public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Making sure I am a good netizen and secure.
@ 2009-09-05  9:56 Dale
  2009-09-05 10:44 ` Alan McKinnon
                   ` (2 more replies)
  0 siblings, 3 replies; 36+ messages in thread
From: Dale @ 2009-09-05  9:56 UTC
  To: gentoo-user

Hi,

As some may know already, I recently got DSL.  It's not a super fast
connection by broadband standards but it does mean that my box may be
easier to find for a hacker.  So, I have a few questions about
security.  I think I am OK but want to make sure. 

1:  I have a good root password.  It's not something someone would guess
for sure.  Nothing related to my history, birthdays or anything.  It is
still fairly easy for me to type tho.

2:  I went to this link:  https://www.grc.com/x/ne.dll?bh0bkyd2 
According to that site my ports are in "stealth" mode which is good from
what I understand.

3:  I have no servers running here.  No Apache, MySql, or any of that. 
I also have turned off/stopped ssh since I have only one box at the
moment. 

4:  I'm currently using this kernel:  2.6.25-gentoo-r9  I plan to
upgrade that in the next day or so. 

The DSL modem I am using is the Motorola 2210.  It seems to be a gateway
thing.  I have no router at the moment but if I build a new rig I will
be getting one then.  Most likely a Linksys or something.  I'll post
here before getting one anyway.  ;-) 

Am I missing anything?  If you need more info, let me know.  I just want
to make sure no one can get into my box without me knowing about it and
getting into mischief.

Thanks much

Dale

:-)  :-) 



^ permalink raw reply	[flat|nested] 36+ messages in thread

* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05  9:56 [gentoo-user] Making sure I am a good netizen and secure Dale
@ 2009-09-05 10:44 ` Alan McKinnon
  2009-09-05 11:01   ` Dale
  2009-09-05 14:59 ` Grant Edwards
  2009-09-05 20:11 ` Nikos Chantziaras
  2 siblings, 1 reply; 36+ messages in thread
From: Alan McKinnon @ 2009-09-05 10:44 UTC
  To: gentoo-user

On Saturday 05 September 2009 11:56:09 Dale wrote:
> Hi,
> 
> As some may know already, I recently got DSL.  It's not a super fast
> connection by broadband standards but it does mean that my box may be
> easier to find for a hacker.  So, I have a few questions about
> security.  I think I am OK but want to make sure.
> 
> 1:  I have a good root password.  It's not something someone would guess
> for sure.  Nothing related to my history, birthdays or anything.  It is
> still fairly easy for me to type tho.

Good. Also disable root login using sshd.

> 2:  I went to this link:  https://www.grc.com/x/ne.dll?bh0bkyd2
> According to that site my ports are in "stealth" mode which is good from
> what I understand.

That's Gibson. Sometimes he talks sense and has good ideas, but he always 
rambles. Wheat and chaff.

Run "netstat -atnup" and see what's open. Apply brainpower to what you see.
Learn how to drive nmap and throw it at localhost. Apply brainpower to what 
you see.

> 3:  I have no servers running here.  No Apache, MySql, or any of that.
> I also have turned off/stopped ssh since I have only one box at the
> moment.

No services running by default is a sane starting point for personal use. But 
you will likely need *some* services, so deploy them one by one and audit each 
one before taking it live. Start them only when you need them.

> 4:  I'm currently using this kernel:  2.6.25-gentoo-r9  I plan to
> upgrade that in the next day or so.

Kernel bugs exist of course, but in terms of numbers, it's far easier for 
someone to access your box using other routes. Like php.

Pay attention to kernel bugs but you also have to prioritize by risk factor, 
so that one is correspondingly lower on the list.

> The DSL modem I am using is the Motorola 2210.  It seems to be a gateway
> thing.  I have no router at the moment but if I build a new rig I will
> be getting one then.  Most likely a Linksys or something.  I'll post
> here before getting one anyway.  ;-)
> 
> Am I missing anything?  If you need more info, let me know.  I just want
> to make sure no one can get into my box without me knowing about it and
> getting into mischief.

By far the most common attack vector into home machines is users doing stupid 
things with mail and dodgy links. This is how phishers work. So you need to 
apply diligence in what you click and where you go. But, you are likely 
exercising this already.

Top of my list is always to lock down things that give shell access. No 
telnet, no root login, access for specific users only. I use "AllowGroups" in 
sshd_config a lot - only that group's members may log in and one grep shows 
you exactly who is in that group.

You deal with brute force attacks using packages like fail2ban and denyhosts. 
The general idea is that if a certain number of failed attempts show up in the 
logs in a short time, that IP is locked out for a few hours.

John the Ripper is excellent at finding weak passwords. I don't know how much 
benefit you will get - having only two users with passwords - but I use it 
routinely on my servers. There's a certain satisfaction in attending security 
forum meetings and telling some manager with a stick up his ass that you are 
the one who trashed his access because you found his password in 38 seconds 
:-)

-- 
alan dot mckinnon at gmail dot com

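The lockout rule Alan sketches (a number of failed logins from one IP inside a short window, then a timed ban) written out as an added Python example; it is not code from the thread nor fail2ban's or denyhosts' own implementation, and the log lines, host name and addresses are constructed.

```python
"""Fail2ban-style brute-force lockout over sshd log lines.

Added example: not code from the thread, nor fail2ban's or denyhosts'
own implementation. It models the idea Alan describes: count failed
logins per source IP inside a sliding time window and lock the IP out
for a fixed period. The log lines and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as syslog writes it to /var/log/auth.log.
# Syslog omits the year, so we assume one (2009, like the thread).
LOG_YEAR = 2009
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+ ssh2$"
)

# Constructed sample: 203.0.113.7 (TEST-NET-3) hammers root, then comes
# back after the ban has expired; 192.168.1.50 is one typo from the LAN.
SAMPLE_LOG = """\
Sep  5 10:01:00 smoker sshd[4242]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep  5 10:01:03 smoker sshd[4243]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep  5 10:01:05 smoker sshd[4244]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Sep  5 10:01:09 smoker sshd[4245]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep  5 10:02:00 smoker sshd[4246]: Accepted publickey for dale from 192.168.1.50 port 40000 ssh2
Sep  5 10:02:30 smoker sshd[4247]: Failed password for root from 203.0.113.7 port 51005 ssh2
Sep  5 10:03:00 smoker sshd[4248]: Failed password for root from 203.0.113.7 port 51006 ssh2
Sep  5 10:30:00 smoker sshd[4249]: Failed password for dale from 192.168.1.50 port 40001 ssh2
Sep  5 12:40:00 smoker sshd[4250]: Failed password for root from 203.0.113.7 port 51007 ssh2
"""


def parse_ts(text):
    """'Sep  5 10:01:00' -> datetime (year assumed, see LOG_YEAR)."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


class BruteForceGuard:
    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=2)):
        self.maxretry = maxretry        # failures that trigger a ban
        self.findtime = findtime        # sliding window for counting them
        self.bantime = bantime          # how long the lockout lasts
        self.failures = defaultdict(deque)   # ip -> recent failure times
        self.banned_until = {}               # ip -> when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]   # ban expired: unlock the IP
            return False
        return True

    def feed(self, line):
        """Process one log line; return the IP if this line caused a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None                 # not a failed-password line
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if self.is_banned(ip, ts):
            return None                 # already locked out, nothing to do
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()            # forget failures outside the window
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def scan(log_text, **kwargs):
    """Run the guard over a whole log; return ([(ip, expiry)], guard)."""
    guard = BruteForceGuard(**kwargs)
    bans = []
    for line in log_text.splitlines():
        ip = guard.feed(line)
        if ip:
            expiry = guard.banned_until[ip].strftime("%Y-%m-%d %H:%M:%S")
            bans.append((ip, expiry))
    return bans, guard


if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG)[0]:
        print(f"ban {ip} until {until}")
```

The real tools act on the ban by adding a firewall rule or a hosts.deny entry; here the ban list is just returned so the windowing logic can be checked on its own.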


* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05 10:44 ` Alan McKinnon
@ 2009-09-05 11:01   ` Dale
  2009-09-05 13:53     ` Willie Wong
  0 siblings, 1 reply; 36+ messages in thread
From: Dale @ 2009-09-05 11:01 UTC
  To: gentoo-user

Alan McKinnon wrote:
> On Saturday 05 September 2009 11:56:09 Dale wrote:
>   
>> Hi,
>>
>> As some may know already, I recently got DSL.  It's not a super fast
>> connection by broadband standards but it does mean that my box may be
>> easier to find for a hacker.  So, I have a few questions about
>> security.  I think I am OK but want to make sure.
>>
>> 1:  I have a good root password.  It's not something someone would guess
>> for sure.  Nothing related to my history, birthdays or anything.  It is
>> still fairly easy for me to type tho.
>>     
>
> Good. Also disable root login using sshd
>   

Since ssh is not running, I assume it doesn't matter at this point?

>   
>> 2:  I went to this link:  https://www.grc.com/x/ne.dll?bh0bkyd2
>> According to that site my ports are in "stealth" mode which is good from
>> what I understand.
>>     
>
> That's Gibson. Sometimes he talks sense and has good ideas, but he always 
> rambles. Wheat and chaff.
>
> Run "netstat -atnup" and see what's open. Apply brainpower to what you see.
> Learn how to drive nmap and throw it at localhost. Apply brainpower to what 
> you see.
>   

This looks OK to me.  It is things that I have connected to the internet
and am using.  I have Seamonkey running and Kopete is logged into Yahoo
at the moment.  Still want to get rid of that pesky upgrade message
tho.  ;-)  I do have cups running but nothing is shared.  It's just a
local printer.  I have no idea what the mDNSResponderP thing is.  That
is something that is pulled in by something else and it showed up ages
ago. 

root@smoker / # netstat -atnup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3493          0.0.0.0:*               LISTEN      26885/upsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5428/cupsd
tcp        0      0 127.0.0.1:3493          127.0.0.1:40613         ESTABLISHED 26885/upsd
tcp        0      0 127.0.0.1:38147         127.0.0.1:631           TIME_WAIT   -
tcp        0      0 127.0.0.1:631           127.0.0.1:38148         ESTABLISHED 5428/cupsd
tcp        0      0 192.168.1.1:53247       68.180.217.6:5050       ESTABLISHED 6730/kopete
tcp        1      0 192.168.1.1:45608       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        1      0 192.168.1.1:45609       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        0      0 127.0.0.1:38148         127.0.0.1:631           ESTABLISHED 6795/seamonkey-bin
tcp        0      0 127.0.0.1:40613         127.0.0.1:3493          ESTABLISHED 28709/upsmon
udp        0      0 0.0.0.0:40143           0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5348/mdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:60777           0.0.0.0:*                           5348/mdnsd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           25561/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           25561/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           25561/ntpd
root@smoker / #

>   
>> 3:  I have no servers running here.  No Apache, MySql, or any of that.
>> I also have turned off/stopped ssh since I have only one box at the
>> moment.
>>     
>
> no services running by default is a sane starting point for personal use. But 
> you will likely need *some* services, so deploy them one by one and audit each 
> one before taking it live. Start them only when you need them.
>
>   
>> 4:  I'm currently using this kernel:  2.6.25-gentoo-r9  I plan to
>> upgrade that in the next day or so.
>>     
>
> Kernel bugs exist of course, but in terms of numbers, it's far easier for 
> someone to access your box using other routes. Like php.
>
> Pay attention to kernel bugs but you also have to prioritize by risk factor, 
> so that one is correspondingly lower on the list.
>
>   
>> The DSL modem I am using is the Motorola 2210.  It seems to be a gateway
>> thing.  I have no router at the moment but if I build a new rig I will
>> be getting one then.  Most likely a Linksys or something.  I'll post
>> here before getting one anyway.  ;-)
>>
>> Am I missing anything?  If you need more info, let me know.  I just want
>> to make sure no one can get into my box without me knowing about it and
>> getting into mischief.
>>     
>
> By far the most common attack vector into home machines is users doing stupid 
> things with mail and dodgy links. This is how phishers work. So you need to 
> apply diligence in what you click and where you go. But, you are likely 
> exercising this already.
>
> Top of my list is always to lock down things that give shell access. No 
> telnet, no root login, access for specific users only. I use "AllowGroups" in 
> sshd_config a lot - only that group's members may log in and one grep shows 
> you exactly who is in that group.
>
> You deal with brute force attacks using packages like fail2ban and denyhosts. 
> The general idea is that if a certain number of failed attempts show up in the 
> logs in a short time, that IP is locked out for a few hours.
>
> john the ripper is excellent at finding weak passwords. I don't know how much 
> benefit you will get - having only two users with passwords - but I use it 
> routinely on my servers. There's a certain satisfaction in attending security 
> forum meetings and telling some manager with a stick up his ass that you are 
> the one who trashed his access because you found his password in 38 seconds 
> :-)
>
>   

I don't think anyone can login here except through something local.  I
can't remember where but it has to be a local connection for it to let
you login.  Basically, I don't want anyone to be able to login, root or
user, from anything but my chair.  I think that is how it is set up.  I
don't access or need access from a remote location basically. 

I am careful with things like bank sites, credit card sites even myspace
and others.  I don't click on links in emails or anything.  I have most
everything bookmarked in Seamonkey and keyworded so I don't have to type
much.  For my google email account, I type in gmail and it goes to my
google email account.  My bank and credit card doesn't allow form
managers which in a way I don't like.  I used to have a really long
password that was about as secure as it could get but now that I have to
type all that crap in, I changed it to something shorter.  Yea, me and
the bank went a few rounds on that one. 

I'll check into fail2ban and denyhosts.  Any one better or more
preferred than the other?

Thanks.  I knew you would help me on this.  LOL

Dale

:-)  :-)

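Alan's "apply brainpower to what you see", as an added Python example that is not from the thread: it parses Dale's netstat -atnup listing above (reflowed to one line per socket) and classes every listening socket by its bind address, so the ones reachable from beyond loopback stand out; the IPv6 wildcard handling is a generalisation beyond what the listing shows.

```python
"""Classify listening sockets from `netstat -atnup` output by exposure.

Added example, not code from the thread. Each listening socket is
classed by its bind address: loopback only, one interface, or all
interfaces (0.0.0.0 / ::). The input is Dale's listing from the thread,
reflowed to one line per socket.
"""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3493          0.0.0.0:*               LISTEN      26885/upsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5428/cupsd
tcp        0      0 127.0.0.1:3493          127.0.0.1:40613         ESTABLISHED 26885/upsd
tcp        0      0 127.0.0.1:38147         127.0.0.1:631           TIME_WAIT   -
tcp        0      0 127.0.0.1:631           127.0.0.1:38148         ESTABLISHED 5428/cupsd
tcp        0      0 192.168.1.1:53247       68.180.217.6:5050       ESTABLISHED 6730/kopete
tcp        1      0 192.168.1.1:45608       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        1      0 192.168.1.1:45609       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        0      0 127.0.0.1:38148         127.0.0.1:631           ESTABLISHED 6795/seamonkey-bin
tcp        0      0 127.0.0.1:40613         127.0.0.1:3493          ESTABLISHED 28709/upsmon
udp        0      0 0.0.0.0:40143           0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5348/mdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:60777           0.0.0.0:*                           5348/mdnsd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           25561/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           25561/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           25561/ntpd
"""


def split_addr(addr):
    """'127.0.0.1:631' -> ('127.0.0.1', '631'); also handles ':::22'."""
    host, _, port = addr.rpartition(":")
    return host, port


def exposure(host):
    """Where a socket bound to this address can be reached from."""
    if host.startswith("127.") or host == "::1":
        return "loopback only"
    if host in ("0.0.0.0", "::"):
        return "all interfaces"
    return f"interface {host} only"


def parse_netstat(text):
    """Yield one dict per socket line of `netstat -atnup` output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                     # header or blank line
        proto, local, foreign = fields[0], fields[3], fields[4]
        # TCP lines carry a State column; unconnected UDP lines leave it
        # blank, so the PID/Program field is one column earlier.
        if len(fields) == 7:
            state, program = fields[5], fields[6]
        else:
            state, program = "", fields[5]
        host, port = split_addr(local)
        yield {"proto": proto, "host": host, "port": port,
               "foreign": foreign, "state": state, "program": program}


def listening(text):
    """Sockets waiting for input: TCP in LISTEN, or UDP with no peer."""
    for s in parse_netstat(text):
        if s["proto"].startswith("tcp") and s["state"] == "LISTEN":
            yield s
        elif s["proto"].startswith("udp") and s["foreign"].endswith(":*"):
            yield s


def exposed(text):
    """Listening sockets reachable from beyond the loopback interface."""
    return [s for s in listening(text)
            if exposure(s["host"]) != "loopback only"]


if __name__ == "__main__":
    for s in listening(NETSTAT_OUTPUT):
        print(f"{s['proto']:4} {s['host']}:{s['port']:<6} "
              f"{s['program']:20} {exposure(s['host'])}")
```

On Dale's listing this leaves upsd and cupsd as loopback-only while mdnsd, mDNSResponderP and ntpd are bound to every interface, which is exactly the detail Mick picks up on further down the thread.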


* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05 11:01   ` Dale
@ 2009-09-05 13:53     ` Willie Wong
  2009-09-05 14:11       ` John J. Foster
  2009-09-07 15:27       ` [gentoo-user] " James
  0 siblings, 2 replies; 36+ messages in thread
From: Willie Wong @ 2009-09-05 13:53 UTC
  To: gentoo-user

On Sat, Sep 05, 2009 at 06:01:21AM -0500, Penguin Lover Dale squawked:
> Since ssh is not running, I assume it doesn't matter at this point?


> I'll check into fail2ban and denyhosts.  Any one better or more
> preferred than the other?

AFAIK, either of those is for brute force attacks on SSHD. If you are
not opening up ssh...

Personally I use neither. I rolled my own scripts to monitor brute
force attacks and it has held up alright. 

You can make double sure and get iptables to drop all connections not
originating from the LAN. Actually, go ahead, look into iptables, and
apply brainpower like Alan said. 

On my setup, I just block almost everything (except ssh) by default
and maintain a white-list of IPs. 

W

-- 
These are things people "actually said" in court....
+++++++
Q: What is your date of birth?
A: July fifteenth.
Q: What year?
A: Every year.
+++++++
Q: What gear were you in at the moment of the impact?
A: Gucci sweats and Reeboks.
+++++++
Q: Sir, what is your IQ?
A: Well, I can see pretty well, I think.
+++++++
Q: Did you blow your horn or anything?
A: After the accident?
Q: Before the accident.
A: Sure, I played for ten years. I even went to school for it.
+++++++
Q: Trooper, when you stopped the defendant, were your red and blue 
   lights flashing?
A: Yes.
Q: Did the defendant say anything when she got out of her car?
A: Yes, sir.
Q: What did she say?
A: What disco am I at?
+++++++
Q: Now doctor, isn't it true that when a person dies in his sleep,
   he doesn't know about it until the next morning?
+++++++
Q: The youngest son, the twenty-year old, how old is he?
+++++++
Q: Were you present when your picture was taken?
+++++++
Q: She had three children, right?
A: Yes.
Q: How many were boys?
A: None.
Q: Were there any girls?
+++++++
Q: How was your first marriage terminated?
A: By death.
Q: And by whose death was it terminated?
+++++++
Q: Is your appearance here this morning pursuant to a deposition notice
   which I sent to your attorney?
A: No, this is how I dress when I go to work.
+++++++
Q: Doctor, how many autopsies have you performed on dead people?
A: All my autopsies are performed on dead people.
+++++++
Q: Doctor, before you performed the autopsy, did you check for a pulse?
A: No.
Q: Did you check for blood pressure?
A: No.
Q: Did you check for breathing?
A: No.
Q: So, then it is possible that the patient was alive when you began
   the autopsy?
A: No.
Q: How can you be so sure, Doctor?
A: Because his brain was sitting on my desk in a jar.
Q: But could the patient have still been alive nevertheless?
A: Yes, it is possible that he could have been alive and practicing
   law somewhere.
Sortir en Pantoufles: up 1002 days, 12:39



* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05 13:53     ` Willie Wong
@ 2009-09-05 14:11       ` John J. Foster
  2009-09-05 14:36         ` Dale
  2009-09-05 14:48         ` Willie Wong
  2009-09-07 15:27       ` [gentoo-user] " James
  1 sibling, 2 replies; 36+ messages in thread
From: John J. Foster @ 2009-09-05 14:11 UTC
  To: gentoo-user

Hey Willie - a 67 line sig ?

festus
-- 
I just want to break even.

* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05 14:11       ` John J. Foster
@ 2009-09-05 14:36         ` Dale
  2009-09-05 14:48         ` Willie Wong
  1 sibling, 0 replies; 36+ messages in thread
From: Dale @ 2009-09-05 14:36 UTC
  To: gentoo-user

John J. Foster wrote:
> Hey Willie - a 67 line sig ?
>
> festus
>   

It was funny tho.  LOL

Dale

:-)  :-) 



* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05 14:11       ` John J. Foster
  2009-09-05 14:36         ` Dale
@ 2009-09-05 14:48         ` Willie Wong
  2009-09-05 17:46           ` Stroller
  1 sibling, 1 reply; 36+ messages in thread
From: Willie Wong @ 2009-09-05 14:48 UTC
  To: gentoo-user

On Sat, Sep 05, 2009 at 08:11:30AM -0600, Penguin Lover John J. Foster squawked:
> Hey Willie - a 67 line sig ?
> 
> festus

My apologies.

My sigs are randomly pulled from fortune (with some custom databases). 
Usually I try to make sure that the ones that end up going to mailing 
lists are not excessively long. This one slipped through. 

I promise I'll be even more diligent in the future. 

Thanks for pointing it out. 

W

-- 
"And wow! Hey! What's this thing coming towards me very 
fast? Very very fast. So big and flat and round, it needs a 
big wide sounding word like... ow... ound... round... 
ground! That's it! That's a good name - ground!
I wonder if it will be friends with me?" 

- For the sperm whale, it wasn't. 
Sortir en Pantoufles: up 1002 days, 13:37



* [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05  9:56 [gentoo-user] Making sure I am a good netizen and secure Dale
  2009-09-05 10:44 ` Alan McKinnon
@ 2009-09-05 14:59 ` Grant Edwards
  2009-09-05 15:10   ` Dale
  2009-09-05 20:11 ` Nikos Chantziaras
  2 siblings, 1 reply; 36+ messages in thread
From: Grant Edwards @ 2009-09-05 14:59 UTC
  To: gentoo-user

On 2009-09-05, Dale <rdalek1967@gmail.com> wrote:

> As some may know already, I recently got DSL.
[...]
> The DSL modem I am using is the Motorola 2210.  It seems to be
> a gateway thing.  I have no router at the moment

The 2210 is a router that is doing NAT with a stateful
firewall.  It will (assuming it's not too buggy) prevent
outside access to your network.

If you buy a second router (e.g. a Linksys or DLink), you'll
just be duplicating the NAT/firewall/routing functions in the
2210. You can do that if you want.  I used to run a two layer
NAT setup with a Cisco 678 DSL modem (configured to forward all
TCP/UDP ports) and an OpenWRT gateway.  There were features I
needed that OpenWRT had that the Cisco didn't.

Unless there's something specific that you want to do that
isn't supported by the 2210 (or you're aware of deficiencies in
the 2210), I probably wouldn't bother adding a second firewall
box.

-- 
Grant Edwards                   grante             Yow! Everywhere I look I
                                  at               see NEGATIVITY and ASPHALT
                               visi.com            ...




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 14:59 ` Grant Edwards
@ 2009-09-05 15:10   ` Dale
  2009-09-05 17:03     ` Mick
  2009-09-06  3:01     ` Grant Edwards
  0 siblings, 2 replies; 36+ messages in thread
From: Dale @ 2009-09-05 15:10 UTC
  To: gentoo-user

Grant Edwards wrote:
> On 2009-09-05, Dale <rdalek1967@gmail.com> wrote:
>
>   
>> As some may know already, I recently got DSL.
>>     
> [...]
>   
>> The DSL modem I am using is the Motorola 2210.  It seems to be
>> a gateway thing.  I have no router at the moment
>>     
>
> The 2210 is a router that is doing NAT with a stateful
> firewall.  It will (assuming it's not too buggy) prevent
> outside access to your network.
>
> If you buy a second router (e.g. a Linksys or DLink), you'll
> just be duplicating the NAT/firewall/routing functions in the
> 2210. You can do that if you want.  I used to run a two layer
> NAT setup with a Cisco 678 DSL modem (configure to forward all
> TCP/UDP ports) and an OpenWRT gateway.  There were features I
> needed that OpenWRT had that the Cisco didn't.
>
> Unless there's something specific that you want to do that
> isn't supported by the 2210 (or you're aware of deficiencies in
> the 2210), I probably wouldn't bother adding a second firewall
> box.
>
>   

I was thinking about buying a router IF I build a second box and need to
share the internet with it.  The modem only has one port and apparently
zero reconfigurability because when I log in, there are no options to
change anything except what time it updates the modem software.  So, I
hope it works well.  o_O

Dale

:-)  :-) 



* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 15:10   ` Dale
@ 2009-09-05 17:03     ` Mick
  2009-09-05 17:28       ` Dale
  2009-09-06  3:03       ` Grant Edwards
  2009-09-06  3:01     ` Grant Edwards
  1 sibling, 2 replies; 36+ messages in thread
From: Mick @ 2009-09-05 17:03 UTC
  To: gentoo-user

On Saturday 05 September 2009, Dale wrote:
> Grant Edwards wrote:
> > On 2009-09-05, Dale <rdalek1967@gmail.com> wrote:
> >> As some may know already, I recently got DSL.
> >
> > [...]
> >
> >> The DSL modem I am using is the Motorola 2210.  It seems to be
> >> a gateway thing.  I have no router at the moment
> >
> > The 2210 is a router that is doing NAT with a stateful
> > firewall.  It will (assuming it's not too buggy) prevent
> > outside access to your network.
> >
> > If you buy a second router (e.g. a Linksys or DLink), you'll
> > just be duplicating the NAT/firewall/routing functions in the
> > 2210. You can do that if you want.  I used to run a two layer
> > NAT setup with a Cisco 678 DSL modem (configure to forward all
> > TCP/UDP ports) and an OpenWRT gateway.  There were features I
> > needed that OpenWRT had that the Cisco didn't.
> >
> > Unless there's something specific that you want to do that
> > isn't supported by the 2210 (or you're aware of deficiencies in
> > the 2210), I probably wouldn't bother adding a second firewall
> > box.
>
> I was thinking about buying a router IF I build a second box and need to
> share the internet with it.  The modem only has one port and apparently
> zero reconfigurability because when I log in, there are no options to
> change anything except what time it updates the modem software.  So, I
> hope it works well.  o_O

Just a few suggestions:

Make sure that you change all passwds in the router - it may have more than 
one user defined - and shut down any router services that you do not need at 
the moment (e.g. telnet, ftp, or whatever Motorola are providing).

Make sure you disable UPnP as it can be susceptible to having your router 
cracked open and its configuration changed.

If you google for the above two I am sure that you will find a lot of stories 
about the poor defaults of some routers.  I do not know if your Motorola is 
one of those of course, so take these and others like them with a pinch of 
salt, because I do not want to alarm you unnecessarily:

http://www.jibble.org/o2-broadband-fail/
http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=205800419

The cheapest solution by far to networking a second PC in the LAN is to use 
your first PC as a router and forward packets through it.  The second option 
is to buy another router.  In this case I recommend that you use your 
Motorola in fully bridged mode where it acts as a transparent ADSL modem 
(look through its GUI and read the manual as to how to achieve this) and use 
your new router to achieve PPPoE authentication with your ISP's network.  If 
you buy an old Cisco or Adtran router off ebay make sure you flash them with 
the latest firmware as they will be open to the Internet via your fully 
transparent bridged ADSL modem.

Your netstat results show that you are running mdnsd and mDNSResponder.  Is 
this necessary?

Instead of fail2ban and similar I recommend native sshd solutions:

No root logins, a random high port number instead of 22 and only public key 
authentication allowed.  The random port will get rid of 99.5% of the botnets 
and the pubkey will drop dead anything else.  Make sure that you secure your 
private key with a strong passwd - if you are paranoid and also just in case 
your user account is one day compromised.

The stealthiness or not of your ports is determined by your router (responding 
to ICMP echo requests) and is for all intents and purposes irrelevant.  GRC 
have to make money somehow out of panicky MSWindows users.  Some discussion 
on this here, although there are no doubt more serious comments on the web 
about this topic:

http://www.wilderssecurity.com/showthread.php?t=216892

Finally, I would recommend that you configure iptables (there's loads of 
scripts out there).  You never know if some application you're trying out 
decides to open a port just for laughs.

HTH.
-- 
Regards,
Mick

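Mick's sshd recommendations above together with Alan's AllowGroups advice earlier in the thread, as an added Python example that is not from the thread or from OpenSSH: it audits the global section of an sshd_config for those settings and reports which ones fail. Both config texts are constructed and the port number is a placeholder.

```python
"""Audit an sshd_config against the hardening advised in this thread.

Added example, not code from the thread or from OpenSSH. It checks the
global section of an sshd_config for no root login, key-only
authentication, an AllowGroups restriction and a non-default port, and
returns the checks that fail. Both configs are constructed.
"""
import re

# Constructed: what a stock sshd_config tends to look like after install.
# Commented-out lines only document defaults; they set nothing.
WEAK_CONFIG = """\
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
"""

# Constructed: the same file with the thread's recommendations applied
# (2291 is a placeholder port). The Match block re-enables passwords for
# the LAN only; an audit of the global section must not be fooled by it.
HARDENED_CONFIG = """\
Port 2291
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_global(text):
    """Keyword -> value for the global section (everything before Match).

    sshd uses the first value it sees for a keyword, so later duplicates
    are ignored here too. Keywords are case-insensitive.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                        # conditional section starts here
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


# (check name, keyword, predicate on the lower-cased value or None, advice)
CHECKS = [
    ("PermitRootLogin", "permitrootlogin",
     lambda v: v == "no", "set explicitly to 'no'"),
    ("PasswordAuthentication", "passwordauthentication",
     lambda v: v == "no", "set to 'no' so only keys are accepted"),
    # With UsePAM, keyboard-interactive can still prompt for a password
    # unless this is off too (newer releases call it
    # KbdInteractiveAuthentication).
    ("ChallengeResponseAuthentication", "challengeresponseauthentication",
     lambda v: v == "no", "set to 'no' as well, or passwords still work"),
    ("PubkeyAuthentication", "pubkeyauthentication",
     lambda v: v is None or v == "yes", "must not be disabled"),
    ("AllowGroups", "allowgroups",
     lambda v: bool(v), "restrict logins to one group's members"),
    ("Port", "port",
     lambda v: v is not None and v != "22", "move off the default port"),
]


def audit(text):
    """Names of the checks the global section fails, in CHECKS order."""
    settings = parse_global(text)
    failed = []
    for name, key, ok, _advice in CHECKS:
        value = settings.get(key)
        if value is not None:
            value = value.lower()
        if not ok(value):
            failed.append(name)
    return failed


def report(text):
    """Human-readable findings for one config."""
    failing = set(audit(text))
    return [f"{name}: {advice}" for name, _k, _ok, advice in CHECKS
            if name in failing]


if __name__ == "__main__":
    for label, cfg in (("stock", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {report(cfg) or ['all checks pass']}")
```

The unset-means-fail rule for PermitRootLogin is deliberate: defaults have changed between OpenSSH releases, so the audit wants the value written down rather than inherited.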
* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 17:03     ` Mick
@ 2009-09-05 17:28       ` Dale
  2009-09-05 19:01         ` Mick
  2009-09-06  3:03       ` Grant Edwards
  1 sibling, 1 reply; 36+ messages in thread
From: Dale @ 2009-09-05 17:28 UTC
  To: gentoo-user

Mick wrote:
> On Saturday 05 September 2009, Dale wrote:
>   
>> Grant Edwards wrote:
>>     
>>> On 2009-09-05, Dale <rdalek1967@gmail.com> wrote:
>>>       
>>>> As some may know already, I recently got DSL.
>>>>         
>>> [...]
>>>
>>>       
>>>> The DSL modem I am using is the Motorola 2210.  It seems to be
>>>> a gateway thing.  I have no router at the moment
>>>>         
>>> The 2210 is a router that is doing NAT with a stateful
>>> firewall.  It will (assuming it's not too buggy) prevent
>>> outside access to your network.
>>>
>>> If you buy a second router (e.g. a Linksys or DLink), you'll
>>> just be duplicating the NAT/firewall/routing functions in the
>>> 2210. You can do that if you want.  I used to run a two layer
>>> NAT setup with a Cisco 678 DSL modem (configure to forward all
>>> TCP/UDP ports) and an OpenWRT gateway.  There were features I
>>> needed that OpenWRT had that the Cisco didn't.
>>>
>>> Unless there's something specific that you want to do that
>>> isn't supported by the 2210 (or you're aware of deficiencies in
>>> the 2210), I probably wouldn't bother adding a second firewall
>>> box.
>>>       
>> I was thinking about buying a router IF I build a second box and need to
>> share the internet with it.  The modem only has one port and apparently
>> zero reconfigurability because when I log in, there are no options to
>> change anything except what time it updates the modem software.  So, I
>> hope it works well.  o_O
>>     
>
> Just a few suggestions:
>
> Make sure that you change all passwds in the router - it may have more than 
> one user defined - and shut down any router services that you do not need at 
> the moment (e.g. telnet, ftp, or whatever Motorola are providing).
>
> Make sure you disable Upnp as it can be susceptible to having your router 
> cracked open and its configuration changed.
>
> If you google for the above two I am sure that you will find a lot of stories 
> about the poor defaults of some routers.  I do not know if your Motorola is 
> one of those of course, so take these and others like them with a pinch of 
> salt, because I do not want to alarm you unnecessarily:
>
> http://www.jibble.org/o2-broadband-fail/
> http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=205800419
>
> The cheapest solution by far to networking a second PC in the LAN is to use 
> your first PC as a router and forward packets through it.  The second option 
> is to buy another router.  In this case I recommend that you use your 
> Motorola in fully bridged mode where it acts as a transparent ADSL modem 
> (look through its GUI and read the manual as to how to achieve this) and use 
> your new router to achieve PPPoE authentication with your ISP's network.  If 
> you buy an old Cisco or Adtran router off ebay make sure you flash them with 
> the latest firmware as they will be open to the Internet via your fully 
> transparent bridged ADSL modem.
>   

As far as I can tell, I can't configure anything in the modem, at all. 
That is the weirdest modem I have ever seen.  Unless I am missing
something, I can't enable or disable anything at all.  I guess it is
designed to either work or not work.  Sort of like a steel ball.  lol

> Your netstat results show that you are running mdnsd and mDNSResponder.  Is 
> this necessary?
>   

I vaguely remember something pulling that in a LONG time ago.  I have no
clue what the heck that thing is, none whatsoever.  I remember checking
the forums when it was installed and it being needed by something.  I
don't think I have it set to start, I think it starts because something
else needs it.  Should I kill that thing or what?

> Instead of fail2ban and similar I recommend native sshd solutions:
>
> No root logins, a random high port number instead of 22 and only public key 
> authentication allowed.  The random port will get rid of 99.5% of the botnets 
> and the pubkey will drop dead anything else.  Make sure that you secure your 
> private key with a strong passwd - if you are paranoid and also just in case 
> your user account is one day compromised.
>
> The stealthiness or not of your ports is determined by your router (responding 
> to ICMP echo requests) and is for all intends and purposes irrelevant.  GRC 
> have to make money somehow out of panicky MSWindows users.  Some discussion 
> on this here, although there are no doubt more serious comments on the web 
> about this topic:
>
> http://www.wilderssecurity.com/showthread.php?t=216892
>
> Finally, I would recommend that you configure IP tables (there's loads of 
> scripts out there).  You never know if some application you're trying out 
> decides to open a port just for laughs.
>
> HTH.
>   

I ran an iptables script and saved the config a long time ago.  I don't
know if it is the modem or my iptables that is making me "stealthy" or
what.  I'm just glad that me hiding appears to be a good thing.  lol

Oooops, I hope that wasn't too loud.  I had a thought here.  I may have
ground up a gear or two.  This may help:

root@smoker / # equery depends mDNSResponder
[ Searching for packages depending on mDNSResponder... ]
kde-base/kdelibs-3.5.10-r6 (!avahi & !bindist? net-misc/mDNSResponder)
kde-base/kdelibs-4.3.1 (zeroconf & !bindist? net-misc/mDNSResponder)
kde-base/krdc-4.3.1 (zeroconf? net-misc/mDNSResponder)
kde-base/krfb-4.3.1 (zeroconf? net-misc/mDNSResponder)
media-libs/libgphoto2-2.4.3 (bonjour? net-misc/mDNSResponder)
net-misc/ntp-4.2.4_p7 (zeroconf? net-misc/mDNSResponder)
net-print/cups-1.3.10-r2 (zeroconf & !avahi? net-misc/mDNSResponder)
root@smoker / #

Looks like a few things need mDNSResponder.  I can't see me going
without kdelibs anytime soon.  lol

Dale

:-)  :-) 
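As an added example, not code from Dale, Mick or the thread, here is a POSIX shell audit that checks an sshd_config against the three recommendations quoted above (no root logins, a non-default port, public-key authentication only); the sample configs and the temp paths are constructed, and the sshd defaults it assumes are named in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config against the
# three recommendations above (no root logins, a non-default port, public-key
# authentication only). It works on any file path, so it can be run on a copy.
#
# Assumed sshd semantics: keywords are case-insensitive, the FIRST occurrence of
# a keyword wins (Port may occur several times, one per listening port), the
# global section ends at the first "Match" line, and an absent keyword takes
# the compiled-in default (PermitRootLogin yes on OpenSSH older than 7.0,
# PasswordAuthentication yes, PubkeyAuthentication yes, Port 22).

# config_values FILE KEYWORD -> every value given for KEYWORD in the global
# section, in file order (empty output if the keyword is never set)
config_values() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { sub(/#.*/, ""); gsub(/=/, " ") }             # trailing comment, Key=value form
        tolower($1) == "match" { exit }                # per-user/host blocks are not global
        tolower($1) == key     { print $2 }
    ' "$1"
}

# effective_value FILE KEYWORD DEFAULT -> the value sshd would actually use
effective_value() {
    v=$(config_values "$1" "$2" | head -n 1)
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE -> prints one line per finding; exit status 0 when all
# three recommendations hold, 1 otherwise
audit_sshd_config() {
    f="$1"; rc=0
    [ "$(effective_value "$f" PermitRootLogin yes)" = no ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    ports=$(config_values "$f" Port)
    { [ -n "$ports" ] && ! printf '%s\n' "$ports" | grep -qx 22; } \
        || { echo "sshd listens on the default port 22"; rc=1; }
    [ "$(effective_value "$f" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(effective_value "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication is not 'yes'"; rc=1; }
    return $rc
}

# Constructed sample configs (not anyone's real files), written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak" <<'EOF'
# A stock-looking file: everything commented out, so the defaults apply
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Port 41522                  # constructed non-default port
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup           # settings from here on are not global
    X11Forwarding no
EOF

for cfg in weak hardened; do
    echo "== $cfg =="
    audit_sshd_config "$SAMPLE_DIR/$cfg" && echo "OK: all three recommendations hold"
done
```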




* Re: [gentoo-user] Making sure I am a good netizen and secure.
  2009-09-05 14:48         ` Willie Wong
@ 2009-09-05 17:46           ` Stroller
  0 siblings, 0 replies; 36+ messages in thread
From: Stroller @ 2009-09-05 17:46 UTC (permalink / raw
  To: gentoo-user


On 5 Sep 2009, at 15:48, Willie Wong wrote:

> On Sat, Sep 05, 2009 at 08:11:30AM -0600, Penguin Lover John J.  
> Foster squawked:
>> Hey Willie - a 67 line sig ?
>>
>> festus
>
> My apologies.
>
> My sigs are randomly pulled from fortune (with some custom databases).
> Usually I *_try_* to make sure that the ones that ends up going to  
> mailing
> lists are not excessively long. This one slipped through.

[emphasis added]

I assume you use a script to do this, in which case use of `wc -l`  
should *ensure* they are not.

It was funny, though.

Stroller.





* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 17:28       ` Dale
@ 2009-09-05 19:01         ` Mick
  2009-09-05 19:58           ` Dale
  0 siblings, 1 reply; 36+ messages in thread
From: Mick @ 2009-09-05 19:01 UTC (permalink / raw
  To: gentoo-user


On Saturday 05 September 2009, Dale wrote:

> As far as I can tell, I can't configure anything in the modem, at all.
> That is the weirdest modem I have ever seen.  Unless I am missing
> something, I can't enable or disable anything at all.  

Hmm ... you haven't searched this much now, have you?

Have you tried pointing your browser to: http://192.168.1.254 ?

The authentication code/passwd is probably written on a sticker below the 
router itself, or look at the manual, or ring your ISP.

Have a look here for more info:  
http://www.dslreports.com/faq/bellsouth/3.121_Motorola_Info

> > Your netstat results show that you are running mdnsd and mDNSResponder. 
> > Is this necessary?
>
> I vaguely remember something pulling that in a LONG time ago.  I have no
> clue what the heck that thing is, none whatsoever.  I remember checking
> the forums when it was installed and it being needed by something.  I
> don't think I have it set to start, I think it starts because something
> else needs it.  Should I kill that thing or what?

I believe it is running because of zeroconf.  Unless you have use for zeroconf 
on your LAN network I would remove them from rc-update.

> > The stealthiness or not of your ports is determined by your router
> > (responding to ICMP echo requests) and is for all intents and purposes
> > irrelevant.  

> I ran an iptables script and saved the config a long time ago.  I don't
> know if it is the modem or my iptables that is making me "stealthy" or
> what.  I'm just glad that me hiding appears to be a good thing.  lol

Ahem, if you re-read the previous paragraph of mine and the link I provided 
in my previous message you'll see that being stealthy is irrelevant, at least 
from a network security perspective.
-- 
Regards,
Mick



* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 19:01         ` Mick
@ 2009-09-05 19:58           ` Dale
  2009-09-05 23:17             ` Mick
  0 siblings, 1 reply; 36+ messages in thread
From: Dale @ 2009-09-05 19:58 UTC (permalink / raw
  To: gentoo-user

Mick wrote:
> On Saturday 05 September 2009, Dale wrote:
>
>   
>> As far as I can tell, I can't configure anything in the modem, at all.
>> That is the weirdest modem I have ever seen.  Unless I am missing
>> something, I can't enable or disable anything at all.  
>>     
>
> Hmm ... you haven't searched this much now, have you?
>   

Yep, I looked at the login screen the modem gave me.  LOL  It's just the
wrong one.  See below.

> Have you tried pointing your browser to: http://192.168.1.254 ?
>   

Yep, did that and bookmarked it.  THAT was mistake #1.  It bookmarked a
different part of the modem.  Therefore, it didn't give me the other
pages you are referring to.  Going to the link you gave worked better,
MUCH better!!  I see some stuff I can mess up now. 

> The authentication code/passwd is probably written on a sticker below the 
> router itself, or look at the manual, or ring your ISP.
>
> Have a look here for more info:  
> http://www.dslreports.com/faq/bellsouth/3.121_Motorola_Info
>   

Now that was cool.  The pages were slow as crap but cool anyway.  I
don't know why but the AT&T pages load about the same speed on DSL as
they did on dial-up.  Everything else is fast but not AT&T.  Weird huh? 
I think it is those sucky servers that run winders.  LOL 

>   
>>> Your netstat results show that you are running mdnsd and mDNSResponder. 
>>> Is this necessary?
>>>       
>> I vaguely remember something pulling that in a LONG time ago.  I have no
>> clue what the heck that thing is, none whatsoever.  I remember checking
>> the forums when it was installed and it being needed by something.  I
>> don't think I have it set to start, I think it starts because something
>> else needs it.  Should I kill that thing or what?
>>     
>
> I believe it is running because of zeroconf.  Unless you have use for zeroconf 
> on your LAN network I would remove them from rc-update.
>   

I don't have zeroconf in a runlevel.  Something is starting it but I
don't know what it is.  This is a list of what I have set up to start.

root@smoker / # rc-update show
            bootmisc | boot
             checkfs | boot
           checkroot | boot
               clock | boot
         consolefont | boot
               cupsd |      default
                hald |      default
            hostname | boot
               ivman |      default
             keymaps | boot
               local |      default nonetwork
          localmount | boot
             modules | boot
            net.eth0 |      default
              net.lo | boot
            netmount |      default
                ntpd |      default
             numlock |      default
           rmnologin | boot
              smartd |      default
           syslog-ng |      default
                upsd |      default
              upsdrv |      default
              upsmon |      default
             urandom | boot
          vixie-cron |      default
                 xdm |      default
root@smoker / #                   

I'd be glad to get rid of it but I don't know which one to stop and
remove from the services to start.  Ideas?

>   
>>> The stealthiness or not of your ports is determined by your router
>>> (responding to ICMP echo requests) and is for all intents and purposes
>>> irrelevant.  
>>>       
>
>   
>> I ran an iptables script and saved the config a long time ago.  I don't
>> know if it is the modem or my iptables that is making me "stealthy" or
>> what.  I'm just glad that me hiding appears to be a good thing.  lol
>>     
>
> Ahem, if you re-read the previous paragraph of mine and the link I provided 
> in my previous message you'll see that being stealthy is irrelevant, at least 
> from a network security perspective.
>   

Well, if they can't find me, how do they break in?  LOL  Just kidding
but you know.  It's a start.

Dale

:-)  :-) 




* [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05  9:56 [gentoo-user] Making sure I am a good netizen and secure Dale
  2009-09-05 10:44 ` Alan McKinnon
  2009-09-05 14:59 ` Grant Edwards
@ 2009-09-05 20:11 ` Nikos Chantziaras
  2 siblings, 0 replies; 36+ messages in thread
From: Nikos Chantziaras @ 2009-09-05 20:11 UTC (permalink / raw
  To: gentoo-user

On 09/05/2009 12:56 PM, Dale wrote:
> Hi,
>
> As some may know already, I recently got DSL.  It's not a super fast
> connection by broadband standards but it does mean that my box may be
> easier to find for a hacker.  So, I have a few questions about
> security.  I think I am OK but want to make sure.
>
> 1:  I have a good root password.  It's not something someone would guess
> for sure.  Nothing related to my history, birthdays or anything.  It is
> still fairly easy for me to type tho.

That's always a good idea.  But if you have SSH disabled, then it 
doesn't really matter.  And with SSH enabled, root login is disabled by 
default, so...


> 2:  I went to this link:  https://www.grc.com/x/ne.dll?bh0bkyd2
> According to that site my ports are in "stealth" mode which is good from
> what I understand.

"Stealth" ports give problems with p2p and file transfers (MSN and the 
like).  A stealthed port means you can't be reached.  Even if you want 
to be reached.  If you encounter problems, for example no one can send 
you a file from IRC/MSN/etc you know what to blame.

Also, even with "stealthed" ports, it's still possible to find you. 
When someone pings your machine, and you never reply, and nothing else 
replies, it means you're there :)  That's because if you're really not 
there, your ISP will reply to the pinger with "that IP is not there." 
If that doesn't happen, the pinger knows you're there and hiding behind 
your finger :)

But some ISPs don't send that "not there" reply to the pinger, so in 
those cases, "stealth" ports might make sense.


> 3:  I have no servers running here.  No Apache, MySql, or any of that.
> I also have turned off/stopped ssh since I have only one box at the
> moment.

Then "stealth" ports are a bit useless since nothing is listening on 
those ports anyway.


> The DSL modem I am using is the Motorola 2210.  It seems to be a gateway
> thing.  I have no router at the moment but if I build a new rig I will
> be getting one then.  Most likely a Linksys or something.  I'll post
> here before getting one anyway.  ;-)

I think the Motorola *is* a router.  That means you can just buy a cheap 
ethernet switch, connect it to the 2210 and then connect the machines to 
the switch and the 2210 will route everything just fine.





* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 19:58           ` Dale
@ 2009-09-05 23:17             ` Mick
  2009-09-06  7:30               ` Alan McKinnon
  0 siblings, 1 reply; 36+ messages in thread
From: Mick @ 2009-09-05 23:17 UTC (permalink / raw
  To: gentoo-user


On Saturday 05 September 2009, Dale wrote:
> Mick wrote:

> > Have you tried pointing your browser to: http://192.168.1.254 ?
>
> Yep, did that and bookmarked it.  THAT was mistake #1.  It bookmarked a
> different part of the modem.  Therefore, it didn't give me the other
> pages you are referring too.  Going to he link you gave worked better,
> MUCH better!!  I see some stuff I can mess up now.

Careful what settings you de/select because you can lock yourself out.  Make 
sure that you disable remote admin access, unless you intend to access it 
locally and set a passwd anyway.  Also disable upnp.

> >>> Your netstat results show that you are running mdnsd and mDNSResponder.
> >>> Is this necessary?
> >>
> >> I vaguely remember something pulling that in a LONG time ago.  I have no
> >> clue what the heck that thing is, none whatsoever.  I remember checking
> >> the forums when it was installed and it being needed by something.  I
> >> don't think I have it set to start, I think it starts because something
> >> else needs it.  Should I kill that thing or what?
> >
> > I believe it is running because of zeroconf.  Unless you have use for
> > zeroconf on your LAN network I would remove them from rc-update.
>
> I don't have zeroconf in a runlevel.  Something is starting it but I
> don't know what it is.  This is a list of what I have set up to start.
>
> root@smoker / # rc-update show
>             bootmisc | boot
>              checkfs | boot
>            checkroot | boot
>                clock | boot
>          consolefont | boot
>                cupsd |      default
>                 hald |      default
>             hostname | boot
>                ivman |      default
>              keymaps | boot
>                local |      default nonetwork
>           localmount | boot
>              modules | boot
>             net.eth0 |      default
>               net.lo | boot
>             netmount |      default
>                 ntpd |      default
>              numlock |      default
>            rmnologin | boot
>               smartd |      default
>            syslog-ng |      default
>                 upsd |      default
>               upsdrv |      default
>               upsmon |      default
>              urandom | boot
>           vixie-cron |      default
>                  xdm |      default
> root@smoker / #

No I meant disable mDNSResponder and mdnsd, but you don't seem to have them 
there ... 

> I'd be glad to get rid of it but I don't know which one to stop and
> remove from the services to start.  Ideas?

Well, on my system it is kdelibs that pulls it in:

# emerge --depclean -pv net-misc/mDNSResponder

Calculating dependencies... done!
  net-misc/mDNSResponder-107.6-r5 pulled in by:
    kde-base/kdelibs-3.5.10-r6

despite the fact that I do not have avahi and zeroconf USE flags enabled 
either in kdelibs or cups:
=======================================
# emerge -pDv kde-base/kdelibs

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] kde-base/kdelibs-3.5.10-r6  USE="acl alsa branding cups fam 
spell 
tiff -arts -avahi -bindist -debug -doc -jpeg2k -kdehiddenvisibility -kerberos -legacyssl -lua -openexr -utempter" 
0 kB

# emerge -pDv net-print/cups  

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-print/cups-1.3.10-r2  USE="X acl dbus jpeg ldap pam perl 
png ppds python ssl 
tiff -avahi -gnutls -java -kerberos -php -samba -slp -static -xinetd -zeroconf" 
LINGUAS="en -de -es -et -fr -he -id -it -ja -pl -sv -zh_TW" 0 kB
=======================================

> Well, if they can't find me, how do they break in?  LOL  Just kidding
> but you know.  It's a start.

They can find you.  The probes show 'filtered' ports instead of 'closed'.
-- 
Regards,
Mick
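For Dale's question of what starts mDNSResponder when it is in no runlevel, and as a companion to the emerge --depclean -pv check above, here is an added example that is not the thread's own commands: a shell helper that greps OpenRC depend() blocks for a service name and walks a running process's parent chain through /proc. The /etc/init.d layout is assumed and the demo init scripts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: two checks for "something is
# starting mdnsd and it is not in any runlevel". Assumes an OpenRC-style
# /etc/init.d where each script declares dependencies in a depend() function.
#
# 1. Another init script can pull a service in: `need X` starts X even when X is
#    in no runlevel, while `use`/`after`/`before` only order against an X that is
#    already going to start. Grep the depend() bodies for the service name.
# 2. If the daemon is already running, walk its parent chain in /proc. A daemon
#    that double-forked is reparented to PID 1 and the chain tells you nothing;
#    then fall back to the package view (emerge --depclean -pv, as above).

# scripts_depending_on SERVICE [INITDIR] -> "SCRIPT KEYWORD" for every init
# script whose depend() names SERVICE after need/use/after/before
scripts_depending_on() {
    svc="$1"; dir="${2:-/etc/init.d}"
    for s in "$dir"/*; do
        [ -f "$s" ] || continue
        awk -v svc="$svc" -v name="${s##*/}" '
            /^depend\(\)/        { inside = 1; next }
            inside && /^}/       { exit }
            inside && $1 ~ /^(need|use|after|before)$/ {
                for (i = 2; i <= NF; i++)
                    if ($i == svc) print name, $1
            }' "$s"
    done
}

# ancestry PID -> one "PID COMM" line per process from PID up to the top of the
# PID namespace (whose parent is PID 0), read from /proc/PID/stat, where the
# command name is parenthesised and the ppid is the second field after it
ancestry() {
    p="$1"
    while [ "$p" -gt 0 ] && [ -r "/proc/$p/stat" ]; do
        stat=$(cat "/proc/$p/stat")
        comm=${stat#*(}; comm=${comm%)*}       # between the first ( and last )
        set -- ${stat##*)}                     # $1 = state, $2 = ppid
        printf '%s %s\n' "$p" "$comm"
        p=$2
    done
}

# Constructed demo directory standing in for /etc/init.d (these are not the
# real Gentoo init scripts, only the depend() shape they use)
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/printer" <<'EOF'
#!/sbin/runscript
depend() {
    need net mDNSResponder
    use dbus
}
EOF
cat > "$DEMO_DIR/timesync" <<'EOF'
#!/sbin/runscript
depend() {
    need net
    after mDNSResponder
}
EOF

echo "== init scripts referring to mDNSResponder =="
scripts_depending_on mDNSResponder "$DEMO_DIR"   # printer need, timesync after
echo "== parent chain of this shell =="
ancestry $$
```

Only a `need` line actually pulls the service in; an `after` hit, like the constructed timesync script, just orders against it.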



* [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 15:10   ` Dale
  2009-09-05 17:03     ` Mick
@ 2009-09-06  3:01     ` Grant Edwards
  1 sibling, 0 replies; 36+ messages in thread
From: Grant Edwards @ 2009-09-06  3:01 UTC (permalink / raw
  To: gentoo-user

On 2009-09-05, Dale <rdalek1967@gmail.com> wrote:
> Grant Edwards wrote:
>> On 2009-09-05, Dale <rdalek1967@gmail.com> wrote:
>>
>>   
>>> As some may know already, I recently got DSL.
>>>     
>> [...]
>>   
>>> The DSL modem I am using is the Motorola 2210.  It seems to be
>>> a gateway thing.  I have no router at the moment
>>>     
>>
>> The 2210 is a router that is doing NAT with a stateful
>> firewall.  It will (assuming it's not too buggy) prevent
>> outside access to your network.
>>
>> If you buy a second router (e.g. a Linksys or DLink), you'll
>> just be duplicating the NAT/firewall/routing functions in the
>> 2210. You can do that if you want.  I used to run a two layer
>> NAT setup with a Cisco 678 DSL modem (configured to forward all
>> TCP/UDP ports) and an OpenWRT gateway.  There were features I
>> needed that OpenWRT had that the Cisco didn't.
>>
>> Unless there's something specific that you want to do that
>> isn't supported by the 2210 (or you're aware of deficiencies in
>> the 2210), I probably wouldn't bother adding a second firewall
>> box.
>
> I was thinking about buying a router IF I build a second box and need to
> share the internet with it.  The modem only has one port

Probably all you need is an Ethernet switch, though there are
some DSL modems that have been intentionally crippled in an
attempt to make them work with only a single client.

My sister has one.  It will support a /16 internal network just
fine except that the DSL modem's DHCP server will only hand out
a single address (and there's no way to shut off the DHCP
server so you can let something else take over).  You could
fill the house with machines as long as they all have
statically assigned addresses.

> and apparently zero reconfigurability because when I log in,
> there are no options to change anything except what time it
> updates the modem software.  So, I hope it works well.  o_O

If you do want something else, you can add a second
firewall/router, or you can probably replace the 2210 with
something a bit more configurable.  I've installed a couple
Zoom DSL modems. They work fine, and were fairly configurable.

What would be coolest would be something supported by OpenWRT,
but I was never able to find such a thing.

-- 
Grant






* [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 17:03     ` Mick
  2009-09-05 17:28       ` Dale
@ 2009-09-06  3:03       ` Grant Edwards
  2009-09-06 11:23         ` Mick
  1 sibling, 1 reply; 36+ messages in thread
From: Grant Edwards @ 2009-09-06  3:03 UTC (permalink / raw
  To: gentoo-user

On 2009-09-05, Mick <michaelkintzios@gmail.com> wrote:

> The cheapest solution by far to networking a second PC in the
> LAN is to use your first PC as a router and forward packets
> through it.

Buying an Ethernet switch is probably a lot easier.

> The second option is to buy another router.  In this case I
> recommend that you use your Motorola in fully bridged mode
> where it acts as a transparent ADSL modem (look through its
> GUI and read the manual as to how to achieve this) and use 
> your new router to achieve PPPoE authentication with your
> ISP's network.

The ISP and the 2210 may or may not allow that.

-- 
Grant






* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 23:17             ` Mick
@ 2009-09-06  7:30               ` Alan McKinnon
  2009-09-06  8:40                 ` Dale
  0 siblings, 1 reply; 36+ messages in thread
From: Alan McKinnon @ 2009-09-06  7:30 UTC (permalink / raw
  To: gentoo-user

On Sunday 06 September 2009 01:17:21 Mick wrote:
> Well, on my system it is kdelibs that pulls it in:
> 
> # emerge --depclean -pv net-misc/mDNSResponder
> 
> Calculating dependencies... done!
>   net-misc/mDNSResponder-107.6-r5 pulled in by:
>     kde-base/kdelibs-3.5.10-r6
> 
> despite the fact that I do not have avahi and zeroconf USE flags enabled 
> either in kdelibs or cups:
> =======================================
> # emerge -pDv kde-base/kdelibs
> 
> These are the packages that would be merged, in order:
> 
> Calculating dependencies... done!
> [ebuild   R   ] kde-base/kdelibs-3.5.10-r6  USE="acl alsa branding cups
>  fam  spell
> tiff -arts -avahi -bindist -debug -doc -jpeg2k -kdehiddenvisibility
>  -kerberos -legacyssl -lua -openexr -utempter"  0 kB
> 

Recent kde-libs-3.5 have a hard dependency on zeroconf/mDNSResponder. A 
contentious decision at the time.

KDE-4 uses avahi

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06  7:30               ` Alan McKinnon
@ 2009-09-06  8:40                 ` Dale
  2009-09-06  9:49                   ` Alan McKinnon
  0 siblings, 1 reply; 36+ messages in thread
From: Dale @ 2009-09-06  8:40 UTC (permalink / raw
  To: gentoo-user

Alan McKinnon wrote:
> On Sunday 06 September 2009 01:17:21 Mick wrote:
>   
>> Well, on my system it is kdelibs that pulls it in:
>>
>> # emerge --depclean -pv net-misc/mDNSResponder
>>
>> Calculating dependencies... done!
>>   net-misc/mDNSResponder-107.6-r5 pulled in by:
>>     kde-base/kdelibs-3.5.10-r6
>>
>> despite the fact that I do not have avahi and zeroconf USE flags enabled 
>> either in kdelibs or cups:
>> =======================================
>> # emerge -pDv kde-base/kdelibs
>>
>> These are the packages that would be merged, in order:
>>
>> Calculating dependencies... done!
>> [ebuild   R   ] kde-base/kdelibs-3.5.10-r6  USE="acl alsa branding cups
>>  fam  spell
>> tiff -arts -avahi -bindist -debug -doc -jpeg2k -kdehiddenvisibility
>>  -kerberos -legacyssl -lua -openexr -utempter"  0 kB
>>
>>     
>
> Recent kde-libs-3.5 have a hard dependency on zeroconf/mDNSResponder. A 
> contentious decision at the time
>
> KDE-4 uses avahi
>
>   

There is hope for the future, if I ever get to liking KDE 4.  I got KDE
4.3 installed but just ain't warmed up to it yet.  :\

Dale

:-)  :-) 




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06  8:40                 ` Dale
@ 2009-09-06  9:49                   ` Alan McKinnon
  2009-09-06 13:20                     ` Dale
  2009-09-06 17:31                     ` Peter Humphrey
  0 siblings, 2 replies; 36+ messages in thread
From: Alan McKinnon @ 2009-09-06  9:49 UTC (permalink / raw
  To: gentoo-user

On Sunday 06 September 2009 10:40:53 Dale wrote:
> > Recent kde-libs-3.5 have a hard dependency on zeroconf/mDNSResponder. A 
> > contentious decision at the time
> >
> > KDE-4 uses avahi
> >
> >   
> 
> There is hope for the future, if I ever get to liking KDE 4.  I got KDE
> 4.3 installed but just ain't warmed up to it yet.  :\

KDE-4 takes some getting used to, but it's worth the effort if you like a rich 
interactive desktop.

One thing it definitely is not, is the next evolution of KDE-3. Comparisons 
with KDE-3 are going to result in disappointment :-) Better to consider it for 
what it is - a project that stands alone and should be judged on its own 
merits.

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06  3:03       ` Grant Edwards
@ 2009-09-06 11:23         ` Mick
  0 siblings, 0 replies; 36+ messages in thread
From: Mick @ 2009-09-06 11:23 UTC (permalink / raw
  To: gentoo-user


On Sunday 06 September 2009, Grant Edwards wrote:
> On 2009-09-05, Mick <michaelkintzios@gmail.com> wrote:
> > The cheapest solution by far to networking a second PC in the
> > LAN is to use your first PC as a router and forward packets
> > through it.
>
> Buying an Ethernet switch is probably a lot easier.

Well I'm not sure about the 'easier' part.  I would have thought that it is 
easier to run something like:

echo "1" > /proc/sys/net/ipv4/ip_forward
# eth0 faces the modem, eth1 the LAN: NAT everything leaving via eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
# needed when the FORWARD policy is DROP: let the replies back in to the LAN
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

(This needs checking because it's just off the top of my head.)

You'll need two NICs, or one NIC and a wireless adaptor on your 'router PC'.

However, it is not convenient to always have to boot your first PC up, before 
any other machines in the house can connect to the Internet.  So an external 
switch/router is probably the most convenient solution.

> > The second option is to buy another router.  In this case I
> > recommend that you use your Motorola in fully bridged mode
> > where it acts as a transparent ADSL modem (look through its
> > GUI and read the manual as to how to achieve this) and use
> > your new router to achieve PPPoE authentication with your
> > ISP's network.
>
> The ISP and the 2210 may or may not allow that.

Unless the 2210 has crippled firmware by the ISP, it should be able to act as 
a transparent (fully bridged) modem.  All NAT-ing, DHCP, DNS repeating, etc 
will then happen at the router behind it.

I doubt that the ISP will not allow it; however, their support staff will 
undoubtedly go through their MSWindows specific troubleshooting scripts first 
and after they ask you to reboot your (MSWindows) PC they will probably tell 
you that they do not support the 2210 in bridged mode and ask you to switch 
it to router mode so that they can access it remotely.
-- 
Regards,
Mick



* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06  9:49                   ` Alan McKinnon
@ 2009-09-06 13:20                     ` Dale
  2009-09-06 17:31                     ` Peter Humphrey
  1 sibling, 0 replies; 36+ messages in thread
From: Dale @ 2009-09-06 13:20 UTC (permalink / raw
  To: gentoo-user

Alan McKinnon wrote:
> On Sunday 06 September 2009 10:40:53 Dale wrote:
>   
>>> Recent kde-libs-3.5 have a hard dependency on zeroconf/mDNSResponder. A 
>>> contentious decision at the time
>>>
>>> KDE-4 uses avahi
>>>
>>>   
>>>       
>> There is hope for the future, if I ever get to liking KDE 4.  I got KDE
>> 4.3 installed but just ain't warmed up to it yet.  :\
>>     
>
> KDE-4 takes some getting used to, but it's worth the effort if you like a rich 
> interactive desktop.
>
> One thing it definitely is not, is the next evolution of KDE-3. Comparisons 
> with KDE-3 are going to result in disappointment :-) Better to consider it for 
> what it is - a project that stands alone and should be judged on its own 
> merits.
>
>   

I was thinking it would have to grow on me a little.  One thing I don't
like is how it does the background.  I have a directory that has
thousands of pictures, I'm a little camera hungry at times, but each
time I login it rebuilds the index which takes a long time.  I just hope
that that will improve later on and a few other things will get better
as well.  It's OK but just not there for me yet.

Maybe 4.4 will be better.

Dale

:-)  :-)




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06  9:49                   ` Alan McKinnon
  2009-09-06 13:20                     ` Dale
@ 2009-09-06 17:31                     ` Peter Humphrey
  2009-09-06 19:46                       ` Mick
  2009-09-06 20:12                       ` Alan McKinnon
  1 sibling, 2 replies; 36+ messages in thread
From: Peter Humphrey @ 2009-09-06 17:31 UTC (permalink / raw
  To: gentoo-user

On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:

> One thing [kde:4] definitely is not, is the next evolution of KDE-3.
> Comparisons with KDE-3 are going to result in disappointment

Well, that seems to condemn v4 out of hand :-) . If it can't compare 
favourably with its predecessor, what's it doing there at all?

I'm working quite hard at getting used to it (it's even the default grub 
choice), but it's uphill all the way.

-- 
Rgds
Peter




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06 17:31                     ` Peter Humphrey
@ 2009-09-06 19:46                       ` Mick
  2009-09-06 20:12                       ` Alan McKinnon
  1 sibling, 0 replies; 36+ messages in thread
From: Mick @ 2009-09-06 19:46 UTC (permalink / raw
  To: gentoo-user


On Sunday 06 September 2009, Peter Humphrey wrote:
> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
> > One thing [kde:4] definitely is not, is the next evolution of KDE-3.
> > Comparisons with KDE-3 are going to result in disappointment
>
> Well, that seems to condemn v4 out of hand :-) . If it can't compare
> favourably with its predecessor, what's it doing there at all?
>
> I'm working quite hard at getting used to it (it's even the default grub
> choice), but it's uphill all the way.

He, he, I think I will wait until it's on the stable tree.  ;-)

-- 
Regards,
Mick



* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06 17:31                     ` Peter Humphrey
  2009-09-06 19:46                       ` Mick
@ 2009-09-06 20:12                       ` Alan McKinnon
  2009-09-07  9:07                         ` Peter Humphrey
  1 sibling, 1 reply; 36+ messages in thread
From: Alan McKinnon @ 2009-09-06 20:12 UTC (permalink / raw
  To: gentoo-user

On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
> > One thing [kde:4] definitely is not, is the next evolution of KDE-3.
> > Comparisons with KDE-3 are going to result in disappointment
> 
> Well, that seems to condemn v4 out of hand :-) . If it can't compare
> favourably with its predecessor, what's it doing there at all?

Read the post again. I said nothing about favourable, unfavourable or anything 
else like that.

I only said that KDE4 is not KDE3 (doh...) so if you run KDE4 thinking you are 
going to get something like KDE3 you are going to be disappointed. It is not 
like KDE3, it is not built on KDE3, it is not an evolution of KDE3. It is 
different, and stands on its own. Comparisons with KDE3 are unfair, sort of 
like comparing you with your father is unfair.

> I'm working quite hard at getting used to it (it's even the default grub
> choice), but it's uphill all the way.
 
Um, dude.... grub selects a kernel. Or an OS. But never a DE.
The dm does that.

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-06 20:12                       ` Alan McKinnon
@ 2009-09-07  9:07                         ` Peter Humphrey
  2009-09-07 15:39                           ` Dale
  0 siblings, 1 reply; 36+ messages in thread
From: Peter Humphrey @ 2009-09-07  9:07 UTC (permalink / raw
  To: gentoo-user

On Sunday 06 September 2009 21:12:37 Alan McKinnon wrote:
> On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
> > On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
> > > One thing [kde:4] definitely is not, is the next evolution of KDE-3.
> > > Comparisons with KDE-3 are going to result in disappointment
> >
> > Well, that seems to condemn v4 out of hand :-) . If it can't compare
> > favourably with its predecessor, what's it doing there at all?
>
> Read the post again. I said nothing about favourable, unfavourable or
> anything else like that.
>
> I only said that KDE4 is not KDE3 (doh...) so if you run KDE4 thinking
> you are going to get something like KDE3 you are going to be
> disappointed. It is not like KDE3, it is not built on KDE3, it is not an
> evolution of KDE3. It is different, and stands on its own. Comparisons
> with KDE3 are unfair, sort of like comparing you with your father is
> unfair.

The way I read your words is equally valid. If I compare a later version 
with its predecessor I don't expect to be disappointed.

> > I'm working quite hard at getting used to it (it's even the default
> > grub choice), but it's uphill all the way.
>
> Um, dude.... grub selects a kernel. Or an OS. But never a DE.
> The dm does that.

Depends how you have it set up. On this box I have two separate 
installations: one with kde:3 and one with kde:4. I select the one I want 
with grub entries.

-- 
Rgds
Peter




* [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-05 13:53     ` Willie Wong
  2009-09-05 14:11       ` John J. Foster
@ 2009-09-07 15:27       ` James
  2009-09-08 11:00         ` Willie Wong
  1 sibling, 1 reply; 36+ messages in thread
From: James @ 2009-09-07 15:27 UTC (permalink / raw
  To: gentoo-user

Willie Wong <wwong <at> math.princeton.edu> writes:


> On my setup, I just block almost everything (except ssh) by default
> and maintain a white-list of IPs. 


Hello Willie,


Can you share with us how you "white-list" IPs via your
iptables setup? That is your code you add to your startup
script and your iptables syntax on those white/black listed
IPs?

What do you use to maintain these white/black lists of IPs,
tools and philosophy.....?



tia,
James






* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-07  9:07                         ` Peter Humphrey
@ 2009-09-07 15:39                           ` Dale
  2009-09-07 18:09                             ` Alan McKinnon
  0 siblings, 1 reply; 36+ messages in thread
From: Dale @ 2009-09-07 15:39 UTC (permalink / raw
  To: gentoo-user

Peter Humphrey wrote:
> On Sunday 06 September 2009 21:12:37 Alan McKinnon wrote:
>   
>> On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
>>     
>>> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
>>>       
>>>> One thing [kde:4] definitely is not, is the next evolution of KDE-3.
>>>> Comparisons with KDE-3 are going to result in disappointment
>>>>         
>>> Well, that seems to condemn v4 out of hand :-) . If it can't compare
>>> favourably with its predecessor, what's it doing there at all?
>>>       
>> Read the post again. I said nothing about favourable, unfavourable or
>> anything else like that.
>>
>> I only said that KDE4 is not KDE3 (doh...) so if you run KDE4 thinking
>> you are going to get something like KDE3 you are going to be
>> disappointed. It is not like KDE3, it is not built on KDE3, it is not an
>> evolution of KDE3. It is different, and stands on its own. Comparisons
>> with KDE3 are unfair, sort of like comparing you with your father is
>> unfair.
>>     
>
> The way I read your words is equally valid. If I compare a later version 
> with its predecessor I don't expect to be disappointed.
>
>   
>>> I'm working quite hard at getting used to it (it's even the default
>>> grub choice), but it's uphill all the way.
>>>       
>> Um, dude.... grub selects a kernel. Or an OS. But never a DE.
>> The dm does that.
>>     
>
> Depends how you have it set up. On this box I have two separate 
> installations: one with kde:3 and one with kde:4. I select the one I want 
> with grub entries.
>
>   

Could you post your grub.conf?  I'd like to see how you do that. 

Dale

:-)  :-) 




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-07 15:39                           ` Dale
@ 2009-09-07 18:09                             ` Alan McKinnon
  2009-09-07 18:43                               ` Dale
  2009-09-08 15:23                               ` Peter Humphrey
  0 siblings, 2 replies; 36+ messages in thread
From: Alan McKinnon @ 2009-09-07 18:09 UTC (permalink / raw
  To: gentoo-user

On Monday 07 September 2009 17:39:06 Dale wrote:
> Peter Humphrey wrote:
> > On Sunday 06 September 2009 21:12:37 Alan McKinnon wrote:
> >> On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
> >>> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:

> >> Um, dude.... grub selects a kernel. Or an OS. But never a DE.
> >> The dm does that.
> >
> > Depends how you have it set up. On this box I have two separate
> > installations: one with kde:3 and one with kde:4. I select the one I want
> > with grub entries.
> 
> Could you post your grub.conf?  I'd like to see how you do that.

Well, I'd do it with a customized init that launches a dm preset to a specific 
xsession. Or selects a specific .xinitrc.

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-07 18:09                             ` Alan McKinnon
@ 2009-09-07 18:43                               ` Dale
  2009-09-08 15:23                               ` Peter Humphrey
  1 sibling, 0 replies; 36+ messages in thread
From: Dale @ 2009-09-07 18:43 UTC (permalink / raw
  To: gentoo-user

Alan McKinnon wrote:
> On Monday 07 September 2009 17:39:06 Dale wrote:
>   
>> Peter Humphrey wrote:
>>     
>>> On Sunday 06 September 2009 21:12:37 Alan McKinnon wrote:
>>>       
>>>> On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
>>>>         
>>>>> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
>>>>>           
>
>   
>>>> Um, dude.... grub selects a kernel. Or an OS. But never a DE.
>>>> The dm does that.
>>>>         
>>> Depends how you have it set up. On this box I have two separate
>>> installations: one with kde:3 and one with kde:4. I select the one I want
>>> with grub entries.
>>>       
>> Could you post your grub.conf?  I'd like to see how you do that.
>>     
>
> Well, I'd do it with a customized init that launches a dm preset to a specific 
> xsession. Or selects a specific .xinitrc.
>
>   

It just seems like a hard way to do it is all.  The login screens that I
have seen allow you to just select which dm you want without even having
to worry about it when you boot up.  I would hate to know that he
reboots to change dm's.  That would be overkill.

First time for everything I guess.

Dale

:-)  :-) 




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-07 15:27       ` [gentoo-user] " James
@ 2009-09-08 11:00         ` Willie Wong
  2009-09-09 19:04           ` James
  0 siblings, 1 reply; 36+ messages in thread
From: Willie Wong @ 2009-09-08 11:00 UTC (permalink / raw
  To: gentoo-user

On Mon, Sep 07, 2009 at 03:27:56PM +0000, Penguin Lover James squawked:
> Willie Wong <wwong <at> math.princeton.edu> writes:
> 
> 
> > On my setup, I just block almost everything (except ssh) by default
> > and maintain a white-list of IPs. 
> 
> 
> Can you share with us how you "white-list" IPs via your
> iptables setup? That is your code you add to your startup
> script and your iptables syntax on those white/black listed
> IPs?

Hum? the init script for iptables automatically saves and loads the
policy, at least with SAVE_ON_STOP="yes" in /etc/conf.d/iptables, so I
don't have any special configs in any start-up scripts. 

I built my tables using the commandline. A good quick intro guide is
at http://www.gentoo.org/doc/en/home-router-howto.xml , section 5. 

The static part of the table looks something like this

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.0.0/16       anywhere            
ACCEPT     all  --  localhost            anywhere            
general_port_block  all  --  anywhere             anywhere            
ssh_blacklist  all  --  anywhere             anywhere            

Chain general_port_block (1 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp 
DROP       tcp  --  anywhere             anywhere            tcp dpt:urd 
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp 
DROP       tcp  --  anywhere             anywhere            tcp dpt:http 
DROP       tcp  --  anywhere             anywhere            tcp dpt:http-alt 
DROP       tcp  --  anywhere             anywhere            tcp dpt:https 
DROP       tcp  --  anywhere             anywhere            tcp dpt:783 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ipp 

If you know iptables at all, you can probably figure out what I did to
set it up (*). The 'general_port_block' chain is to just make things
tidier. So you see, I set the default policy to allow connections. I
whitelist first the LAN and localhost. Then I filter everything
through the two chains. The general_port_block chain is static, and
it blocks a bunch of services, some of which I run (but which I only
want my family to access from the LAN), some I don't. 

As you can see, I don't block ssh, because I sometimes travel a bit.
So instead, I have a separate chain that helps a bit in slowing down
brute force attacks. 

The ssh_blacklist chain is dynamically generated via a perl script.
The script monitors the ssh logs and blocks IPs for a certain period
of time after either an attempt to log-in as root, or five failed
log-in attempts. (I have locked myself out once or twice from a hotel
when I accidentally hit the capslock...) Basically you just add a
target to be blocked to the iptables and use atd to remove it some
time later. 

(*)If you don't know iptables, man iptables. 

> What do you use to maintain these white/black lists of IPs,
> tools and philosophy.....?

My philosophy is common sense. I white list those ips that I want to
be able to access the services. I black list those I don't. For
services like ssh, I pray that my efforts are secure enough. 

HTH, 

W
-- 
I am so happy that Willetta is in my life. What would I do without her? 
Probably go insane. In fact, I am insanely in love with Willetta, so I am 
insane right now... but...
Sortir en Pantoufles: up 1005 days,  9:25
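The static chains and the ssh_blacklist behaviour Willie describes above, as an added example that is not his script (his dynamic chain is a perl script; this is POSIX sh plus awk). The port numbers behind the service names in the listing, the 60-minute block duration, the sshd log lines and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not Willie's own script: rebuilds the static INPUT layout
# from the listing above and applies the ssh_blacklist rule he describes
# (block on a root attempt or on the fifth failure) to constructed sshd lines.
# IPT defaults to "echo iptables", so nothing is applied unless IPT=iptables.
IPT="${IPT:-echo iptables}"
AT="${AT:-echo at}"        # same dry-run switch for the atd removal job
LAN="192.168.0.0/16"       # whitelisted LAN, as in the listing
# ftp urd smtp http http-alt https 783 ipp, in the listing's order
BLOCK_PORTS="21 465 25 80 8080 443 783 631"
FAIL_LIMIT=5               # failed log-ins before an IP is blacklisted
BLOCK_MINS=60              # assumption: how long the block lasts

static_rules() {
    $IPT -P INPUT ACCEPT                 # default policy stays ACCEPT
    $IPT -N general_port_block
    $IPT -N ssh_blacklist
    $IPT -A INPUT -s "$LAN" -j ACCEPT    # LAN and localhost first
    $IPT -A INPUT -s 127.0.0.1 -j ACCEPT
    $IPT -A INPUT -j general_port_block
    $IPT -A INPUT -j ssh_blacklist
    for p in $BLOCK_PORTS; do
        $IPT -A general_port_block -p tcp --dport "$p" -j DROP
    done
}

# offending_ips: read sshd log lines on stdin; print each source IP once,
# on its first root log-in attempt or on its FAIL_LIMIT-th failed log-in.
offending_ips() {
    awk -v limit="$FAIL_LIMIT" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || ip in seen) next
            if ($0 ~ / for (invalid user )?root from /) { seen[ip] = 1; print ip; next }
            if (++fails[ip] >= limit) { seen[ip] = 1; print ip }
        }'
}

# blacklist_ip: insert the DROP rule, then queue its removal through atd.
blacklist_ip() {
    $IPT -I ssh_blacklist -s "$1" -p tcp --dport 22 -j DROP
    printf 'iptables -D ssh_blacklist -s %s -p tcp --dport 22 -j DROP\n' "$1" \
        | $AT now + "$BLOCK_MINS" minutes
}

# Constructed sample log (RFC 5737 documentation addresses, made-up users).
SAMPLE_LOG='Sep  8 10:00:01 box sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Sep  8 10:00:02 box sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Sep  8 10:00:03 box sshd[2003]: Failed password for alice from 203.0.113.5 port 40003 ssh2
Sep  8 10:00:04 box sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Sep  8 10:00:05 box sshd[2005]: Accepted publickey for alice from 203.0.113.5 port 40005 ssh2
Sep  8 10:00:06 box sshd[2006]: Failed password for invalid user test from 203.0.113.9 port 40006 ssh2
Sep  8 10:00:07 box sshd[2007]: Failed password for invalid user test from 203.0.113.9 port 40007 ssh2
Sep  8 10:00:08 box sshd[2008]: Failed password for invalid user test from 203.0.113.9 port 40008 ssh2'

sample_offenders() { printf '%s\n' "$SAMPLE_LOG" | offending_ips; }

if [ "${1:-}" = demo ]; then        # sh script.sh demo
    static_rules
    for ip in $(sample_offenders); do blacklist_ip "$ip"; done
fi
```

Run with `demo` to print the rules it would add; 203.0.113.7 is blocked on its single root attempt, 203.0.113.9 on its fifth failure, and 203.0.113.5 (one failure, then a successful key log-in) is left alone.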




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-07 18:09                             ` Alan McKinnon
  2009-09-07 18:43                               ` Dale
@ 2009-09-08 15:23                               ` Peter Humphrey
  2009-09-08 15:42                                 ` Alan McKinnon
  1 sibling, 1 reply; 36+ messages in thread
From: Peter Humphrey @ 2009-09-08 15:23 UTC (permalink / raw
  To: gentoo-user

On Monday 07 September 2009 19:09:25 Alan McKinnon wrote:
> On Monday 07 September 2009 17:39:06 Dale wrote:
> > Peter Humphrey wrote:
> > > On Sunday 06 September 2009 21:12:37 Alan McKinnon wrote:
> > >> On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
> > >>> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
> > >>
> > >> Um, dude.... grub selects a kernel. Or an OS. But never a DE.
> > >> The dm does that.
> > >
> > > Depends how you have it set up. On this box I have two separate
> > > installations: one with kde:3 and one with kde:4. I select the one I
> > > want with grub entries.
> >
> > Could you post your grub.conf?  I'd like to see how you do that.
>
> Well, I'd do it with a customized init that launches a dm preset to a
> specific xsession. Or selects a specific .xinitrc.

In answer to Dale, here's my grub.conf. Do you (Alan) think your way is 
better, or simpler? (Hope you can sort the wrapping out.)

[...]
title=Gentoo Linux 2.6.30-r6
        root (hd0,0)
        kernel /boot/kernel-x86_64-2.6.30-gentoo-r6 root=/dev/md0 vga=0x31A video=vesafb:mtrr:3,ywrap fbcon=scrollback:128k splash=silent memory_corruption_check=1

title=Gentoo Linux 2.6.30-r6, no X
        root (hd0,0)
        kernel /boot/kernel-x86_64-2.6.30-gentoo-r6 root=/dev/md0 vga=0x317 video=vesafb:mtrr:3,ywrap splash=silent softlevel=no-x memory_corruption_check=1

title=Gentoo Linux 2.6.30-r6, no network
        root (hd0,0)
        kernel /boot/kernel-x86_64-2.6.30-gentoo-r6 root=/dev/md0 vga=0x317 video=vesafb:mtrr:3,ywrap splash=silent softlevel=nonetwork memory_corruption_check=1

[...]

title=Gentoo Test System 2.6.30-r6
        root (hd0,0)
        kernel /boot/kernel-x86_64-2.6.30-gentoo-r6-testsys root=/dev/sdc3 vga=0x31A video=vesafb:mtrr:3,ywrap splash=silent

title=Gentoo Test System 2.6.30-r6, no X
        root (hd0,0)
        kernel /boot/kernel-x86_64-2.6.30-gentoo-r6-testsys root=/dev/sdc3 vga=0x317 video=vesafb:mtrr:3,ywrap splash=silent softlevel=no-x

title=Gentoo Test System 2.6.30-r6, no network
        root (hd0,0)
        kernel /boot/kernel-x86_64-2.6.30-gentoo-r6-testsys root=/dev/sdc3 vga=0x317 video=vesafb:mtrr:3,ywrap splash=silent softlevel=nonetwork

[...]

-- 
Rgds
Peter




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-08 15:23                               ` Peter Humphrey
@ 2009-09-08 15:42                                 ` Alan McKinnon
  2009-09-09 12:37                                   ` Peter Humphrey
  0 siblings, 1 reply; 36+ messages in thread
From: Alan McKinnon @ 2009-09-08 15:42 UTC (permalink / raw
  To: gentoo-user

On Tuesday 08 September 2009 17:23:37 Peter Humphrey wrote:
> On Monday 07 September 2009 19:09:25 Alan McKinnon wrote:
> > On Monday 07 September 2009 17:39:06 Dale wrote:
> > > Peter Humphrey wrote:
> > > > On Sunday 06 September 2009 21:12:37 Alan McKinnon wrote:
> > > >> On Sunday 06 September 2009 19:31:27 Peter Humphrey wrote:
> > > >>> On Sunday 06 September 2009 10:49:13 Alan McKinnon wrote:
> > > >>
> > > >> Um, dude.... grub selects a kernel. Or an OS. But never a DE.
> > > >> The dm does that.
> > > >
> > > > Depends how you have it set up. On this box I have two separate
> > > > installations: one with kde:3 and one with kde:4. I select the one I
> > > > want with grub entries.
> > >
> > > Could you post your grub.conf?  I'd like to see how you do that.
> >
> > Well, I'd do it with a customized init that launches a dm preset to a
> > specific xsession. Or selects a specific .xinitrc.
> 
> In answer to Dale, here's my grub.conf. Do you (Alan) think your way is
> better, or simpler? (Hope you can sort the wrapping out.)

I don't see anything there that selects KDE-3 versus KDE-4

Apparently, you have two gentoo installs on the same machine:

a regular one with / on /dev/md0
a test system with / on /dev/sdc3 

I presume you have KDE-3 on one and KDE-4 on the other. This is purely and 
only a happy circumstance and has nothing to do with selecting a DE from grub. 
The entry you select at boot-time runs whatever system you configured, which 
in turn runs whatever it has on it. You could remove KDE-3 and install OpenBox 
instead, you are still not selecting OpenBox from the grub screen.

> 
> [...]
> title=Gentoo Linux 2.6.30-r6
>         root (hd0,0)
>         kernel /boot/kernel-x86_64-2.6.30-gentoo-r6 root=/dev/md0 vga=0x31A
> video=vesafb:mtrr:3,ywrap fbcon=scrollback:128k splash=silent
> memory_corruption_check=1
> 
> title=Gentoo Linux 2.6.30-r6, no X
>         root (hd0,0)
>         kernel /boot/kernel-x86_64-2.6.30-gentoo-r6 root=/dev/md0 vga=0x317
> video=vesafb:mtrr:3,ywrap splash=silent softlevel=no-x
> memory_corruption_check=1
> 
> title=Gentoo Linux 2.6.30-r6, no network
>         root (hd0,0)
>         kernel /boot/kernel-x86_64-2.6.30-gentoo-r6 root=/dev/md0 vga=0x317
> video=vesafb:mtrr:3,ywrap splash=silent softlevel=nonetwork
> memory_corruption_check=1
> 
> [...]
> 
> title=Gentoo Test System 2.6.30-r6
>         root (hd0,0)
>         kernel /boot/kernel-x86_64-2.6.30-gentoo-r6-testsys root=/dev/sdc3
> vga=0x31A video=vesafb:mtrr:3,ywrap splash=silent
> 
> title=Gentoo Test System 2.6.30-r6, no X
>         root (hd0,0)
>         kernel /boot/kernel-x86_64-2.6.30-gentoo-r6-testsys root=/dev/sdc3
> vga=0x317 video=vesafb:mtrr:3,ywrap splash=silent softlevel=no-x
> 
> title=Gentoo Test System 2.6.30-r6, no network
>         root (hd0,0)
>         kernel /boot/kernel-x86_64-2.6.30-gentoo-r6-testsys root=/dev/sdc3
> vga=0x317 video=vesafb:mtrr:3,ywrap splash=silent softlevel=nonetwork
> 
> [...]
> 

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-08 15:42                                 ` Alan McKinnon
@ 2009-09-09 12:37                                   ` Peter Humphrey
  0 siblings, 0 replies; 36+ messages in thread
From: Peter Humphrey @ 2009-09-09 12:37 UTC (permalink / raw
  To: gentoo-user

On Tuesday 08 September 2009 16:42:42 Alan McKinnon wrote:

> Apparently, you have two gentoo installs on the same machine:
>
> a regular one with / on /dev/md0
> a test system with / on /dev/sdc3
>
> I presume you have KDE-3 on one and KDE-4 on the other.

Yes. As far as I'm concerned KDE-4 is still in testing. No amount of 
protestation of its readiness for the real world will persuade me to adopt 
it wholeheartedly until I'm happy with it. So far, I'm not, and I don't 
want to pollute my working KDE-3 system with loads of stuff I'll have 
difficulty removing.

> This is purely and only a happy circumstance

It's nothing of the sort. It's a conscious, deliberate decision.

> The entry you select at boot-time runs whatever system you 
> configured, which in turn runs whatever it has on it. You could remove
> KDE-3 and install OpenBox instead, you are still not selecting OpenBox
> from the grub screen.

This is just pointless semantics. I select the OS I want to run at grub 
time, the same as anyone else. Nothing I've said in this thread is 
inconsistent with what you're saying, so let's just leave it at that, shall 
we?

-- 
Rgds
Peter




* [gentoo-user]  Re: Making sure I am a good netizen and secure.
  2009-09-08 11:00         ` Willie Wong
@ 2009-09-09 19:04           ` James
  0 siblings, 0 replies; 36+ messages in thread
From: James @ 2009-09-09 19:04 UTC (permalink / raw
  To: gentoo-user

Willie Wong <wwong <at> math.princeton.edu> writes:




> I built my tables using the commandline. A good quick intro guide is
> at http://www.gentoo.org/doc/en/home-router-howto.xml , section 5. 

Nice ref.


> My philosophy is common sense. I white list those ips that I want to
> be able to access the services. I black list those I don't. For
> services like ssh, I pray that my efforts are secure enough. 

I'm re-visiting much of what I do with iptables and using a whitelist seems
like a very keen idea, particularly on firewalls with limited resources compared
to the network bandwidth they are attached to.


thanks for sharing your approach,


James






end of thread, other threads:[~2009-09-09 19:05 UTC | newest]

Thread overview: 36+ messages
2009-09-05  9:56 [gentoo-user] Making sure I am a good netizen and secure Dale
2009-09-05 10:44 ` Alan McKinnon
2009-09-05 11:01   ` Dale
2009-09-05 13:53     ` Willie Wong
2009-09-05 14:11       ` John J. Foster
2009-09-05 14:36         ` Dale
2009-09-05 14:48         ` Willie Wong
2009-09-05 17:46           ` Stroller
2009-09-07 15:27       ` [gentoo-user] " James
2009-09-08 11:00         ` Willie Wong
2009-09-09 19:04           ` James
2009-09-05 14:59 ` Grant Edwards
2009-09-05 15:10   ` Dale
2009-09-05 17:03     ` Mick
2009-09-05 17:28       ` Dale
2009-09-05 19:01         ` Mick
2009-09-05 19:58           ` Dale
2009-09-05 23:17             ` Mick
2009-09-06  7:30               ` Alan McKinnon
2009-09-06  8:40                 ` Dale
2009-09-06  9:49                   ` Alan McKinnon
2009-09-06 13:20                     ` Dale
2009-09-06 17:31                     ` Peter Humphrey
2009-09-06 19:46                       ` Mick
2009-09-06 20:12                       ` Alan McKinnon
2009-09-07  9:07                         ` Peter Humphrey
2009-09-07 15:39                           ` Dale
2009-09-07 18:09                             ` Alan McKinnon
2009-09-07 18:43                               ` Dale
2009-09-08 15:23                               ` Peter Humphrey
2009-09-08 15:42                                 ` Alan McKinnon
2009-09-09 12:37                                   ` Peter Humphrey
2009-09-06  3:03       ` Grant Edwards
2009-09-06 11:23         ` Mick
2009-09-06  3:01     ` Grant Edwards
2009-09-05 20:11 ` Nikos Chantziaras
