miriam wrote: One point I'd like to learn more about is configuring the firewall to deny all programs, except certain ones I trust, access to the net.
Non-Puppy comment: I use free "Zone Alarm" to do this in Windows.
firewall useless for puppy
Firewall blocking what my computer sends.
System Threat
One last thought in this thread for this morning:
It's often not one specific thing (get through my firewall) that creates a threat. Here's an example where individual non-threat pieces built into enough of a threat that I secured my system.
I enabled the Hiawatha web server. Even opened up to respond to all IP addresses (like a honey pot, I was interested who was on the hotel network and would choose to browse into my computer).
Then I enabled the Puppy personal blog. All okay, until I READ the default files served up by the server and the blog. In the blog default post, it gives the password for the "secure" spot account. Well, that file is intended to only be read by the local user at 127.0.0.1. But, by opening my web server up, the blog program now provided that password to everybody.
So, anybody could admin my blog, dump whatever they want there and as a minimum bury my computer in downloaded trash. That will crash any hard drive when it becomes full. Or the database will die first.
So... I went back and turned off the web server. OR, what I could have done is install a firewall so that only packets from within my local network could get to the web server Puppy. In this case, the firewall ~would~ have protected me. That's a pretty tangible example, I think. However, I solved the problem a different way.
However, I still run the Puppy firewall because its overhead is a simple XOR statement against a port or IP number. Takes about a microsecond. I can afford that cost to cover my ~other~ braindead actions such as web serving my own blog post that gives my own password to the world.
increa wrote: In the blog default post, it gives the password for the "secure" spot account. Well, that file is intended to only be read by the local user at 127.0.0.1. But, by opening my web server up, the blog program now provided that password to everybody.
I think that should be brought to Barry K's attention somewhat urgently, as a security bug!
Aitch
About Hiawatha:
I would think that anyone who runs a web server on their local machine would know that it should have a password set before it will start or at least give some warning if a password isn’t set.
I have no experience using the Hiawatha web server in Puppy Linux so I don’t know if it has a default password set up or not. If not then that may be a problem if the user starts it and no warning is given.
After doing research, I have found the solution for the flash cookies. There is actually an extension for Firefox called "Betterprivacy" (essential). It is made specially for deleting super cookies and is very easily customizable. If you're worried about JavaScript then there's "noscript" (nonessential). Another Firefox add-on. Something else you can do is go into your about:config and look for dom.storage.enabled and set the value to false.
I also tried to find warning threads about malware. I searched other big distros like Ubuntu forums, and nothing of course. This is Linux; I don't think the word "malware" exists in Linux yet. You might want to include your sources when you make big claims like that, Bernie.
When HTML5 becomes a standard, then you can ditch Flash.
- Bernie_by_the_Sea
SimpleWater wrote: I also tried to find warning threads about malware. I searched other big distros like Ubuntu forums, and nothing of course. This is Linux; I don't think the word "malware" exists in Linux yet. You might want to include your sources when you make big claims like that, Bernie.
Exactly what “big
Frugal: Knoppix 6.4.4 DVD
USB: DSL 4.4.10
Full: WinXP Pro
Puppy (Feb. 4 - May 12, 2011) led me back to Linux.
rc.firewall built with default config
I tried to mod rc.firewall to pass shieldsup common ports test
But cannot stealth: 135, 139, 445
I probably could find out how via iptables directly but can it be done
via rc.firewall?
with
########################################
# -- Advanced Configuration Options -- #
########################################
# ** DO NOT ** modify anything below unless you know what you are doing!!
# See online documentation at: http://projectfiles.com/firewall/config.html
DENY_OUTBOUND=""
ALLOW_INBOUND=""
BLACKLIST=""
STATIC_INSIDE_OUTSIDE=""
PORT_FORWARDS=""
PORT_FWD_ALL="yes"
PORT_FWD_ROUTED_NETWORKS="yes"
ADDITIONAL_ROUTED_NETWORKS=""
TRUST_ROUTED_NETWORKS="yes"
SHARED_INTERNAL="yes"
FIREWALL_IP=""
TRUST_LOCAL_EXTERNAL_NETWORKS="no"
DMZ_INTERFACES=""
NAT_EXTERNAL="yes"
ADDITIONAL_NAT_INTERFACES=""
IGNORE_INTERFACES=""
LOGGING="no"
REQUIRE_EXTERNAL_CONFIG="no"
############################################
# -- Advanced Firewall Behavior Options -- #
############################################
# The default settings provide the suggested firewall configuration.
NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="no"
DROP_NEW_WITHOUT_SYN="yes"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="yes"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"
###########################################################
# -- Nothing below this point should need modification -- #
###########################################################
# Set version information.
VERSION="2.0rc9"
Scoobs.. adjust these two. If no good, inspect your ISP's configuration page.
Hey, and if not there either, you could always take a look through Arno's.
# The default settings provide the suggested firewall configuration.
NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="yes"
DROP_NEW_WITHOUT_SYN="no"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="no"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<
with your configuration I get even worse results
see below
What do you mean check ISP?
*edit*
tried arnos with exactly the same result
135, 139, 445 closed and not stealthed?
------------------------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2014-07-24 at 10:32:08
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000
0 Ports Open
13 Ports Closed
13 Ports Stealth
---------------------
26 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be CLOSED were: 135, 139, 445, 1002, 1024, 1025,
1026, 1027, 1028, 1029, 1030,
1720, 5000
Other than what is listed above, all ports are STEALTH.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
Last edited by Scooby on Thu 24 Jul 2014, 10:58, edited 1 time in total.
Worse is fine, you go back. I think the difference is in your ISP's configuration page.
For me it's http://192.168.1.1/
Don't you have some type of hw between your box and the internet?
445's Samba, no?
Not knowing what iptables might be missing, try here.
Semme wrote: Worse is fine, you go back.
I like your philosophy
Semme wrote: For me it's http://192.168.1.1/
doesn't respond
Semme wrote: Don't you have some type of hw between your box and the internet?
Nope I have optical fiber connection straight to my wall
will try other stuff, btw with arnos I got the same result
Samba.. Do you share a connection with other computers in your household?
Does *htop* show it as running? Otherwise >> ps -aux
For Arno's >> iptables -L
LOTS rtn'd..
==
Now because of translation, it's better you ask your ISP if such a configuration page exists.
Semme wrote: Samba.. Do you share a connection with other computers in your household?
Nope
Semme wrote: Does *htop* show it as running? Otherwise >> ps -aux
Nope
I tried with a different ISP over wlan with the same config
and now shieldsup showed a different set of ports as closed,
https and ssh, so for sure ISP
I am all right with it now, thanks for your help
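One way to check locally what this exchange concluded, as an added example that is not part of the original thread: capture inbound SYNs while the scan runs and list the scanned ports whose probes never reached the machine. The function names, addresses and capture lines below are constructed for illustration; the input is assumed to be `tcpdump -n` text output for IPv4.

```shell
#!/bin/sh
# Added example. Feed it the text output of something like
#   tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0'
# recorded on the Puppy box while the port scan is running.

# ports_never_seen LOCAL_IP "PORT LIST" < capture
# Prints the scanned ports for which no inbound SYN to LOCAL_IP was captured.
ports_never_seen() {
    awk -v ip="$1" -v want="$2" '
        BEGIN { n = split(want, p, /[ ,]+/) }
        # tcpdump line: TIME IP SRC.SPORT > DST.DPORT: Flags [S], ...
        # Only a pure SYN addressed to our own IP counts as a probe.
        $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 ~ /^\[S\]/ &&
        index($5, ip ".") == 1 {
            d = substr($5, length(ip) + 2)   # text after "IP."
            sub(/:$/, "", d)                 # drop trailing colon
            seen[d] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (p[i] != "" && !(p[i] in seen))
                    out = out (out == "" ? "" : " ") p[i]
            print out
        }'
}

# Constructed capture: probes for 21, 80 and 1002 arrive, 135/139/445 never do.
# The last line is an outbound connection from the host and must be ignored.
sample_capture() {
    cat <<'EOF'
10:32:01.100001 IP 198.51.100.7.40001 > 203.0.113.5.21: Flags [S], seq 1001, win 8192, length 0
10:32:01.100150 IP 198.51.100.7.40002 > 203.0.113.5.80: Flags [S], seq 1002, win 8192, length 0
10:32:01.100300 IP 198.51.100.7.40003 > 203.0.113.5.1002: Flags [S], seq 1003, win 8192, length 0
10:32:01.100420 IP 203.0.113.5.1002 > 198.51.100.7.40003: Flags [R.], seq 0, ack 1004, win 0, length 0
10:32:02.000000 IP 203.0.113.5.51000 > 192.0.2.9.445: Flags [S], seq 2001, win 64240, length 0
EOF
}

sample_capture | ports_never_seen 203.0.113.5 "21 80 135 139 445 1002"
```

tcpdump sees inbound packets before iptables processes them, so a port listed here was answered somewhere upstream and no rc.firewall or iptables setting on the host will change how the scan reports it.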
This older thread seemed to be appropriate, sorry for digging it up.
One of the things I've encountered along the way is the combination of modem/router and ISP before the Firewallstate pup. A recent case occurred for me when ShieldsUp discovered ports 0 and 1 closed rather than stealthed. Of course being two years since last tinkered, I forgot my access PSWD, and had to reset the M/R. So a correct setup reveals that my ISP wants my creds established again. In the meantime I notice that ALL ports are closed except 21, 22, 23, 80, and 443 (stealthed). So my ISP is not a shall we say good neighbor, but does stealth the basic 5 used ports: the other 65530 are closed.
I don't expect too much from M/R manufacturers in terms of help, but I went to mine, and their webpages. Buried in there is the way to stealth "all" ports by using a DMZ and pointing to a particular address. I did this, and not "all" ports were stealthed. It seems 0 and 1 are closed, and the remainder are indeed stealthed according to grc_com. So just a note here that my M/R manufacturer forced me to go on-line with these 65530 ports "closed" to obtain the secret code to get all but two of them stealthed.
That brings me finally to firewallstate in puppy Slacko-5.7 nonpae, and my purpose... Does it stealth ports 1 and 0?
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."