GNOME, Security, Linux, and Cable Modems?

beagle asks: "I just signed up for Time Warner's Road Runner service, and I'm concerned for security on my home machine now. As I started to crack down on my box over the weekend, I noticed that GNOME has about ten ports open in the range of 1030-1040, for such things as gpilotd, tasklist (sp?), and other similar apps. I shut off inetd, named, sendmail, and all other basic services except httpd. Of course, ssh is the only remote login method I support. However, I run Helix GNOME at home (I don't at work; I only ssh into the work machine - no console) and I don't want to stop using GNOME."

"I have always been more lax about security on my home Linux box than I have been on my public Linux box, but now that my home machine will be online all the time, security becomes more of an issue.

Are there any security concerns related to GNOME? Should I worry about all these ports that GNOME is using? Is there anything I can do to beef up security on the machine? (There are bunches of other UNIX sockets open too - ORBIT comes to mind - but I'm only worried about the TCP sockets.) Of course, I have Zone Alarm for when the machine is running Windows (once in a blue moon), but I don't know of anything like that for a single Linux box.

I know I could use a spare machine as a firewall and run Linux's IP masquerading. My only spare machine, however, is an old 486dx2-66 with an NE2000 ethernet card. Not exactly a speed demon, and speed is exactly why I got a cable modem. (Well, that and my wife is tired of me tying up the landline every night.)

So, what about it, gurus of Slashdot? Is my best option to go ahead and run IPFW and IP Masquerading on my old 32MB 486? Do I even need to worry about the ports GNOME is using at all?"

Are the listening ports wildcards?

Before panicing, be sure that these ports really are open to the world.

Use netstat to see what network they are bound to.

A foreign address of *:* is a bad thing.

A foreign address of 127.0.0.1:* indicates that
the connection is restricted to localhost only. An attacker would have to spoof packets originating from 127.0.0.1 in order to connect to the port.

Userspace threat, definately.

Any program which grabs a network socket and accepts connections from the outside world represents a potential threat from buffer overflows. Fortunately, I'm pretty certain all of these run with the permisstions of the user, so a successful crack would be limited to the user's account. Doesn't make me feel any safer though. It just doesn't make sense that the GNOME team would need open sockets for these services... why not just use a local named pipe down /tmp, for instance (which they do use)?

Can a competent GNOME hacker please chime in?

Re:Quit your whining use ipchains

Actually it is much more secure to first DENY all inbound connections, and then selectively ALLOW connections that you have deemed to be secure. For example, assuming eth0 is your only public network interface.

First, deny and log to syslog all inbound connections: ipchains -A input -p tcp -y -l -i eth0 -j REJECT

I'm pretty sure I got it right but I didn;t consult the manual. Use at your own risk.

Second, decide that you wish to always allow inbound SSH connections: ipchains -I input 1 -p tcp --dport ssh -i eth0 -j ACCEPT

And maybe a secure web server too: ipchains -I input 1 -p tcp --dport 443 -i eth0 -j ACCEPT

WHAT the heck are you talking about?

they've decided to take it upon themselves to police YOUR system.

With the exception of Time Warner's Acceptable Use Policy [twcincy.com] (Mirrored verbatim from city to city), they don't probe users' systems.

I had someone get kicked off the network for having telnet open.. apparently it's "windows or mac only" - with a vengance.

A) I seriously doubt you got a user "kicked off" for simply having telnet open. I had RoadRunner for over a year with several services (including telnet) open, and Time Warner was full aware of it. I talked with a few techs there, and they knew what I was running. How? I told them. They never "scanned" me to find out.

B) Part of the reason of RoadRunner eliminating the Windows/Macintosh login program was to support users of other operating systems. It used to be that users of RoadRunner would have to log into the system using an authentication program for either Windows or Mac. This step has been eliminated, in part because of pressure from users of other systems.

The extent of Time Warner's involvement with users' security can be found here [rr.com].

-- Give him Head? Be a Beacon?

ORBit configuration error

I'm pretty sure there was a bug in one of the Helix packages a while back that caused ORBit to listen on a TCP socket by default... This caused any gnome app exporting a CORBA interface to have an open socket. (gnome-terminal, panel, gpilot-applet, etc. - any applet and many apps)

At any rate, Helix fixed this in one of their updates, and the recent ORBit RPMs have this feature disabled by default. A simple upgrade should fix your troubles.

Quit your whining use ipchains

Just set up a quick ipchains ruleset to filter those ports IPCHAINS-HOWTO [linuxdoc.org] Thanks for bringing it to our attention though.

