security

Tom Panning tpanning at vt.edu
Sun Oct 7 11:23:58 PDT 2001


> I don't know if I agree completely about the firewall thing... But,
> this is mostly because I don't know much about them. Here is what I
> am curious to know about...
>
> What if this dial-up (via PPP link?) machine has 0 (zero) ports
> listening for connections. In a situation like this, can a firewall
> serve any really useful purpose? Probably it can, but could you maybe
> give small example to illustrate?
>
> Of course, when a browser, e-mail/news client, etc. operate on this
> machine there will be some ports opened up to allow them to do their
> thing. Anyway, closing port 6000 is good, along with other suggestions
> to not run services you don't need.
>
> Any feedback on my firewall question up there?

My LFS box is serving as an IP-Masq box, so I had a bit more interest in
running a firewall on it. In the process of figuring out how to set up the
firewall, I found many interesting tidbits on why this can make a
difference, even if your box isn't doing IP-Masq.

(Note: all of the info about what script kiddies do and don't do is based
off what I have read, I've never actually met or been someone who gained
unauthorized access to a machine, so everything I say here is third-hand
info)

1) Every raw LFS box with networking responds to ping requests by default.
Script kiddies used to use ping to find running computers. From what I
understand, they can discern the basic OS-type that you're running from the
ping response.

2) Most script kiddies don't use ping anymore, because even the most basic
tripwire-clones set off an alarm when someone pings them. So instead they
attempt to connect to a port that isn't running anything. Your computer will
send a message back saying, "This port is not open." This is much less
likely to set off an alarm, and they can get almost as much info out of it
as they can out of a ping response.

The easiest way to prevent this is to run iptables with the default policy
of dropping all incoming packets. Then write some rules that allow incoming
packets that are related to an existing outgoing connection. If you need
external access to ssh, then punch a hole for that. Make sure your welcome
message doesn't include any info about the OS or the software that you're
running.
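The policy described above written out as an iptables script, as an added example that is not from the original post; it assumes the dial-up interface is ppp0 and ssh listens on port 22, and it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables ruleset for the
# policy described above: drop everything inbound by default, let replies to
# connections this box started back in, and punch one hole for ssh.
# Assumptions: the dial-up interface is ppp0 and ssh listens on port 22.
# Without APPLY=1 the script prints the commands instead of running them,
# so it can be reviewed before touching a live box.

IFACE="${IFACE:-ppp0}"
SSH_PORT="${SSH_PORT:-22}"
ALLOW_SSH="${ALLOW_SSH:-yes}"

# run: execute an iptables command, or echo it when not applying.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    printf 'iptables %s\n' "$*"
  fi
}

# build_ruleset IFACE SSH_PORT ALLOW_SSH
build_ruleset() {
  iface="$1"; ssh_port="$2"; allow_ssh="$3"
  # Start from an empty INPUT chain.
  run -F INPUT
  # DROP rather than REJECT: a dropped probe gets no "port not open"
  # reply, so a scanner learns nothing (the point of the post above).
  run -P INPUT DROP
  # Loopback traffic never leaves the machine; leave it alone.
  run -A INPUT -i lo -j ACCEPT
  # Replies to connections this box initiated (browser, mail, news) are
  # tracked by conntrack and allowed back in. The 2001 HOWTO spells this
  # "-m state --state ESTABLISHED,RELATED"; conntrack is the current form.
  run -A INPUT -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Optional hole for ssh. NEW connections to any other port, and inbound
  # ping (ICMP echo-request), still fall through to the DROP policy.
  if [ "$allow_ssh" = "yes" ]; then
    run -A INPUT -i "$iface" -p tcp --dport "$ssh_port" \
        -m conntrack --ctstate NEW -j ACCEPT
  fi
}

build_ruleset "$IFACE" "$SSH_PORT" "$ALLOW_SSH"
```

With the ssh hole enabled the ruleset is five commands; the order matters, because the conntrack rule must be evaluated before any per-port rule so that replies are never blocked.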

Basically, the idea is to make your box disappear from the network as much
as possible. After all, if they don't know you exist, how can they crack
you? :-)

For working with iptables, read:
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html

For all the nitty-gritty on what a firewall should do, and why you should
run one, I highly recommend "Linux Firewalls" from New Riders. Most of the
book is overkill for someone who isn't running an internal network, so you
might want to spend an afternoon at Borders or Barnes & Noble and take
notes on the stuff that applies to you (that way you don't have to spend any
money :-) ).

If you really want to know the different things that a script kiddie can do
to gain access to your box, read "Hacking Exposed" (there's a new edition
that just covers Linux). Of course, the best way to get this kind of info
would be to get into the script kiddie community, but not all of us have the
time or immaturity required to do this ;-)

Hope that helps,
Tom

P.S. Don't be intimidated by the firewalling stuff, it doesn't have to be
very complicated, particularly with iptables. If you run into a problem
setting up iptables, I'll be happy to help.
