Net Security

Mic67


#1 Post by Mic67 »

I am a new Puppy Linux user of less than a month.

I am not a Geek nor an expert in the matters of Net Security. A lot of what I have to say is from my experiences in Win 9X and what I have learned using Puppy Linux.

I hope for this to be a mini-blog of sorts. If you have something to contribute or even make a correction please do so. It would be helpful if you provided URL links too.

OK, here is my first URL:
http://www.grc.com/default.htm
Most of what is on this page is Windows related.
Scroll down to the section:
>>>>>>>>>>>>>>>>>
"ShieldsUP! 46,304,000 system tests
The Internet's quickest, most popular, reliable and trusted, free Internet security checkup and information service. And now in its Port Authority Edition, it's also the most powerful and complete. Check your system here, and begin learning about using the Internet safely."
>>>>>>>>>>>>>>>>>>>
Click on it.

It will begin to do some probing of your computer, namely providing the reverse DNS of your IP address.

Normally it will provide your "machine name". But this is what it shows when I go there:
>>>>>>>>>>>>>>>>>>>>>>>
"Your Internet connection has no Reverse DNS

Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#2 Post by GuestToo »

a dns reverse lookup would give you the internet name corresponding to the ip address

for example, the internet name associated with 63.241.153.51 would be something like www.puppy.com

if you get the name associated with my ip address, it would be something like:

basic2-newark-28475486.dsl.verizon.com

that isn't my real ip name, or my isp ... but if it was, you would know at a glance where i was and the name of my isp, and there might be a serial number in the name which is associated with my address ... like a license plate on a car ... this is not very anonymous

but your ip address is not very anonymous anyway ... you can use proxies, like Tor, but it's usually slower

Mic67

#3 Post by Mic67 »

Hmm... Well, the name associated with something like basic2-newark-28475486.dsl.verizon.com
tells me that Newark is probably the city, that you have DSL and that Verizon is the ISP.

Whereas with no reverse DNS, a lookup on an IP at best will point only to the ISP, or to nothing at all, depending on the service or authority for reverse lookups you use.

Using "rxvt" and typing "ifconfig" will show>
sh-3.00# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ppp0 Link encap:Point-Point Protocol
inet addr:111.22.33.444 P-t-P:555.5.555.55 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:854 errors:1 dropped:0 overruns:0 frame:0
TX packets:791 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:736162 (718.9 KiB) TX bytes:128879 (125.8 KiB)


Now if I go to /var/log, open it in a text editor and look at the last few entries, this is what I see:
pppd[9186]: local IP address 111.22.33.444
Nov 15 00:33:54 (none) daemon.notice pppd[9186]: remote IP address 555.5.555.55
Nov 15 00:33:54 (none) daemon.notice pppd[9186]: primary DNS address 666.66.666.66
Nov 15 00:33:54 (none) daemon.notice pppd[9186]: secondary DNS address 777.777.777.777

Now the 111.22.33.444 is confirmed to be the IP address assigned by the ISP as local.

But the 555.5.555.55 "remote IP address" shown in the log points to IP addresses owned by the ISP as shown by doing a Whois lookup.

What and why is there this 555.5.555.55 "remote IP address", i.e. what purpose does it serve? And is there some NAT translation going on? And the IP address that you are given by the ISP, is that a routed IP that is shared with other users, the same way that a home network would work with a router?

That "machine name" given by the ISP does serve a purpose, of which I do not know. I can make some guesses though - sort of like a netbios name?

All this specific networking stuff with an ISP is unknown to me and I have not been able to find anything like the good tutorials that are provided by various Linux sources. URLs anyone?

NOTE: the numeric IP addresses used in this example have been changed to make it easier to understand.

Also, what I do in "rxvt", which I open before logging on to the ISP:

I type "netstat -tcp" (without the quotes) so it can show me all that is happening, sort of like the application called "TCPVIEW" for Windows by Sysinternals.

What this command will do is show all your TCP connections with foreign addresses, rapidly updated in the window, which I like. Example:

ESTABLISHED 22426/seamonkey-bin
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 1 0 111.22.33.444:52701 murga.org:80 CLOSE_WAIT 22426/seamonkey-bin
tcp 0 0 111.22.33.444:41621 72.14.207.99:80 ESTABLISHED

Now this is from a fresh logon to the Internet and then going straight to the Puppy forum and nothing else. Do a reverse DNS on 72.14.207.99:80.

And the NetName for this IP is GOOGLE with the NetHandle: NET-71-14-192-0-1 and the NameServer: NS1.GOOGLE.COM

What and why is this happening?

From my experience in the other OS, Win 9X, Google was always doing this and a lot of other things and goings-on. The one thing I was able to determine is that it is not liked when your machine does not show a reverse DNS "machine name". The other thing I found in 9X was that upon immediate logon to the net I would get an immediate router name request or probe from some Arpin authority, before even typing any URL.

It is clear to me that there is more to the "net name" or "machine name" purpose.

Cheers.

Mic67

#4 Post by Mic67 »

Update:

Ok I just did a test.

I logged on to the Internet with "netstat -tcp" running prior to logging on, updating every second or so and showing no foreign address. The instant the logon was completed, a connection was established with the Google IP address I previously mentioned, as shown by the netstat -tcp window while I was watching it, doing absolutely nothing but watching that TCP window:
72.14.207.99:80

IP is GOOGLE with the NetHandle: NET-71-14-192-0-1 and the NameServer: NS1.GOOGLE.COM

Now this established connection persisted for about 90 seconds or more.

Go figure???

Is there any way to configure viewing the iptables logs and, if so, how to find them and increase the KB size of that firewall log, to show me more of what is going on? Puppy 210.

TIA

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#5 Post by GuestToo »

you are probably connecting to a Google server, because this forum helps to pay for itself with Google Adsense advertising ... the connections probably stay connected for a long time, because the Google server is probably connecting using persistent connections

you can probably block the connection to the google server by putting this line in /etc/hosts:

127.0.0.1 NS1.GOOGLE.COM

in ifconfig, the 111.22.33.444 would be the ip address of your computer ... your computer connects to and uses a computer belonging to your isp for your gateway to the internet ... that computer's ip address is 555.5.555.55 in your example ... (both ip addresses are fictitious, of course)

the "machine names" are hostnames/domain names ... the internet mostly uses the numerical ip addresses, which is why there needs to be DNS servers to convert addresses like www.puppy.com to 63.241.153.51

one use for the hostnames is with virtual servers ... you can set up a web server on your machine to use virtual addresses (Monkey can do this) ... and put something like this in /etc/hosts:

127.0.0.1 localhost puppypc
127.0.0.1 www.mysite1.com
127.0.0.1 www.mysite2.com

if you type www.mysite1.com in the address bar of your browser, you will see the web page you configured for www.mysite1.com ... if you type www.mysite2.com in the address bar of your browser, you will see the web page that you setup for www.mysite2.com ... they can be the same web page, or different ones

this is using the domain name to display different web pages when you connect to the same ip address ... the same thing can be done on the internet

you can edit /etc/rc.d/rc.firewall, if you are using that firewall script, to enable logging ... i think log messages will be written to /var/log/messages

http://en.wikipedia.org/wiki/Reverse_dns
http://en.wikipedia.org/wiki/Domain_Name_System
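The reverse-DNS mechanics discussed in the posts above (what a PTR lookup asks for, what "no Reverse DNS" means, and what an ISP-style name like basic2-newark-28475486.dsl.verizon.com gives away), as an added example that is not from the thread or from Puppy Linux. The PTR and A zone data below are constructed stand-ins for a real resolver; the IPv6 case is covered too, which the thread does not mention.

```python
"""Reverse DNS (PTR) checks behind the ShieldsUP 'no Reverse DNS' message."""
import ipaddress
import re
import socket

# Constructed PTR (reverse) and A (forward) zone data standing in for DNS.
FAKE_PTR = {
    "51.153.241.63.in-addr.arpa": "www.puppy.com",
    "33.22.11.10.in-addr.arpa": "basic2-newark-28475486.dsl.verizon.com",
}
FAKE_A = {
    "www.puppy.com": ["63.241.153.51"],
    "basic2-newark-28475486.dsl.verizon.com": ["10.11.22.33"],
}

# Labels ISPs commonly use to mark the access technology (heuristic list).
ACCESS_WORDS = {"dsl", "cable", "dial", "dialup", "fiber", "ppp", "dhcp", "pool"}


def ptr_name(ip: str) -> str:
    """Name a resolver queries for the PTR record of `ip`:
    IPv4 -> reversed octets under in-addr.arpa, IPv6 -> nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip: str, ptr=FAKE_PTR):
    """Hostname for `ip`, or None when no PTR record exists
    (the condition ShieldsUP reports as 'no Reverse DNS')."""
    return ptr.get(ptr_name(ip))


def forward_confirmed(ip: str, ptr=FAKE_PTR, a=FAKE_A) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`.
    The PTR is set by whoever runs the reverse zone for that address, so a
    name that does not confirm forward should not be trusted in logs."""
    name = reverse_lookup(ip, ptr)
    return name is not None and ip in a.get(name, [])


def rdns_disclosure(name: str) -> dict:
    """What an ISP-style PTR name gives away at a glance (heuristic split
    of the first label into location words and a long numeric serial)."""
    labels = name.lower().split(".")
    tokens = re.split(r"[-_]", labels[0])
    serial = next((t for t in tokens if re.fullmatch(r"\d{5,}", t)), None)
    return {
        "isp_domain": ".".join(labels[-2:]),
        "access_type": next((l for l in labels if l in ACCESS_WORDS), None),
        "location_hints": [t for t in tokens if t != serial and not t.isdigit()],
        "account_serial": serial,
    }


def live_reverse_lookup(ip: str):
    """Same question against the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for ip in ("63.241.153.51", "10.11.22.33", "10.11.22.34"):
        name = reverse_lookup(ip)
        print(ip, "->", name, "| forward-confirmed:", forward_confirmed(ip))
        if name:
            print("   discloses:", rdns_disclosure(name))
```

Replace the two dictionaries with `live_reverse_lookup` and a forward `socket.gethostbyname_ex` call to run the same check against real DNS.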

Mic67

#6 Post by Mic67 »

"you are probably connecting to a Google server, because this forum helps to pay for itself with Google Adsense advertising"

I might agree with this in the first example I gave, but not the second example I gave, namely:

"I logged on to the Internet with "netstat -tcp" running prior to logging on, updating every second or so and showing no foreign address. The instant the logon was completed, a connection was established with the Google IP address I previously mentioned, as shown by the netstat -tcp window while I was watching it, doing absolutely nothing but watching that TCP window:
72.14.207.99:80

IP is GOOGLE with the NetHandle: NET-71-14-192-0-1 and the NameServer: NS1.GOOGLE.COM"

The TCP window showed NO TCP connection before logging on to the Internet, and if the instant I logged on a connection was established to Google with zero action on my part (and no persistent previous connection prior to logging on, which would have been shown in the TCP window), it would have nothing to do with the Google advertising on this forum. There is another reason for this which, in part, has to do with a lack of "machine name" and no reverse DNS to the IP. I say this also based on my Win 9X experience, because I saw a brute force attempt by Google to determine that reverse DNS name (the IP number alone didn't seem to satisfy); this was determined by the machine name (a real long and descriptive one) of the IP address that Google was using to do this, and not just an IP number address.

When GRC.com says "But no such lookups are possible with your current Internet connection address (xxx.xx.xx.xxx). That's generally a good thing." but does not go further to say why that is, it makes me want to understand why that is.

Your answer for "one use for the hostnames are with virtual servers" gave me more to think about, thanks.

The Links:
http://en.wikipedia.org/wiki/Reverse_dns
http://en.wikipedia.org/wiki/Domain_Name_System
were a good resource.

I'll add:
http://en.wikipedia.org/wiki/Hostname
http://en.wikipedia.org/wiki/IP_address
http://en.wikipedia.org/wiki/PTR_record
very good

http://en.wikipedia.org/wiki/Virtual_hosting
http://en.wikipedia.org/wiki/DNS_cache_poisoning

I have looked in /var/log/messages and while it can tell you a lot, there are no firewall logs in it.

I figure the firewall script needs to be edited to create a log (it doesn't seem to exist by default) and to set the size of that log. How to do that, where the log is (and its size), and whether a reboot is necessary or whether just reconfiguring the firewall with the wizard is enough, if either is required at all?

I think that the Puppy distros could use a firewall front end like:
http://security.linux.com/security/04/1 ... 100&tid=35
Firestarter
Shoreline Firewall

http://www.enterprisenetworkingplanet.c ... hp/3638441
"Live iptables Monitoring
Want to see your iptables firewall in action, in real-time? Use the iptstate command. (this is only possible if this app. is installed and not just by using the command line) This shows all activity in a top-style display"

Thanks

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#7 Post by Flash »

If you are worried about botnets and the like, here's an article on the latest attack: Zombies try to blend in with the crowd

Mic67

#8 Post by Mic67 »

No, but it is nice to know what and why there is a connection to your machine and to have the ability, like in many Win 9X firewalls, to terminate any unknown or malicious connections. Particularly when there is a connection that was not initiated by the user. I don't believe there is a way to do that in Puppy (210 or ?) other than logoff.

A basic quote sums it up: "your network is your computer". And networking is integral to computing.

Puppy Linux provides a lot more security by virtue of the fact that it is a live CD, a fresh OS every boot. And more security is provided when not using a HD. Although there are possibilities or potential means of being compromised, those aren't necessarily related to the OS itself.

"it is problem but not a big one"
http://news.com.com/5208-7349-0.html?fo ... 4&start=-1

"For SOHO market there is no problem you can spot unwanted connections if you have even average firewall with logging capabilities."

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#9 Post by GuestToo »


Mic67

#10 Post by Mic67 »

Awesome!! Thanks, hmm... was this a recent addition to the dot pups? It would be great to be included in all the distros. Also a front end for configuring the firewall would be great too. I will later post the reasons why.

Here's what this app "IPTState" shows when there is no "machine name":
IPTState - IPTables State Top
Version: 2.1 Sort: SrcIP b: change sorting h: help
Source Destination Proto State TTL
56.0.0.0 999.99.99.99 unknown 119:22:17
56.0.0.0 888.88.88.888 unknown 119:20:08
56.0.0.0
>>>>>>>>>>>>>>

OK, this is an example of what this app is showing, although it may not be graphically formatted correctly. This is my machine online but doing nothing. The 56.0.0.0 is my machine (the actual IP number shown in this IPTState app, in idle state). The 999 and 888 version IP addresses are just representations of real IP addresses. Interestingly, iptstate is showing network activity while the network icon at the bottom of the screen is showing NO network activity. The Proto is unknown, but that is also what is shown as the protocol when the IP address number is that of my ISP's DNS server, and in that instance I know the proto is UDP. But when I surf the protocol is also unknown, when I know for the most part it is actually TCP. Again this is with no reverse DNS name to my IP.

Now compare this to
http://www.phildev.net/iptstate/screenshot.shtml

Under win9X I had someone trying to use ESP to link to my machine, ESP does not mean Extra Stupid Perception but Encapsulate Secure Protocol. There was no initiated reason for this, and I expect it was a "tunneling" effort to compromise my machine.

Thanks again.

marksouth2000
Posts: 622
Joined: Wed 05 Apr 2006, 20:43

#11 Post by marksouth2000 »

The sheer length of this thread is a fine tribute to how Steve Gibson's sustained misinformation campaign has spread paranoia among Internet users.

If you use Windows you have nothing to lose by being paranoid.

If you use Linux or BSD it's better to adhere to the standards.

Next thing we'll be hearing that our hard disks will die unless we all rush out and buy a copy of SpinRite.... :roll:

Gn2
Posts: 943
Joined: Mon 16 Oct 2006, 05:33
Location: virtual - Veni vidi, nihil est adpulerit

#12 Post by Gn2 »

Interesting comments - If somewhat confused Re how any security concerns personally may be applicable (who isn't)

Yes.: S. Gibson slants "colours" data to encourage usage of (own S/W) to own benefits -
All vendors of own products do !

It would seem nothing definitive will ever be agreed upon here - & as such it may be suggested -
Limit "general views" on security to only Puppy related:

For overall concerns, use home pages of dedicated Reliable Official Security sites.

The main sources have been posted in Puppy Forum

How they may apply is up to user, IMHO esoteric niceties are far beyond scope of any "general use" distro.

Example -This header is devoted to Puppy user query/solution topics vs a sounding board of non- distro specific generalities.
Not to be taken as any criticism towards OP's intent - but perhaps it was better if posted to Misc ?

(That's only my biases towards enhancing the forum usefulness - to further PUPPY goals )

- Thank you for patience & Best of Regards to all

Mic67

#13 Post by Mic67 »

In response to the claim of "Steve Gibson's sustained misinformation campaign":

Actually, if you listen to all 65 of his podcasts (btw many podcasts have some sponsor or commercial interest) he in fact recommended a freeware disk utility - thank you for reminding me of that, it was of significant help (Steve mentions it in one of the podcasts).

Also at one time he did recommend Zone Alarm for windows but now he recommends Kerio - a most excellent application.

In fact there was nothing that I have seen regarding any of GRC's materials that I consider "misinformation". Maybe you might consider stating what the misinformation is; it might help us all.

I have done fairly extensive research on net security but am no expert nor uber Geek. I can relate to most all of the net security issues he addresses in Windows and have experienced most of them.

In Windows there is a GNU app called Proxomitron; it's sort of a web filter à la Web Washer, sort of. In Proxo, depending on the filters you use, the amount of VB, Java, ActiveX, etc. that it filters is no less than amazing. This filtering can be shown in a window from Proxo.

Linux may not have many viriji but it is not any less affected by Java et al. Even in Puppy Linux my "shadow bios" is getting written to all the time.

I have Pup 210 and if it loads the OS to ram and I have 385 of ram why after booting do I only have 122 megs left before using anything if the 210 OS should only occupy 128 meg? No HD present (swap or other wise).

Btw, anyone still using Windows, I suggest a free firewall version (stateful) called Jetico. It took about 10 days to get used to it and configure it; google "jetico forums" first. YMMV.

Having a hosts list (a basic ad block of sorts) is a really good idea, and GRC.COM has a podcast on that too, I believe.

I use the Dillo browser a lot in PUP210; no Java, thank you.

Thanks again.
Puppy is like amazing!!

Subsequent posts shall be regarding Net Security only.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#14 Post by GuestToo »

RE: IPTstate: was this a recent addition to the dot pups?
yes, i didn't know about it, so i compiled it and made a package for Puppy .... nice program

i use the old Kerio 2.1.15 firewall (no longer supported) ... i've never had any problems with it ... i tried Jetico once, it kept crashing so i went back to Kerio

i rarely run Windows anyway, mostly i use Linux, and most of the time, Puppy

i use Firefox mostly, with adblock+ NoScript, CustomizeGoogle and TorButton ... NoScript disables Java and Javascript, unless i choose to enable it on a site by site basis

Privoxy is similar to Proxomitron, there is a Privoxy dotpup package for Puppy ... there's a new beta version, i should update the package

i don't really care whether i "pass" the grc test or not ... at the moment, i do, my machine is completely "stealthed"

on the other hand, for a long time Puppy did not include a firewall ... you can run standard Puppy for months without a firewall without needing to worry about it

Puppy should not touch your bios, shadow or otherwise ... i don't think it even sets the hardware clock to the system clock when it shuts down

i don't block ads in my hosts file
if it loads the OS to ram and I have 385 of ram why after booting do I only have 122 megs left before using anything if the 210 OS should only occupy 128 meg?
the Linux kernel (vmlinuz) has a memory management system that does a pretty good job of using your memory efficiently ... this means that quite soon after booting, almost all of the ram should be "used" ... ram that is not being used is ram that is being wasted, there is no point in having ram and not using it ... the kernel will use the ram for buffers and caching ... it is normal and a good thing to have all but a small amount of ram allocated and being used ... a useful tool to see what your memory is being used for is Xosview ... http://www.murga.org/~puppy/viewtopic.php?t=12538

there's a lot of debate about whether "stealthing" your ports is beneficial or not ... here's one thread:
http://www.dslreports.com/shownews/78863
there are many others

Mic67

#15 Post by Mic67 »

Interesting, I had issues with Kerio 2.1.15 but not Jetico. Previous to that I had Norton OEM, an old version, and was getting compromised through the logs that it kept and quite possibly through their VPN for their update code.

NoScript is great; no port to Linux exists to my knowledge. There is a Dillo-type browser for Windows called "Off By One", I think.

I got the Privoxy dot pup but it came with Tor and I only wanted to install the Privoxy part; that didn't get too far though.

Actually, as in my original post, you can test which ports are open by using "Superscan network scanner" in the network menu tab.
Determine the IP of your computer, put that IP number in the Host box under the Port Scanner side, in the "start port" box put 0 (zero) and in the "end port" box put 6535, then press start. This will scan all the ports of your IP and display the open ones. Now you will find port 6000 open on the stock Puppy 210. I think there is a post about this port 6000 somewhere in the forums. I have my own take on it that I will write about another time.

The stealth at GRC only scans the lower ports 0 -1030 or so. But it will allow you other options as well.

Humm.. as far as stealthing ports go I concur with GRC on that, there is a discussion of that in the podcasts. And I previously read those posts on DSL reports.

As for the shadow bios thing, as I understand the ROM gets loaded in the high memory ram as shadow bios as it is faster access than from the rom itself. That said the system calls from that ram and that ram could be written to. In the bios setting I set the power management totally off but the monitor still goes on save mode.

The thing about the security of RAM and even swap disk is for another post. But using Puppy has got me interested in other distributions, both to help me understand Puppy more and Linux itself, which is the 2nd greatest benefit after using Puppy itself. I don't recall which distro, but I do recall there was a distro where one security feature was that an app never got written to the same memory block twice - got me thinking....

I have really only been interested in the live CD distros at this point. And like I said, there supposedly aren't many virjii for Linux, but there aren't many scanners for Linux either.

But if your OS is on a HD and you get compromised via network linux is easy to compromise by writing to the SW and changing things.

(That is why network security is soooo important: if the SW is written to or tampered with, no AV scanner will help with the integrity of the OS.) In Windows my OS was getting written to like the Sunday New York Times. Actually I used to watch the hackers hack my system with code and then blue screen my monitor app of what they were doing. I sure learned a lot...


The possibility of that happening with a "closed" CD OS and NO HD leaves only memory, buffers and shadowed code to work with. Reboot and you've got a fresh OS. EXCEPT for any TSR, which will remain even if you power off and unplug the computer totally!!! Hmm, another post...

Many of the live CD distros, like Knoppix, discourage putting them on the HD. I totally see their point, in that by doing so you lose the benefit of a live CD.

BTW you have broadband and a MAC address that even if your IP changes your MAC address does not, another post.

Then there are the HTTP headers sent by your browser that show the OS and browser you are using. In Mozilla those can be changed by doing "about:config" in the URL box and entering the real config of the browser. Hmm, another post? In Firefox there is a plugin called "Agent Switcher"? that gives you a GUI to make those changes. Windows only....??

In Pup 210, from the menu: Control Panel > Xproc (system info app) > click the Memory tab will give the memory distribution; don't forget the FS tab too!

In that tab it shows 101 meg cache memory, 18 meg buffers and free memory of 224 meg. Hmm, would the cached memory be a duplicate of the OS in memory? Populating the memory does make sense, except when you are NOT using a HD. Then memory leaks and releasing of RAM all become more of an issue when there is no HD swap, which is sort of the way the system was designed.

Thanks again.

Mic67

#16 Post by Mic67 »

Well, in my last post I suggested using the app "Network Superscanner", which is in the Menu > Network tab in Puppy 210. By inputting your assigned IP address this will scan your computer for open ports; port 6000 is open by default, which was the only one I had seen. After that post I decided to keep the scanner app readily available for use while surfing, and from time to time perform a scan to see if there were any other open ports. Whoaaa.... on several occasions there were up to 4 other open ports, also displaying "service unknown". While doing this I recommend using an rxvt window and netstat -tcp, which will display all TCP connections, and you can compare the port numbers in use to those that are open. Then go figure...

Also, in rxvt type netstat -s, then Enter; it will display:
sh-3.00# netstat -s
Ip:
262858 total packets received
0 forwarded
0 incoming packets discarded
262837 incoming packets delivered
262890 requests sent out
Icmp:
6 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 6
21 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 21
Tcp:
131134 active connections openings
2 passive connection openings
0 failed connection attempts
1 connection resets received
0 connections established
262788 segments received
262826 segments send out
29 segments retransmited
0 bad segments received.
131083 resets sent
Udp:
37 packets received
6 packets to unknown port received.
0 packet receive errors
43 packets sent
TcpExt:
ArpFilter: 0
5 TCP sockets finished time wait in fast timer
5 time wait sockets recycled by time stamp
31 delayed acks sent
Quick ack mode was activated 9 times
270 packets header predicted
TCPPureAcks: 152
TCPHPAcks: 8
TCPRenoRecovery: 0
TCPSackRecovery: 0
TCPSACKReneging: 0
TCPFACKReorder: 0
TCPSACKReorder: 0
TCPRenoReorder: 0
TCPTSReorder: 0
TCPFullUndo: 0
TCPPartialUndo: 0
TCPDSACKUndo: 0
TCPLossUndo: 20
TCPLoss: 0
TCPLostRetransmit: 0
TCPRenoFailures: 0
TCPSackFailures: 0
TCPLossFailures: 0
TCPFastRetrans: 0
TCPForwardRetrans: 0
TCPSlowStartRetrans: 0
TCPTimeouts: 24
TCPRenoRecoveryFail: 0
TCPSackRecoveryFail: 0
TCPSchedulerFailed: 0
TCPRcvCollapsed: 0
TCPDSACKOldSent: 4
TCPDSACKOfoSent: 0
TCPDSACKRecv: 15
TCPDSACKOfoRecv: 0
TCPAbortOnSyn: 0
TCPAbortOnData: 1
TCPAbortOnClose: 1
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 1
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0
sh-3.00#
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Now to determine what is going on with your firewall rules:
sh-3.00# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
TRUSTED all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID

Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
sh-3.00#
>>>>>>>>>>>>>>>>>>>>>>.

Now some networking info:
sh-3.00# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
999.9.999.99 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 999.9.999.99 0.0.0.0 UG 0 0 0 ppp0
sh-3.00#
>>>>>>>>>
Note in the above example the IP 999 is fictitious but is representative of your gateway IP address.
>>>>>>>>>
And here is something else that may be of assistance, by doing netstat -rpcinfo:

sh-3.00# netstat -rpcinfo
netstat: invalid option -- f
usage: netstat [-veenNcCF] [<Af>] -r netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -i | [-cnNe] -M | -s }

-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections

-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing

-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB

<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
sh-3.00#
>>>>>>>>>>>>>
This command, netstat -l, will show the open port 6000 (note that the l is a lowercase L, not the number one):
>>>>>>>>>>>>>>>>>>>
sh-3.00# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6000 *:* LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 2990 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 3473 /tmp/root-v2jg87/dpid.srs
unix 2 [ ACC ] STREAM LISTENING 3475 /tmp/root-v2jg87/bookmarks.dpi
unix 2 [ ACC ] STREAM LISTENING 3477 /tmp/root-v2jg87/cookies.dpi
unix 2 [ ACC ] STREAM LISTENING 3479 /tmp/root-v2jg87/datauri.filter.dpi
unix 2 [ ACC ] STREAM LISTENING 3481 /tmp/root-v2jg87/downloads.dpi
unix 2 [ ACC ] STREAM LISTENING 3483 /tmp/root-v2jg87/file.dpi
unix 2 [ ACC ] STREAM LISTENING 3485 /tmp/root-v2jg87/ftp.filter.dpi
unix 2 [ ACC ] STREAM LISTENING 3487 /tmp/root-v2jg87/hello.filter.dpi
unix 2 [ ACC ] STREAM LISTENING 3489 /tmp/root-v2jg87/https.filter.dpi
sh-3.00#
>>>>>>>>>>>>>
And you can use the command in rxvt:

ifconfig

to determine your IP and other things
>>>>>>>>>>>>>>>>

Maybe this will give you something to think about or use.
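The listing above shows the two things worth checking by hand: TCP listeners bound to every interface (the *:6000 X11 socket) and established connections that netstat cannot tie to a process. The parser below does that over netstat output of the same shape; it is an added example, not code from the thread or from Puppy, and the two sample listings are constructed after the posted ones (the loopback-only listener on 8118 is added for contrast). Note that net-tools parses `-tcp` as `-t -c -p` (TCP, continuous, show program), which is why the window refreshes and carries a PID/Program column.

```python
"""Parse net-tools netstat listings to flag exposed listeners and
connections without an owning process."""
from dataclasses import dataclass

# Constructed: shaped like `netstat -l` in the post (X11 on *:6000 plus a
# loopback-only proxy listener added for contrast).
NETSTAT_L = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 127.0.0.1:8118          *:*                     LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     2990   /tmp/.X11-unix/X0
"""

# Constructed: shaped like the `netstat -tcp` capture; the first line is the
# tail of the previous continuous refresh, and "-" is what netstat -p prints
# when it cannot name the owning process.
NETSTAT_TCP = """\
ESTABLISHED 22426/seamonkey-bin
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 111.22.33.444:52701     murga.org:80            CLOSE_WAIT  22426/seamonkey-bin
tcp        0      0 111.22.33.444:41621     72.14.207.99:80         ESTABLISHED -
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
KNOWN_PORTS = {6000: "X11 display server", 8118: "privoxy"}  # constructed lookup


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str
    program: str = "-"

    @property
    def local_host(self) -> str:
        return self.local.rsplit(":", 1)[0]

    @property
    def local_port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])


def parse(text: str):
    """Yield one Socket per TCP row; headers, partial lines and UNIX
    domain sockets are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6"):
            continue
        yield Socket(f[0], f[3], f[4], f[5], f[6] if len(f) > 6 else "-")


def exposed_listeners(text: str):
    """LISTEN sockets bound to something other than loopback: reachable
    from the network unless the firewall's INPUT chain drops them."""
    return [(s.local_port, KNOWN_PORTS.get(s.local_port, "unknown"))
            for s in parse(text)
            if s.state == "LISTEN" and s.local_host not in LOOPBACK]


def unowned_connections(text: str):
    """Foreign endpoints of connections netstat cannot tie to a process,
    the kind the poster saw appear without any action on their part."""
    return [s.foreign for s in parse(text)
            if s.state != "LISTEN" and s.program == "-"]


if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(NETSTAT_L))
    print("unowned connections:", unowned_connections(NETSTAT_TCP))
```

On a live box feed it the real output (`netstat -l` and `netstat -tp`) and compare the exposed ports against the INPUT chain shown by `iptables -L`.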

Mic67

#17 Post by Mic67 »

Here are some links that maybe of interest:
http://www.fs-security.com/
"A Modern Linux Firewall

Linux security does not have to be complex,
and simplicity does not have to mean sacrificing power.

With Firestarter you will have a firewall up and running in minutes. After that it is up to you how deep you choose to go."

"Key Features

* Open Source software, available free of charge
* Easy to use graphical interface
* Suitable for use on desktops, servers and gateways
* Enables Internet connection sharing
* Allows you to define both inbound and outbound access policy
* Option to whitelist or blacklist traffic
* Sets up DHCP for a local network
* Real time firewall events view
* View active network connections, including any traffic routed through the firewall
* Advanced Linux kernel tuning features"
"This is a departure from your typical Linux firewall, which has traditionally required arcane implementation specific knowledge."

(It has a nice GUI on this page)^^^
>>>>>>>>>>>>>>
http://trinux.sourceforge.net/
"Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session-hijacking, backup/recovery, computer forensics, intrusion detection, and more. "

It would be great if a lot of these could be included in a puppy distro.

As there are distros that specialize in hardened systems "Secure" Linux Distros>

http://www.linux-sec.net/Distro/#hardened
>>>>>>>>>>>>>
http://www.linux-sec.net/IDS/
Intrusion Detection Systems
>>>>>>>>>>>>>>>

http://www.linuxsecurity.com/content/view/125805/187/
Linux Advisory Watch: November 17th 2006
>>>>>>>>>>>>>
http://www.linux-sec.net/Harden/harden.gwif.html
Hardening and Tightening Security on Your Server/Network
>>>>>>>>>>>>
http://www.linux-sec.net/Firewall/
Linux-Sec.net/Firewall
>>>>>>>>>
http://www.dshield.org/
"Most Attacked Port: 1026"
This would primarily apply to Windows.
MY OPINION>>>>
There is a way to reduce this by configuring rules in your firewall in Windows. Or by simply starting your browser and closing it 6 to 12 times before logging on to the net. As each time you start and close your browser the next time you open the browser it will use the next higher port for starting from, so your loopback is not the standard port of 1026. There is a lot more to write about this...

>>>>>>>>>>>>>>

http://www.linuxsecurity.com/content/view/125793/169/
Virtualization and Security
"Date: 16 November 2006
Security It

marksouth2000
Posts: 622
Joined: Wed 05 Apr 2006, 20:43

#18 Post by marksouth2000 »

I have to confess I just don't get this thread.

Security is a complex issue. People building hardened servers and handling military secrets on laptops have different issues and ways of approach to the problem. There are many distros that cater specifically to them.

Puppy has the goal of being a useful desktop for older machines and of leaving as small a footprint as possible.

The main security issue for Puppy is one of data security, and there are some guys working hard on that in the "encrypted pup_save" thread. Anyone who has security concerns and expertise would be doing best by helping there.

For the sake of accuracy, though, I will point out that Linux has a choice of one firewall. Iptables is part of the kernel. The other stuff is just management software that makes it easier to configure iptables.

Gn2
Posts: 943
Joined: Mon 16 Oct 2006, 05:33
Location: virtual - Veni vidi, nihil est adpulerit

#19 Post by Gn2 »

What is complex - If paranoid:
Pull plug on Web access -
Don't let anyone touch computer - (Esp. owner)
Take up knitting - loop a few loose ends there >
Things still get unravelled

Aside: ~ Military now has new approach - Pre-emptive Defense.

Or run Puppy in Ram, store sv3_fs (when will default Cfg. of file type be expanded) on removable media & relax !

IMHO It isn't security that is greatest danger to :twisted: borking O/System.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#20 Post by PaulBx1 »

Puppy has the goal of being a useful desktop for older machines and of leaving as small a footprint as possible.
That's the starting point, yes. Then everyone and their grandma around here take it and make different flavors of it. :)

I'm glad people are thinking about security, even if others have to roll their eyes. To paraphrase an old saying, "It's better to have security and not need it, than to need it and not have it." Some of us live in budding police states and don't like being under a microscope. I'm encouraged that Britons lately have made a sport of destroying their roadside speeding cameras. 8)

Unless I missed it in this thread, getting a firewall running is as simple as putting this:

Code:

if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi
...inside your /etc/rc.d/rc.local file. Newbies need to be aware of this. Of course that won't be enough for some folks, who will want to fiddle the settings. That's fine, they should do that if they want.

I am in the process of extending kirk's Encrypt_pupsave script. It should be ready for 2.13, and Barry is going to put this encrypted pup_save into that revision if we are ready by then. Another thing that needs to be worked on is encrypting the swap. Currently there is no way to get around that problem except by 1) using a large memory and running without swap, or 2) getting some scrub program loaded to clean it up when you shutdown. Hmm, I wonder if you could just run another loop device for swap, just like we do with the pup_save? That might be an option too.

Let's keep chewing on this, security fans...
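As an added example (not Puppy's own /etc/rc.d/rc.firewall, which is not shown in the thread), a minimal script with the start/stop interface that the rc.local snippet above calls, driving iptables directly since the front-ends mentioned in this thread all end up doing the same. The iptables path and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Puppy's own /etc/rc.d/rc.firewall: a minimal script with
# the start/stop interface rc.local calls above, driving iptables directly
# (the front-ends in this thread do the same underneath). Run as root to
# apply; set DRY_RUN=1 to print the iptables commands instead of applying them.

IPT="${IPT:-iptables}"          # path to the iptables binary (assumption)

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

fw_start() {
    run -F INPUT
    run -P INPUT DROP                 # default deny: anything not listed is dropped
    run -P FORWARD DROP               # this box is not a router
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT      # local X clients still reach *:6000 via loopback
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # log (rate-limited) anything that knocks on the X port from the network
    run -A INPUT -p tcp --dport 6000 -m limit --limit 3/min -j LOG --log-prefix "x11-probe: "
}

fw_stop() {
    run -F INPUT
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    *)       echo "usage: $0 {start|stop|restart}" ;;
esac
```

With the DROP policy in place, the X server's port 6000 stays usable from the machine itself (via lo) but is unreachable from the network, and probes against it show up in the kernel log.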
