network security related question
On Fri, 2009-02-27 at 05:17 +0000, Vitorio Okio wrote:
> I also have Firestarter running on my Ubuntu 8.04.
>
> I used to think that being behind a NAT router is quite safe. And I used
> to think that keeping Firestarter running is my tribute to security
> paranoia.
>
> But today I've noticed a huge number of incoming connections reported
> blocked by Firestarter. All of them are of ICMP protocol, and my
> understanding is they are either pings, or simple port scans, or
> something of the kind.
>
> Though almost all of them come from the same 2 sources outside of my
> country and this persistence worries me.
>
> My question is how do they ever reach my Firestarter? How do they go through
> my NAT router? I thought they are supposed to be blocked on that level.

If they are ICMP and they are reaching the firewall, then they must be
some type of response to a request initiated from your Linux box. For
example an outbound TCP or UDP connection attempt will generate an ICMP
response if the remote host refuses the connection. Those types of
requests should be permitted for the protocols to work properly, BTW.

I'd see what type the ICMP packets are. That will give you a clue as to
what is going on.

-- 
Smoot Carl-Mitchell
Computer Systems and Network Consultant
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005

-- 
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
network security related question
Vitorio Okio wrote:
> I need an explanation from somebody that knows about networking security
> a bit more than I do. The question below also might be particular to my
> hardware/software set.
>
> I'm behind Linksys WRT54 router with DD-WRT v.24 on it with the router
> SPI firewall enabled.
>
> I also have Firestarter running on my Ubuntu 8.04.
>
> I used to think that being behind a NAT router is quite safe. And I used
> to think that keeping Firestarter running is my tribute to security
> paranoia.
>
> But today I've noticed a huge number of incoming connections reported
> blocked by Firestarter. All of them are of ICMP protocol, and my
> understanding is they are either pings, or simple port scans, or
> something of the kind.
>
> Though almost all of them come from the same 2 sources outside of my
> country and this persistence worries me.
>
> My question is how do they ever reach my Firestarter? How do they go through
> my NAT router? I thought they are supposed to be blocked on that level.
>
> Am I missing something in my knowledge, or is my router firewall just
> doing a poor job?
>
> Can anybody of networking gurus explain it to me, please?

Hello,

There are over 65,000 ports on your computer, and most firewalls only
monitor a basic set of the most used ones. How much configuration have
you done to your router firewall? I know that on mine, there are only a
few selections which can be made, and even if I select a custom
configuration, it only allows me to configure around 60 or 70 ports. Most
software firewalls only monitor a small set of often used ports as well.

For an idea of how it is possible to get past your firewall have a look
at this link.
<http://www.packetfactory.net/firewalk/firewalk-final.html>

To learn more about what different attacks look like in your firewall
logs, and how to make yourself more secure, have a look at this article.
<http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html>

In addition to reading those, install portsentry, which will allow you
to specify precisely which ports you wish to monitor, up to and
including the entire 65,000 some ports. [although monitoring all of them
is probably overkill] To learn how to configure and use portsentry see
"man portsentry", "man portsentry.conf", and take a look at the files in
/usr/share/doc/portsentry/ as well to get more insight into its usage.
They are in .gz files but it's easy to open them temporarily with file
roller and view them. I am using it right along with my external
router's firewall and Firestarter.

Another thing to make sure you do is set your /etc/hosts.deny file's
contents to ALL: ALL which will deny connections to all services on your
computer to all attempts from the outside world to access them. If there
are those you wish to allow access, use the /etc/hosts.allow file to
selectively white list the users and services you want to allow access.
They both have man pages that explain them pretty well.

I'm no expert, but I have been doing a lot of reading in the
/usr/share/docs folder after installing quite a few documentation
packages including harden-doc which is the "Securing Debian Manual".

Other useful docs are "Linux 2.4 Packet filtering How To" which is
located here if you have iptables installed.
<file:///usr/share/doc/iptables/html/packet-filtering-HOWTO.html#toc1>

Additionally, install the package sysadmin-guide, and you will find it
located here -
<file:///usr/share/doc/sysadmin-guide/html/index.html>
It contains a brief section on setting up users and access control.

The ubuntu-server-guide may also prove useful as it contains a lot of
information on networking security. Its main file will be here -
<file:///usr/share/ubuntu-serverguide/html/C/index.html>

There are other docs you can install as well like the Rute Book, and the
iproute-doc.

If you really want to get safer yet, you might consider installing
user-mode-linux and user-mode-linux-doc and running it as a secure
sandbox or jail within your main Linux system.

I hope this helps.

Later, Ray Parrish

-- 
Human reviewed index of links about the computer
http://www.rayslinks.com
Poetry from the mind of a Schizophrenic
http://www.writingsoftheschizophrenic.com/
network security related question
Vitorio Okio wrote:
> I'm behind Linksys WRT54 router with DD-WRT v.24 on it with the
> router SPI firewall enabled.
>
> I also have Firestarter running on my Ubuntu 8.04.
>
> But today I've noticed a huge number of incoming connections reported
> blocked by Firestarter. All of them are of ICMP protocol, and my
> understanding is they are either pings, or simple port scans, or
> something of the kind.
>
> My question is how do they ever reach my Firestarter? How do they go
> through my NAT router? I thought they are supposed to be blocked on
> that level.

Could it be that you have your router configured in a way that makes
your Ubuntu machine the "default server"? Maybe it has a different name
in your router software. If you have enabled this option you don't block
anything with your NAT setup. Then everything received by the router
will be sent to your Ubuntu machine unless you have an extra filter to
block specific traffic.

Nils
network security related question
On Thu, 26 Feb 2009 22:38:23 -0700, Smoot Carl-Mitchell wrote:
> If they are ICMP and they are reaching the firewall, then they must be
> some type of response to a request initiated from your Linux box.

In such case wouldn't my firewall accept the response rather than block
it?
network security related question
> In addition to reading those, install portsentry, which will allow you
> to specify precisely which ports you wish to monitor, up to and
> including the entire 65,000 some ports. [although monitoring all of them
> is probably overkill] To learn how to configure and use portsentry see
> "man portsentry", "man portsentry.conf", and take a look at the files in
> /usr/share/doc/portsentry/ as well to get more insight into its usage.
> They are in .gz files but it's easy to open them temporarily with file
> roller and view them.

Thanks for this, I've never heard of it.
network security related question
On Fri, 2009-02-27 at 17:45 +0000, Vitorio Okio wrote:
> On Thu, 26 Feb 2009 22:38:23 -0700, Smoot Carl-Mitchell wrote:
>
> > If they are ICMP and they are reaching the firewall, then they must be
> > some type of response to a request initiated from your Linux box.
>
> In such case wouldn't my firewall accept the response rather than block
> it?

In this case it should, unless you are specifically blocking ICMP
"connection refused" packets, which you should not do because it would
violate some essential protocol behavior.

Without seeing a packet trace I am doing a bit of guessing as to what
your issue might be. My suggestion is a way of narrowing the scope of
the issue you are seeing. With your NATed router it is difficult, but
not impossible, to construct packets which will get past the router and
be received by your Linux box. I'd suggest capturing some of the dropped
packets and seeing what they contain.

-- 
Smoot Carl-Mitchell
Computer Systems and Network Consultant
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005
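Smoot's advice in this reply and in his earlier one is to look at the ICMP type and at what the dropped packets contain. As an added example that is not part of the thread, the script below reads netfilter-style LOG lines (the kernel log format Firestarter's reports come from; the sample lines are constructed, using documentation address ranges) and separates ICMP error messages that quote one of our own outbound packets from unsolicited probes such as echo requests, counting verdicts per source so a persistent sender stands out.

```python
import re
from collections import Counter

FIELD = re.compile(r"(\w+)=(\S*)")   # key=value pairs as the kernel LOG target writes them
INNER = re.compile(r"\[(.*?)\]")     # ICMP errors quote the offending packet's header in [...]
ICMP_ERROR_TYPES = {3: "dest-unreachable", 4: "source-quench", 11: "time-exceeded", 12: "param-problem"}

# Constructed sample lines (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 27 05:10:01 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.10 DST=203.0.113.5 PROTO=UDP SPT=49152 DPT=53 ]
Feb 27 05:10:02 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.10 DST=203.0.113.5 PROTO=UDP SPT=49153 DPT=53 ]
Feb 27 05:11:30 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=ICMP TYPE=8 CODE=0
Feb 27 05:12:00 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443 ]
Feb 27 05:13:00 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.10 PROTO=TCP SPT=4444 DPT=22
"""

def parse_line(line):
    """Return outer fields plus any quoted inner header; None for non-LOG lines."""
    if "PROTO=" not in line:
        return None
    m = INNER.search(line)
    rec = dict(FIELD.findall(line[:m.start()] if m else line))
    rec["inner"] = dict(FIELD.findall(m.group(1))) if m else {}
    return rec

def classify(rec):
    """Is this ICMP packet an answer to our own traffic, or unsolicited?"""
    if rec.get("PROTO") != "ICMP":
        return "non-icmp"
    icmp_type = int(rec.get("TYPE", -1))
    if icmp_type in ICMP_ERROR_TYPES:
        # The quoted header names the packet that triggered the error; if its source is us, it is a reply
        if rec["inner"].get("SRC") == rec.get("DST"):
            return "reply-to-our-" + rec["inner"].get("PROTO", "?").lower()
        return "unsolicited-" + ICMP_ERROR_TYPES[icmp_type]
    if icmp_type == 8:
        return "unsolicited-echo-request"   # a ping/probe nobody here asked for
    if icmp_type == 0:
        return "echo-reply"                 # answer to a ping we sent
    return "other-icmp-type-%d" % icmp_type

def summarize(log_text):
    """Count (source, verdict) pairs so a persistent sender stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec.get("SRC"), classify(rec))] += 1
    return counts
```

Run `summarize()` over the relevant lines of /var/log/messages (or Firestarter's event list exported to text) to see whether the two persistent sources are answering your own traffic or probing on their own.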
network security related question
Nils Kassube wrote:
>
> Could it be that you have your router configured in a way that makes
> your Ubuntu machine the "default server"? Maybe it has a different name
> in your router software. If you have enabled this option you don't
> block anything with your NAT setup. Then everything received by the
> router will be sent to your Ubuntu machine unless you have an extra
> filter to block specific traffic.
>

This is also called a DMZ host on some routers, and was my first guess
as well.
network security related question
> Could it be that you have your router configured in a way that makes
> your Ubuntu machine the "default server"? Maybe it has a different name
> in your router software. If you have enabled this option you don't block
> anything with your NAT setup. Then everything received by the router
> will be sent to your Ubuntu machine unless you have an extra filter to
> block specific traffic.

No, this is not the case.
network security related question
Vitorio Okio wrote:
>> In addition to reading those, install portsentry, which will allow you
>> to specify precisely which ports you wish to monitor, up to and
>> including the entire 65,000 some ports. [although monitoring all of them
>> is probably overkill] To learn how to configure and use portsentry see
>> "man portsentry", "man portsentry.conf", and take a look at the files in
>> /usr/share/doc/portsentry/ as well to get more insight into its usage.
>> They are in .gz files but it's easy to open them temporarily with file
>> roller and view them.
>>
>
> Thanks for this, I've never heard of it.
>

You're welcome. I hadn't heard of it either until I started
investigating the docs available for installation via the repositories.
I've learned more in the past two weeks reading those, than I had in the
past six months of blindly fumbling around the file structure searching
for clues in the script files and configuration files, and doing online
searches. Nothing beats having the information right here on my own
machine to study, and it's all laid out in a logical manner too.

Later, Ray Parrish

-- 
Human reviewed index of links about the computer
http://www.rayslinks.com
Poetry from the mind of a Schizophrenic
http://www.writingsoftheschizophrenic.com/