Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Sun 29 Mar 2015, 03:44
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Bash "Shell Shock"
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [12 Posts]  
Author Message
Kester

Joined: 25 Sep 2014
Posts: 13

PostPosted: Thu 25 Sep 2014, 15:27    Post subject:  Bash "Shell Shock"
Subject description: Potential security threat - what should home computer users do.?
 

This is my first post after rejoining the forum on the day I read about the Bash problem.

I have a dual boot desktop computer with a frugal installation of Puppy Precise 5.7.1 and XP Pro SP3. I also have a Windows 7 desktop computer which I occasionally boot with a Puppy Slacko 5.7 live DVD (a Puppy save file etc. is stored on the Windows 'C' drive).

Having just read of the potential threats concerning Bash, could the Puppy Linux experts who frequent this forum offer any advice to a relative beginner as to what steps can be taken to alleviate any possible problems.

Thank you.
Back to top
View user's profile Send private message 
Ted Dog


Joined: 13 Sep 2005
Posts: 3058
Location: Heart of Texas

PostPosted: Thu 25 Sep 2014, 15:53    Post subject:  

sadly puppylinux is mostly glued together as root with shellscripts. Some apps are just really complex scripts. But the way the flaw works requires some really old internet methods. which I do not think are used here. Needs fixing and should be easy replacement when its fixed.
Back to top
View user's profile Send private message 
cimarron

Joined: 30 May 2013
Posts: 170

PostPosted: Thu 25 Sep 2014, 15:56    Post subject:  

see this thread:
http://www.murga-linux.com/puppy/viewtopic.php?t=95819
Back to top
View user's profile Send private message 
Smithy


Joined: 12 Dec 2011
Posts: 495

PostPosted: Fri 26 Sep 2014, 02:36    Post subject:  

The BBC News was shrieking that it was a virus.
Shorely shome mistake there.
I heard facebook has been absolutely compromised at server level.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1338

PostPosted: Fri 26 Sep 2014, 04:48    Post subject:  

Don't we already have a simpler shell like ash, which is not vulnerable, in Puppy distributions? Inserting calls to ash in the few places where scripts call programs which directly interpret data from the Internet would provide a tested solution while waiting for tested patches to bash. This reduction in capability of the shell launching Internet programs should not have any adverse effect on the remainder of the system, and offers protection from scripting exploits we haven't even thought about.
Back to top
View user's profile Send private message 
Kester

Joined: 25 Sep 2014
Posts: 13

PostPosted: Sat 27 Sep 2014, 08:41    Post subject: Bash "Shell Shock"  

Hi,

I've followed some of the links provided by posters on this thread, downloaded and installed some recommended packages and tested Bash using the terminal. The results appear to have created a fix for the time being at least.

However, as a typical home PC user who can use the computer but is not necessarily completely au fait with what goes on underneath, I am still a bit apprehensive. I would appreciate advice in simple layman's language as to my best approach to be as secure as possible when using Puppy.

Thanks.
Back to top
View user's profile Send private message 
Moose On The Loose


Joined: 24 Feb 2011
Posts: 572

PostPosted: Wed 01 Oct 2014, 10:05    Post subject: Re: Bash "Shell Shock"  

Kester wrote:

However, as a typical home PC user who can use the computer but is not necessarily completely au fait with what goes on underneath, I am still a bit apprehensive. I would appreciate advice in simple layman's language as to my best approach to be as secure as possible when using Puppy.

Thanks.


If you are not running a web server etc, you don't have to deal with most of the security issues because someone outside your house doesn't really even know there is a computer to be targeted.

If you have a home router, think about its security first. This is what is connected to the outside.

Disable remote administration and use a wired connection for administration.
Change the password, write it down on something.
Enable the routers firewall

On your PC, follow all the usual advice about not going to dodgy web sites.
Back to top
View user's profile Send private message 
sheldonisaac

Joined: 21 Jun 2009
Posts: 469
Location: Philadelphia, PA

PostPosted: Wed 01 Oct 2014, 11:47    Post subject: Re: Bash "Shell Shock"  

parts were snipped
Moose On The Loose wrote:
Kester wrote:
I would appreciate advice in simple layman's language as to my best approach to be as secure as possible when using Puppy.