Linksys != firewall!!! Get a SonicWall instead!

Dude! Linksys should be SMACKED for calling that POS a "firewall". Linux IPChains is MUCH, MUCH better! At least it has some REAL logging!

For $350, you can get the SonicWall SOHO/10. It is the only ICSA approved firewall you can find for under $500. It has excellent features, including one-to-one NAT (so you can let in certain ports), and logging is fairly good (nothing to complain about at that price). I've used these little babies on corporate networks.

-- Bryan "TheBS" Smith

Firewall Info

Here's some Firewall info I've referred to many times.
Check out the Trinity OS Paper [csuchico.edu] . It gives some excellent advice on Securing your Linux System. This paper also comes with various IPCHAINS Rule-Sets you can use. Don't try to print it out though. It's atleast 1,400 pages long and growing.
This Firewall Site [linux-firewall-tools.com] allows you to configure an excellent firewall Script just by answering some simple questions. I know of many people who have used this site to configure their firewalls.

Re:Could an old...

A cable modem isnt going to be pushing more than around 384k, with full-sized ethernet packets, 1500bytes = 12k-bits, you'll be pushing around 30 or 40 packets a second, 60 to 80 for bidirectonal... and a 486dx2-66 is going to be able to act as a router for that just fine.

Re:Firewall

Yup - OpenBSD works really nicely for that.

I have a Pentium 120 running OpenBSD 2.6 for my firewall, and even when my other four computers are generating loads of traffic and completely filling my DSL it doesn't even slow down.

I used OpenBSD for the firewall because I'm not an expert on security and wanted to be less likely to screw it up. The OpenBSD FAQ had a pretty good section on how to set up the IP Masquerading and IP Firewalling, including opening a few ports up to connect to the Linux HTTP / Web server behind it.

It's not as easy to install as Mandrake, but it was fun. I like a little variety.


Torrey Hoffman (Azog)

Re:Get thee a firewall .. and the LinkSys is great

The linksys is $104.00 at Outpost.com and that is cheaper then the amount of electricity a single linux box will use over a year.

Plus with the linksys you get a 4 port 100mbit SWITCH with Nat and routing and only 4 minutes to install. If there is a poweroutage no fs to rebuild and no parts to replace on a dead peecee should something happen.

Plus if your concerned about uptime and connectivity the Linksys uses alot less UPS power and will hide easily on a shelf and does make a hell of alot less noise then an old pc box.

Don't underestimate the power of theses devices.

Same problem as you

Actually I came across this very same problem. I have @home Rogers Cable Access. I setup a Proxy server on my box so another computer could use the network and use that connection. But it seems to be as slow as a 14.4 modem (maybe worse). Servers me right for using a Windows Proxy program.
I came across a proxy/boot floppy setup which is perfect for your old 486 as long as you have 2 NIC cards installed.

Here is the address:
http://lightening.prohosting.com/~normr/index.sh tml
Hopefully this guy doesn't suffer from the Slashdot affect after this post

Good Luck!

The easiest way

First of all, your 486 is fast enough for what you need. My personal setup at in my room is a P90 with 24mb of ram that does all my IP forwarding and acts as a firewall. I dont know if I have the most secure setup but here are the tools I use and you will need to get this working:

dhcpcd
dhcpd
ndc (not a requirement but you may benefit from having a local name server instead of using the slow @home ones)
pmfirewall
rc.firewall

You can find the rc.firewall script here [codeburner.com]. It sets up all your forwarding modules for your network.

dhcpd and dhcpcd are used to assign an IP address to your main machine. I use them because I am lazy and dont want to bother with setting a static address.

Your dhcpd.conf should probably look something like this [codeburner.com] for your type of two computer network. dhcpcd just has to be run on your main computer and it will get all the info it needs from the dhcpd on the firewall computer.

Finally, you need your firewall program. I use pmfirewall because it is easy to install and use. It is basically a frontend to ipchains and it takes all the nasty configuration out of setting up a firewall.

You can download it here [pointman.org].

The best thing about pmfirewall is how easy it is to allow complete access to one address (like your main computer) to everything you need and close off the important/scary ports to everyone else.

As long as your network cards are working, you should have no problems getting dhcpd to work and the rest of it installs very easily. As for your gnome ports, you can close those to everyone but you so you dont have to worry about screwing up gnome.

Hope that helps.

Yellow Network Coalition, Risks, CERT, BugTraq

Some Useful Websites:

The Yellow Network Coalition [ync.org] takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.

