From: Stephen Horne on
On Mon, 28 Dec 2009 17:37:53 +0100, houghi <houghi(a)houghi.org.invalid>
wrote:

>Stephen Horne wrote:
>>>To be fair, you could include the PATH of the application. But which one
>>>is correct:
>>>/bin/firefox
>>>/opt/firefox/bin/firefox
>>>~/.mozilla/firefox
>>>~/bin/firefox
>>>
>>>Could be done, but a LOT of hard work and prone to mistakes.
>>
>> So make it easier - only allow applications installed in the standard
>> way in standard locations to be whitelisted, mandate a standard way of
>> identifying the path, and mandate that the relevant path must be
>> protected behind an admin password.
>
>Like the above? They are all standard and I could name a few other
>places that are correct and standard.

OK - I assumed you were talking about some kind of alias to the same
location. If not, then simply mandate that the whitelist specify the
path that actually contains the application. Where it may be on
someone else's system isn't really relevant.

From: Stephen Horne on
On Mon, 28 Dec 2009 15:13:15 +0100, houghi <houghi(a)houghi.org.invalid>
wrote:

>Stephen Horne wrote:
>> And I said differently when?
>
>All the time. You want to do root things as user.

At this point, the penny drops - no way can you genuinely still
believe that, therefore you're just trolling.

From: Stephen Horne on
On Mon, 28 Dec 2009 15:45:56 +0100, Peter Köhlmann
<peter-koehlmann(a)t-online.de> wrote:

>"why is it OK for Linux apps to request the root password"
>
>Your words. Well, tell us what linux apps a normal user would run need
>root access. Be precise

Deliberate out-of-context selective misleading quoting.

Another troll.

From: David Bolt on
On Monday 28 Dec 2009 15:58, while playing with a tin of spray paint,
houghi painted this mural:

> David Bolt wrote:
>> Here's some steps you can try:
>>
>> 1, create a new table using iptables, maybe calling it allowed_apps;
>> 2, insert a rule that forces all outbound traffic through allowed_apps;
>> 3, insert a rule that blocks all outbound access to the net for GID
>> users in the main table;
>> 4, when starting up a new application, make a note of the PID and add
>> an entry to allowed_apps allowing that particular PID;
>> 5, once you quit the application, remove the rule for the matching PID.
>>
>> For whitelisted applications, I can see one way to do it, but it would
>> require a wrapper shell and some fiddling.
>
> To make the first semi-automatic, what you must do is notice that a new
> application is started and by who.

That part is easy, just look in /proc for those details. What you'd
need to do is scan it frequently for new or removed entries. You can
find out exactly which binary or script is running and who "owns" it.

> Also from where it is started as you
> can be logged in more than once and send the request there.

That would be an issue, although one possible way would be to look at
the various file descriptors to see which terminal it's attached to. Of
course, then you get to try and solve the issue of file redirection.

> Depending on the application, it could be that you need to restart your
> application and it could be that it tries another port on the second go.

You mean like they would normally do? Source port varies, destination
port may be the same.

> Also what if the same application asks for a connection on a different
> port?

Oops. Now you've gone from just checking if an application has started,
which could be done by a daemon sitting in user space, through to
something sitting in the network stack as well, which means running
inside kernel space. The only thing that should be running in kernel
space are hardware drivers and the kernel itself. Anything else makes
it easier for systems to be broken.

> e.g. `mc`. First I can use it to ssh and then to ftp, then ssh on a
> server on a different port.
>
> I can imagine that it could be fun to write something like that.
> Useless, but fun.

I imagine it would be more of a nightmare than fun.

> Even more fun if you connect it to MySQL and a
> webinterface to maintain.

And this is where it gets even harder.

> Many people think that a firewall is the first line of defence. It
> should be the last one.

I read an interesting comment made several years ago[0]:

A software firewall is like wearing a bulletproof vest inside your
body.

Firewalls should be between you/your machine and whatever you're trying
to protect your machine from. That's their job and, while running
something on your machine to prevent access from outside is a good
thing, it's still possible to be worked around.


[0] http://groups.google.com/group/news.admin.net-abuse.email/msg/2a21f9963cfde96e

Regards,
David Bolt

--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | openSUSE 11.2 32b |
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
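The /proc scan David describes above (and step 4's "make a note of the PID"), as an added example that is not code from the thread: each scan maps pid to the binary behind `/proc/<pid>/exe` and the real uid from `/proc/<pid>/status`, and two scans are diffed to find started and stopped processes. `build_fake_proc` is a constructed stand-in for /proc so the example runs offline and without root; on a real system, reading another user's `exe` link needs root, and a pid can be recycled between scans, so the diff also reports a pid whose exe or uid changed.

```python
import os
import tempfile

def snapshot(proc_root="/proc"):
    """Map pid -> (exe path, real uid) for each numeric entry under proc_root."""
    procs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:  # readlink works after the binary is deleted; needs root for other users' pids
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, or permission denied
        uid = None
        try:
            with open(os.path.join(base, "status")) as status:
                for line in status:
                    if line.startswith("Uid:"):
                        uid = int(line.split()[1])  # real uid is the first field
                        break
        except OSError:
            continue  # process exited between listdir() and open(): skip it
        procs[int(name)] = (exe, uid)
    return procs

def diff_snapshots(old, new):
    """Return (started, stopped); a pid whose exe/uid changed is reported in both,
    so a recycled pid is not mistaken for the process that was whitelisted."""
    started = {pid: new[pid] for pid in new if old.get(pid) != new[pid]}
    stopped = {pid: old[pid] for pid in old if new.get(pid) != old[pid]}
    return started, stopped

def build_fake_proc(entries):
    """Constructed stand-in for /proc so the example runs offline and unprivileged."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, exe, uid in entries:
        pid_dir = os.path.join(root, str(pid))
        os.mkdir(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling link is fine for readlink
        with open(os.path.join(pid_dir, "status"), "w") as status:
            status.write("Uid:\t%d\t%d\t%d\t%d\n" % ((uid,) * 4))
    return root

def demo():
    """Two scans of a constructed tree: mc (pid 1234) is replaced by ssh reusing its pid."""
    before = snapshot(build_fake_proc([(1, "/sbin/init", 0), (1234, "/usr/bin/mc", 1000)]))
    after = snapshot(build_fake_proc([(1, "/sbin/init", 0), (1234, "/usr/bin/ssh", 1000),
                                      (2001, "/usr/bin/firefox", 1000)]))
    return diff_snapshots(before, after)
```

Running `demo()` reports pid 2001 (firefox) and pid 1234 (now ssh) as started and pid 1234 (mc) as stopped, while pid 1 is unchanged.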
From: Van Chocstraw on
central wrote:
> On Mon, 28 Dec 2009 15:53:58 +0100, J G Miller wrote:
>
>> On Mon, 28 Dec 2009 04:59:24 +0000, Stephen Horne wrote:
>>
>>> It doesn't matter whether you download binaries or build from source -
>>> unless you inspect that source line by line, the possibility still
>>> exists that there is an undocumented nasty lurking within.
>>
>> A good example of this is the trojan contained in the Gnome Waterfall
>> screensaver installation package which was uploaded to the official site
>> Gnome Look.
>>
>> <http://www.zdnet.com.AU/blogs/null-pointer/soa/Carelessness-busts-Linux-security/0,2001102868,339299939,00.htm>
>>
>>> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
>>> home, and so the security issue is minimised.
>>
>> As far as I am aware this is not the case. A firewall works by blocking
>> ports. When Zone Alarm initially asks you if you want to allow an
>> application to access the internet, it opens the port for that
>> application. If another application uses the same port, then as far as
>> I am aware, it will be able to get through the already opened port.
>
> Might be so of the cheapie Zonealarm, but back in the days I used windows
> on a regular basis, I used a soft firewall from Sygate, which would only
> allow specified apps AND only to specific ports, so, for instance, I
> could allow Outhouse pop and smtp but block it from everything else, thus
> preventing the vast bulk of emails from collecting images from the web
> AND still blocking smtp and pop for anything else. Of course, then I
> discovered Linux email packages that blocked that stuff by default -
> about 5 years before Outhouse had the same functionality...
>

I remember Sygate (SPF), bought by Symantec, had a 'Block All' option
which was handy if you left the PC, but I suppose it is the same as putting
your router in standby or powered off.