Intrusion safety
Forum: Networking
Topic: Intrusion safety
Started by: meo

Posted by meo on May 01 2007,16:20
Hi Y'all! How safe is DSL when it comes to intruders? I use rc.firewall but is there more that can be done to make it safe? I read a little about snort but it seems way over my head to try to install what is needed and configure it. Any other suggestions? All ideas appreciated. Have fun out there, meo

Posted by lucky13 on May 01 2007,22:51
Depends how you use DSL. Live CD? No problem -- it's read only. Installed to hard drive? It could be a little dicier depending on what you do, what you add, etc. (e.g., see the apple sucks category of my blog -- < http://lucky13.blogsavy.com > -- if you run QuickTime via a browser plug-in with Java enabled). DSL is very tight by default. You're at greater risk, though, if you're careless with setting up various services in certain ways or if you run something that's exploitable (apple sucks). And you're susceptible to even more risk if you run as root when networked.

You can try a port scan, either yourself or use one you find from a trusted website. I've used this one since Symantec shut down Sygate's scan (only works with Win and Mac now): < http://probe.hackerwatch.org/probe/ > If you want to check your own ports (etc.), download the nmap/nmapfe extension from MyDSL. I've run the hackerwatch scan with and without the MyDSL rc.firewall extension. Like I said above, DSL is pretty tight by default, but the firewall keeps your computer from responding to probes. I've done a few things like reassigning certain ports to make my computer a little safer, and done a few other things as well.

Okay, I was waiting for this to finish so I could show you the results. I just ran the hackerwatch simple probe again and this is the output WITH rc.firewall on (differences italicized):
And this is with rc.firewall stopped:
The latter is based on DSL's default (plus a couple changes that didn't figure in to their simple scan). You shouldn't feel vulnerable, but you shouldn't get complacent about it, either.

My blog has been up and down. Check back periodically or look up the following at Google news: gartner quicktime browser java. I almost posted a warning here about this yesterday since it could affect so many computers and there are people here who use Windows and Macs, but Mozilla's Linux products and Dillo don't have QuickTime plug-ins (I don't know if the API in MPlayer with QuickTime codecs can be used to launch the same kind of exploit, but I'm going to assume this mostly affects Mac and Windows computers). The quickest remedy if you do have a QuickTime plug-in on any computer is to either disable/remove QuickTime plug-ins or completely disable Java in your browser until Apple gets their act together. (Edited blog link.)

Posted by curaga on May 03 2007,14:35
I use grc.com, it's got many types of security scans...
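The posts above lean on two checks: an outside scanner (hackerwatch, grc.com) and a local scan with the nmap extension. The distinction that matters in those results is between a port that is open (something accepted the connection), closed (the host answered with a reset) and "stealth"/filtered (no answer at all, which is what a DROP rule in a firewall like rc.firewall produces). The script below is an added example, not code from the thread, from DSL or from rc.firewall; it is a minimal TCP connect probe that reports that three-way classification for a list of ports. The port list and the host default are illustrative choices, not something the thread specifies.

```python
"""Minimal TCP connect probe: classify ports as open / closed / filtered.

Added example (not from the thread or from DSL). The classification mirrors
what an external scanner reports:
  open     - TCP handshake completed, a service is listening
  closed   - the host replied with RST (connection refused)
  filtered - nothing came back before the timeout, i.e. the probe was dropped
"""
import socket
import sys

# Illustrative list of ports a simple scanner typically tries (an assumption,
# not the hackerwatch or grc.com port list).
COMMON_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
    110: "pop3", 139: "netbios", 443: "https", 445: "smb", 3389: "rdp",
}


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed', 'filtered' or 'error' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # A RST came back: the host is reachable but nothing listens here.
        return "closed"
    except (socket.timeout, TimeoutError):
        # No SYN-ACK and no RST: a DROP rule (or a dead host) looks like this.
        return "filtered"
    except OSError:
        # e.g. host unreachable; do not mistake a routing problem for stealth.
        return "error"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def accepting_connections(results):
    """Sorted list of ports that accepted a connection (the ones to worry about)."""
    return sorted(p for p, state in results.items() if state == "open")


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port so a reader can see an
    'open' result without touching a real service. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target, COMMON_PORTS)
    for port, name in COMMON_PORTS.items():
        print(f"{port:5d}/tcp {name:8s} {results[port]}")
    print("accepting connections:", accepting_connections(results) or "none")
```

Run it from a second machine on the LAN (`python3 probe.py 192.168.1.10`) rather than against 127.0.0.1 only: loopback never passes through the rules that protect the external interface, so a local run shows what is listening, while a run from outside shows what a prober actually gets back. A timeout result is only meaningful if the host is known to be up; that is why the script keeps "error" separate from "filtered".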
Posted by dougp on Aug. 02 2007,23:36
Thanks for the tips on rc.firewall and the link to HackerWatch, they were enormously useful to this newb. Next I'll try automating rc.firewall start at boot using the scripts provided here. For all that Linux is inherently more secure than that other OS, I've had some nasty experiences lately. I don't know what it was but I made the mistake of setting up a remote access server with what was clearly an insecure password that was easily cracked. The result was (I suspect) a corrupted MBR that opened a remote access session each time I booted the system. It completely de-fanged my firewall (shorewall) and caused all kinds of headaches. I didn't even dare read my webmail for fear a keylogger would record my password, etc. To make a long story short I ran rkhunter with nothing detected. However, when I went to HackerWatch's tests I discovered my Telnet and HTTP ports were wide open and accepting incoming connections! Fired up the aptly named firewall and all ports were reported as secure (invisible on the 'net). I'll be sleeping a lot better!
Posted by lucky13 on Aug. 03 2007,12:39
Don't put too much trust in rkhunter. It's a good tool to use, but it's a reactive measure that's a step (or two or three) behind what malicious attackers are doing.

I don't subscribe to the belief that operating systems are inherently secure, period. Some are just harder for certain people to keep secure than others; there will always be vulnerabilities and people who will try to exploit them. Linux can be run as unsafely as Windows is perceived to be and Windows can be run safer than Linux is generally perceived to be. It boils down to how any particular system is set up, run, and maintained.

Posted by muskrat on Aug. 04 2007,01:59
The general rule of thumb is: if your linux box is compromised/hacked, there is no way you can be 100% sure of having it cleaned without a fresh install.

On another point, Live CDs are often said to be super secure because they are a read only system. That is true, except for one item which I see is never addressed. All (almost all) Live CDs are running on PCs that have a HD install of another OS on them, and the current running system is in RAM and is read-writable. Which tells me, IF your current session of your Live CD is hacked, your HD OS could be hacked without your knowledge. True, you reboot and your next session is fresh and new, but what has been done to your HD OS? That's one reason I quit using Puppy, it runs as root all the time.
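Two points in the last posts fit together: rkhunter is reactive (it looks for rootkits it already knows), and a hard-disk install can be altered from a hacked live session without the next session noticing. A file-integrity baseline addresses both: hash every file of the hard-disk install while it is known good, keep the manifest somewhere the machine cannot write to (a CD or a USB stick that stays unplugged), and later boot a live CD, mount the hard disk read-only, and compare. That catches any modified, added or removed file, known rootkit or not, but only changes made after the baseline was taken. The code below is an added example, not a DSL tool or part of rkhunter; the sample tree in `demo_run()` is constructed for illustration and its file names and contents are assumptions.

```python
"""File-integrity baseline: record SHA-256 of every file under a root, then
compare a later snapshot against it.

Added example, not part of the thread, DSL or rkhunter. Intended use:
  1. While the install is trusted:  build_manifest('/mnt/hda1') -> save_manifest()
  2. Store the manifest off the machine (read-only media).
  3. From a live CD with the disk mounted read-only: build again and compare().
"""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root.
    Symlinks are skipped rather than followed, so a planted link cannot
    drag /proc or another mount into the manifest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order for reproducible manifests
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} (sorted)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo_run():
    """Constructed demonstration: baseline a scratch tree, tamper with it in
    the ways a post-compromise disk typically shows, and compare."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        # Constructed "known good" install (contents are placeholders).
        _write(root, "bin/ls", b"ELF\x00original ls\n")
        _write(root, "etc/inetd.conf", b"#telnet stream tcp nowait root in.telnetd\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/messages", b"May  1 16:20 boot ok\n")
        baseline = build_manifest(root)
        manifest_path = os.path.join(root, "baseline.json")
        save_manifest(baseline, manifest_path)  # in practice: write to read-only media
        os.remove(manifest_path)                # not part of the tree being checked

        # Constructed tampering: trojaned binary, telnet re-enabled,
        # a dropped-in file, and a wiped log.
        _write(root, "bin/ls", b"ELF\x00trojaned ls\n")
        _write(root, "etc/inetd.conf", b"telnet stream tcp nowait root in.telnetd\n")
        _write(root, "etc/ld.so.preload", b"/lib/libhide.so\n")
        os.remove(os.path.join(root, "var/log/messages"))

        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=1))
```

The baseline is only as trustworthy as the moment it was taken and the place it is kept: a manifest stored on the same disk can be rewritten by whoever rewrote the files, and a comparison run from inside the suspect install can be lied to by a kernel module or a patched libc. That is why both the hashing pass and the manifest live outside the hard-disk OS, which is exactly the read-only live CD use the thread describes.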