Would a firewall prevent Sasser worm?

[Guest]

Archived from groups: comp.security.firewalls (More info?)

In article <ib1g90t8b2ss2bupq09aukvbervjchlvjt@4ax.com>, steevo@my-
deja.com says...
> http://www.senderbase.org/ calculates comcast.net / attbi.com is
> spewing over 1.5 billion e-mails per day, from 45889 hosts of
> which only a handful are legitimate mail relays.

Legit relays require authentication or they are "open" relays and are
not really legit then.

> Are most of those machines trojaned? Being abused by spammers?
> Yes, and if those users had even a $20 NAT firewall this would be
> less, lots less. Would it be eliminated by a NAT firewall? No. But
> it would be a fraction of what it is now.

It doesn't even cost $20, most vendors (ISP's) cable/dsl modem devices
can provide NAT, nothing to purchase - they won't do it because they
don't want too.

Would it eliminate open relays and worms - yes. If you don't port
forward to an infected machine it can't be used as a relay.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley <pmakley@mail.com> wrote:

>If I had a firewall would that prevent the Sasser worm infecting my
>PC?
>
>I mean, if another infected system cannot see my ports because they
>are stealthed then presumably Sasser could not infect me?

Yes. Provided the ports in question are closed, a firewall will prevent
infection.

---
LAWYER, n. One skilled in circumvention of the law.

- Ambrose Bierce

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

On Tue, 04 May 2004 18:11:22 GMT, Leythos <void@nowhere.com> wrote:

>I put this back on the ISP's - they provide a open connection and don't
>warn the unsuspecting public about the risk/problems. If they just
>enabled NAT by default on their routers (DSL or Cable) most of this
>problem would go away.

The problem will not go away.
Look at my case. My ISP (FastWeb in Itay) has implemented a somewhat
weird solution: I am connected to their router which has NAT enabled.
This it is not a safety choice but a must since behind their router
they use IPs not allocated by APNIC
This looks at first sight a safe approach.
However if i look at the log of MY own hardware router is full of
attempts to reach port 135, 136, 137, 138, 139, 445, etc.
They are from other users like me which are behind the same ISP
router and are all scanning in the range of IPs assigned by the ISP's
DHCP.
Most of this guys are infected by warms, virus, etc. , but they don't
know it. All is needed is one infected computer behind the ISP router
and it will spread the problem pretty fast.

While writing I am checking my router log. Between 21:31 and 21:37 I
see the following attempts (in sequence) : port 445, 135, 445, 135,
445, 445. Roughly one a minute.

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

Micheal Robert Zium wrote:

> Lars M. Hansen wrote:
>
>
>>"Vulnerable by default"? What the F*** does that mean? Does that mean
>>when the next vulnerability for linux are discovered, the Microsoft camp
>>can claim that linux are "vulnerable by default"?
>
>
> Gosh, I can't remember the last remote vulnerability for Linux. Can
> you? I've been swept away by the flood of Winders vulnerabilities.
> Linux would really have to get on the ball if it's going to catch the
> MotherShip.
>

I truly am surprised as well. I just recently re-installed Windows XP
on this machine. Not thinking at all, I never unplugged my internet
modem. By the time I installed avast! anti-virus (approximately 30
minutes after installing Windows), it was reporting an infection. I
installed the BlackICE defender to prevent further infection and removed
the worm, so it's clear now, but it spread at an alarming rate. I was
rather interested however at the fact that it has fairly slow self
prorogation. It took so long for it to create copies of itself. Are
there any destructive actions taken by the worm other than spreading
itself? I'm curious to learn...

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

"Lars M. Hansen" wrote:
>
> On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh
>
> >In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:

> >> Why is port 445 open on his system in the first place?
> >
> >Becouse microsoft has it enabled and vulnerable by default.
>
> "Vulnerable by default"? What the F*** does that mean?

