Networking :: Intrusion safety



Hi Y'all!

How safe is DSL when it comes to intruders? I use rc.firewall but is there more that can be done to make it safe? I read a little about snort but it seems way over my head to try to install what is needed and configure it. Any other suggestions? All ideas appreciated.

Have fun out there,
meo

Depends how you use DSL. Live CD? No problem -- it's read only. Installed to hard drive? It could be a little dicier depending on what you do, what you add, etc. (e.g., see the apple sucks category of my blog -- http://lucky13.blogsavy.com -- if you run QuickTime via a browser plug-in with Java enabled). DSL is very tight by default. You're at greater risk, though, if you're careless with setting up various services in certain ways or if you run something that's exploitable (apple sucks). And you're susceptible to even more risk if you run as root when networked.

You can try a port scan, either yourself or use one you find from a trusted website. I've used this one since Symantec shut down Sygate's scan (only works with Win and Mac now):
http://probe.hackerwatch.org/probe/

If you want to check your own ports (etc.), download the nmap/nmapfe extension from MyDSL.

I've run the hackerwatch scan with and without the MyDSL rc.firewall extension. Like I said above, DSL is pretty tight by default, but the firewall keeps your computer from responding to probes. I've done a few things like reassigning certain ports to make my computer a little safer, and done a few other things as well.

Okay, I was waiting for this to finish so I could show you the results. I just ran the hackerwatch simple probe again and this is the output WITH rc.firewall on (differences italicized):
Quote
Traffic Sent

Packets were successfully sent to your computer.  The server was unable to obtain a connection or any traffic from your computer.  This generally indicates that your firewall blocked the traffic successfully.

If you did not see an event warning it may indicate that the traffic did not reach your computer at all.

This could be due to any of the following reasons:

   * You are connecting to the Internet through a proxy server.  When we attempted to connect back to the IP address your web traffic came from we actually were connecting to the proxy server, not your computer.
   * You are behind a corporate firewall which is redirecting traffic in an unexpected manner.
   * You are connecting to the Internet through a NAT (network address translator).  When we attempted to connect back to the IP address your web traffic came from we actually were connecting to the proxy server, not your computer.

In any of these cases you will not see an event notification on your computer because our connection attempt did not reach your computer.  In any case, your computer is secure.


And this is with rc.firewall stopped:
Quote
Packets were successfully sent to your computer.  You should be aware that we were able to get a response from the computer at the IP address your traffic is originating from.

This could be due to any of the following reasons:

   * You are connecting to the Internet through a proxy server.  When we attempted to connect back to the IP address your web traffic came from we actually were communicating the proxy server, not your computer.
   * You are behind a corporate firewall which is redirecting traffic in an unexpected manner.
   * You are connecting to the Internet through a router behaving as a NAT (network address translator).  When we attempted to connect back to the IP address your web traffic came from we actually were communicating with the NAT, not your computer.
   * Your firewall is not running.

In any of these cases you will not see an event notification on your computer because either our connection attempt did not reach your computer or the firewall is not operating.  If you are in a corporate LAN, or using a cable or DSL router you are behind another firewall/proxy or NAT and your computer is secure.


The latter is based on DSL's default (plus a couple changes that didn't figure in to their simple scan). You shouldn't feel vulnerable, but you shouldn't get complacent about it, either.

My blog has been up and down. Check back periodically or look up the following at Google news:
gartner quicktime browser java

I almost posted a warning here about this yesterday since it could affect so many computers and there are people here who use Windows and Macs, but Mozilla's Linux products and Dillo don't have QuickTime plug-ins (I don't know if the API in MPlayer with QuickTime codecs can be used to launch the same kind of exploit, but I'm going to assume this mostly affects Mac and Windows computers). The quickest remedy if you do have a QuickTime plug-in on any computer is to either disable/remove QuickTime plug-ins or completely disable Java in your browser until Apple gets their act together.

(Edited blog link.)

I use grc.com, it's got many types of security scans...
Thanks for the tips on rc.firewall and the link to HackerWatch, they were enormously useful to this newb. Next I'll try automating rc.firewall start at boot using the scripts provided here. For all that Linux is inherently more secure than that other OS, I've had some nasty experiences lately. I don't know what it was but I made the mistake of setting up a remote access server with what was clearly an insecure password that was easily cracked. The result was (I suspect) a corrupted MBR that opened a remote access session each time I booted the system. It completely de-fanged my firewall (shorewall) and caused all kinds of headaches. I didn't even dare read my webmail for fear a keylogger would record my password, etc. To make a long story short I ran rkhunter with nothing detected. However, when I went to HackerWatch's tests I discovered my Telnet and HTTP ports were wide open and accepting incoming connections! Fired up the aptly named firewall and all ports were reported as secure (invisible on the 'net). I'll be sleeping a lot better! :)
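A local self-check for the "which of my ports are listening?" question in the earlier post (nmap/nmapfe) and the "Telnet and HTTP were wide open" discovery just above, as an added example that is not from this thread or from the DSL project. It parses the /proc/net/tcp table that Linux keeps (a constructed sample is embedded so it runs anywhere; point audit_listeners() at the real file), lists sockets in LISTEN state, and flags those bound to a non-loopback address that are not on an allowlist; the allowlist of port 22 and the sample services are assumptions.

```python
"""List listening TCP ports from a /proc/net/tcp table and flag the ones
reachable from other hosts. This shows what is listening locally; whether
rc.firewall hides them from the outside is what a remote probe tests."""
import socket

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd on 22, telnetd on 23 and httpd on 80 bound to all interfaces,
# CUPS on 631 bound to loopback only, plus one ESTABLISHED client socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
   4: 0A00020F:C0A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1238 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def parse_listeners(table):
    """Return [(port, bind_ip, uid)] for every socket in LISTEN state."""
    result = []
    for line in table.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex; reverse the bytes.
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
        result.append((int(port_hex, 16), ip, int(fields[7])))
    return result

def exposed_listeners(table, allowed=(22,)):
    """Listeners not bound to loopback and not on the allowlist, i.e. the
    services another host could reach if no firewall stands in front."""
    return [(p, ip, uid) for p, ip, uid in parse_listeners(table)
            if not ip.startswith("127.") and p not in allowed]

def audit_listeners(path="/proc/net/tcp", allowed=(22,)):
    """Run the check against the live kernel table (Linux only)."""
    with open(path) as f:
        return exposed_listeners(f.read(), allowed)

if __name__ == "__main__":
    for port, ip, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        try:
            name = socket.getservbyport(port)
        except OSError:
            name = "unknown"
        print(f"{ip}:{port} ({name}) is listening, owned by uid {uid}")
```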
Don't put too much trust in rkhunter. It's a good tool to use, but it's a reactive measure that's a step (or two or three) behind what malicious attackers are doing.

I don't subscribe to the belief that operating systems are inherently secure, period. Some are just harder for certain people to keep secure than others; there will always be vulnerabilities and people who will try to exploit them. Linux can be run as unsafely as Windows is perceived to be and Windows can be run safer than Linux is generally perceived to be. It boils down to how any particular system is set up, run, and maintained.