If you have a home router, think about its security first. This is what is connected to the outside.

Disable remote administration and use a wired connection for administration.
Change the password, write it down on something.
Enable the routers firewall

Finally!!
Thanks a lot, Moose On The Loose!

There are lots of settings in my Actiontec router (from Verizon) that say: Leave this alone unless you know what you're doing; or some such verbiage.
I did check that it was set according to your instructions.

Thanks again,
Sheldon

_________________
Dell E6410: LuPu Super 2 & various Puppys;Dell D610: Windows XP, Puppy Linux 5.2, 'lina-lite;
Intel D865GBF: Windows XP, Puppy Linux 5.2;
Acer Aspire One: Windows XP, Puppy Linux 5.2; ASUS P5A: MS-Windows 98SE, Puppy Linux 2.14X
Back to top
View user's profile Send private message 
Kester

Joined: 25 Sep 2014
Posts: 13

PostPosted: Wed 01 Oct 2014, 14:08    Post subject: Bash "Shell Shock"  

Hi Moose,

Glad you were on the loose so you could offer that useful advice.

I do not use the wireless facility of my ADSL Modem/Router so that part has not been set up and remains 'Off' - my only connections are via wired ethernet links - I don't even have my two desktops networked but transfer files, when necessary, via usb devices. The firewall is set in it's default setting which blocks outside networks accessing my system. I've not reset the password as yet so I will look into that now that I have downloaded the manual for my model (my ISP did not provide one when they replaced my previous defunct non-wifi device). My ISP tells me that firmware is updated automatically from their end and I need do nothing - they assure me that bash patches have been included in the recent firmware updates.

Other than the password issue, which should be resolved shortly, I think my setup meets the standards you advise but please let me know if you think I've missed something.

Thanks for your interest and help, Kester.
Back to top
View user's profile Send private message 
bigpup


Joined: 11 Oct 2009
Posts: 5908
Location: Charleston S.C. USA

PostPosted: Wed 01 Oct 2014, 16:20    Post subject:  

Quote:
If you have a home router, think about its security first. This is what is connected to the outside.

Change the password, write it down on something.

That is the first and most important thing to do.
CHANGE THE PASSWORD!!!!!!!

The easiest way to compromise a system. Use the manufactures password to gain access.
All the manufactures hardware comes setup with a default password that is easy to find. Go to Google search.

Example:
For most NETGEAR devices, except ReadyNAS products and Fully Managed Switches, the following are default the username and password :

Username = admin
Password = password
( For older devices, Password = 1234 )

So, Change The Password when you get the hardware.

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
Back to top
View user's profile Send private message 
Kester

Joined: 25 Sep 2014
Posts: 13

PostPosted: Thu 02 Oct 2014, 04:59    Post subject:  

@bigpup and moose,

Router password changed successfully - thanks for the nudges.

I was surprised that ZyXEL only accepted letters and numerals in the password. My password creation system includes non-numeric/non letter symbols at its higher security level - I had to fall back to a lower security level to get my password to work.

Anyway, all done now, cheers, Kester.
Back to top
View user's profile Send private message 
bark_bark_bark

Joined: 05 Jun 2012
Posts: 1102
Location: USA

PostPosted: Tue 23 Dec 2014, 21:50    Post subject:  

Shellshock Is Still a Risk, Even for Patched Machines

Ionut Ilascu wrote:
Systems that have been immunized against Shellshock are still vulnerable to exploits for this vulnerability in Bash command interpreter, under certain conditions.
The attack would have to be carefully planned and multi-layered, but an experiment carried out by security researchers at Trend Micro shows that it can be done, unless preventative security solutions are in place.

_________________
Intellectual Property isn't Real Property. Smart people know that.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [12 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0785s ][ Queries: 11 (0.0066s) ][ GZIP on ]