A default environment is one which is in effect if no substitute is
explicitly selected. Vulnerability means the presence of a weakness which is
exposed to attack. I'm leaving it to you to combine these definitions.

F***s set.

Thor

--
http://thorweb.anta.net/ IRCnet #areena

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

"Bill Unruh" <unruh@string.physics.ubc.ca> wrote in message
news:c78mat$4ps$1@string.physics.ubc.ca...
>
> ?? Again, why is port 445 open anyway? You advocate that the user gets
a
> firewall. Surely it would be easier just to close port 445 or any
ports
> not absolutely needed than it would be to get and properly set up a
> firewall. Or are you saying it is impossible to close many ports on a
> Win machine?
> This is like an exchange "I've got some dirt on my face" "Buy a
skimask so people
> cannot see the dirt". Why not just wash? If you cannot wash for some
> reason then maybe a skimask would be an option, but surely advocating
it
> as the first thing to do is silly.
>
> "Close all ports that you do not absolutely need on your machine"
> should surely be the first bit of advice. Then after you have done
that
> also install a firewall for that extra bit of protection.
>

I think it's because the OS is used by both home users and by business
users.

For a home user the ports are of no value, but for a business user the
ports are often required for communication within the LAN where the
system resides.

Obviously with the OS being used by both types of users. I think it's
believed to be easier to ship with the ports open and utilize a firewall
at the perimeter as opposed to shipping with the ports closed which no
doubt results in a deluge of phone calls asking how to open the ports to
allow network communication to occur.

Just my .02

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Lars M. Hansen <badnews@hansenonline.net> wrote:
> On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh

>>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>>> Lars M. Hansen <badnews@hansenonline.net> writes:
>>
>>> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>>
>>> ]>If I had a firewall would that prevent the Sasser worm infecting my
>>> ]>PC?
>>> ]>
>>> ]>I mean, if another infected system cannot see my ports because they
>>> ]>are stealthed then presumably Sasser could not infect me?
>>
>>> ]Yes, any firewall that blocks incoming port 445 will prevent infection
>>> ]by the Sasser worm.
>>
>>> Why is port 445 open on his system in the first place?
>>
>>Becouse microsoft has it enabled and vulnerable by default.

> "Vulnerable by default"? What the F*** does that mean? Does that mean

It means the ordinary thing "Its enabled by your vendor, who in their infinite
wizdom thinks that this port should be left open".

The opposit is examplified with FreeBSD that has zero externally reachable
ports outside the box after a "default install" ( default install
is defined as one where all suggestions is accepoted without changes)


> when the next vulnerability for linux are discovered, the Microsoft camp
> can claim that linux are "vulnerable by default"?

You should think before writing.

> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Lars M. Hansen <badnews@hansenonline.net> wrote:
> On 4 May 2004 17:02:25 -0500, Micheal Robert Zium spoketh

>>Lars M. Hansen wrote:
>>
>>>"Vulnerable by default"? What the F*** does that mean? Does that mean
>>>when the next vulnerability for linux are discovered, the Microsoft camp
>>>can claim that linux are "vulnerable by default"?
>>
>>Gosh, I can't remember the last remote vulnerability for Linux. Can
>>you? I've been swept away by the flood of Winders vulnerabilities.
>>Linux would really have to get on the ball if it's going to catch the
>>MotherShip.

> No, the last remote access vulnerability I recall was some SSH related
> issue about a year ago.

> The reason I had an issue with the statement was that it sounded like
> Microsoft intentionally left something vulnerable in their OS, which is
> preposterous.

Still it's true. Winessed bu a million infected hosts today, all infected
by the same sasser

> I consider every computer vulnerable after the initial OS installation,
> regardless of OS. Its only after patches have been applied and services
> properly configured (or removed as the case may be) that the computer
> becomes less of a security risk. Unfortunately, unless programmers
> become perfect, we'll always have imperfect software. Windows have had a
> couple of big issues in the past few months (DCOM and now LSASS), and
> unfortunately, people are not good at patching their computer.

