Securing Your Puppy Install

Puppy related raves and general interest that doesn't fit anywhere else
SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

Securing Your Puppy Install

#1 Post by SirDuncan »

With the creation of the new community website, I got a blog. I've never done any blogging before, but I want to do my part to help supply the RSS feed. I'm going to try to make one post a week with some piece of Puppy news, a how to, a review of another distro, a helpful Linux tip, or something like that.

Given that security is a topic that keeps cropping up on the forum, I decided that my first post would be on that. Here is the teaser:
You've all heard that Linux is one of the most secure OSes available, perhaps that is even the reason you came to Puppy, but did you know that there is more you can do to secure yourself? While this may seem overkill to some, others sleep better at night knowing that their system has teeth to go with that bark.
http://www.puppylinux.org/community/blo ... cure-puppy

If anyone thinks I missed something important, let me know. If people find it useful, I will add it to the wiki.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#2 Post by Lobster »

Very conversational and hence easy to read.
You might want to bury the whole computer in a hole.
Sorry me giving advice on spelling :oops:

I would add a pic
(Tom has made it easy to upload a pic from your pc)
click the icon top far right
Maybe an armoured dog or some such . . .

Great first blog entry :)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#3 Post by John Doe »

here is a post with some info on securing a frugal install:

http://www.murga-linux.com/puppy/viewtopic.php?&t=18639

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#4 Post by SirDuncan »

Lobster wrote:Very conversational and hence easy to read.
You might want to bury the whole computer in a hole.
Sorry me giving advice on spelling :oops:
. . .
Great first blog entry :)
I'm glad you like it. Yes, I meant hole. I have no idea where the "w" came from. It seems, though, that someone came through and edited my post for me, because it was gone by the time I read your post (the formatting between paragraphs was gone as well).
John Doe wrote:here is a post with some info on securing a frugal install:
http://www.murga-linux.com/puppy/viewtopic.php?&t=18639
I had not seen your post before. It reminded me of a few things I may need to add, like the save file encryption. If you (or anyone else) have other security tips, I'll be glad to hear them. When I post to the wiki, I'd like to be as comprehensive as possible.

EDIT: It appears that someone did edit my post, because when I tried to update it I got a message saying that it had been edited by another user and that my changes could not be saved. Seems strange that other people can edit my blog and I can't.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

HairyWill
Posts: 2928
Joined: Fri 26 May 2006, 23:29
Location: Southampton, UK

#5 Post by HairyWill »

twas me :oops:
I only wanted to remove the w.
It looks like tinyMCE managed to screw around with the formatting at the same time, that is going to need some investigation.
I did place a comment against my edit but it looks like there is no revision tab so you wouldn't have been able to see it.

I'm learning, must be more careful or leave it alone.

As I said before, nice post.
Will
contribute: community website (http://www.puppylinux.org), screenshots (http://tinyurl.com/6c3nm6), puplets (http://tinyurl.com/6j2gbz), wiki (http://tinyurl.com/57gykn), rss (http://tinyurl.com/5dgr83)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

edited blog

#6 Post by prehistoric »

I'm glad you like it. Yes, I meant hole. I have no idea where the "w" came from. It seems, though, that someone came through and edited my post for me, because it was gone by the time I read your post (the formatting between paragraphs was gone as well)...

EDIT: It appears that someone did edit my post, because when I tried to update it I got a message saying that it had been edited by another user and that my changes could not be saved. Seems strange that other people can edit my blog and I can't.
This must have been one of the several editors. It wasn't me, though I left a comment. It didn't occur to me that I might be able to edit your post. Since we know whom, isn't there some kind of history which would tell who?

As for where the "w" came from, it was the same place the extra "e" came from when I was caught in a lapse of "judgment". Posting on-line exposes you to ruthless critics. It's a puppy-eat-puppy world out there.

You did cause me to wonder if the Universe is a black whole.

Edit: Oops! concurrent posting shows up again.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#7 Post by SirDuncan »

Will,
That's okay, I'm not familiar with the system either. Thanks for correcting my spelling.

Prehistoric,
I replied to your comment on the blog. Have a look.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

disappearing posts

#8 Post by prehistoric »

@SirDuncan,

We have something weird here. I saw your comment on my comment on the blog, came here and saw your post. Next, I try to reproduce the results, even going so far as to add that line in rc.local and rebooting. At this point I'm not getting any change from the command. (BTW: you want to make it clear the "#" is a prompt, not part of the command. If someone copies that and pastes it in, it will become a comment. ) I'll try to set things up again and come back here.

Did you delete your comment?

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

Re: disappearing posts

#9 Post by SirDuncan »

prehistoric wrote:(BTW: you want to make it clear the "#" is a prompt, not part of the command. If someone copies that and pastes it in, it will become a comment. )
Ahh, yes, I had not intended to have '#' on the second mentioning. I did not, however, copy the '#' into rc.d, so the command is not a comment.

How exactly are you connecting to the internet?

If someone else would check port 113 from a new save file and again after securing the system, we could rule out some of the possible factors.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
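The check SirDuncan asks for above (is port 113 open, closed, or silently dropped, before and after securing the system) is what a port scanner reports as open / closed / filtered. The following is an added example, not code from the thread or from Puppy: a small TCP probe that distinguishes the three states the way an outside scanner sees them. The loopback listener and the port numbers it picks are constructed so the example runs offline; the host you actually want to test is an assumption you supply.

```python
import socket
import threading

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port the way an outside scanner would.

    open     - the handshake completes: something is listening.
    closed   - the host answers with a RST: it is up, nothing listens there.
    filtered - no answer before the timeout (or no route): a firewall is
               dropping the packet, or the host is not there at all.
    A box that silently drops unsolicited packets looks "filtered" on every
    port, which is the "hidden" state the thread is aiming for.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except (socket.timeout, OSError):
        # timeout, EHOSTUNREACH, ENETUNREACH: indistinguishable from a drop
        return FILTERED
    finally:
        s.close()


def probe_ports(host, ports, timeout=2.0):
    """Return {port: state} for each port; 113 (ident) is the one asked about."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def start_dummy_listener(host="127.0.0.1"):
    """Listen on an ephemeral loopback port so 'open' can be shown offline.
    Returns (server_socket, port); close the socket to stop it.
    Constructed for the example only, it stands in for a real identd."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Pick a loopback port nothing listens on, by binding and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_dummy_listener()
    closed_port = find_closed_port()
    # On loopback 113 will normally show as "closed" (RST), not "filtered",
    # because the firewall rules apply to the external interface.
    print(probe_ports("127.0.0.1", [open_port, closed_port, 113]))
    srv.close()
```

Run the probe from a host that is outside your router, not from the LAN or the machine itself, otherwise you are measuring the router's policy (or nothing at all), which is the same ambiguity SirDuncan raises about the campus firewall. Two caveats: "filtered" also means "no host there", so a timeout alone does not prove the box is up; and a "closed" 113 is often deliberate rather than a failure, since some mail and IRC servers wait for an ident lookup to be refused before they accept a connection, and a silent drop makes them wait for the full timeout.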

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

ping

#10 Post by prehistoric »

@SirDuncan,

This is being posted from a machine on a direct, Cat-5 cable to a Belkin 54G router which is connected to a cable modem provided by Bright House for Road Runner broadband. (Though the router is commonly called a wireless router, it is, of course, a wired router with a built-in wireless access point. This connection is entirely wired.) My account uses a dynamic IP address.

The behavior described on the laptop, using a wireless connection, also occurs here. More disturbing, when I execute the command it may not have any effect on the results. I'm going to try again.

This is a new frugal install to hard disk of Muppy 008.3c. The save file is only minutes old. The earlier tests were done with "Chihuahua" 3.02 alpha 6 and Puppy 3.01.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

Re: ping

#11 Post by SirDuncan »

Prehistoric,
I assume that you have been using the same connection for all tests, so we can rule out the machine but not your ISP/router/etc. I have also been using the same connection for all of my tests, so we cannot rule out that it is my router/campus firewall/etc.
prehistoric wrote:The behavior described on the laptop, using a wireless connection, also occurs here. More disturbing, when I execute the command it may not have any effect on the results.
If it turns out that it doesn't have any effect, then we can probably blame your ISP/router/etc.

I know that if I run repeated scans on my system, I eventually fail the tests because either my system, or the university firewall, begins probing the scanner. This is probably because the system decides that being scanned that much indicates that the attacker knows the system is there and that it is best to identify the attacker.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

Philh
Posts: 150
Joined: Wed 17 May 2006, 13:26
Location: England

#12 Post by Philh »

To block a response to pings I always do the following
After you have run the Firewall Wizard.
Open rc.firewall in geany, (located in directory /etc/rc.d/)
Find the line
RFC_1122_COMPLIANT="yes"
Change to no
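The edit Philh describes is a one-line change to a shell variable in /etc/rc.d/rc.firewall. As an added example (not code from the thread, the Firewall Wizard, or Puppy), here is a small Python helper that makes that edit safely: it only touches uncommented assignments, keeps the quoting style and any trailing comment, appends the variable if it is missing, and reports which way the setting currently points. The rc.firewall excerpt it runs on is constructed; only the RFC_1122_COMPLIANT variable named in the post is real, and what the real script does with it is whatever Puppy's script does (the post says it controls ping replies).

```python
import re

# Constructed excerpt standing in for /etc/rc.d/rc.firewall. Only the
# RFC_1122_COMPLIANT line is taken from the post; the rest is placeholder.
SAMPLE_RC_FIREWALL = """\
#!/bin/sh
# constructed excerpt, not the real Firewall Wizard output
EXT_IF="eth0"
# Reply to ICMP echo requests (ping) as RFC 1122 expects?
RFC_1122_COMPLIANT="yes"
"""

QUOTE = r"""["']?"""


def _assign_re(name):
    """Match an uncommented shell assignment NAME=value, NAME="value" or
    NAME='value', with optional indent and trailing comment, per line."""
    return re.compile(
        r"^(?P<indent>[ \t]*)" + re.escape(name) +
        r"=(?P<q>" + QUOTE + r")(?P<val>.*?)(?P=q)(?P<rest>[ \t]*(?:#.*)?)$",
        re.M,
    )


def get_shell_var(text, name):
    """Value of the last uncommented assignment to `name`, or None if absent.
    Last wins, because that is what the shell does when it sources the file."""
    m = None
    for m in _assign_re(name).finditer(text):
        pass
    return m.group("val") if m else None


def set_shell_var(text, name, value):
    """Rewrite every uncommented assignment to `name`, keeping indent, quoting
    style and trailing comment. Appends NAME="value" if the variable is absent.
    Commented-out copies (#NAME=...) are left alone, as they should be."""
    rx = _assign_re(name)
    if not rx.search(text):
        sep = "" if (text == "" or text.endswith("\n")) else "\n"
        return text + sep + '%s="%s"\n' % (name, value)

    def repl(m):
        q = m.group("q")
        return "%s%s=%s%s%s%s" % (m.group("indent"), name, q, value, q, m.group("rest"))

    return rx.sub(repl, text)


def disable_ping_reply(text):
    """The edit from the post: RFC_1122_COMPLIANT="yes" -> "no"."""
    return set_shell_var(text, "RFC_1122_COMPLIANT", "no")


def check_ping_setting(text):
    """'replies', 'silent' or 'unset', so a script can audit the file."""
    v = get_shell_var(text, "RFC_1122_COMPLIANT")
    if v is None:
        return "unset"
    return "silent" if v.strip().lower() == "no" else "replies"


if __name__ == "__main__":
    hardened = disable_ping_reply(SAMPLE_RC_FIREWALL)
    print(check_ping_setting(SAMPLE_RC_FIREWALL), "->", check_ping_setting(hardened))
    print(hardened)
```

To use it on the real file, read /etc/rc.d/rc.firewall, pass the text through disable_ping_reply, write it back, and then re-run the firewall script or reboot as prehistoric did, since the script only reads the variable when it starts. Two things to keep in mind when the outside test still says "returns pings": if the tester is on the far side of your router, it is the router's ping policy that answers, not the host's; and if you want the host itself to ignore echo requests regardless of what rc.firewall builds, the kernel has its own knob, net.ipv4.icmp_echo_ignore_all in /proc/sys, which is a separate mechanism from the firewall script and does not persist across a reboot unless you set it from rc.local.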

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

not enough

#13 Post by prehistoric »

@Philh,

I just tried to edit rc.firewall by hand. Then, to make sure the firewall started in a clean environment, I rebooted. The latest test still says it returns pings.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#14 Post by Aitch »

Wow I seem to have found this late in the day, it's full already

@SirDuncan

Very useful, thanks

@Lobster
You might want to bury the whole computer in a hole
Highlighting spellings/typos

Perhaps, in consideration of the forum, this is a perfect opportunity for the inclusion of spellchecker to be added to this excellent work by tombh, lest all the mis-spellings/typos go & ruin it!

Any support for this idea?

Aitch :)
Edit: Now that I have finished reading the thread, sorry, prehistoric for breaking the flow - makes my point look like an aside - purely unintentional I assure you
Ping away, chaps! [& chapesses if any present :lol:]!
or not, as the case may be...

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#15 Post by nipper »

While I do think it is reasonable to block answers to a ping, it only offers the least bit of security-by-obscurity.

Even when your box blocks all response to ping, as soon as you try to surf to a site there is a stream of packets from port 80 (http) of your IP address. No way to hide that or where it's coming from. Few exploits only try pingable ports these days. And, as has been mentioned, occasionally an ISP will drop connection if it doesn't get an answer to a ping from an IP it has assigned (I don't think it's too common).

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#16 Post by SirDuncan »

Any attack that comes from the outside must first know that you are there. If you cannot be pinged, they don't know you are there unless you contact them (like if your browser connects to his server).
nipper wrote:Few exploits only try pingable ports these days.
It is far more common to trick users into infecting themselves, but some of the biggest infections have come from malware that spreads itself by scanning for machines (remember the Blaster worm?). Granted, most of these then use an exploit that requires you to have a particular port open. However, if you need that port open for some reason and don't yet know about the exploit in order to patch it, being hidden can save you.

Also, since Linux is not the target of most Malware at the moment, you are at more danger of being hacked than infected. In order to hack you they must know you are there.

Is your system going to get compromised if you reply to pings? Maybe, maybe not, but it's a simple thing to do that can protect your system.

[Last paragraph snipped for inaccuracy.]
Last edited by SirDuncan on Mon 26 May 2008, 15:19, edited 1 time in total.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#17 Post by nipper »

Gosh SirDuncan, are you sure about that?

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#18 Post by SirDuncan »

Ahh, actually, you are right about port 80. The university is just doing it differently, and I assumed that was the norm. In fact, I have a paper sitting in front of me that says so, but my internet research indicates that is wrong. That will teach me to listen to professors. My faux pas.

I will edit my original post so as not to confuse anyone reading this thread.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#19 Post by nipper »

SirDuncan wrote:Ahh, actually, you are right about port 80.
If you would care to read further about it there is this (but it's pretty dry reading): RFC 2068 - Hypertext Transfer Protocol -- HTTP/1.1.

Since you have found out that part of what I wrote was correct, I hope you will reconsider the rest of what I wrote. If it was the same professor who told you that hiding from ping sweeps will give you any significant measure of protection from cracking, be suspect.

As soon as you make a request your IP address is active and thus it is known you are there. For what it's worth, I too disable ping acknowledgements, as security is like the layers of an onion, but I do not feel any false security by doing so.

One thing I have noticed in my logs lately is that there seems to be an increased number of TCP hits to port 22 (ssh). Something like that is of more interest to me than UDP hits to those low numbered 10xx ports, some of those are probably artifacts of dropped previous connections.
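nipper's observation above comes from reading firewall logs: counting which destination ports are being hit and which sources keep coming back. As an added example (not from the thread or from Puppy's firewall script), here is a parser for the KEY=VALUE lines that the iptables LOG target writes through syslog, with a summary by protocol and port and a threshold for repeat offenders on a given port. The log lines are constructed for the example (the addresses are from the RFC 5737 documentation ranges), and whether your own rc.firewall logs anything at all depends on how it was generated, so that is an assumption.

```python
import re
from collections import Counter

# Constructed iptables LOG lines in syslog format. Not real traffic: the
# addresses are documentation ranges (TEST-NET-1/2/3) and never route.
SAMPLE_LOG = """\
May 24 03:11:02 puppypc kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51020 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:11:05 puppypc kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51021 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:11:09 puppypc kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:11:14 puppypc kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:20:41 puppypc kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4433 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May 24 03:22:10 puppypc kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.168.1.5 LEN=73 TOS=0x00 PREC=0x00 TTL=55 ID=12345 PROTO=UDP SPT=53 DPT=1026
May 24 03:22:11 puppypc kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.168.1.5 LEN=81 TOS=0x00 PREC=0x00 TTL=55 ID=12346 PROTO=UDP SPT=53 DPT=1027
May 24 03:25:00 puppypc kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51100 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:26:00 puppypc kernel: eth0: link up
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_log_line(line):
    """One LOG line -> dict of its KEY=VALUE fields plus 'timestamp' and
    'flags'. Returns None for kernel lines that are not firewall records."""
    if "PROTO=" not in line:
        return None
    rec = dict(KV.findall(line))
    rec["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss"
    rec["flags"] = set(TCP_FLAGS.findall(line))
    return rec


def parse_log(text):
    """All firewall records in a log, non-firewall lines skipped."""
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def hits_by_port(records):
    """Counter keyed by (PROTO, DPT): what is being knocked on, how often."""
    return Counter((r["PROTO"], int(r["DPT"])) for r in records if "DPT" in r)


def sources_hitting_port(records, proto, port, min_hits=3):
    """Sources that hit proto/port at least min_hits times, sorted.
    With proto='TCP', port=22 this is the crude SSH-scanner list."""
    c = Counter(r["SRC"] for r in records
                if r.get("PROTO") == proto and r.get("DPT") == str(port))
    return sorted(src for src, n in c.items() if n >= min_hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, port), n in hits_by_port(recs).most_common():
        print("%-4s %5d  %d hits" % (proto, port, n))
    print("repeat SSH sources:", sources_hitting_port(recs, "TCP", 22))
```

Point it at /var/log/messages (or wherever your syslog goes) and the two things worth looking at are exactly the ones nipper distinguishes: repeated TCP SYNs to 22 from the same source, which is somebody working through an address list, versus scattered UDP to ports just above 1024 from source port 53, which is consistent with DNS replies arriving after the socket that asked for them has gone away. The parser keeps the raw fields, so adding another question (by source, by hour, by interface) is a one-line Counter over the records.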

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#20 Post by Aitch »

nipper wrote:......that there seems to be an increased number of TCP hits to port 22 (ssh).
more effects of the debian/ubuntu ssh fiasco, I suspect

In case you missed it

http://www.murga-linux.com/puppy/viewto ... dae7d41946

Aitch
