Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 

All times are UTC - 4
Net Security
Moderators: Flash, Ian, JohnMurga
Page 2 of 3 [35 Posts]
Mic67

Joined: 30 Oct 2006
Posts: 478

PostPosted: Sat 18 Nov 2006, 13:58    Post subject:  

Well, in my last post I suggested using the app "Network Superscanner", which is in the Menu > Network tab in Puppy210. By inputting your assigned IP address this will scan your computer for open ports; port 6000 is open by default, which was the only one I had seen. After that post I decided to keep the scanner app readily available for use while surfing, and from time to time perform a scan to see if there were any other open ports. Whoaaa... on several occasions there were up to 4 other open ports, also displaying "service unknown". While doing this I recommend using an rxvt window and netstat -tcp, which will display all TCP connections, and you can compare the port numbers in use to those that are open. Then go figure...

Also, using rxvt, type netstat -s and then Enter; it will display:
sh-3.00# netstat -s
Ip:
262858 total packets received
0 forwarded
0 incoming packets discarded
262837 incoming packets delivered
262890 requests sent out
Icmp:
6 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 6
21 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 21
Tcp:
131134 active connections openings
2 passive connection openings
0 failed connection attempts
1 connection resets received
0 connections established
262788 segments received
262826 segments send out
29 segments retransmited
0 bad segments received.
131083 resets sent
Udp:
37 packets received
6 packets to unknown port received.
0 packet receive errors
43 packets sent
TcpExt:
ArpFilter: 0
5 TCP sockets finished time wait in fast timer
5 time wait sockets recycled by time stamp
31 delayed acks sent
Quick ack mode was activated 9 times
270 packets header predicted
TCPPureAcks: 152
TCPHPAcks: 8
TCPRenoRecovery: 0
TCPSackRecovery: 0
TCPSACKReneging: 0
TCPFACKReorder: 0
TCPSACKReorder: 0
TCPRenoReorder: 0
TCPTSReorder: 0
TCPFullUndo: 0
TCPPartialUndo: 0
TCPDSACKUndo: 0
TCPLossUndo: 20
TCPLoss: 0
TCPLostRetransmit: 0
TCPRenoFailures: 0
TCPSackFailures: 0
TCPLossFailures: 0
TCPFastRetrans: 0
TCPForwardRetrans: 0
TCPSlowStartRetrans: 0
TCPTimeouts: 24
TCPRenoRecoveryFail: 0
TCPSackRecoveryFail: 0
TCPSchedulerFailed: 0
TCPRcvCollapsed: 0
TCPDSACKOldSent: 4
TCPDSACKOfoSent: 0
TCPDSACKRecv: 15
TCPDSACKOfoRecv: 0
TCPAbortOnSyn: 0
TCPAbortOnData: 1
TCPAbortOnClose: 1
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 1
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0
sh-3.00#
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Now to determine what is going on with your Firewall rules
sh-3.00# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
TRUSTED all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID

Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
sh-3.00#
>>>>>>>>>>>>>>>>>>>>>>.

Now some networking info:
sh-3.00# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
999.9.999.99 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 999.9.999.99 0.0.0.0 UG 0 0 0 ppp0
sh-3.00#
>>>>>>>>>
Note: in the above example the IP 999.9.999.99 is fictitious but stands in for your gateway IP address.
>>>>>>>>>
And here is something else that may be of assistance, by doing netstat -rpcinfo:

sh-3.00# netstat -rpcinfo
netstat: invalid option -- f
usage: netstat [-veenNcCF] [<Af>] -r netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -i | [-cnNe] -M | -s }

-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections

-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing

-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB

<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
sh-3.00#
>>>>>>>>>>>>>
This command, netstat -l, will show the open port 6000 (note that the l is a lowercase L, not the number one).
>>>>>>>>>>>>>>>>>>>
sh-3.00# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6000 *:* LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 2990 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 3473 /tmp/root-v2jg87/dpid.srs
unix 2 [ ACC ] STREAM LISTENING 3475 /tmp/root-v2jg87/bookmarks.dpi
unix 2 [ ACC ] STREAM LISTENING 3477 /tmp/root-v2jg87/cookies.dpi
unix 2 [ ACC ] STREAM LISTENING 3479 /tmp/root-v2jg87/datauri.filter.dpi
unix 2 [ ACC ] STREAM LISTENING 3481 /tmp/root-v2jg87/downloads.dpi
unix 2 [ ACC ] STREAM LISTENING 3483 /tmp/root-v2jg87/file.dpi
unix 2 [ ACC ] STREAM LISTENING 3485 /tmp/root-v2jg87/ftp.filter.dpi
unix 2 [ ACC ] STREAM LISTENING 3487 /tmp/root-v2jg87/hello.filter.dpi
unix 2 [ ACC ] STREAM LISTENING 3489 /tmp/root-v2jg87/https.filter.dpi
sh-3.00#
>>>>>>>>>>>>>
And you can use the command in rxvt:

ifconfig

to determine your IP and other things
>>>>>>>>>>>>>>>>

Maybe this will give you something to think about or use.
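Added example, not part of Mic67's post and not Puppy code: a small POSIX shell script that turns the manual netstat -l / netstat -tulp inspection above into a repeatable check. It parses netstat's listening-socket table and reports every socket bound to a non-loopback address whose port is not on an allowlist you pass in. The netstat output embedded in the script is constructed for the demonstration, and the function names list_listeners and check_listeners are this example's own. Two practical notes: netstat -p only shows the owning program when run as root, and the X server's TCP 6000 listener seen in the post can be removed at the source by starting X with -nolisten tcp rather than only filtering it; the script just makes the exposure visible.

```shell
#!/bin/sh
# Added example: flag unexpected listening sockets in netstat output.
# Not part of the original post; the sample output below is constructed.

# Constructed stand-in for `netstat -tulpn` on a Puppy-style desktop:
# X listening on TCP 6000 for everyone, CUPS on loopback only, a DHCP client on UDP 68.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1234/X
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1300/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1100/dhcpcd'

# list_listeners < netstat-output: print one "proto port bindaddr program" line
# per listening socket. The port is the last colon-separated field of the local
# address, so IPv6 forms such as :::22 are handled too. When netstat was run
# without -p (as in the post), the program column is absent and "-" is printed.
list_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        prog = ($NF ~ /\//) ? $NF : "-"
        print $1, port, addr, prog
    }'
}

# check_listeners "<space-separated allowed ports>" < netstat-output
# Prints one UNEXPECTED line per listener that is reachable from the network
# (bound to something other than loopback) and whose port is not allowed.
check_listeners() {
    allow=" $1 "
    list_listeners | while read -r proto port addr prog; do
        case "$addr" in
            127.*|::1) continue ;;   # loopback-only services are not network exposed
        esac
        case "$allow" in
            *" $port "*) ;;
            *) echo "UNEXPECTED $proto/$port on $addr ($prog)" ;;
        esac
    done
}

# Demonstration on the constructed sample: only UDP 68 (the DHCP client) is
# expected, so TCP 6000 (the X server) is reported and CUPS on 127.0.0.1 is not.
printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners "68"

# Live use on the machine being checked (the -p column needs root):
#   netstat -tulpn | check_listeners "68"
```

Run it from time to time while connected, as the post suggests, and treat any UNEXPECTED line as something to explain before moving on: either add the port to the allowlist deliberately or find and stop the program that opened it.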
Mic67

Joined: 30 Oct 2006
Posts: 478

PostPosted: Sat 18 Nov 2006, 14:50    Post subject:  

Here are some links that may be of interest:
http://www.fs-security.com/
"
A Modern Linux Firewall

Linux security does not have to be complex,
and simplicity does not have to mean sacrificing power.

With Firestarter you will have a firewall up and running in minutes. After that it is up to you how deep you choose to go."

"Key Features

* Open Source software, available free of charge
* Easy to use graphical interface
* Suitable for use on desktops, servers and gateways
* Enables Internet connection sharing
* Allows you to define both inbound and outbound access policy
* Option to whitelist or blacklist traffic
* Sets up DHCP for a local network
* Real time firewall events view
* View active network connections, including any traffic routed through the firewall
* Advanced Linux kernel tuning features"
"This is a departure from your typical Linux firewall, which has traditionally required arcane implementation specific knowledge."

(It has a nice GUI on this page)^^^
>>>>>>>>>>>>>>
http://trinux.sourceforge.net/
"Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session-hijacking, backup/recovery, computer forensics, intrusion detection, and more. "

It would be great if a lot of these could be included in a puppy distro.

As there are distros that specialize in hardened systems, "Secure" Linux Distros>

http://www.linux-sec.net/Distro/#hardened
>>>>>>>>>>>>>
http://www.linux-sec.net/IDS/
Intrusion Detection Systems
>>>>>>>>>>>>>>>

http://www.linuxsecurity.com/content/view/125805/187/
Linux Advisory Watch: November 17th 2006
>>>>>>>>>>>>>
http://www.linux-sec.net/Harden/harden.gwif.html
Hardening and Tightening Security on Your Server/Network
>>>>>>>>>>>>
http://www.linux-sec.net/Firewall/
Linux-Sec.net/Firewall
>>>>>>>>>
http://www.dshield.org/
"Most Attacked Port: 1026"
This would primarily apply to Windows.
MY OPINION>>>>
There is a way to reduce this by configuring rules in your firewall in Windows. Or by simply starting your browser and closing it 6 to 12 times before logging on to the net. As each time you start and close your browser, the next time you open the browser it will use the next higher port for starting from, so your loopback is not the standard port of 1026. There is a lot more to write about this...

>>>>>>>>>>>>>>

http://www.linuxsecurity.com/content/view/125793/169/
Virtualization and Security
"Date: 16 November 2006
Security: It's a pity that discussions on the subject of security vulnerabilities associated with virtual servers tend to focus on Windows: If a virtual machine is running as a guest on a Windows host, an exploit on the guest VM can climb up to the Windows host, and then all hell can break loose. There's more to securing virtual servers than not running VMs as guests of a Windows host. If cyberfelons gain local or remote access to a VMware Virtual Center console, your world is their oyster. "

>>>>>>>>>>>>>>>>

http://dmoz.org/Computers/Software/Operating_Systems/Linux/Security/
>>>>>>>>>>
http://insecure.org/sploits_linux.html
Linux Section
Exploit world!
>>>>>>>>>>>

Is Linux really secure?

Relative to Windows...YES, it implements raw sockets differently, I believe...
http://linuxchix.org/content/courses/security/raw_sockets
"Raw mode is basically there to allow you to bypass some of the way that your computer handles TCP/IP. Rather than going through the normal layers of encapsulation/decapsulation that the TCP/IP stack on the kernel does, you just pass the packet to the application that needs it. No TCP/IP processing -- so it's not a processed packet, it's a raw packet. The application that's using the packet is now responsible for stripping off the headers, analyzing the packet, all the stuff that the TCP/IP stack in the kernel normally does for you."

NOTE: Reeeview my previous post and data therein provided

http://www.grc.com/dos/sockettome.htm
http://www.theregister.co.uk/2001/06/25/steve_gibson_really_is_off/

http://linux.sys-con.com/read/34589_1.htm
"Sysadmin
Linux Raw Socket Programming - What Lies Beneath a Socket?"

http://www.interact-sw.co.uk/iangblog/2004/08/12/norawsockets
Raw Sockets Gone in XP SP2
XXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXX
http://www.schneier.com/blog/archives/2005/01/linux_security_1.html
" Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised.

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes."

XXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXX

http://seclists.org/nmap-hackers/2005/0004.html
Nmap Hackers: Microsoft Tightens the Noose on Raw Sockets

XXXXXXXXXXXXXXXXXXXXXXXXXXXxx

A lot of things to think about in any LINUX Distro....
marksouth2000

Joined: 05 Apr 2006
Posts: 620

PostPosted: Mon 20 Nov 2006, 05:58    Post subject:  

I have to confess I just don't get this thread.

Security is a complex issue. People building hardened servers and handling military secrets on laptops have different issues and ways of approach to the problem. There are many distros that cater specifically to them.

Puppy has the goal of being a useful desktop for older machines and of leaving as small a footprint as possible.

The main security issue for Puppy is one of data security, and there are some guys working hard on that in the "encrypted pup_save" thread. anyone who has security concerns and expertise would be doing best by helping there.

For the sake of accuracy, though, I will point out that Linux has a choice of one firewall. Iptables is part of the kernel. The other stuff is just management software that makes it easier to configure iptables.
Gn2


Joined: 16 Oct 2006
Posts: 936
Location: virtual - Veni vidi, nihil est adpulerit

PostPosted: Mon 20 Nov 2006, 10:17    Post subject:  

What is complex - If paranoid:
Pull plug on Web access -
Don't let anyone touch computer - (Esp. owner)
Take up knitting - loop a few loose ends there >
Things still get unravelled

Aside: ~ Military now has new approach - Pre-emptive Defense.

Or run Puppy in Ram, store sv3_fs (when will default Cfg. of file type be expanded) on removable media & relax !

IMHO it isn't security that is the greatest danger of borking the O/System.
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Mon 20 Nov 2006, 12:43    Post subject:  

Quote:
Puppy has the goal of being a useful desktop for older machines and of leaving as small a footprint as possible.


That's the starting point, yes. Then everyone and their grandma around here take it and make different flavors of it.

I'm glad people are thinking about security, even if others have to roll their eyes. To paraphrase an old saying, "It's better to have security and not need it, than to need it and not have it." Some of us live in budding police states and don't like being under a microscope. I'm encouraged that Britons lately have made a sport of destroying their roadside speeding cameras.

Unless I missed it in this thread, getting a firewall running is as simple as putting this:

Code:
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi
...inside your /etc/rc.d/rc.local file. Newbies need to be aware of this. Of course that won't be enough for some folks, who will want to fiddle the settings. That's fine, they should do that if they want.

I am in the process of extending kirk's Encrypt_pupsave script. It should be ready for 2.13, and Barry is going to put this encrypted pup_save into that revision if we are ready by then. Another thing that needs to be worked on is encrypting the swap. Currently there is no way to get around that problem except by 1) using a large memory and running without swap, or 2) getting some scrub program loaded to clean it up when you shutdown. Hmm, I wonder if you could just run another loop device for swap, just like we do with the pup_save? That might be an option too.

Let's keep chewing on this, security fans...
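Added example, not code from PaulBx1, kirk or Puppy: a POSIX shell script for the second of PaulBx1's two options above, scrubbing swap at shutdown. It reads /proc/swaps, turns each swap partition off, overwrites it from /dev/urandom (not /dev/random, which would block waiting for entropy), writes a fresh swap signature and optionally re-enables it. It assumes root and the standard swapoff, dd, mkswap and swapon tools, and it deliberately handles only partition-backed swap. The /proc/swaps text inside the script is constructed for the demonstration, the function names are this example's own, and with DRY_RUN=1 it only prints the commands it would run, which is what the demonstration at the end of the script does.

```shell
#!/bin/sh
# Added example: scrub swap partitions at shutdown so nothing paged out
# (passphrases, decrypted pup_save contents) survives on disk.
# Not Puppy's own code. DRY_RUN=1 prints the commands instead of running them.

# Constructed /proc/swaps content for the demonstration; the real file has the
# same layout (a header line, then one entry per active swap area).
SAMPLE_PROC_SWAPS='Filename                                Type            Size    Used    Priority
/dev/hda5                               partition       524280  1024    -1
/swapfile                               file            131068  0       -2'

# swap_devices < /proc/swaps: print partition-backed swap devices, one per line.
# Swap files are skipped: overwriting a file inside a mounted filesystem does not
# guarantee the old blocks are overwritten, so they need separate handling.
swap_devices() {
    awk 'NR > 1 && $2 == "partition" { print $1 }'
}

# run CMD ARGS...: execute the command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# wipe_swap DEVICE: swapoff, fill with random bytes, rebuild the swap header.
# Set REENABLE=1 to swapon again afterwards (for a scrub at boot rather than shutdown).
wipe_swap() {
    target=$1
    run swapoff "$target" || return 1
    # dd stops with a non-zero status when the partition is full; that is the
    # expected end of a whole-device overwrite, so the status is ignored.
    run dd if=/dev/urandom of="$target" bs=1M || true
    run mkswap "$target" || return 1
    if [ "${REENABLE:-0}" = "1" ]; then
        run swapon "$target" || return 1
    fi
    return 0
}

# scrub_all_swap < /proc/swaps: wipe every partition-backed swap area listed.
scrub_all_swap() {
    for dev in $(swap_devices); do
        wipe_swap "$dev" || echo "scrub of $dev failed" >&2
    done
}

# Demonstration on the constructed table: prints the three commands it would run
# for /dev/hda5 and nothing for /swapfile.
printf '%s\n' "$SAMPLE_PROC_SWAPS" | (DRY_RUN=1; scrub_all_swap)

# Real use, as root, from the shutdown script before filesystems are unmounted:
#   scrub_all_swap < /proc/swaps
```

Overwriting a 512 MB swap partition with random data takes a noticeable few seconds on 2006-era disks, which is the price of the approach; a NOSWAP boot, where the machine has enough RAM, avoids the problem entirely.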
marksouth2000

Joined: 05 Apr 2006
Posts: 620

PostPosted: Mon 20 Nov 2006, 15:58    Post subject:  

PaulBx1 wrote:
Quote:
Puppy has the goal of being a useful desktop for older machines and of leaving as small a footprint as possible.


That's the starting point, yes. Then everyone and their grandma around here take it and make different flavors of it.

I'm glad people are thinking about security, even if others have to roll their eyes.


I *am* rolling my eyes. And when I roll my eyes, the guy rolling his eyes has consulted on computer security to some of the biggest banks and telcos in the world.

There are operating systems that are designed from scratch to be secure. There are operating systems that are designed to be easy to use and to work on pretty much any kind of hardware. (Insert "Linux distro" in place of "operating system" if you like.) Trouble is that the goals are largely mutually exclusive. And even if you want to layer security onto something insecure, you need a good model for what you're trying to achieve.

I think what you guys are doing with encrypted pup_saves is brilliant. I think that a NOSWAP boot option would be an excellent idea.

I think that simply saying "Steve Gibson says we all need to break standards to keep ourselves hidden and then everything will be good" and posting links to randomly chosen sites is a hopeless endeavour. Which is why I suggested that the OP spend effort on helping you guys with your work, because one can EITHER start by developing a detailed security model (with the inevitable conclusion that Puppy would not be the starting point to choose - and I say this speaking as one of Puppy's greatest fans) OR one can work on building useful components of security mechanisms that can be added on as useful to individual users.

Finally, I am quite familiar with police states, I've lived in one that was such when I lived there (and is no longer) and in another that is well on its way. Which is why I prefer to be where I am now. Secure systems are a good thing. Puppy is not a secure system. Does that make Puppy a bad thing? Of course not. One judges systems by how well they conform to their design spec. For Puppy, that design spec was not based on security.

Cheers,
Mark
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Mon 20 Nov 2006, 20:45    Post subject:  

OK Mark, after we get the pup_save encrypted, and assuming the swap is off or otherwise dealt with, what do you see as Puppy's next most important vulnerability? BTW are you concerned about using only aes128 and cryptoloop, and can a respectable password make up for much of the shortcomings they have?

To me it looks like email security is next, e.g. Enigmail, but that's just a guess.

I had thought (completely as an amateur, of course) Puppy would be starting with some advantages already, since it is not windows and since it is a live CD and since it allows the user to take it (and his data) with him on a keychain and since it can be run on a system with no telltales left behind on a hard drive. Was that an incorrect assessment?

I'd like to know of other hardened OSs, particularly live CDs, if you have suggestions. I did take a look at Knoppix-MiB but it is no longer being supported.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11180
Location: Arizona USA

PostPosted: Mon 20 Nov 2006, 21:57    Post subject:  

I'm running Puppy from a multisession DVD in a computer with no hard drive. As far as physical security of the work you do on the computer is concerned I don't know how you could beat that. Shut down the computer and remove the DVD, and there's no trace of you left on the computer.

Of course, once you're on a network, especially with a wireless connection, you have to worry about your communications being overheard. Plus, it's possible to embed a keystroke logger in a keyboard's microcode (most keyboards have their own little processor inside) and then send things like passwords to the mother ship, undetectably embedded in normal network traffic.

Face it, security, like world peace, is an unattainable ideal, something that cannot be achieved except perhaps for a fleeting instant. Blink and you'll miss it.

If you haven't already seen it, there's links to lots of useful security stuff here, under Security discussion
Gn2


Joined: 16 Oct 2006
Posts: 936
Location: virtual - Veni vidi, nihil est adpulerit

PostPosted: Mon 20 Nov 2006, 22:26    Post subject:  

Sorry for any disclaimer - your efforts to enable encryption are well respected - NOT a trivial task!

(My biases only - isn't it somewhat redundant ) ? ~

If removable media is used for persistent storage - & esp. if outside access
is Tmp disabled when mounting or making storage media visible in session!

IMHO - There is then no physical outside access to the only (highly dubious) vulnerability?

As Marksouth pointed out - Puppy is NOT the platform of choice when "Carrier Grade Security" IS Req'd !

On a normal hard drive install more precautions may be advisable
but it has been stressed many times :
It is the USER's own bad habits.... that aid any malware success.

Think of firewalls - a badly implemented FW rules Cfg - is worse than none at all.

A simile may be -the O/System may be blindly fast - but all is wasted CPU cycles due to user inability to task in step.

Please do not take that as any valid reason to abandon your efforts - the whole learning process itself... is not only highly valuable -
But very instructive for myself as example.
We just have different priorities at the moment ?

Thnx for the courtesy of allowing me to comment.
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Tue 21 Nov 2006, 02:45    Post subject:  

Yes, Flash, multi-session CD/DVD is another security plus for Puppy.

Puppy will never have to have the security that a bank has. It is for individual users. It just needs "good enough" security. What is "good enough"? When you have thwarted the government snoops well enough that they just give up the tech approach and send their JBTs (jack-booted thugs) around to beat you up to find out what you know. Security beyond that is clearly superfluous.

Obviously that will vary from country to country, so we just play it by ear on the level of security we put into Puppy. Those who need more can add it as they need it.

When you get to that level, and they are pounding on your door at 3AM, you stop fooling with the computer and pick up the rifle.

So no, we don't need perfect security.
Mic67

Joined: 30 Oct 2006
Posts: 478

PostPosted: Tue 21 Nov 2006, 03:50    Post subject:  

LOL "I dont get this thread".

Yep, there are about 10 distros that cater to the security aspect of Linux as an OS, but not the same way Puppy does, particularly for older machines.

"The main security issue for Puppy is one of data security...". Humm...what they are doing seems like a good thing. In fact I believe that Vista has incorporated that as well. Go to www.grc.com and listen to podcast #65 Vista.

A couple of things with that. First, without a secure system your encryption may not be able to be read, but that does not mean it cannot be messed with, particularly if on a HD that can be written to. If the encrypted text is messed with, and when you try to decrypt it - was it the fault of the OS, app, hardware, file corruption or an intruder? You would probably least likely choose an intruder, right? After all it is Linux. There are a lot of ifs, and I don't know how it will all work - together. But I do foresee a post like I suggest. Me personally, I would not use it; that doesn't mean that it should not be developed or used by others. In my view network security comes first. Your network is your computer, period.

If an OS has no means to FULLY monitor the network you are on then you have very little way of knowing if your browser crashed from the software itself or you had a DOS. Lobster said Firefox kept crashing on him and implied it was the app or SW combination. Well, if he was using the browser, likely he was on the net. Did he have a means to determine what was occurring on the network, and was it sufficient?

Here are a couple of tips:

Know your system. That means look at the RAM window and the CPU load window, use the xnetload monitor for throughput. Know what ought to be compared to what is. Java OFF.

Netstat and all the options it affords is no less than amazing; not many use it to its full advantage nor necessarily understand all that it offers. But there are limitations. Humm... if you are suggesting a "secure puppy" distro that would be amazing, another niche.

Yep, puppy has iptables, thank you Barry. Now pretty much that is the current de facto standard for Linux as I am aware. But many newbies, if not all, wouldn't be able to configure it beyond the wizard, and it badly needs to be configured beyond what the wizard offers. But that is definitely beyond any newbie's ability, thus a "front end" GUI.

How many configure the FW beyond what the wizard offers? Anyone out there? And if so what mods do you make?

It can be configured for:
syn-flood protection
port scanners
DOS
And become more stateful in it defense of your computer.

How to use the many FW templates on the net that will do this is, or should be, simple to incorporate in Puppy (by the users, even as a dot pup), although I can't give any advice yet on how to do that except by manually entering them into iptables - each rule, that is.

Default puppy FW does not do all that it can. That is left up to the user for compatibility's sake, and probably rightly so.

Although I don't like that port 6000 is listening by default and is an open port. How do you stop this other than a FW config rule?

In rxvt type:

netstat -tulp

press enter

I haven't figured out how to configure the logging of iptables yet.

If the FW isn't easy to configure then it won't happen. After all it's Linux, right? Yet there are a lot of URLs about Linux security and the like; if security is not an issue then why bother?

Linux is more secure than Windows, yes, but the more I learn as a newbie, and from experiences in Windows, there are issues and necessary concerns. Now from the sounds of it Vista's implementation of security sounds pretty impressive if it really ends up working, on a 3Ghz 2 meg ram as min. specs. No thanks. Which is equivalent to Puppy on a P2 400 with 512 ram.

Humm.. no swap option, that's an idea, but many systems, particularly older ones, may need it. What is on swap stays on swap on shutdown and boot up. Security concern, you bet; possibility of a TSR (from that and in RAM), you bet.

It's nice to know that some may have understood raw sockets in both Windows and Linux, but most don't. There were no random links; they were there as a reference of sorts.

"start by developing a detailed security model" now that seems like an idea. And puppy would be the best starting point, better than any other by far. But I really believe (as a newbie) that it would not take much to have the tools to provide the means for a more secure puppy. I can't write SW, although I can edit it to an extent or maybe understand how it works. I can't DL any Linux applications and try them on puppy without compiling or modification, as I understand it. But I have looked at the apps in other distros to try and understand those apps.

"Secure systems are a good thing. Puppy is not a secure system. "

So it follows that for Puppy to be a "good thing" it ought to be a "secure system". I believe Puppy is a secure system if used in the right way. But the network security can be significantly improved.

"Does that make Puppy a bad thing? Of course not."
You're joking, right? This is too much of a contradiction.

Like many have said and will continue to say Puppy is a good thing, including me.

By improving the security of the Puppy OS it will help in the development of the OS itself by making any issues with the malicious things that can and do happen regularly on a network.

Any OS that can not be written to and limited to a Compact Disk type medium is secure unto itself.

Most who come to puppy from windows look to the FW, well there is nothing to see and little to config. from.

I don't know all the Linux security apps out there, but 2 essential things are a network monitor (IP address, protocol, port, etc.) and a log (with "watch -n s tail /var/log/messages") that are understandable and configurable; this is a minimum. A means to terminate unwanted connections would be better than having to log off. Pretty much this is standard in a Windows firewall.
Surely there is a linux app. out there like that.

Suggestions anyone?

"One judges systems by how well they conform to their design spec. For Puppy, that design spec was not based on security."

LOL, sorry for laughing so much, but you are joking again right?

I could care less how it conforms to any design spec other than that it is small, fast and works. There are puppys of all different sizes and functions. Please tell me which OS (entity or user) judges their system by their design spec conformity? For the most part I don't care if puppy conforms to its own design spec or not. Why should I? It's not mine. But I do choose to use it, and it is for more than just design spec. It has been said in one post in "puppy for teens" that they could care less what the OS is so long as it can do what they want.

"I'd like to know of other hardened OSs, particularly live CD"

http://www.livecdlist.com/?pick=All&showonly=Security&sort=&sm=1
"Currently displaying 25 LiveCD/DVDs"
http://www.livecdlist.com/

"Face it, security, like world peace, is an unattainable ideal"

There is no such thing as a secure computer. The day that politicians will allow voting by home networked computer will be the first day of secure computers and the system will be called "CHAD" made in florida.

http://www.murga-linux.com/puppy/viewtopic.php?p=4548#4548

http://www.goosee.com/puppy/wikka/Security
The requested URL /puppy/wikka/Security was not found on this server.
http://bcheck.scanit.be/bcheck/choosetests.php
Sorry, the test won't work without Javascript. Please enable it and come back. Read the FAQ for explanation why we need Javascript for the test.

"Why do you want me to enable Javascript for the test? Do you want me to lower my security?

You are more secure without Javascript than with Javascript. A lot of browser security problems are problems in Javascript implementation. However there are some bugs that can be exploited even when Javascript is disabled. "

Enough said on that.

"Think of firewalls - a badly implemented FW rules Cfg - is worse than none at all"

Humm... badly implemented FW rules are worse than none at all in that they provide a false sense of security.

"A simile may be - the O/System may be blindly fast - but all is wasted CPU cycles due to user inability to task in step."

Working together to a more secure Network Puppy.
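Added example, not Puppy's rc.firewall and not from Mic67's post: a stateful iptables policy of the kind asked for above (SYN rate limiting, NULL and XMAS scan packets dropped, only a bare SYN may open a connection, ping rate limited, everything else logged with a rate limit and then rejected, TCP 6000 reachable only over loopback), written as a POSIX shell generator so the rule list can be reviewed before it is installed as root with the argument apply. It assumes the iptables options available on a 2006 kernel (-m state, -m limit, --tcp-flags, -j LOG, -j REJECT). The WAN interface defaults to ppp0 because that is what the routing table in Mic67's first post shows; the ALLOW_TCP list, the SYN_LIMIT chain, the FW-DROP: log prefix and the function names are this example's own. LOG rules answer the logging question in the post: the entries go to the kernel log, so they show up in dmesg and, through syslog, in /var/log/messages. One caveat when comparing against the iptables -L listing earlier in the thread: without -v -n that listing hides the interface match, so a rule printed as "ACCEPT ... state NEW" may in fact be limited to lo; check with iptables -L -v -n before judging a ruleset.

```shell
#!/bin/sh
# Added example: a stateful iptables policy written as a generator, so the
# rules can be reviewed before they are installed. Not Puppy's rc.firewall.
# Usage:  sh fw-gen.sh          # print the rules for review
#         sh fw-gen.sh apply    # as root: install them

WAN=${WAN:-ppp0}             # Internet-facing interface (ppp0 in the post's routing table)
ALLOW_TCP=${ALLOW_TCP:-}     # TCP ports to expose on $WAN, e.g. "22"; empty = nothing

# gen_rules: print the iptables commands, one per line, in the order they must run.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback is trusted: local X clients still reach the server on TCP 6000
iptables -A INPUT -i lo -j ACCEPT
# packets the connection tracker cannot classify are dropped
iptables -A INPUT -m state --state INVALID -j DROP
# stateful core: replies to connections we opened come back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SYN flood / scan throttling: new TCP connection attempts above the rate are dropped
iptables -N SYN_LIMIT
iptables -A SYN_LIMIT -m limit --limit 20/second --limit-burst 40 -j RETURN
iptables -A SYN_LIMIT -j DROP
iptables -A INPUT -i $WAN -p tcp --syn -j SYN_LIMIT
# port-scan probes: NULL and XMAS packets are never part of a real connection
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# a new TCP connection must begin with a bare SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# ping allowed but rate limited; all other ICMP dropped
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
EOF
    # explicitly exposed services, if any
    for port in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $WAN -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# everything else: log (rate limited so the log cannot be flooded) then reject
iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# count_rules_for TARGET: number of generated rules that jump to TARGET (review aid).
count_rules_for() {
    gen_rules | grep -c -- "-j $1\$"
}

case "${1:-}" in
    apply) gen_rules | sh -e ;;
    *)     gen_rules ;;
esac
```

The order matters: ESTABLISHED,RELATED is accepted before the SYN limiter so only genuinely new connections are throttled, and the LOG rule sits last so it records exactly what the final REJECT rules refuse. Rejecting with tcp-reset rather than silently dropping makes the machine look like it has no service on the port instead of looking filtered, which is less interesting to a scanner.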
marksouth2000

Joined: 05 Apr 2006
Posts: 620

PostPosted: Tue 21 Nov 2006, 05:16    Post subject:  

PaulBx1 wrote:
OK Mark, after we get the pup_save encrypted, and assuming the swap is off or otherwise dealt with, what do you see as Puppy's next most important vulnerability? BTW are you concerned about using only aes128 and cryptoloop, and can a respectable password make up for much of the shortcomings they have?

Indeed, Paul, you ask a lot of very good questions. Let's start with some specifics and move to the general, OK?

Cryptoloop and AES128: when you implemented these, did you do it in such a way that other methods would be easy to slot in? I assume that you did - must get round to trying out your contributions myself. If so, then I have no concerns there, because harder encryption can be put in place. Choosing passphrases is always a toughie. I would suggest that using stacked keys would make it harder for the police state to recover the info they need to crack the system. Put your pup_save on a usb stick, have another stick that contains a long key needed to unlock the first one, etc.

Another idea would be to use steganography to hide the real pup_save inside an innocent one, like keep a music or photographs folder inside the fake pup_save with the real secure data steganised inside them.

With regard to the swap issue, what about at shutdown doing a wipe of swap if you have used it? Even a
Code:
swapoff /dev/sdXN                       # sdXN is a placeholder for the swap partition; run mkswap on it before the next swapon
dd if=/dev/urandom of=/dev/sdXN bs=1M   # /dev/random would block for ages on a whole partition; urandom does not
would help.

Quote:
To me it looks like email security is next, e.g. Enigmail, but that's just a guess.

I'd suggest browser anonymising (tor etc) and autoclearing all traces of browsing activity come ahead of that. Email security is also good though.

Quote:
I had thought (completely as an amateur, of course) Puppy would be starting with some advantages already, since it is not windows and since it is a live CD and since it allows the user to take it (and his data) with him on a keychain and since it can be run on a system with no telltales left behind on a hard drive. Was that an incorrect assessment?

Puppy does start with the advantages of a liveCD. That gives us a certain degree of tracelessness and a large degree of protection of the running system, since this is renewed at each boot. However, the running system can still be compromised by the effects of unionfs, right? So maybe a secure puppy should have unionfs turned off OR generate immediate alarms upon changes to certain parts of the union.

If intrusion defence is important, one then needs to think about how to detect activity, like tripping on certain kinds of log entry and so on, or changes to executables being made that would be saved back to the pup_save file.

The firewall is a key component of this, and better than having user configuration, one could write a decently hard configuration for it to be set to by default. Not much work there, and it would address the legitimate concerns of the OP - maybe he could be persuaded to do some work on it?

Quote:

I'd like to know of other hardened OSs, particularly live CDs, if you have suggestions. I did take a look at Knoppix-MiB but it is no longer being supported.

OpenBSD is one of the paradigmatic hardened systems, where everything is off by default, common services are run with low privileges and chrooted (apache, sendmail, for example) and any code that connects outside is heavily audited. And it's not a lab project, but a real running system.

This shows up one of the problems about starting from Puppy for a true secure system. You first have to strip out all code not needed. Then you have to check that no exploits are possible upon other remaining code, like gxine can't be compromised remotely. How do you do that? The answer is, it's like building the pyramids. (Easy, just keep cutting big stones and piling them up till you have a pyramid.)

So I think that we can work out a way in which Puppy can have good data security, and low traceability, but I doubt it will be worth the effort to try to build secure servers out of it, or harden it against attack. But one has to choose the most suitable between yin and yang, and Puppy has some flexibility between the two.

Thanks for the well-thought-out questions.

Cheers,
Mark
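The "alarm on changes to executables" idea in the post above, as an added example that is not part of the thread or of Puppy itself: a small baseline-and-compare integrity check in plain sh. It assumes sha256sum (coreutils or busybox) is available; the directory and baseline file paths are placeholders chosen by whoever runs it.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity check of the kind
# described above (raise an alarm when executables in the union change).
# Assumes sha256sum (coreutils or busybox); directory and baseline paths are
# placeholders chosen by the caller.

# Hash every regular file below $1 into baseline file $2 ("hash  path" per line).
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | xargs -r sha256sum > "$2"
}

# Print the path column of a sha256sum listing (64 hex chars + 2 spaces = 66).
paths_in() {
    cut -c67- "$1"
}

# Compare directory $1 against baseline $2. Prints MODIFIED/NEW/MISSING lines
# and returns 1 when anything differs, 0 when the tree matches the baseline.
check_baseline() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    status=0
    find "$dir" -type f | LC_ALL=C sort | xargs -r sha256sum > "$current"
    # every file present now: same hash as recorded, changed, or never recorded
    while read -r hash path; do
        if ! grep -Fxq -e "$hash  $path" "$baseline"; then
            if paths_in "$baseline" | grep -Fxq -e "$path"; then
                echo "MODIFIED $path"
            else
                echo "NEW $path"
            fi
            status=1
        fi
    done < "$current"
    # every file recorded in the baseline that has since disappeared
    while read -r hash path; do
        if ! paths_in "$current" | grep -Fxq -e "$path"; then
            echo "MISSING $path"
            status=1
        fi
    done < "$baseline"
    rm -f "$current"
    return $status
}

# Typical use (placeholder paths): make_baseline /usr/bin /root/bin.sha256 once,
# then check_baseline /usr/bin /root/bin.sha256 from a cron job or at shutdown;
# a non-zero return is the "alarm".
```

The baseline only means something if it is stored somewhere the running system cannot quietly rewrite (a read-only CD, or a separate stick), which is the same reasoning as the stacked-key suggestion above: the check is only as trustworthy as the copy it compares against.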
Gn2


Joined: 16 Oct 2006
Posts: 936
Location: virtual - Veni vidi, nihil est adpulerit

PostPosted: Tue 21 Nov 2006, 06:15    Post subject:  

Mic67
Quote:
"I'd like to know of other hardened OSs, particularly live CD"
Your list of liveCDs is NOT a selection of full O/Systems - it is a listing of dedicated liveCDs containing varied security tools!
NTIM - I can be pragmatic -since both have - & use some)
Quote:
Suggestions anyone?
Below is main top contender = SEL - to be employed on hard drive install
RUNNING ENTIRELY IN RAM - renders MOST security concerns in this entire thread >> redundant
Turn off persistent storage while on-line - ALL of this entire thread - Including Encryptions - is redundant !

Use an onion Router + masked proxy = UNTRACEABLE !
Who then cares if all ports are open ?

http://www.nsa.gov/selinux/papers/inevitability/

http://www.gentoo.org/proj/en/hardened/rsbac/overview.xml

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

Why don't you close ports if so security conscious ?
Code:
netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ipp                   *:*                     LISTEN      9020/cupsd
udp        0      0 *:bootpc                *:*                                 8996/dhcpcd
udp        0      0 *:ipp                   *:*                                 9020/cupsd

Mic67 ~ You come from a Windows environment.

All others ~ Are not running entirely in RAM/live mode now - and have hard drive access
~ Have little concept of how fingerprinting methods are employed !
~ Have already been "socially engineered".
= Change the incentive -MAKE it WORTHWHILE..... (are already well on road to being rooted) !

Please NOTE > if you re-read the suggested "Conditions of Use: Puppy in Secure Mode" -
it is Impossible to get rooted !

Mic67 - You have been patiently replied to in detail .... yet ???
Please pause a moment in your enthusiasm to pursue & reflect : > Your posts are a "Generic" linux topic - (belong in Misc ) ? -
AFAICS : Are neither a specific Puppy query, nor address any Puppy Pkge/How to install non-PUP Apps.
Let alone specifics of configuring any.

You do have a right to express - but where & dealing in fact - not suppositions

TIA
GuestToo
Puppy Master

Joined: 04 May 2005
Posts: 4078

PostPosted: Tue 21 Nov 2006, 07:12    Post subject:  

Quote:
You have been patiently replied to in detail .... yet ???

this thread does have a slight trollish feel to it

Quote:
SEL ... renders MOST security concerns in this entire thread >> redundant

yes, SEL basically is a more powerful and flexible permissions system than the standard root/unprivileged-user permissions system ... if it's set up properly, it doesn't matter if you are running as spot or root or nobody ... BUT ... it can be tricky to configure the SEL permissions properly ... Fedora core had a number of releases that were twitchy because the SEL permissions were not quite right ... it took them a while to get things to work more or less right

and whatever the permission system, if it's not configured properly, it can easily be less safe than Puppy running as root

there are a few machines running SEL that you can connect to ... as root ... as a demo of how safe it is

Quote:
I don't like that port 6000 is listening by default and is an open port

i am running Puppy 212 which by default runs Xorg with the -nolisten tcp option ... see /usr/X11R7/bin/xwin ... if you are running Xvesa, and it doesn't have the -nolisten tcp option, you can put it in the /etc/xextraoptions ... either edit it directly or use the video wizard

if you use the -nolisten tcp option, port 6000 will be closed, but i think that you will not be able to run X apps if you chroot to another OS

on my default Puppy 212:

# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:8118          *:*                     LISTEN      3974/privoxy

the only open port i have is Privoxy 3.0.6, and it is only accessible locally, on this machine

you can run the standard default Puppy for months without any firewall rules set up ... there is nothing for a worm to connect to
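The distinction GuestToo draws here (Privoxy bound to localhost versus cupsd bound to *), as an added example that is not from the thread or from Puppy: a short sh/awk filter over netstat -tulp output that marks each listener as reachable from the network or only from the machine itself. The sample input is constructed from the two outputs quoted in this thread; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: classify "netstat -tulp" listeners by
# whether they are bound to a wildcard address (reachable from the network)
# or to the loopback address (reachable only from this machine).

# Reads netstat -tulp output on stdin and prints one line per listener:
#   EXPOSED|LOCAL <proto> <local address> <pid/program>
classify_listeners() {
    awk '
        # skip the two header lines; keep only tcp/udp rows
        $1 != "tcp" && $1 != "udp" && $1 != "tcp6" && $1 != "udp6" { next }
        {
            addr = $4
            sub(/:[^:]*$/, "", addr)        # drop the port, keep the address
            scope = "EXPOSED"
            if (addr == "localhost" || addr == "127.0.0.1" || addr == "::1")
                scope = "LOCAL"
            print scope, $1, $4, $NF        # $NF is PID/Program name on every row
        }'
}

# Number of listeners reachable from the network (what a worm could connect to).
count_exposed() {
    classify_listeners | grep -c '^EXPOSED'
}

# Constructed sample: the cupsd/dhcpcd lines and the privoxy line quoted above,
# merged into one listing for illustration.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ipp                   *:*                     LISTEN      9020/cupsd
udp        0      0 *:bootpc                *:*                                 8996/dhcpcd
udp        0      0 *:ipp                   *:*                                 9020/cupsd
tcp        0      0 localhost:8118          *:*                     LISTEN      3974/privoxy'

# Demonstration on the constructed sample. On a live box you would instead run:
#   netstat -tulp | classify_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_exposed)"
```

On the sample, cupsd (tcp and udp) and dhcpcd are marked EXPOSED and privoxy LOCAL, which is the point of GuestToo's post: a service on localhost is not something a remote worm can reach, whereas anything on * needs either a firewall rule or to be stopped. dhcpcd's bootpc socket is the normal DHCP client and has to stay open while the lease is being renewed.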
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Tue 21 Nov 2006, 12:07    Post subject:  

Quote:
Cryptoloop and AES128: when you implemented these, did you do it in such a way that other methods would be easy to slot in?


Mark, it is a stretch to say I implemented anything. Not being that good with software, my role has been that of chief nagger, trying to keep things going along. However I did just finish a rework of kirk's Encrypt-pupsave script, so I'm not completely worthless, ha ha.

I believe it is possible to add aes256 and maybe other encryptions relatively simply; just need to ask Barry to add them to the zdrv repository I think. As to replacing cryptoloop, we went back and forth with that (me being a proponent of replacement) and I was finally convinced it would be a fair amount of work, so for now I think we will just go with what we've got and deal with things like swap and email and maybe firewall enhancements/logging next. Browser anonymizing is yet another thing to look at; I never thought of it.

We talked about a simple dd of swap at shutdown but that seems rather thin. Anyone who is serious is going to buy more memory, but there may be other alternatives that work as well.

Quote:
However, the running system can still be compromised by the effects of unionfs, right? So maybe a secure puppy should have unionfs turned off OR generate immediate alarms upon changes to certain parts of the union.

Sounds like a great idea Mark. Can we rope you into doing it?

Quote:
you can run the standard default Puppy for months without any firewall rules set up ... there is nothing for a worm to connect to


Add this to the list of security pluses for Puppy.

Quote:
if you use the -nolisten tcp option, port 6000 will be closed, but i think that you will not be able to run X apps if you chroot to another OS

Guest Too, I'm interested in turning this off, but I don't understand the ramifications. Is chrooting to another OS something that normal people do? In other words, is that something that happens in the background during browsing, or anything like that? I want to know if I can dispense with it. Maybe there is some way to run with it off normally, only turning port 6000 listening on in a script at those rare times when you need it on?

My O'Reilly Linux Security Cookbook (a good resource by the way) notes that you can "create a chroot cage by running the GNU chroot program instead of the service." We're already there, aren't we?

Of course maybe this is being paranoid, since we apparently don't even need a firewall. I guess that is the point you were making.