The above is correct if the only OS tried is windows. If you ever tried
anything else you might experience that there exists thinks like secure
OS designed to be as safe as possible even in in-experienced users hands.

The fact that "proffessional admins" has been running on MS-classes and
has their machines infected while Linux admins is self-educated and has
no such infectiions might give you a clue ?

> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

On Wed, 5 May 2004 06:13:22 +0000 (UTC), phn@icke-reklam.ipsec.nu
spoketh


>
>> I consider every computer vulnerable after the initial OS installation,
>> regardless of OS. Its only after patches have been applied and services
>> properly configured (or removed as the case may be) that the computer
>> becomes less of a security risk. Unfortunately, unless programmers
>> become perfect, we'll always have imperfect software. Windows have had a
>> couple of big issues in the past few months (DCOM and now LSASS), and
>> unfortunately, people are not good at patching their computer.
>
>The above is correct if the only OS tried is windows. If you ever tried
>anything else you might experience that there exists thinks like secure
>OS designed to be as safe as possible even in in-experienced users hands.
>
>The fact that "proffessional admins" has been running on MS-classes and
>has their machines infected while Linux admins is self-educated and has
>no such infectiions might give you a clue ?
>

I don't think you have any idea what I have tried and what I have not
tried. I have installed several systems with Linux, and many installs
all sorts of junk that you cannot easily get rid of without spending
hours resolving package interdependencies. It is virtually impossible
today to install RH8 or RH9 KDE or Gnome and without sun-rpc, because
there are so many gnome packages dependent on sun-rpc.

As for the professionalism of admins; I've never had an outbreak on my
network. One computer once did get a virus, but since we weren't using
Outlook at the time, the virus was contained. Funny how the
"professional linux admin" in our sister organization had to deal with a
couple of hacked mail servers ...

Applying your logic now, it looks like Windows admins are good, and
linux admins are bad. So, just because some percentage of Windows admins
haven't been doing a good job at something, that doesn't make all of
them bad, and equally, just because some linux admins are very good at
what they do, there's still some idiots out there that have no idea how
to secure they computers...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In article <c7a0m2$bgg$5@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
says...
> The fact that "proffessional admins" has been running on MS-classes and
> has their machines infected while Linux admins is self-educated and has
> no such infectiions might give you a clue ?

With the exception of BSD (possibly) every version of a home install of
Linux has flaws that requires the user to update/patch in order to
secure their system. The only difference between Linux and Windows is
the number installed systems and the fact that more users of Linux based
systems have some technical understanding than those of the Windows
platform.

Imagine installing RH 9, doing a full install, and putting that system
on the net, it would be compromised in short too.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In article <c7a0m2$bgg$5@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
says...
> The fact that "proffessional admins" has been running on MS-classes and
> has their machines infected while Linux admins is self-educated and has
> no such infectiions might give you a clue ?

This is to wrong - I experience with Fortune 100 companies which have
their entire web presence based on the MS IIS platform and have never
been hacked. I've managed over 100 sites personally that run on IIS
(since version 4) that were never compromised.

Both platforms are easy to secure if you have taken the time to
understand the security issues, taken the time to secure them, and
understand more than you can read in some classroom book.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

Lars M. Hansen wrote:
> On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh
>
>
>>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>>
>>>Lars M. Hansen <badnews@hansenonline.net> writes:
>>
>>>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>>
>>>]>If I had a firewall would that prevent the Sasser worm infecting my
>>>]>PC?
>>>]>
>>>]>I mean, if another infected system cannot see my ports because they
>>>]>are stealthed then presumably Sasser could not infect me?
>>
>>>]Yes, any firewall that blocks incoming port 445 will prevent infection
>>>]by the Sasser worm.
>>
>>>Why is port 445 open on his system in the first place?
>>
>>Becouse microsoft has it enabled and vulnerable by default.
>
>
> "Vulnerable by default"? What the F*** does that mean? Does that mean
> when the next vulnerability for linux are discovered, the Microsoft camp
> can claim that linux are "vulnerable by default"?
>

They will no doubt be stupid enough to do that, although it will most likely
be totally unjustified.

