[ale] firewalls on cd (was [ale] unidentified processes)

John Wells jbwellsiv at yahoo.com
Tue Dec 18 16:18:40 EST 2001


Dow,

Thanks for your reply, and to everyone who has helped
on my first iptables outing.

Running a bootable CD sounds like a great idea...and
there seem to be quite a few options out there.  Does
anyone have recommendations on which to use?  I've run
across Sentry Firewall CD...what others are available?

Thanks,
John


--- Dow Hurst <dhurst at kennesaw.edu> wrote:
> John,
> Even though James's email is funny, he is absolutely correct in the
> approach.  The portmapper and rpc.statd are RPC-based processes, along
> with NFS and NIS (RPC traditionally uses UDP instead of TCP
> connections).  The portmapper advertises what RPC services are
> available on particular ports to remote requests.  rpc.statd lets
> remote applications and remote machines "know" what the status of the
> local machine or application that is RPC enabled is.  Both services
> are easily spoofed and cracked, and known cracks are available for
> both.  Since you have had those running, as well as ftpd, you should
> reload from scratch and choose to format your partitions too.  This is
> faster and less prone to mistakes than working through proving the
> machine is clean.  (Even though that would be very educational!)  No
> service should be run directly on a firewall machine that doesn't have
> to be.  That is why it is recommended that you have a server inside
> your network for services like Samba, NFS, and AppleTalk and not
> combine your firewall server with that machine.  Running your firewall
> from a CD filesystem is a beautiful suggestion.  Your cracker is
> limited even more by not being able to change the read-only system.  I
> need to look into that!
> 
> One major difficulty in setting up a firewall for people not intimate
> with Linux, or any OS that is used, is that default choices during
> install can leave you quite vulnerable and you're not even aware of it
> 'til you learn more.  Use "netstat -an" to prove that you have *only*
> sshd advertising a service on port 22 before you hook back up to the
> Internet.  You don't even have to have that, except it is convenient
> and secure for remote admin.
> 
> Here is an excerpt from an email Bob sent me just the other day:
> "Btw, we just put up the first of 4 firewalls at this client (in
> Europe).  It took only one hour and 34 minutes for someone to discover
> it and start breaking into it.  Within 20 minutes after that, a second
> cracker joined in."
> 
> So you see it doesn't take long for a scan to find you and start to
> reveal possible entry points.  I would just reload to be on the safe
> side.  With more experience and a good "dd" backup, you can quickly
> identify differences in a file system to see if you're hacked.  At my
> workplace, we have been recovering from several crackers for the past
> year.  In Nov. 2000 we had the telnetd hole exploited on most of our
> SGIs.  We don't have much manpower to rebuild systems and keep our
> work moving along, so it has taken all year to work on rebuilding
> machines.  Hope this helps,
> Dow
> 
> 
> John Wells wrote:
> > 
> > In addition to ftp and ssh, I have two processes running on ports
> > 111 and 1024.  They both seem to work with rpc, and are the
> > portmapper and rpc.statd respectively.
> > 
> > Can I disable these processes without any effect on my system?  If
> > so, I assume I just remove the links to the startup scripts from my
> > runlevel's startup directory.
> > 
> > Also, how insecure is it to run ftp on my router/firewall box?
> > 
> > Thanks,
> > John
> > 
> 
> -- 
> __________________________________________________________
> Dow Hurst                   Office: 770-499-3428
> Systems Support Specialist  Fax:    770-423-6744
> 1000 Chastain Rd.
> Chemistry Department SC428 
> Email:dhurst at kennesaw.edu
> Kennesaw State University        
> Dow.Hurst at mindspring.com
> Kennesaw, GA 30144
> *********************************
> *Computational Chemistry is fun!*
> *********************************
> 

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
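Added example (not part of the thread, and not Dow's or John's code): a POSIX shell check that does what Dow suggests with "netstat -an", parsing the output and listing every listening socket that is not on an allowlist. The function name, the "proto/port" allowlist format and the sample netstat output are this example's own; the sample is constructed to look like the box John describes (portmapper on 111, rpc.statd on 1024, ftpd on 21, sshd on 22), with one established ssh session and a UNIX socket included to show they are not flagged.

```sh
#!/bin/sh
# Audit `netstat -an` output for listening sockets that are not on an
# allowlist.  Added example; the function name, the "proto/port" allowlist
# format and the sample output below are this example's own conventions.
#
# Usage on a live box:  netstat -an | audit_listeners "tcp/22"
# Prints one "proto/port" per unexpected listener and exits 1 if any exist.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP: only sockets in LISTEN state accept new connections
        $1 ~ /^tcp/ && $NF == "LISTEN" { open = 1 }
        # UDP has no LISTEN state: a bound socket whose peer is "*" is open
        $1 ~ /^udp/ && $5 ~ /:\*$/      { open = 1 }
        open {
            proto = substr($1, 1, 3)          # "tcp6"/"udp6" fold into tcp/udp
            port = $4; sub(/.*:/, "", port)   # works for 0.0.0.0:111 and :::111
            key = proto "/" port
            if (!(key in ok)) { print key; bad = 1 }
            open = 0
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample, shaped like `netstat -an` on the box described in the
# thread: portmapper on 111, rpc.statd on 1024, ftpd on 21, sshd on 22, plus
# one established ssh session and a UNIX socket (neither is a network listener).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.50:41234      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:1024            0.0.0.0:*
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     1234   /dev/log'

if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "tcp/22"; then
    echo "only the allowed listeners are present"
else
    echo "unexpected listeners listed above; disable them before reconnecting"
fi
```

On the constructed sample the check reports tcp/111, tcp/1024, tcp/21, udp/111 and udp/1024 and exits 1; the established session on port 22 and the UNIX socket are ignored. UDP is handled separately because netstat never shows a LISTEN state for it, which is exactly how an open portmapper (UDP 111) slips past a check that greps only for LISTEN.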

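A second added example, also not from the thread: a shell baseline-and-compare for the "good dd backup ... identify differences in a file system" idea Dow mentions. It substitutes a sha256sum manifest of the tree for the raw dd image (an assumption of this example, not Dow's method; a dd image would be mounted read-only and walked the same way), and the demo tree, file names and tampering it performs are constructed for illustration. It assumes GNU or busybox coreutils (find, sort, sha256sum, awk, mktemp).

```sh
#!/bin/sh
# Baseline-and-compare integrity check for a directory tree.  Added example;
# it uses a sha256sum manifest rather than the raw "dd" image Dow mentions
# (a dd image would be mounted read-only and walked the same way).  Assumes
# GNU/busybox coreutils: find, sort, sha256sum, awk, mktemp.

# Print "hash  ./path" for every regular file below $1, sorted by path.
# Run this once while the box is known clean and keep the output off-box.
make_manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done )
}

# Compare baseline manifest $1 with current manifest $2.  Prints one line per
# difference (ADDED/REMOVED/CHANGED <path>) and exits 1 if there is any.
# The two arguments must be distinct files.
compare_manifest() {
    awk '
        # sha256sum lines are "<hash><two spaces><path>"; keep paths with spaces intact
        function path(line) { sub(/^[^ ]+  /, "", line); return line }
        FILENAME == ARGV[1] { old[path($0)] = $1; next }
        { new[path($0)] = $1 }
        END {
            for (p in new) if (!(p in old))                    { print "ADDED " p;   d = 1 }
            for (p in old) if (!(p in new))                    { print "REMOVED " p; d = 1 }
            for (p in old) if ((p in new) && old[p] != new[p]) { print "CHANGED " p; d = 1 }
            exit (d ? 1 : 0)
        }' "$1" "$2"
}

# Stand-alone demonstration on a constructed throwaway tree: take a baseline,
# simulate an intruder editing sshd_config and dropping ld.so.preload, compare.
demo_tamper() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/etc/passwd"
    printf 'Port 22\n' > "$tmp/etc/sshd_config"
    make_manifest "$tmp" > "$tmp.base"
    printf 'Port 2222\n' > "$tmp/etc/sshd_config"        # modified file
    printf '/lib/evil.so\n' > "$tmp/etc/ld.so.preload"    # dropped file
    make_manifest "$tmp" > "$tmp.cur"
    if compare_manifest "$tmp.base" "$tmp.cur"; then rc=0; else rc=1; fi
    rm -rf "$tmp" "$tmp.base" "$tmp.cur"
    return $rc
}

demo_tamper || echo "tree differs from baseline"
```

The demo reports "CHANGED ./etc/sshd_config" and "ADDED ./etc/ld.so.preload" and leaves the untouched passwd file out of the report. The baseline manifest only proves anything if it was taken before the box was exposed and stored somewhere the intruder cannot reach, which is the same reason Dow's read-only CD firewall is attractive.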