a quick security guide for my local users group, and this script is a big part of it.

    http://usmcug.usm.maine.edu/papers/linux_security_guide.html

    1. Re:yes, excellent script! by Karmageddon · · Score: 4
      Initializing your ipchains via rc.local as you suggest leaves you highly vulnerable for a short period of time whenever you reboot. You need to run the script before the network is started.

      If you look in /etc/rc.d/rc{3,5}.d/ you will see the SnnNetwork startup script. Put a symbolic link named SnnFirewall to your firewall script. Replace the nn with a smaller number than the network script uses.

  4. Get thee a firewall ... by Stan+Chesnutt · · Score: 4

    Over the weekend, I installed a firewall made by LinkSys:

    http://www.linksys.com/products/product.asp?prid=20&grid=5

    and it replaced a simple Linux machine that was running the usual ipchains/NAT software. Why use the LinkSys? Smaller, much less power consumption, no noise, very little heat. While a linux machine is a lot more powerful, the power simply isn't needed in this situation. The linksys allows port forwarding, supports DHCP, and a few more exotic features. The unit has gotten a lot of good reviews on epinions.com.

  5. Easier than any Linux solution by Weasel+Boy · · Score: 4

    If you have an old Mac, as I do, load it up with dual Ethernets, Open Transport 1.1.1 or better, and IPNetRouter. It does all the port mapping and filtering you need, and comes with excellent instructions.

    The same reason Macs were chosen by the U.S. Army will make your old Mac a great firewall: Macs don't hardly have any open TCP/IP ports! Other than the ones you explicitly enable, of course.

    I loaded up IPNetRouter on my 6-yr-old Mac and used it both as a firewall for my house and as my primary workstation for over 9 months before I upgraded. It has been extremely reliable (uptimes on the order of weeks ain't bad considering all I do to it) and easy to maintain.

    Which is more than I can say for the Linux rig I used for my firewall previously.

  6. My experiences by benploni · · Score: 4

    I have a dsl line in my apartment. I have it connected to a dual NIC pentium 90 that is my ip-masq/firewall/dhcp server/samba/ssh/httpd server. That's right, a Pentium 90. Not as bad as a 486, but no great shakes. I VERY carefully bind vulnerable services to the inside NIC, and only have http and ssh available to the outside nic. ipchains rules do the masqing and firewalling.

    The box has flawless uptimes, and speed is NOT an issue. It's very easy to saturate a cable or DSL line. CPU won't be your bottleneck.

    Things to watch out for:
    1) Listening ports. Do a "netstat -a" and check for "*:anything ... LISTEN". If you don't want it to be available to the outside world FIX it!
    2) NO X. Duh.
    3) Understand ipchains. It's not hard, but not obvious either.
    4) Don't forget about UDP.

    Good luck,
    Ben Ploni
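The "netstat -a" check above, and the reminder about UDP, in working form. This is an added example, not code from the comment author: it parses the output of `netstat -an` (numeric addresses, so ports are numbers rather than service names), keeps only sockets actually waiting for input, and reports the ones a remote host on the cable side could reach. The sample listing embedded below is constructed to look like the poster's setup (ORBit ports 1030-1031 bound to all interfaces, Samba on the inside NIC, X on loopback, ssh and httpd deliberately exposed); the inside network 192.168.1.0/24 and the allow-list of (proto, port) pairs are assumptions you would replace with your own.

```python
"""Audit `netstat -an` output for sockets reachable from outside the box.

Added example (not from the original thread). Assumes Linux netstat output
with numeric addresses; the sample below is constructed, not captured.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Set, Tuple

# Constructed sample in the layout of `netstat -an` (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1030            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1031            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 24.1.2.3:22             198.51.100.7:40123      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 192.168.1.1:137         0.0.0.0:*
"""


class Socket(NamedTuple):
    proto: str
    addr: str
    port: int
    state: str


def parse_netstat(text: str) -> List[Socket]:
    """Return the sockets that are waiting for input (TCP listeners, UDP receivers)."""
    socks: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # banner, header, or a UNIX-domain socket line
        local, foreign = fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            raise ValueError("service name %r in port field; run netstat with -n" % port)
        # A TCP socket is only a target if it is in LISTEN. UDP has no state
        # column, so grepping for LISTEN misses it: an unconnected UDP socket
        # (foreign address *:*) accepts datagrams from anyone who can reach it.
        if fields[0] == "tcp" and state != "LISTEN":
            continue
        if fields[0] == "udp" and not foreign.endswith(":*"):
            continue
        # Older netstat prints the wildcard bind as "*" rather than 0.0.0.0.
        socks.append(Socket(fields[0], "0.0.0.0" if addr == "*" else addr, int(port), state))
    return socks


def externally_reachable(socks: Iterable[Socket],
                         inside_nets: Iterable[str],
                         allowed: Set[Tuple[str, int]]) -> List[Socket]:
    """Sockets a host on the outside NIC could talk to and that are not on the allow-list."""
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    exposed: List[Socket] = []
    for s in socks:
        ip = ipaddress.ip_address(s.addr)
        if ip.is_loopback:
            continue  # only local processes can connect
        if any(ip in n for n in nets):
            continue  # bound to the inside NIC only
        if (s.proto, s.port) in allowed:
            continue  # exposed on purpose (ssh, httpd)
        exposed.append(s)  # wildcard (0.0.0.0) or outside-NIC binds land here
    return sorted(exposed)


if __name__ == "__main__":
    found = externally_reachable(parse_netstat(SAMPLE_NETSTAT),
                                 ["192.168.1.0/24"],           # assumed inside subnet
                                 {("tcp", 22), ("tcp", 80)})   # assumed allow-list
    for s in found:
        print("%s %s:%d is reachable from the outside" % (s.proto, s.addr, s.port))
```

On a live box, feed it `netstat -an` rather than the sample; anything it prints is either a service to bind to the inside NIC or loopback (the ORBit ports in the original question fall in this class), or a port to drop in the ipchains rules. The UDP branch is what point 4 above is about: portmap on 111 would never show up in a grep for LISTEN.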

  7. Update your Gnome install by Mike+Hicks · · Score: 5

    I believe that these problems have largely been fixed in the recent versions of Helix Gnome. If you just run helix-update, you can download the new packages that use Unix sockets by default instead.

    I remember having similar frustration myself, and I was happy when it was fixed.
    --
    Ski-U-Mah!

  8. ipchains by Manuka · · Score: 5

    Simply run ipchains with a set of rules that firewall that individual machine. There is a script at http://firewall.langistix.com that I wrote which will do precisely that if only given one interface. Combined with intrusion detection, it can be a very powerful tool.

  9. The ports open. by miguel · · Score: 5

    Each port open is a CORBA connection from an application that supports being controlled through CORBA.

    To access those services you do have to know the secret password (which is generated once for each session) so it is basically as secure as being able to log into your computer.

    Now, we realized that this was a potential problem and some systems are shipping with ORBit CORBA sockets disabled (Helix GNOME ships with a disabled CORBA socket connection) as well as other distributions that have turned this feature off.

    If you want to play it safe (although no security holes are known to exist in ORBit's incoming processing path) you can put this in your /etc/orbitrc:

    ORBIIOPUSock=1
    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

    Miguel