Net Security

marksouth2000
Posts: 622
Joined: Wed 05 Apr 2006, 20:43

#21 Post by marksouth2000 »

PaulBx1 wrote:
Puppy has the goal of being a useful desktop for older machines and of leaving as small a footprint as possible.
That's the starting point, yes. Then everyone and their grandma around here take it and make different flavors of it. :)

I'm glad people are thinking about security, even if others have to roll their eyes.
I *am* rolling my eyes. And when I roll my eyes, the guy rolling his eyes has consulted on computer security to some of the biggest banks and telcos in the world.

There are operating systems that are designed from scratch to be secure. There are operating systems that are designed to be easy to use and to work on pretty much any kind of hardware. (Insert "Linux distro" in place of "operating system" if you like.) Trouble is that the goals are largely mutually exclusive. And even if you want to layer security onto something insecure, you need a good model for what you're trying to achieve.

I think what you guys are doing with encrypted pup_saves is brilliant. I think that a NOSWAP boot option would be an excellent idea.

I think that simply saying "Steve Gibson says we all need to break standards to keep ourselves hidden and then everything will be good" and posting links to randomly chosen sites is a hopeless endeavour. Which is why I suggested that the OP spend effort on helping you guys with your work, because one can EITHER start by developing a detailed security model (with the inevitable conclusion that Puppy would not be the starting point to choose - and I say this speaking as one of Puppy's greatest fans) OR one can work on building useful components of security mechanisms that can be added on as useful to individual users.

Finally, I am quite familiar with police states, I've lived in one that was such when I lived there (and is no longer) and in another that is well on its way. Which is why I prefer to be where I am now. Secure systems are a good thing. Puppy is not a secure system. Does that make Puppy a bad thing? Of course not. One judges systems by how well they conform to their design spec. For Puppy, that design spec was not based on security.

Cheers,
Mark

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#22 Post by PaulBx1 »

OK Mark, after we get the pup_save encrypted, and assuming the swap is off or otherwise dealt with, what do you see as Puppy's next most important vulnerability? BTW are you concerned about using only aes128 and cryptoloop, and can a respectable password make up for much of the shortcomings they have?

To me it looks like email security is next, e.g. Enigmail, but that's just a guess.

I had thought (completely as an amateur, of course) Puppy would be starting with some advantages already, since it is not windows and since it is a live CD and since it allows the user to take it (and his data) with him on a keychain and since it can be run on a system with no telltales left behind on a hard drive. Was that an incorrect assessment?

I'd like to know of other hardened OSs, particularly live CDs, if you have suggestions. I did take a look at Knoppix-MiB but it is no longer being supported.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#23 Post by Flash »

I'm running Puppy from a multisession DVD in a computer with no hard drive. As far as physical security of the work you do on the computer is concerned I don't know how you could beat that. Shut down the computer and remove the DVD, and there's no trace of you left on the computer.

Of course, once you're on a network, especially with a wireless connection, you have to worry about your communications being overheard. Plus, it's possible to embed a keystroke logger in a keyboard's microcode (most keyboards have their own little processor inside) and then send things like passwords to the mother ship, undetectably embedded in normal network traffic.

Face it, security, like world peace, is an unattainable ideal, something that cannot be achieved except perhaps for a fleeting instant. Blink and you'll miss it. :lol:

If you haven't already seen it, there are links to lots of useful security stuff here, under Security discussion

Gn2
Posts: 943
Joined: Mon 16 Oct 2006, 05:33
Location: virtual - Veni vidi, nihil est adpulerit

#24 Post by Gn2 »

Sorry for any disclaimer - your efforts to enable encryption are well respected - NOT a trivial task!

(My biases only - isn't it somewhat redundant ) ? ~

If :idea: removable media is used for persistent storage - & Esp if outside access
is Tmp disabled when mounting/or making storage media visible in session !

IMHO - There is then no physical outside access to only (highly dubious) vulnerability ?

As Marksouth pointed out - Puppy is NOT the platform of choice when "Carrier Grade Security" IS Req'd !

On a normal hard drive install more precautions may be advisable
but it has been stressed many times :
It is the USER's own bad habits.... that aid any malware success.

Think of firewalls - a badly implemented FW rules Cfg - is worse than none at all.

A simile may be -the O/System may be blindly fast - but all is wasted CPU cycles due to user inability to task in step.

Please do not take that as any valid reason to abandon your efforts - the whole learning process itself... is not only highly valuable -
But very instructive for myself as example.
We just have different priorities at the moment ?

Thnx for the courtesy of allowing me to :oops: comment.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#25 Post by PaulBx1 »

Yes, Flash, multi-session CD/DVD is another security plus for Puppy.

Puppy will never have to have the security that a bank has. It is for individual users. It just needs "good enough" security. What is "good enough"? When you have thwarted the government snoops well enough that they just give up the tech approach and send their JBTs (jack-booted thugs) around to beat you up to find out what you know. Security beyond that is clearly superfluous.

Obviously that will vary from country to country, so we just play it by ear on the level of security we put into Puppy. Those who need more can add it as they need it.

When you get to that level, and they are pounding on your door at 3AM, you stop fooling with the computer and pick up the rifle. :)

So no, we don't need perfect security.

Mic67

#26 Post by Mic67 »

LOL "I don't get this thread".

Yep there are about 10 distros that cater to the security aspect of Linux as an OS, but not the same way Puppy does, particularly for older machines.

"The main security issue for Puppy is one of data security...". Humm...what they are doing seems like a good thing. In fact I believe that Vista has incorporated that as well. Go to www.grc.com and listen to podcast #65 Vista.

A couple of things with that. First, without a secure system your encryption may not be able to be read, but that does not mean it can not be messed with, particularly if on a HD that can be written to. If the encryption text is messed with, and when you try to decrypt it - was it the fault of the OS, app, hardware, file corruption or an intruder? You would probably least likely choose an intruder, right? After all it is Linux. There are a lot of if's, and I don't know how it will all work - together. But I do foresee a post like I suggest? Me personally I would not use it, that doesn't mean that it should not be developed or used by others. In my view network security comes first. Your network is your computer, period.

If an OS has no means to FULLY monitor the network you are on then you have very little way of knowing if your browser crashed from the software itself or you had a DOS. Lobster said Foxfire kept crashing on him and implied it was the app. or SW combination. Well if he was using the browser, likely he was on the net. Did he have a means to determine what was occurring on the network, and was it sufficient?

Here are a couple of tips:

Know your system. That means look at the ram window and the cpu load window, use the xnetload monitor for throughput. Know what ought to be compared to what is. Java OFF>.

Netstat and all the options it affords is no less than amazing; not many use it to its full advantage nor necessarily understand all that it offers. But there are limitations. Humm... if you are suggesting a "secure puppy" distro that would be amazing, another niche.

Yep puppy has Iptables, thank you Barry. Now pretty much that is the current de facto standard for linux as I am aware. But many newbies, if not all, wouldn't be able to config. it beyond the wizard and it badly needs to be configured beyond what the wizard offers. But that is definitely beyond any newbie's ability, thus a "front end" gui.

How many configure the FW beyond what the wizard offers? Anyone out there? And if so what mods do you make?

It can be configured for:
syn-flood protection
port scanners
DOS
And become more stateful in its defense of your computer.

How to use the many FW templates on the net - that will do this is or should be simple to incorporate in Puppy (but the users, even a dot pup), although I can't give any advice yet on how to do that except by manually entering them into iptables - each rule that is.

Default puppy FW does not do all that it can. That is left up to the user for compatibility's sake, and probably rightly so.

Although I don't like that port 6000 is listening by default and is an open port. How do you stop this other than a FW config. rule?

In rxvt type:

netstat -tulp

press enter

I haven't figured out how to configure the logging of Iptables yet.

If the FW isn't easy to configure then it won't happen. After all it's Linux, right? Yet there are a lot of URLs about linux security and the like; if security is not an issue then why bother?

Linux is more secure than windows, yes, but the more I learn as a newbie and from experiences in windows there are issues and necessary concerns. Now from the sounds of it Vista's implementation of security sounds pretty impressive if it really ends up working, on a 3Ghz 2 meg ram as min. specs. No thanks. Which is equivalent to Puppy on a P2 400 with 512 ram.

Humm.. no swap option, that's an idea but many systems, particularly older ones, may need it. What is on swap stays on swap on shut down and boot up. Security concern, you bet; possibility of a TSR (from that and in ram), you bet.

It's nice to know that some may have understood raw sockets in both windows and linux but most don't. There were no random links; they were there as a reference of sorts.

"start by developing a detailed security model" now that seems like an idea. And puppy would be the best starting point than any other by far. But I really believe (as a newbie) that it would not take much to have the tools to provide the means for a more secure puppy. I can't write SW, although I can edit it to an extent or maybe understand how it works. I can't DL any Linux applications and try them on puppy without compiling or modification, as I understand it. But I have looked at the apps. in other distros to try and understand those apps.

"Secure systems are a good thing. Puppy is not a secure system. "

So it follows that for Puppy to be a "good thing" it ought to be a "secure system". I believe Puppy is a secure system if used in the right way. But the network security can be significantly improved.

"Does that make Puppy a bad thing? Of course not."
You're joking, right? This is too much of a contradiction.

Like many have said and will continue to say Puppy is a good thing, including me.

By improving the security of the Puppy OS it will help in the development of the OS itself by making any issues with the malicious things that can and do happen regularly on a network.

Any OS that can not be written to and limited to a Compact Disk type medium is secure unto itself.

Most who come to puppy from windows look to the FW, well there is nothing to see and little to config. from.

I don't know all the linux security apps out there but 2 essential things are a network monitor (ip address, protocol, port, etc) and log (with "watch -n s tail /var/log/messages"), that are understandable and configurable; this is a minimum. A means to terminate unwanted connections would be better than having to log off. Pretty much this is standard in a windows firewall.
Surely there is a linux app. out there like that.

Suggestions anyone?

"One judges systems by how well they conform to their design spec. For Puppy, that design spec was not based on security."

LOL, sorry for laughing so much, but you are joking again right?

I could care less how it conforms to any design spec. other than it is small, fast and works. There are puppys of all different sizes and function. Please tell me which OS (entity or user) judges their system by their design spec. conformity? For the most part I don't care if puppy conforms to its own design spec. or not. Why should I, it's not mine. But I do choose to use it, and it is for more than just design spec. It has been said in one post in "puppy for teens" that they could care less what the OS is so long as it can do what they want.

"I'd like to know of other hardened OSs, particularly live CD"

http://www.livecdlist.com/?pick=All&sho ... sort=&sm=1
"Currently displaying 25 LiveCD/DVDs"
http://www.livecdlist.com/

"Face it, security, like world peace, is an unattainable ideal"

There is no such thing as a secure computer. The day that politicians will allow voting by home networked computer will be the first day of secure computers and the system will be called "CHAD" made in Florida.

http://www.murga-linux.com/puppy/viewto ... =4548#4548

http://www.goosee.com/puppy/wikka/Security
The requested URL /puppy/wikka/Security was not found on this server.
http://bcheck.scanit.be/bcheck/choosetests.php
Sorry, the test won't work without Javascript. Please enable it and come back. Read the FAQ for explanation why we need Javascript for the test.

"Why do you want me to enable Javascript for the test? Do you want me to lower my security?

You are more secure without Javascript than with Javascript. A lot of browser security problems are problems in Javascript implementation. However there are some bugs that can be exploited even when Javascript is disabled. "

Enough said on that.

"Think of firewalls - a badly implemented FW rules Cfg - is worse than none at all"

Humm... badly implemented FW rules is worse than none at all in that it provides a false sense of security.

"A simile may be - the O/System may be blindly fast - but all is wasted CPU cycles due to user inability to task in step."

Working together to a more secure Network Puppy.

marksouth2000
Posts: 622
Joined: Wed 05 Apr 2006, 20:43

#27 Post by marksouth2000 »

PaulBx1 wrote: OK Mark, after we get the pup_save encrypted, and assuming the swap is off or otherwise dealt with, what do you see as Puppy's next most important vulnerability? BTW are you concerned about using only aes128 and cryptoloop, and can a respectable password make up for much of the shortcomings they have?
Indeed, Paul, you ask a lot of very good questions. Let's start with some specifics and move to the general, OK?

Cryptoloop and AES128: when you implemented these, did you do it in such a way that other methods would be easy to slot in? I assume that you did - must get round to trying out your contributions myself. If so, then I have no concerns there, because harder encryption can be put in place. Choosing passphrases is always a toughie. I would suggest that using stacked keys would make it harder for the police state to recover the info they need to crack the system. Put your pup_save on a usb stick, have another stick that contains a long key needed to unlock the first one, etc.

Another idea would be to use steganography to hide the real pup_save inside an innocent one, like keep a music or photographs folder inside the fake pup_save with the real secure data steganised inside them.

With regard to the swap issue, what about at shutdown doing a wipe of swap if you have used it? Even a

dd if=/dev/random
would help.
To me it looks like email security is next, e.g. Enigmail, but that's just a guess.
I'd suggest browser anonymising (tor etc) and autoclearing all traces of browsing activity come ahead of that. Email security is also good though.
I had thought (completely as an amateur, of course) Puppy would be starting with some advantages already, since it is not windows and since it is a live CD and since it allows the user to take it (and his data) with him on a keychain and since it can be run on a system with no telltales left behind on a hard drive. Was that an incorrect assessment?
Puppy does start with the advantages of a liveCD. That gives us a certain degree of tracelessness and a large degree of protection of the running system, since this is renewed at each boot. However, the running system can still be compromised by the effects of unionfs, right? So maybe a secure puppy should have unionfs turned off OR generate immediate alarms upon changes to certain parts of the union.

If intrusion defence is important, one then needs to think about how to detect activity, like tripping on certain kinds of log entry and so on, or changes to executables being made that would be saved back to the pup_save file.

The firewall is a key component of this, and better than having user configuration, one could write a decently hard configuration for it to be set to by default. Not much work there, and it would address the legitimate concerns of the OP - maybe he could be persuaded to do some work on it?
I'd like to know of other hardened OSs, particularly live CDs, if you have suggestions. I did take a look at Knoppix-MiB but it is no longer being supported.
OpenBSD is one of the paradigmatic hardened systems, where everything is off by default, common services are run with low privileges and chrooted (apache, sendmail, for example) and any code that connects outside is heavily audited. And it's not a lab project, but a real running system.

This shows up one of the problems about starting from Puppy for a true secure system. You first have to strip out all code not needed. Then you have to check that no exploits are possible upon other remaining code, like gxine can't be compromised remotely. How do you do that? The answer is, it's like building the pyramids. (Easy, just keep cutting big stones and piling them up till you have a pyramid.)

So I think that we can work out a way in which Puppy can have good data security, and low traceability, but I doubt it will be worth the effort to try to build secure servers out of it, or harden it against attack. But one has to choose the most suitable between yin and yang, and Puppy has some flexibility between the two.

Thanks for the well-thought-out questions.

Cheers,
Mark 8)

Gn2
Posts: 943
Joined: Mon 16 Oct 2006, 05:33
Location: virtual - Veni vidi, nihil est adpulerit

#28 Post by Gn2 »

Mic67
"I'd like to know of other hardened OSs, particularly live CD"
Your list of liveCD's :? is NOT a selection of full O/Systems - it is a listing of dedicated liveCDs containing varied security tools !
NTIM - I can be pragmatic -since both have - & use some)
Suggestions anyone?
Below is main top contender = SEL - to be employed on hard drive install
RUNNING ENTIRELY IN RAM - renders MOST security concerns in this entire thread >> redundant
Turn off persistent storage while on-line - :evil: ALL of this entire thread - Including Encryptions - is redundant !

Use an onion Router + masked proxy = UNTRACEABLE !
Who then cares if all ports are open ?

http://www.nsa.gov/selinux/papers/inevitability/

http://www.gentoo.org/proj/en/hardened/ ... erview.xml

http://www.gentoo.org/proj/en/hardened/ ... ndbook.xml

Why don't you close ports if so security conscious ?

netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ipp                   *:*                     LISTEN      9020/cupsd
udp        0      0 *:bootpc                *:*                                 8996/dhcpcd
udp        0      0 *:ipp                   *:*                                 9020/cupsd
Mic67 ~ You come from a Windows environment.

All others ~ Are not running entirely in RAM/live mode now - and have hard drive access
~ Have little concept of how fingerprinting methods are employed !
~ Have already been "socially engineered".
= Change the incentive -MAKE it WORTHWHILE..... (are already well on road to being rooted) !

Please NOTE > if you re-read the suggested "Conditions of Use: Puppy in Secure Mode" -
it is Impossible to get rooted !

Mic67 - You have been patiently replied to in detail .... yet ???
Please pause a moment in your enthusiasm to pursue & reflect : > Your posts are a "Generic" linux topic - (belong in Misc ) ? -
AFAICS : Are neither a specific Puppy query, - nor addresses any Puppy Pkge/How to install non-PUP Apps.
Let alone specifics of configuring any.

You do have a right to express - but where & dealing in fact - not suppositions

TIA

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#29 Post by GuestToo »

You have been patiently replied to in detail .... yet ???
this thread does have a slight trollish feel to it
SEL ... renders MOST security concerns in this entire thread >> redundant
yes, SEL basically is a more powerful and flexible permissions system than the standard root/unprivileged-user permissions system ... if it's set up properly, it doesn't matter if you are running as spot or root or nobody ... BUT ... it can be tricky to configure the SEL permissions properly ... Fedora core had a number of releases that were twitchy because the SEL permissions were not quite right ... it took them a while to get things to work more or less right

and whatever the permission system, if it's not configured properly, it can easily be less safe than Puppy running as root

there are a few machines running SEL that you can connect to ... as root ... as a demo of how safe it is
I dont like that port 6000 is listening by default and is an open port
i am running Puppy 212 which by default runs Xorg with the -nolisten tcp option ... see /usr/X11R7/bin/xwin ... if you are running Xvesa, and it doesn't have the -nolisten tcp option, you can put it in the /etc/xextraoptions ... either edit it directly or use the video wizard

if you use the -nolisten tcp option, port 6000 will be closed, but i think that you will not be able to run X apps if you chroot to another OS

on my default Puppy 212:

# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:8118 *:* LISTEN 3974/privoxy

the only open port i have is Privoxy 3.0.6, and it is only accessible locally, on this machine

you can run the standard default Puppy for months without any firewall rules set up ... there is nothing for a worm to connect to

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#30 Post by PaulBx1 »

Cryptoloop and AES128: when you implemented these, did you do it in such a way that other methods would be easy to slot in?
Mark, it is a stretch to say I implemented anything. Not being that good with software, my role has been that of chief nagger, trying to keep things going along. :lol: However I did just finish a rework of kirk's Encrypt-pupsave script, so I'm not completely worthless, ha ha.

I believe it is possible to add aes256 and maybe other encryptions relatively simply; just need to ask Barry to add them to the zdrv repository I think. As to replacing cryptoloop, we went back and forth with that (me being a proponent of replacement) and I was finally convinced it would be a fair amount of work, so for now I think we will just go with what we've got and deal with things like swap and email and maybe firewall enhancements/logging next. Browser anonymizing is yet another thing to look at; I never thought of it.

We talked about a simple dd of swap at shutdown but that seems rather thin. Anyone who is serious is going to buy more memory, but there may be other alternatives that work as well.
However, the running system can still be compromised by the effects of unionfs, right? So maybe a secure puppy should have unionfs turned off OR generate immediate alarms upon changes to certain parts of the union.
Sounds like a great idea Mark. Can we rope you into doing it? :)
you can run the standard default Puppy for months without any firewall rules set up ... there is nothing for a worm to connect to
Add this to the list of security plusses for Puppy.
if you use the -nolisten tcp option, port 6000 will be closed, but i think that you will not be able to run X apps if you chroot to another OS
Guest Too, I'm interested in turning this off, but I don't understand the ramifications. Is chrooting to another OS something that normal people do? :) In other words, is that something that happens in the background during browsing, or anything like that? I want to know if I can dispense with it. Maybe there is some way to run with it off normally, only turning port 6000 listening on in a script at those rare times when you need it on?

My O'Reilly Linux Security Cookbook (a good resource by the way) notes that you can "create a chroot cage by running the GNU chroot program instead of the service." We're already there, aren't we?

Of course maybe this is being paranoid, since we apparently don't even need a firewall. I guess that is the point you were making.

marksouth2000
Posts: 622
Joined: Wed 05 Apr 2006, 20:43

#31 Post by marksouth2000 »

PaulBx1 wrote: Mark, it is a stretch to say I implemented anything. Not being that good with software, my role has been that of chief nagger, trying to keep things going along. :lol: However I did just finish a rework of kirk's Encrypt-pupsave script, so I'm not completely worthless, ha ha.
OK, by "you" I meant "plural-you", does that work? :-)
...go with what we've got and deal with things like swap and email and maybe firewall enhancements/logging next. Browser anonymizing is yet another thing to look at; I never thought of it.
That sounds like the most realistic way to take it forward.
We talked about a simple dd of swap at shutdown but that seems rather thin. Anyone who is serious is going to buy more memory, but there may be other alternatives that work as well.
I was thinking about 2 factors. One is that you may want to run this on a machine belonging to someone else, if you cannot guarantee not to have touched their swap then you need to do something about it, and the other is that doing a full nuke a la DBAN takes one hell of a long time. The dd thing does not make the info unrecoverable, but it does make it less evident.

ASIDE: anyone want to report some performance tests on how long it takes to write zeroes to some swap partitions?
(effects of unionfs)
Sounds like a great idea Mark. Can we rope you into doing it? :)
Well, I can offer to nag you to do it :) :) :)
you can run the standard default Puppy for months without any firewall rules set up ... there is nothing for a worm to connect to
Add this to the list of security plusses for Puppy.
This is one of the things that Windows users will not get. You can have all the ports open if there is nothing answering on any of them. (Of course, this is never the case on Windows.)
if you use the -nolisten tcp option, port 6000 will be closed, but i think that you will not be able to run X apps if you chroot to another OS
Guest Too, I'm interested in turning this off, but I don't understand the ramifications. Is chrooting to another OS something that normal people do?
It is something one does only in a trusted environment. Remote access to X should be off by default and turned on specifically, most Linux distros have this the wrong way round.

Keep up the good work guys (otherwise I will have to na-ag!)

Mark 8)
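A shutdown-time swap wipe along the lines Mark and Paul discuss above (swapoff, overwrite, re-create, and time it), written here as an added example; it is not code from the thread or from Puppy, and the /proc/swaps sample and the /dev/hda5 device in it are constructed:

```shell
#!/bin/sh
# Added example, not code from the thread: wipe active swap partitions at shutdown.
# Reads /proc/swaps-style text, then for each swap partition: swapoff, overwrite with
# zeros, mkswap. The elapsed time per partition is reported, so a run on real hardware
# gives the performance figure asked for above. DRY_RUN=1 (the default) only prints
# the commands; set DRY_RUN=0 to execute them.
#
# Why /dev/zero rather than /dev/random: /dev/random blocks whenever the kernel's
# entropy pool is empty, so filling hundreds of MB from it can take hours. A single
# zero pass already defeats simply reading the partition back (it is not a DBAN-style
# multi-pass wipe), and /dev/urandom is the fast alternative if you want random data.

DRY_RUN=${DRY_RUN:-1}

# Constructed /proc/swaps sample for the demo and tests, not a capture from a real machine.
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/hda5                               partition       524280  1024    -1
/swapfile                               file            131068  0       -2'

# stdin: /proc/swaps content.  stdout: "<device> <size_kB>" for each swap *partition*.
# The Used column is deliberately ignored: it only counts pages swapped out right now;
# anything swapped out earlier in the session is still sitting on the partition.
swap_partitions() {
    awk 'NR > 1 && $2 == "partition" { print $1, $3 }'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# swapoff, zero-fill and re-initialise one swap partition.
wipe_swap_partition() {
    dev=$1
    run swapoff "$dev"
    # dd exits non-zero when it reaches the end of the partition ("no space left");
    # that is the expected way for a whole-device overwrite to finish.
    run dd if=/dev/zero of="$dev" bs=1M || true
    run mkswap "$dev"
}

# Wipe every swap partition listed on stdin and report the elapsed seconds for each.
wipe_all_swap() {
    swap_partitions | while read -r dev size_kb; do
        start=$(date +%s)
        wipe_swap_partition "$dev"
        echo "$dev ($((size_kb / 1024)) MB) wiped in $(( $(date +%s) - start ))s"
    done
}

# Demo on the constructed sample (dry run). On a real system, feed the live table
# instead:  DRY_RUN=0; wipe_all_swap < /proc/swaps
printf '%s\n' "$SAMPLE_SWAPS" | wipe_all_swap
```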

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#32 Post by GuestToo »

if you are using Xvesa, you can edit /etc/xextraoptions, and put "-nolisten tcp" in the list of X options ... it might look like this:

-nolisten tcp -shadow

if you are running Xorg, it is probably already running with tcp disabled ... like this:

... .xinitrc -- -br -nolisten tcp > /tmp/xerrs.log ...

you could easily copy xwin to say, xwin2, edit xwin2 to remove the -nolisten tcp option, then anytime you like, you could shut down X, then type xwin2 to restart X without the -nolisten tcp option

if you have another Linux distro installed on your hard drive, you can run it from Puppy using chroot ... for example:

chroot /mnt/hda9

then you can run any programs installed in that other Linux operating system ... if you want to run any X applications, -nolisten tcp will probably prevent it from working ... the X app will try to connect to the X server using tcp
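To make the netstat -tulp listings in this thread easier to read, here is an added example (not code from the thread or from Puppy) that classifies each listener as loopback-only or exposed to the network and flags an X server on TCP port 6000; the sample output embedded in it is constructed from the lines posted above:

```shell
#!/bin/sh
# Added example (not from the thread): classify the listeners that `netstat -tulp`
# reports as LOCAL (bound to loopback only, e.g. "localhost:8118") or EXPOSED
# (bound to every interface, "*:" or "0.0.0.0:"), and flag X listening on TCP 6000.
# Run it on a live system with:  netstat -tulp | classify_listeners

# Constructed sample, modelled on the outputs posted in this thread
# (cupsd, dhcpcd, privoxy on localhost, X on *:6000). Not a real capture.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ipp                   *:*                     LISTEN      9020/cupsd
udp        0      0 *:bootpc                *:*                                 8996/dhcpcd
udp        0      0 *:ipp                   *:*                                 9020/cupsd
tcp        0      0 localhost:8118          *:*                     LISTEN      3974/privoxy
tcp        0      0 *:6000                  *:*                     LISTEN      1991/X'

# stdin: netstat -tulp output.  stdout: one line per listener:
#   <LOCAL|EXPOSED> <proto> <port-or-service> <program>
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # Local Address is host:port; the port is whatever follows the last colon
        # (netstat prints a service name such as "ipp" when it can resolve one).
        # udp rows have no State column, so the program is always the last field.
        addr = $4
        port = addr; sub(/^.*:/, "", port)
        host = addr; sub(/:[^:]*$/, "", host)
        if (host == "localhost" || host == "127.0.0.1" || host == "::1" || host == "ip6-localhost")
            scope = "LOCAL"
        else
            scope = "EXPOSED"     # "*", "0.0.0.0", "::" or a specific NIC address
        prog = $NF; sub(/^[0-9]+\//, "", prog)
        printf "%s %s %s %s\n", scope, $1, port, prog
    }'
}

# Exit status 0 when something is listening on TCP port 6000 (shown as 6000 or x11)
# on a non-loopback address, i.e. the X server is reachable from the network.
x_listening_on_tcp() {
    classify_listeners | awk '
        $1 == "EXPOSED" && $2 ~ /^tcp/ && ($3 == "6000" || $3 == "x11") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Number of listeners reachable from the network: what a scan of your own IP would see.
exposed_count() {
    classify_listeners | awk '$1 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | x_listening_on_tcp; then
    echo "X is listening on TCP: add -nolisten tcp (see /etc/xextraoptions above) and restart X"
else
    echo "X is not reachable over TCP"
fi
```

On the constructed sample the privoxy line is the only LOCAL one, which is the distinction between GuestToo's "only accessible locally" and Mic67's "*:6000" result.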

Mic67

#33 Post by Mic67 »

This post is not to seek attention or be controversial but to be one of informational relevant discussion. If it appears to be or have a trolling feel to it, it would help to know how that is so that it can be avoided.

"if you are running Xvesa, and it doesn't have the -nolisten tcp option, you can put it in the /etc/xextraoptions ... either edit it directly or use the video wizard "

Ok if I
netstat -tulp

then shows:
sh-3.00# netstat -tlup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:6000 *:* LISTEN 1991/X
sh-3.00#

Now go to Process Listner, look for 1991 under the File column; it shows:
1991 root 7336 <X :0 -mode 0x0017 -shadow -mouse /dev/mouse,5

Now try to terminate that process and (my) the system freezes.

What about using RXVT and:
startx --nolisten tcp
press enter?
Shows>
>>>>>>>>>>>>>>
sh-3.00# startx --nolisten -tcp
This script will run X windows for you...

It seems that last time X ran, the computer hung and you had to reboot.

Have now dropped down to the commandline. If you want to run the Xorg
Video Wizrd, type "xorgwizard", and after configuring /etc/X11/xorg.conf
(hopefully correctly this time!) type "xwin" to start X.
sh-3.00#
>>>>>>>>>>>>>>>>
In the windowmanager file it shows --nolisten.

Ok now I go and do:
netstat -tulp
And it shows:
sh-3.00# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:6000 *:* LISTEN 1991/X
sh-3.00#

It seems this method does not work.
So I put and saved:
-nolisten tcp in the /ect/extraoptions

Then netstat -tulp again without reboot (using a live CD) and it still shows the port 6000 listening.

Does it need to be rebooted, if so is there another way to turn it off without rebooting or does the
-nolisten tcp need to be --nolisten tcp (that is with 2 (- -) rather than one?

............................

"This is one of the things that Windows users will not get. You can have all the ports open if there is nothing answering on any of them. (Of course, this is never the case on Windows.) "

That is the work of a correctly config. FW. And that doesn't mean that a DOS can not happen or other such things.

I made some rules in my FW as I believe I was being DOS / flooded (at one point I had up to 25 megs of packets); the rules help significantly as determined by the cpu usage and bandwidth throughput.

Previously in this thread - these are excerpts:
sh-3.00# netstat -s

Icmp:
6 ICMP messages received

ICMP output histogram:
destination unreachable: 21
(doesn't this send a response to the creator of that icmp, as opposed to being dropped)

Udp:
37 packets received
6 packets to unknown port received.

Now, how can there be an "unknown port"?

Also in this meaningful thread I said that by using SuperScan on your own IP address you can scan all your ports from 0 to 65535, and as standard it shows that port 6000 is open. Ok. But when you have netstat -tcp open and updating every second or so and compare the open ports on that with what the scanner is showing as open ports, and the result is that there are open ports that don't relate to anything and it states that the "service is unknown", how and why is that? Now this does not always happen, and that is why I keep the scanner ready for random scans on my own IP, and I had 4 open ports that corresponded to an idle system with no supposed tcp activity or persistent connection.

To my understanding, in default Debian many services start on boot and it is up to you to turn them off.

FWIW I think the Linux kernel 2.4 supported over 124 different protocols. Now, if there is a protocol other than tcp/udp/icmp, will that be able to be monitored by any means in the current Puppy 210 or other versions, and does the FW work with protocols other than tcp/udp/icmp?

Now in the app. recently and graciously provided by Guest Too, it appeared to me that I had up to 14 outside IP addresses directly connecting to various applications (partly in an earlier post). Some weird things were happening with the networking which I am still working on, and the interpretation of those results. Maybe it's nothing, but I will assume the opposite until I determine a reason otherwise.

>>>>>>>>>>>>>>
"Remote access to X should be off by default and turned on specifically, most Linux distros have this the wrong way round. "

YEP.

sh-3.00# xhost
access control enabled, only authorized clients can connect
INET:localhost
LOCAL:
sh-3.00#

And without any network monitoring apps you cannot really know what is going on.

Cheers.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#34 Post by GuestToo »

if you are using the Xvesa X server, i think the correct syntax would be like this in the file /etc/xextraoptions:

-nolisten tcp -shadow

you must restart X to have it take effect ... you can press ctrl+alt+backspace if you like, then type startx ... or type xwin

startx and xwin are the same script, it doesn't matter which you type ... startx is not exactly the same program that other distros have to startx, Puppy has a simpler script to start X ... the only parameter that xwin takes is the executable you want to run as the window manager ... for example:
startx jwm
startx icewm
startx fluxbox

if you setup the default firewall, it is configured to block all incoming traffic, so incoming traffic to port 6000 should be blocked by default anyway
how can there be an "unknown port"?
i don't know ... it seems to be a common occurrence ... udp packets do not have much error checking and udp packets can easily arrive damaged or corrupted
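
The two checks the posts above run by hand (netstat -tulp for a listener on the display port, and the option string that goes into /etc/xextraoptions) can be scripted so the result is a yes/no rather than something to eyeball. The block below is an added example written for this thread, not code from Puppy or from either poster; the function names are made up for it, and the netstat output it parses is a constructed sample modelled on the listing shown earlier (it assumes netstat was run as root so the PID/Program name column is present). The port check also covers displays :1 to :63 (ports 6001 to 6063), which the thread only implies.

```shell
#!/bin/sh
# Added example (not from this thread): audit whether the local X server is
# reachable over TCP. Automates the two manual checks from the posts above:
# `netstat -tulp` for a LISTEN on an X display port, and the option string
# kept in /etc/xextraoptions for the single-dash "-nolisten tcp" flag.
# Function names and the sample output below are constructed for this example.

# Constructed sample of `netstat -tulp` on a system whose X server listens on
# TCP (the situation reported above: display :0 is port 6000).
SAMPLE_NETSTAT_OPEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:6000                  *:*                     LISTEN      1991/X
udp        0      0 *:68                    *:*                                 812/dhcpcd'

# Constructed sample after X was restarted with -nolisten tcp: no port 6000.
SAMPLE_NETSTAT_CLOSED='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 *:68                    *:*                                 812/dhcpcd'

# x_tcp_listeners NETSTAT_OUTPUT
# Prints "PID/Program local-address" for each TCP listener on an X display
# port (6000-6063 covers displays :0 to :63, not just :0); exit status 0 if
# at least one was found, 1 if none. Handles "*:6000" and IPv6 ":::6000"
# by taking the last colon-separated field of the local address.
x_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063) { print $7, $4; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# has_nolisten_tcp OPTION_STRING
# Exit 0 if the X server option string (the contents of /etc/xextraoptions)
# contains "-nolisten tcp" with a single dash. "--nolisten tcp" does not
# match: that spelling is the reason the first attempt above changed nothing.
has_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_x_exposure NETSTAT_OUTPUT OPTION_STRING
# Combines both checks; returns 0 only when no X TCP listener exists now AND
# the option is in place so the next X restart stays that way.
audit_x_exposure() {
    status=0
    if listeners=$(x_tcp_listeners "$1"); then
        echo "X accepts TCP connections: $listeners (restart X for the option to apply)"
        status=1
    else
        echo "no X server listening on TCP"
    fi
    if has_nolisten_tcp "$2"; then
        echo "/etc/xextraoptions carries -nolisten tcp"
    else
        echo "/etc/xextraoptions lacks -nolisten tcp (single dash)"
        status=1
    fi
    return $status
}

# Live run on the box itself (uncomment; needs root for netstat -p):
# audit_x_exposure "$(netstat -tulp 2>/dev/null)" "$(cat /etc/xextraoptions 2>/dev/null)"
```

Running the live line before and after the ctrl+alt+backspace / xwin restart shows the difference directly: the listener line disappears only after the restart, which is the "does it need to be rebooted" question answered. The default firewall blocking incoming port 6000 is a second layer; -nolisten tcp removes the listener itself, so nothing is there to answer even if a firewall rule is later loosened.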

Mic67

#35 Post by Mic67 »

Thanks for the tip, Guest Too. I'll give it a try.

Here are some links:
Just for starters and thoughts

http://www.linux-sec.net/FW/Examples/
Example Firewall Scripts

http://www.simonzone.com/software/guarddog/#screenshots
300k to 900k
nice gui looks relatively current

http://www.bastille-linux.org/
" The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works."????????
http://www.securityfocus.com/infocus/1414
Bastille Linux: A Walkthrough
Jay Beale 2000-06-06

http://www.linux.org/apps/all/Networking/Firewalls.html
Hmmm, seems pretty current, fairly large list

http://www.cerias.purdue.edu/about/hist ... #firewalls
Firewall Tools
Below is a list of programs that can be used in conjunction with a firewall or create to a firewall. A firewall can be any of the many different methods of protecting a network from untrusted networks.

http://www.cerias.purdue.edu/about/hist ... teg50.html
Large page of network apps with good descriptions

ftp://coast.cs.purdue.edu/pub/tools/unix/
http://www.syrlug.org/contrib/soho-netw ... ltydistros

http://cheops.anu.edu.au/~avalon/ipfil-flow.html
IP Filter Flow
Diagram illustrating the flow of TCP/IP packets through the various stages introduced by IP Filter. Check out this diagram.
IPF 4.x runs on Linux. Recent versions even run on 2.6.x kernels.

http://users.pandora.be/stes/ipmenu.html
Netfilter/IPtables Rule Editor
Interesting but looks dated 8/2/2001
About a 26k tar.gz


"What is ipmenu ?
It's a user interface to Netfilter/iptables and Linux policy routing or traffic control, allowing you to edit firewall rules and configure the firewall to "mark" packets for policy routing or for class based queueing (CBQ)."

http://www.ifi.unizh.ch/ikm/SINUS/firew ... shots.html

http://cs-www.ncsl.nist.gov/tools/tools.htm#firewall
Internal Vulnerability Scanning Tools
This DRAFT was compiled by Stephen Quinn at
The National Institute of Standards and Technology

http://www.nblug.org/firewall/
NBLUG Linux Firewalls Page looks interesting

http://www.linux-sec.net/Firewalls/Scripts/
USE AT YOUR OWN RISK!!!!!!!!!!

http://www.linuxguruz.com/iptables/
GOOD BUNCH OF HOW TO'S

http://www.roseindia.net/linux/linux-firewall.shtml
http://www.freefire.org/tools/
large list
http://www.linuxsecurity.com/docs/colsfaq.html
comp.os.linux.security FAQ dated

http://users.dhp.com/~whisper/mason/nmap-services
# This list of services is from the
# Nmap security scanner ( http://www.insecure.org/nmap/ )
#
# For a HUGE list of services (including these and others),
# see http://www.graffiti.com/services

http://products.enterpriseitplanet.com/ ... 09137.html
Off topic of sorts but interesting: Webwasher is available as a software offering for Linux.

http://home.nc.rr.com/woodsmall/UNIX.htm
COMPLETE LINUX / UNIX Info - David Woodsmall
11/18/2006 - Optimized for Firefox 2.0
COPYRIGHT 1992 thru 2006
HUGE LIST OF LINKS WOW

http://rootprompt.org/article.php3?article=931
Feature: Amateur Fortress Building in Linux Part 2
http://yolinux.com/TUTORIALS/LinuxTutor ... teway.html
http://www.rocketaware.com/comm/imp/security/

http://www.webservertalk.com/archive89- ... 77132.html
You are browsing with Firefox under a Linux OS; do you need a firewall?
If so, why?
"Yes! A firewall is required to prevent a local host from a variety of
exploits. Firewalls do little in preventing exploit by web browsers in
the nix environment however the idea is only to expose ports externally
those hosts you wish to communicate with and block all others. There
is little overhead in nix firewalls and well worth the effort in
protection from various worms and other potential exploits. While web
browsing is one point of exploitation, it is not the only method of
exploitation. If one watches their network external interface, one will
see frequent probes on a specific IP address. A firewall is only one
layer of security. Depending on local system configuration there are a
number of potential entry points in a typical nix configuration. It is
easy to make an "oops" in configuring a system, especially for a newbie, and a firewall will help protect you from yourself."


Disclaimer:
This information is provided in the hopes that you will find it useful and instructive. However, it is provided with ABSOLUTELY NO WARRANTY OF ANY KIND.