They Need Your Donations of Old 486's and Other Hardware

The Forum on Risks to the Public in Computers and Related Systems [ncl.ac.uk] discusses security holes, bugs in software, user and usability problems that cause such trouble as security problems, and carries security announcements.

The CERT Coordination Center [cert.org] carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.

I've also heard BugTaq is good and better than CERT for timely information but don't have a URL handy.

Re:Clarifications

1. It's not called masq. It was called IP Masquerading to distingush it from NAT. Linux (as of 2.2) doesn't include any TRUE network address translation services, but rather just a port-based NAT derrivative. NAT, in it's truest form, relys on a pool of public IP addresses that are dynamically assigned (and translated) for internal addresses, and doesn't suffer from the problem that IP masq has in dealing with listening connections.

2. A 486 is more than up for the job. A 486-DX2 running Linux kernel version 2.2.x with ISA NICs will become saturated at about the 3-4Mbit/sec mark. As long as you never see more than that much traffic, you'll be fine.

3. Safety first. I agree that keeping your firewall clean and efficient is very important. However, I find the claims that Linux is less secure than BSD more than a bit bogus. Almost all those server daemons that have had buffer overflows on Linux can be compiled and install into OpenBSD with the same buffer overflows. Security is a journey not a destination is true in ALL cases, even OpenBSD. An incompetent (or inexperienced) administrator can easily turn a secure machine into one that's wide open for anyone to break into.
Most people usually end up compromised because of services that they either never used or never knew about, and therefore didn't bother maintaining. Due to the shortsightedness of most Linux distributors, you'll probably end up "cleaning" dozens of packages out that are completely worthless. Ideally, your result should be a machine that's not listening to anything on the public interface.

4. Raise Hell About Gnome Security Issues. Absolutely! A TCP/IP port should never be opened unless there's a very good reason why this service needs to be advertised to the world. Most of the time, this is just lazy coding, and a place where other types of sockets would probably serve better.

Re:How do you check ...

How do you check to see what ports are open? Use a shell script to port sweep with netcat(nc)?

netstat -t -u --listening | less

Re:very good question

Those are some pretty bad habits you're espousing. Don't turn on ftp *ever* - use scp.

Enumerate whatever services you are sporadicaly turning on and off, and either decide that they are vulnerable, and never use them, or leave them on and tighten what you can.

For example, you already decided to leave ssh on. That's an example of the second option. To continue on that line, tighten ssh by making sure rhosts is off, root cannot log in directly, and blank passowrds are disallowed.

An example of the first option would be disabling ftp for good, and learing how to use scp.

Ben Ploni

10 minute solution:

As others have mentioned, a 486 can easily route a T-1 or more with no performance hit. The easiest solution on the planet has to be Freesco. http://www.freesco.org. It runs off a floppy, can be easily migrated to the smallest hdd you have, and supports such niceties as dynaminc DNS and port forwarding...all without editing config files. Port forwarding will allow you to run Apache or ftp behind the Freesco box, even if you're using a private subnet. A huge benefit.

Clarifications

1. It's not called masq. It's called net address translation. It's been called that for 20 years. Then these linux kids come along and make up masq. Call it by it's technical name; not a developer's gimmick name.

2.A 486 is more than up for the job. It will handle a saturated cable line and still not carry a heavy load.

3. Safety first. Just because the 486 is more than enough power don't feel justified in making a stupid security mistake; keep the firewall clean.
Linux is not as secure as BSD, as you are finding, because many chances are taken in user land apps with permissions. This makes the OS more cutting edge, but security is the price. (This is not a troll--how many weeks go by before another bugtraq post comes up about another linux exploit--every few weeks; how often for OpenBSD? Not for three years. Look, it's better than windows, OK, but linux is riddled with buffer overflows in user space, which in turn lead to LOCAL ROOT compromises.)
So, DON'T LISTEN TO OTHERS WHO SUGGEST RUNNING OTHER SERVICES ON THE BOX.

Don't do it.

Run these other service (mail, httpd, etc.) off your interior boxes.
Your absolutely want ipfilter or other socket filtration software to have a complete crack at packets; you don't want to make a nice firewall, and then junk it up with services. Keep the firewall clean and separate from user space. Hell, even remove ls from the freakin' firewall. Trash it so you have to admin by booting from a floppy. Don't leave your tools on the firewall; the hacker will only use them to compromise other machines on the LAN.

4. Raise Hell About Gnome Security Issues.
You should start asking loud, noisy questions about (a) what are these ports, (b) HAS THERE BEEN A SECURITY AUDIT OF THEM (answer: No), and (c) Are the really necessary (perhaps they are; could they instead be wrapped; are they suid? who owns that port? etc.).

yes, excellent script!