If some misguided distro. builder includes a package which by default was
enabled and had a vulnerability in it then that distro only would be
vulnerable, not "Linux".

The vast majority of sensible Linux distros. these days enable no network
services which might be attacked when the system is first installed, and the
better ones install a firewall with a high security setting. Often the
default is to allow no incoming connections. If you need network connections
you have to read up on how to enable them, and hopefully at the same time
you will read what that implies in terms of security.

The problem with Windows is that Microsoft put user convenience before user
security. Therefore, far too many network ports are open by default. The
general user probably has no conception of what a network port is never mind
what exploit it might be used for and how to close it.

Thankfully, it seems that MS are beginning to see the light, and SP2 should
have a much better firewall, enabled by default. Although, I have no doubt
that this will end up putting them back in court as the vendors of
firewalling products file anti-trust suits against them...

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

Lars M. Hansen wrote:
> On Wed, 5 May 2004 06:13:22 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh
>
>
>
>>>I consider every computer vulnerable after the initial OS installation,
>>>regardless of OS. Its only after patches have been applied and services
>>>properly configured (or removed as the case may be) that the computer
>>>becomes less of a security risk. Unfortunately, unless programmers
>>>become perfect, we'll always have imperfect software. Windows have had a
>>>couple of big issues in the past few months (DCOM and now LSASS), and
>>>unfortunately, people are not good at patching their computer.
>>
>>The above is correct if the only OS tried is windows. If you ever tried
>>anything else you might experience that there exists thinks like secure
>>OS designed to be as safe as possible even in in-experienced users hands.
>>
>>The fact that "proffessional admins" has been running on MS-classes and
>>has their machines infected while Linux admins is self-educated and has
>>no such infectiions might give you a clue ?
>>
>
>
> I don't think you have any idea what I have tried and what I have not
> tried. I have installed several systems with Linux, and many installs
> all sorts of junk that you cannot easily get rid of without spending
> hours resolving package interdependencies. It is virtually impossible
> today to install RH8 or RH9 KDE or Gnome and without sun-rpc, because
> there are so many gnome packages dependent on sun-rpc.
>

There is no sun-rpc package in RH8 or RH9· Are you sure you've really
installed them?

If you actually meant the portmap package then that is only required by fam.
Since fam is monitoring local filesystems there is no need to open port 111
to anything other than the loopback interface. No vulnerability whatsoever.

You should not equate Linux with Windows. Just because RPC on Windows is a
security hole does not mean that RPC in Linux is also.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh

>
>There is no sun-rpc package in RH8 or RH9· Are you sure you've really
>installed them?
>
>If you actually meant the portmap package then that is only required by fam.
>Since fam is monitoring local filesystems there is no need to open port 111
>to anything other than the loopback interface. No vulnerability whatsoever.
>
>You should not equate Linux with Windows. Just because RPC on Windows is a
>security hole does not mean that RPC in Linux is also.

Cut from my /etc/services file on my RH8 box:

sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

You were saying?

As for RPC being an issue on Linux, well, there may not be any known
issues at this time, but there has been in the past, and who knows
what's around the corner...


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Leythos <void@nowhere.com> wrote:

> Imagine installing RH 9, doing a full install, and putting that system
> on the net, it would be compromised in short too.

If you use the default firewall settings, the probability of it
getting compromised is pretty much zero. It will only get insecure as
people specifically add additional things to the install, and
customize the configuration in insecure ways.

