firewall useless for puppy

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#61 Post by rcrsn51 »

Bernie_by_the_Sea wrote:Cracking ALL Puppies, not just a specific one, via javascript from a web site, is quite easy for any competent hacker who's interested enough. For Science! I am not about to demonstrate such a hack. This type of cracking can only be prevented by (1) having no javascript or (2) staying off that site.
So just to be clear, that kind of exploit has nothing to do with firewalls? Because that's what we are discussing here.

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#62 Post by Bernie_by_the_Sea »

rcrsn51 wrote:
Bernie_by_the_Sea wrote:Cracking ALL Puppies, not just a specific one, via javascript from a web site, is quite easy for any competent hacker who's interested enough. For Science! I am not about to demonstrate such a hack. This type of cracking can only be prevented by (1) having no javascript or (2) staying off that site.
So just to be clear, that kind of exploit has nothing to do with firewalls? Because that's what we are discussing here.
Correct... except that one way to stay off that site is to block it specifically with a firewall.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#63 Post by rcrsn51 »

Bernie_by_the_Sea wrote:Correct... except that one way to stay off that site is to block it specifically with a firewall.
Gotcha. If I knew in advance that a site had been attacked by some SQL injection technique and its home page was about to hit me with a malicious script, I could update my firewall to block it.

miriam
Posts: 373
Joined: Wed 06 Dec 2006, 23:46
Location: Queensland, Australia

#64 Post by miriam »

I don't see why a number of the people here are annoyed at sickgut for asking this question. It seems quite a reasonable one to me. I've often wondered about it myself and I'm glad to have someone ask it aloud.

That said, I think he may be wrong to think the firewall is unnecessary. I keep the firewall running and block the secureshell port from being accessed from outside my machine. I don't ever access my machine from outside. I guess I could achieve the same result by disabling my secureshell (/usr/bin/ssh) by renaming or deleting it. I also ensure every Puppy I run has its password changed from the default. Can Puppy be logged into from outside on an ordinary insecure shell? I don't know enough to answer, but I'd like to know.

I don't think the only problem is someone cracking your computer simply to do damage inside it. As someone mentioned, much of that problem can be shrugged off by rebooting a live-CD-based system. There is another problem that few people seem to give consideration to: zombies quietly using people's computers for nefarious purposes has become a real problem out there on the net. They use them for denial of service attacks and I think for distributed brute-force login attacks. These attacks don't hurt your computer, but use it for nasty purposes against others.

I've tried learning about iptables and Linux firewalls, but have become confuzzled each time. I'll try again and again until I succeed in understanding. At that point I'll understand whether it really is needed, but at my current state of knowledge I think it might be better to have one than not.

I would be very interested in any demonstration of whether Puppy's firewall makes it more secure or not. Surely someone here can reasonably answer sickgut's question... can't they?

If not, then that is kinda an answer itself isn't it...
A life! Cool! Where can I download one of those from?

tubeguy
Posts: 1320
Joined: Sat 29 Aug 2009, 01:04
Location: Park Ridge IL USA

#65 Post by tubeguy »

Confuzzled is my new favorite word for today. :D
Tahr Pup 6 on desktop, Lucid 3HD on lappie

miriam
Posts: 373
Joined: Wed 06 Dec 2006, 23:46
Location: Queensland, Australia

#66 Post by miriam »

heheheh :) It is a lovely word isn't it... made-up, but nicely evocative of the feeling.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#67 Post by rcrsn51 »

miriam wrote:That said, I think he may be wrong to think the firewall is unnecessary. I keep the firewall running and block the secureshell port from being accessed from outside my machine. I don't ever access my machine from outside. I guess I could achieve the same result by disabling my secureshell (/usr/bin/ssh) by renaming or deleting it. I also ensure every Puppy I run has its password changed from the default. Can Puppy be logged into from outside on an ordinary insecure shell? I don't know enough to answer, but I'd like to know.
The program /usr/bin/ssh is CLIENT software. Renaming or deleting it has zero effect on your security. The secure shell SERVER program isn't in Puppy. If it isn't running, then Port 22 isn't open, so blocking it with the firewall also has zero effect on your security.
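
The point in the post above (a firewall rule on a port changes nothing if no process is listening on it) can be checked by reading the kernel's socket table. The following is an added example, not part of the original thread; the sample table is constructed, the function names are hypothetical, and the address decoding assumes IPv4 on a little-endian (x86) machine.

```shell
#!/bin/sh
# Added example: list TCP listeners from /proc/net/tcp-format input (IPv4).
# SAMPLE is constructed for illustration, not captured from a real machine.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235
   2: 0A01A8C0:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1236'

# Print "PORT SCOPE" for every socket in LISTEN state (st == 0A).
listening_ports() {
    while read -r _ laddr _ state _; do
        [ "$state" = "0A" ] || continue         # skips the header and non-listeners
        addr=${laddr%:*}                        # hex IPv4 as shown on little-endian hosts
        port=$(printf '%d' "0x${laddr#*:}")     # hex port -> decimal
        case "$addr" in
            00000000) scope=all-interfaces ;;   # 0.0.0.0: reachable from the network
            0100007F) scope=loopback-only ;;    # 127.0.0.1: local processes only
            *)        scope=specific-address ;;
        esac
        echo "$port $scope"
    done
}

# Succeed only if PORT has a listener bound to a non-loopback address.
port_exposed() {
    listening_ports | grep -v ' loopback-only$' | grep -q "^$1 "
}

report() {   # usage: report PORT < table
    if port_exposed "$1"; then
        echo "port $1: listener reachable from the network; a firewall rule matters here"
    else
        echo "port $1: no network-reachable listener; inbound connections are refused anyway"
    fi
}

printf '%s\n' "$SAMPLE" | listening_ports
printf '%s\n' "$SAMPLE" | report 22
printf '%s\n' "$SAMPLE" | report 631
# On a live system: listening_ports < /proc/net/tcp
```

In the constructed table nothing listens on port 22, one service listens on port 631 on all interfaces, and one on port 3306 is bound to loopback only; the third row is an established outbound connection and is ignored.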

miriam
Posts: 373
Joined: Wed 06 Dec 2006, 23:46
Location: Queensland, Australia

#68 Post by miriam »

rcrsn51 Thank you. Stupid error on my part. :oops: I should have realised that the server was the important part, and of course it is not running by default.

I guess we still don't have an answer to sickgut's original question.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#69 Post by rcrsn51 »

miriam wrote:I guess we still don't have an answer to sickgut's original question.
On the contrary. I think that sickgut's premise is correct. In fact, one could make the argument that turning on the firewall by default is actually a bad thing because it gives users a false sense of security.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#70 Post by nooby »

rcrsn51 wrote:
miriam wrote:I guess we still don't have an answer to sickgut's original question.
On the contrary. I think that sickgut's premise is correct. In fact, one could make the argument that turning on the firewall by default is actually a bad thing because it gives users a false sense of security.
Now I am not only severely confused but even delightly confuzzled too. :)

But everybody tell us to use a firewall. What am I supposed to do then.

Some tell me to run FireFox as spot and that would give me added security. Is that at least true then?

Re injected codes on sites. BBC and IDG and other reliable? sources says that each week some 100,000 new sites get infected by such and some get cleaned but a lot of private innocent looking sites have webmasters not aware of the problem.

So that is serious as I get it. What one would want is a injection detector program that run in the back ground and that one freeze the download with a warning this site is infected.

Google has such on their search page. It warns rather often.
I use Google Search on Puppy Forum
not an ideal solution though

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#71 Post by Luluc »

nooby wrote:Now I am not only severely confused but even delightly confuzzled too. :)

But everybody tell us to use a firewall. What am I supposed to do then.

Some tell me to run FireFox as spot and that would give me added security. is that at least true then?

Re injected codes on sites. BBC and IDG and other reliable? sources says that each week some 100,000 new sites get infected by such and some get cleaned but a lot of private innocent looking sites have webmasters not aware of the problem.
One thing at a time:

1) Linux firewalls usually protect servers. On a desktop computer, they may not work very well. Someone mentioned Kerio 2.15 for Windows (maybe in another topic, I don't remember). That firewall is excellent for desktops because it lets you block access to all executables in your machine except the ones you want. So if a worm/malware tries to connect to the outside, the firewall blocks it and shows you a warning immediately. And it provides an easy way for you to know where the offending executable is. Also, you can block access to Internet Explorer, because it has always had security issues and, due to the Windows internal structure, IE can be run invisibly. In other words, when you run Windows, IE can be contacting a remote location and sending out data, all invisibly, you don't see the IE window. Kerio fixes that.

No firewall works like that in Linux, and that's because Linux is made for servers, not for desktops. A lot of the transition from server to desktop is still incomplete. And we likely will never have this kind of adequate firewall because Linux is arrogant, iptables is deemed the only good and unbeatable firewall Linux can have, the Linux community won't listen to requests for another firewall in the same way they believe we don't need a defragmentation tool.

2) Running the browser as another user, not root, is a very good measure. We are root in Puppy, we can do anything, that means the applications we run (as root) can also do anything. Firefox running as root can do anything. Infected Firefox running as root can do anything. See the problem? Infected Firefox running as root could attack any file in your computer, and it could turn your computer into a zombie in a DDOS attack. Firefox running as a restricted user can do a lot less damage to your computer or anything.

HTH.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#72 Post by nooby »

Very good explanation. Yes I have noticed the thing about defrag too. :)
I guess one can use Hiren or something like that. I don't want to use MS Windows ever again.

I have to learn Spot then. I hate to start all over again. So steep learning curve. I only risk to hit stumble upon stumble and I create a thread in Beginners and none will answer because very few use Spot and they think the answers are obvious. I would end up feeling worthless and go down the drain in despair something. I fear the worse would happen if I try Spot.

I remember how hopeless it was to get Slax to get an IP table firewall. Search the internet 8 hours a day for several days but found nothing on my low level of getting text. Only texts for the geeks.

Read the manual. But that is written on a level one fail to get.

I should do spot it seems reasonable.

Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#73 Post by Bernie_by_the_Sea »


nooby wrote:But everybody tell us to use a firewall. What am I supposed to do then.
Everybody in the Windows Wide World but not everybody in Linuxville...

DSL doesn’t come with a firewall. You can add one (rc.firewall) via mydsl but you still have to activate it every time you boot up.

The latest Knoppix on CD comes with the firewall off and its firewall is not persistent even with a persistent save file. You have to activate it every time you boot up. (It may be persistent with a full HD install but that’s not how Knoppix is intended to be used.)

After thinking a bit more I guess both of these do have iptables but default to accept all. Of course DSL does come with Dillo as its only browser. :)

The latest Mepis 8.5 does not come with a firewall but in the fine print recommends one:
Although MEPIS Linux does not come with a software firewall preinstalled and configured, it is recommended you use one as a safety precaution.
I ran Mepis about three weeks before I realized it had no firewall. Most of that time I was running as root, logging in as root because su/sudo or giving a password every time I want to do something irritates me.

I see discussions in most distros about the value of firewalls. Here’s one from Ubuntu:
Re: Firewall for Linux
The default install of Ubuntu has no running services that would listen for incoming network connections, so there really isn't anything for a firewall to do. You only need to set up a firewall if you install some server application and want to restrict access to it in a more detailed way than the app's own configuration allows, or if you want to limit what sites the users of your system can access.

But if you still want to set up a firewall, use UFW (Installed by default) or install Gufw if you want a graphical tool.

What comes to antivirus apps, those only scan for Windows viruses. And I don't really think there even is an antispyware app for Linux, I've never heard of an malware for Linux...

I'm not really interested in convincing you to not install any of these things, since it's a topic that has been discussed again and again so many times you should easily find more detailed information about it than anybody cares to type to forum posts any more. I'm just telling you that you don't need any of those programs.
From http://ubuntuforums.org/showpost.php?p= ... ostcount=2
For home users firewalls in Linux seem to be disappearing. Guarddog was abandoned in 2006 and Firestarter has had no development since 2005. The only major active firewall development is in Ubuntu, ufw/gufw, and the 'buntu people are trying to imitate Windows.

In my opinion, running a browser in spot is totally unnecessary but if you want to do it you don't have to know a thing about spot -- just use it.
Frugal: Knoppix 6.4.4 DVD
USB: DSL 4.4.10
Full: WinXP Pro
Puppy (Feb. 4 - May 12, 2011) led me back to Linux.

live
Posts: 223
Joined: Wed 10 Feb 2010, 21:04

#74 Post by live »

>Luluc
Your analysis is very correct, but partial.

Well security is a business : anti-virus, firewall, encryption, etc.

What we wish from a good firewall, for instance, is to be warned if an application is trying to access the web.
Well, it can warn us of a new app, but will NOT warn us of an application which is tunneling via a legitimate application!

"it can warn us of a new app": even that is not bullet proof, years ago I had practical experience with a crafty trojan.

What is definitely more efficient.
1/ To know any running process and know if this is a process you agree on. A keyboard logger is under 50K and uses virtually no RAM & CPU, nothing to compare with today's apps!

2/ Use sandboxing, this is a minimum requirement in a critical environment, Chrome based browsers are the only browsers to offer such a requirement. Last year's attack on Google did really wake them up.

3/ You might want to revert to an old browser.
For instance Opera 3.52 without Java has no implementation of VBScript, ActiveX or Java, all it can execute is HTML 4 & JavaScript 1.x
This is a serious limitation, Firefox lets you turn off such execution, but a security flaw or add-on might turn them on. Here code can't be run by Opera.

>the Linux community won't listen to requests for another firewall in the same way they believe we don't need a defragmentation tool.
We share lived experiences :wink:

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#75 Post by nooby »

Thanks to both of you.

My naive thought. We would need two Devs that know and trust each other and them take turn to try to break into each others gears unless their ISP has monitor about such and shut down their account for doing such.

Ideally both should work at some institution like University and do it from their IT department so they are legally covered in case some over lord is watching.

But that is the only way to solve this for now to get a fair assessment what is Tinfoil thinking and realistic threats.

I am a pessimist. Think of all these people who get money taken from their accounts. The Bank wants to be seen as secure so they keep silent about how often it happens and then tell their customer to keep silent or they take measures against them being too careless by choosing too loose a password or something.

or all the 100,000 of sites that get injection code attacks weekly. Why would they do such if it did not work for them to get money that way?

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#76 Post by Luluc »

nooby wrote:or all the 100,000 of sites that get injection code attacks weekly. Why would they do such if it did not work for them to get money that way?
nooby, have you ever heard about how laws and sausages are made? Web sites are not much better.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#77 Post by nooby »

Yes they say that if the webmasters should use better tools and maybe that is beyond very many that set up such sites. They either use software that is too old or they don't know how to protect it.

But that is not what we talk about now :) I have no say in how they set them up. And I have no way of knowing it is injected either unless Google says so.

What we talk about is if a firewall is useless for puppy and I have no idea if it is or not. It feels better to have it on ;)

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#78 Post by rcrsn51 »

nooby wrote:It feels better to have it on
That's the crucial point of this discussion. Turning on a firewall because it feels better won't stop an attack through your web browser. But turning off your browser's scripting feature will.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#79 Post by nooby »

Yes I do that using Noscript but then Expressen.se and even murga-linux.com have scripts they want to run. :)

So it is not easy at all. A lot of discussion forums have some ten or more scripts they insist one run. They get paid by the ads on the forum and if one shuts them down the editing of posts fails. Same here at Murga forum.

Making a quote fail if I don't allow the script .

Béèm
Posts: 11763
Joined: Wed 22 Nov 2006, 00:47
Location: Brussels IBM Thinkpad R40, 256MB, 20GB, WiFi ipw2100. Frugal Lin'N'Win

#80 Post by Béèm »

nooby, what are the scripts that murga-linux runs?
Time savers:
Find packages in a snap and install using Puppy Package Manager (Menu).
Consult Wikka: http://puppylinux.org/wikka/HomePage
Use peppyy's puppysearch: http://wellminded.com/puppy/pupsearch.html