You have made a wonderful script Manuka, thanks for your hard work! I have made a quick security guide for my local users group, and this script is a big part of it.

http://usmcug.usm.main e.edu/papers/linux_security_guide.html [maine.edu]

Get thee a firewall ...

Over the weekend, I installed a firewall made by LinkSys:

http://www.linksys.com/products/product.asp?prid =20&grid=5

and it replaced a simple Linux machine that was running the usual ipchains/NAT software. Why use the LinkSys? Smaller, much less power consumption, no noise, very little heat. While a linux machine is a lot more powerful, the power simply isn't needed in this situation. The linksys allows port forwarding, supports DHCP, and a few more exotic features. The unit has gotten a lot of good reviews on epinions.com.

Easier than any Linux solution

If you have an old Mac, as I do, load it up with dual Ethernets, Open Transport 1.1.1 or better, and IPNetRouter [sustworks.com]. It does all the port mapping and filtering you need, and comes with excellent instructions.

The same reason Macs were chosen by the U.S Army [slashdot.org] will make your old Mac a great firewall: Macs don't hardly have any open TCP/IP ports! Other than the ones you explicitly enable, of course.

I loaded up IPNetRouter on my 6-yr-old Mac and used it both as a firewall for my house and as my primary workstation for over 9 months before I upgraded. It has been extremely reliable (uptimes on the order of weeks ain't bad considering all I do to it) and easy to maintain.

Which is more than I can say for the Linux rig I used for my firewall previously.

My experiences

I have a dsl line in my apartment. I have it connected to a dual NIC pentium 90 that is my ip-masq/firewall/dhcp server/samba/ssh/httpd server. That's right, a Pentium 90. Not as bad as a 486, but no great shakes. I VERY carefully bind vulnerable services to the inside NIC, and only have http and ssh available to the outside nic. ipchains rules do the masqing and firewalling.

Te box has flawless uptimes, and speed is NOT an issue. It's very easy to saturate a cable or DSL line. CPU won't be your bottleneck.

Things to watch out for:
1) listening ports. do a "netstat -a" and check for "*:anything ... LISTEN". If you dont want it to be available to the outside world FIX it!
2) NO X. Duh.
3) understand ipchains. It's not hard, but not obvious either
4) dont forget about UDP.

Good luck,
Ben Ploni

Re:yes, excellent script!

initializing your ipchains via rc.local as you suggest leaves you highly vulnerable for a short period of time whenever you reboot. You need to run the script before the network is started

if you look in /etc/rc.d/rc{3,5}.d/ you will see the SnnNetwork startup script. put a symbolic link named SnnFirewall to your firewall script. replace the nn with a smaller number than the network script uses.

Securing Linux

Information sites on keeping your Linux box secured:

http://www.linuxgazette.com/issue34/v ertes.html [linuxgazette.com]
http://www.linu xworld.com/linuxworld/lw-1999-05/lw-05-ramparts_p. html [linuxworld.com]
http://www.secu rityfocus.com/focus/linux/articles/linux-securing. html [securityfocus.com]
http://www.isr.umd.edu/~dani elf/Linux/securinglinux.html [umd.edu]
http://www.gl.umbc.edu/~jjasen1/unix/ linux.html [umbc.edu]

--
Kiro

Update your Gnome install

I believe that these problems have largely been fixed in the recent versions of Helix Gnome. If you just run helix-update, you can download the new packages that use Unix sockets by default instead.

I remember having similar frustration myself, and I was happy when it was fixed.
--
Ski-U-Mah!

ipchains

Simply run ipchains with a set of rules that firewall that individual machine. There is a script at http://firewall.langistix.com [langistix.com] that I wrote which will do precisely that if only given one interface. Combined with intrusion detection, it can be a very powerful tool.

The ports open.

Each port open is a CORBA connection from an application that supports being controlled through CORBA.

To access those services you do have to know the secret password (which is generated once for each session) so it is basically as secure has being able to log into your computer.

Now, we realized that this was a potential problem and some systems are shipping with ORBit CORBA sockets disabled (Helix GNOME ships with a disabled CORBA socket connection) as well as other distributions that have turned this feature off.

If you want to play it safe (although no security holes are known to exist in ORBits incoming processing path) you can put this in your /etc/orbitrc:

ORBIIOPUSock=1
ORBIIOPIPv4=0
ORBIIOPIPv6=0

Miguel