On the other hand, if you do a Windows 2000 Server default install,
you're open to an untold number of vulnerabilities. Setting up
honeypots, I have never had a W2K server (default install) go longer
than 12 hours without being compromised. Maybe that's not a fair
statistic, since the default W2K server installs a buggy IIS, which is
exploited by zillions of script-kiddie tools, but the fact remains:
*default* W2K installs tend to be insecure, and *default* RH9 installs
tend to be (more) secure. You have to muck with a RH9 box to make it
insecure, and you have to muck with a W2K box to make it secure.

Things may have changed since the Windows 2000 days -- I've honestly
never worked on a Windows XP system, so don't know if they're better.
However, the prevalence of Sasser, and the fact that a reasonable
default software firewall setting would have prevented this (the
default ruleset of the RH9 firewall would have prevented Sasser, even
if the underlying service were there), makes me think it's not a whole
lot better.

--

That's News To Me!
newstome@comcast.net

 

[obiwan]

Archived from groups: comp.security.firewalls (More info?)

> Cut from my /etc/services file on my RH8 box:
>
> sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
> sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
>
> You were saying?
>
> As for RPC being an issue on Linux, well, there may not be any known
> issues at this time, but there has been in the past, and who knows
> what's around the corner...

Yes, the real problem is that although there have been many
hacks/exploits against *nix boxes, not everything was "tested
and explored" so it's possible that there are undiscovered
holes in *nix which may be exploited, also, from some stuff I
was reading time ago, many folks working on *nix in the IT
industry fear that we'll probably see a bunch of *nix "viruses"
in the next months due to the wider diffusion of Linux desktops
and to the fact that some distros have a loose security .. just
to ease the initial impact with the O/S ... 😛

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b01a88a95d1538b98a4ce@news-server.columbus.rr.com...
> In article <c78mat$4ps$1@string.physics.ubc.ca>,
> unruh@string.physics.ubc.ca says...
> > "Close all ports that you do not absolutely need on your machine"
> > should surely be the first bit of advice. Then after you have done that
> > also install a firewall for that extra bit of protection.
>
> The problem is that most people don't have a clue as to how to close
> ports, setup IPSec rules, etc... Most people don't even know to enable
> the ICF on their machines.
>
> The best thing people can do is purchase a cheap router with NAT and use
> it from the moment they get their computer. This lets them download the
> updates, install and update the AV software, etc... before they have a
> chance to get hacked.
>
> I put this back on the ISP's - they provide a open connection and don't
> warn the unsuspecting public about the risk/problems. If they just
> enabled NAT by default on their routers (DSL or Cable) most of this
> problem would go away.

NAT by itself doesn't do much for you - because safety depends on who is on
your side of the router.

In a SOHO environment then NAT is pretty damn good - because you know all
the people behind the NAT router and you don't expect them to hack you
(although one PC with a worm behind your NAT router can gut all the other
local PCs). Safest is one PC behind a NAT router - nobody else to compromise
you.

If an ISP has a NAT router then (unless I am missing something) all the
other customers (at least those served by your particular router) will also
be your side of the router, and able to port scan you anytime they want.

I think that most ISPs will have firewalls between their own customers and
the Internet - if only to protect their own machines and routers.

It is the customers within your ISP who are likely to threaten your PC - and
I don't think having NAT on an ISP router would help much.

Having each port on the router firewalled against incoming traffic would be
nice - most ISPs already block port 25 to prevent open email relays and
presumably other ports could be blocked also.

However there will always be someone who wants unusual ports open for
incoming traffic (PTP probably) so administration could be a nightmare.

Buy your own NAT router and don't rely on a 3rd party.

Cheers
Dave R

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In article <fo8mc.36781$Ik.2315088@attbi_s53>, newstome@comcast.net
says...
> On the other hand, if you do a Windows 2000 Server default install,
> you're open to an untold number of vulnerabilities. Setting up
> honeypots, I have never had a W2K server (default install) go longer
> than 12 hours without being compromised. Maybe that's not a fair
> statistic, since the default W2K server installs a buggy IIS, which is
> exploited by zillions of script-kiddie tools,

On the other hand, with a zillion articles on how to secure a Windows
platform, including IIS, NT 4, Windows 2000, Windows XP, Windows 2003,
it's almost negligent that they are not secured. As I've said before,
there are a few fortune 100 companies that have run IIS as their web
server platform for more than 5 years I that I've had contact with. I've
had my own IIS servers and Exchange, and FTP, and etc... servers running
on Windows platforms as well as Linux platforms (and AIX). Not one of
those servers has been compromised when configured by anyone with half-
a-clue.

Anyone that would put any platform directly on the net, without some
protection, without proper configuration, isn't doing a smart thing.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
nospam@talk21.com says...
> If an ISP has a NAT router then (unless I am missing something) all the
> other customers (at least those served by your particular router) will also
> be your side of the router, and able to port scan you anytime they want.
>
> I think that most ISPs will have firewalls between their own customers and
> the Internet - if only to protect their own machines and routers.

I wasn't talking about the ISP doing a NAT for their network, I was
talking about the ISP enabling NAT on the Cable/DSL modem at each
customers location. Free, works great, blocks uninvited inbound.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b02f4f6dd8e767f98a4d9@news-server.columbus.rr.com...
> In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> nospam@talk21.com says...
> > If an ISP has a NAT router then (unless I am missing something) all the
> > other customers (at least those served by your particular router) will
also
> > be your side of the router, and able to port scan you anytime they want.
> >
> > I think that most ISPs will have firewalls between their own customers
and
> > the Internet - if only to protect their own machines and routers.
>
> I wasn't talking about the ISP doing a NAT for their network, I was
> talking about the ISP enabling NAT on the Cable/DSL modem at each
> customers location. Free, works great, blocks uninvited inbound.

Ah - yep that makes more sense 🙂

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Leythos <void@nowhere.com> wrote:
> In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> nospam@talk21.com says...
>> If an ISP has a NAT router then (unless I am missing something) all the
>> other customers (at least those served by your particular router) will also
>> be your side of the router, and able to port scan you anytime they want.
>>
>> I think that most ISPs will have firewalls between their own customers and
>> the Internet - if only to protect their own machines and routers.
>
> I wasn't talking about the ISP doing a NAT for their network, I was
> talking about the ISP enabling NAT on the Cable/DSL modem at each
> customers location. Free, works great, blocks uninvited inbound.

???? What does this mean ????

I'm not aware of any Cable modem with an IP stack, so they simply
wouldn't be capable of doing NAT. I imagine DSL modems are the same.

The ISP could provide a NAT-enabled router of some sort in addition to
the Cable/DSL modem, but that would be an extra cost....

--

That's News To Me!
newstome@comcast.net

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Lars M. Hansen <badnews@hansenonline.net> wrote:
> On Wed, 5 May 2004 06:13:22 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh


>>
>>> I consider every computer vulnerable after the initial OS installation,
>>> regardless of OS. Its only after patches have been applied and services
>>> properly configured (or removed as the case may be) that the computer
>>> becomes less of a security risk. Unfortunately, unless programmers
>>> become perfect, we'll always have imperfect software. Windows have had a
>>> couple of big issues in the past few months (DCOM and now LSASS), and
>>> unfortunately, people are not good at patching their computer.
>>
>>The above is correct if the only OS tried is windows. If you ever tried
>>anything else you might experience that there exists thinks like secure
>>OS designed to be as safe as possible even in in-experienced users hands.
>>
>>The fact that "proffessional admins" has been running on MS-classes and
>>has their machines infected while Linux admins is self-educated and has
>>no such infectiions might give you a clue ?
>>

> I don't think you have any idea what I have tried and what I have not
> tried. I have installed several systems with Linux, and many installs
> all sorts of junk that you cannot easily get rid of without spending
> hours resolving package interdependencies. It is virtually impossible
> today to install RH8 or RH9 KDE or Gnome and without sun-rpc, because
> there are so many gnome packages dependent on sun-rpc.

You are talking about redhat as equivalent with linux. It's not.
And gnome is not needed, it's unly used for those who
prefer gnome as window-manager, but no appluícations care about
which window-manager that is used.

FreeBSD OpenBSD are examples of systems where no ports are
open unless choosen to.

> As for the professionalism of admins; I've never had an outbreak on my
> network. One computer once did get a virus, but since we weren't using
> Outlook at the time, the virus was contained. Funny how the
> "professional linux admin" in our sister organization had to deal with a
> couple of hacked mail servers ...

I Admit that it was un unfair example.

> Applying your logic now, it looks like Windows admins are good, and
> linux admins are bad. So, just because some percentage of Windows admins
> haven't been doing a good job at something, that doesn't make all of
> them bad, and equally, just because some linux admins are very good at
> what they do, there's still some idiots out there that have no idea how
> to secure they computers...

Agree. Thats why examples, bad or good, often is off target.



> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

In comp.security.misc Leythos <void@nowhere.com> wrote:
> In article <c7a0m2$bgg$5@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
> says...
>> The fact that "proffessional admins" has been running on MS-classes and
>> has their machines infected while Linux admins is self-educated and has
>> no such infectiions might give you a clue ?

> With the exception of BSD (possibly) every version of a home install of
> Linux has flaws that requires the user to update/patch in order to
> secure their system. The only difference between Linux and Windows is
> the number installed systems and the fact that more users of Linux based
> systems have some technical understanding than those of the Windows
> platform.

> Imagine installing RH 9, doing a full install, and putting that system
> on the net, it would be compromised in short too.

Luckliy enough RedHat has removed that possibility. They have
priced themself out of the market.
Maybe the above problems occur in fedora, but i assume that
most users has moved away, and most of the alternate distros
are better(securitywize).

> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

newstome@comcast.net wrote:
>
> In comp.security.misc Leythos <void@nowhere.com> wrote:

> > I was
> > talking about the ISP enabling NAT on the Cable/DSL modem at each
> > customers location. Free, works great, blocks uninvited inbound.

> I'm not aware of any Cable modem with an IP stack, so they simply
> wouldn't be capable of doing NAT. I imagine DSL modems are the same.

DSL modems often include a router. For an example, look at the Cisco 827.

Thor

--
http://thorweb.anta.net/ IRCnet #areena

 

[Guest]

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls (More info?)

Lars M. Hansen <badnews@hansenonline.net> writes:

>On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh

>>There is no sun-rpc package in RH8 or RH9· Are you sure you've really
>>installed them?

>>If you actually meant the portmap package then that is only
>>required by fam. Since fam is monitoring local filesystems there
>>is no need to open port 111 to anything other than the loopback
>>interface. No vulnerability whatsoever.

>>You should not equate Linux with Windows. Just because RPC on
>>Windows is a security hole does not mean that RPC in Linux is
>>also.

>Cut from my /etc/services file on my RH8 box:

>sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
>sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

/etc/services is only for documentation and reference.

No way are the 8000+ other services dosumented *running* on most
Linux boxes.

SuSE ships with all ports effectively turned off. I wouldn't use the
"default" installation for firewalling anyway because a GUI (X) is
just asking for trouble when exposed to the Internet. SuSE also
ships with an easily configurable "personal" firewall suitable for
home PC deployment... (setting up a modem/DSL connection starts the
firewall by default) and one where you have to get down to the
nitty-gritty for more serious use such as building a stand-alone
firewall for firewalling a LAN.

>You were saying?

>As for RPC being an issue on Linux, well, there may not be any known
>issues at this time, but there has been in the past, and who knows
>what's around the corner...

Here's a note provided by SuSE for the latest kernel security patch:

- A buffer overflow in panic(). Although there seems no way to
trigger this bug, it has been fixed.

Looks like there's plenty of pro-active code review and patching.
A great proportion of possible vulnerabilities can be mechanically
located and then manually reviewed.

--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!