* [gentoo-user] In the fear of getting hacked (WLAN setup)
From: Meino.Cramer @ 2015-07-18 3:34 UTC
To: Gentoo

Hi,

in order to connect my ASUS Memo Pad 7 ME176CX to the internet I need
a working WLAN (my DSL router/modem is of the copper era - no
Wifi/WLAN). The hardware (a USB dongle) is already there... it needs
"only" to be configured and set up.

The problem I (possibly needlessly) see is: while I am tinkering and
testing the configuration I may set up an open Wifi access point
without noticing it at first glance and
BANG! get hacked... in the worst case: unrecognized...

What is the "best practice" here?
Is there a certain independent configuration, which I can set,
which prevents this scenario?

Thank you very much in advance for any help!
Best regards,
Meino

PS: If one knows the ASUS Memo Pad 7 ME176CX and knows a
way to locally connect this tablet to the internet... this
would be a way to go also. I would appreciate any hint in
this case (using Lollipop 5.0).
* [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: Nikos Chantziaras @ 2015-07-18 3:47 UTC
To: gentoo-user

On 18/07/2015 06:34 πμ, Meino.Cramer@gmx.de wrote:
> Hi,
>
> in order to connect my ASUS Memp Pad 7 ME176CX to the internet I need
> a working WLAN (my DSL router/modem is of the copper area - no
> Wifi/WLAN). The hardware (an USB dongle) is already there...it needs
> "only" be configured and setup.
>
> The problem I (possibly needless) see is: While I am tinkering and
> testing the configuration I may setup an open Wifi access point
> without noticing it in first glance and
> BANG! get hacked ... in the worst case: unrecognized...
>
> What is the "best practice" here?
> Is there a certain independant configuration, which I can set,
> which prevents this scenario?
>
> Thank you very much in advance for any help!
> Best regards,
> Meino
>
> PS: If one knows the ASUS Memo Pad 7 ME176CX and knows a
> way to locally connect this tablet to the internet...this
> would be a way to go also. I would appreciate any hint in
> this case (Using Lollipop 5.0).

If you don't have any daemons running that provide network services
(have opened listen ports), you can't get hacked. This is usually a
problem for Windows, which by default has a gazillion services
running (NetBIOS, printer/media/filesystem/everything sharing,
messaging, remote desktop, etc.)

On Gentoo, if *you* didn't set up a service, then nothing is listening
on the network.
* Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: Andrew Savchenko @ 2015-07-18 17:43 UTC
To: gentoo-user

Hi,

On Sat, 18 Jul 2015 06:47:21 +0300 Nikos Chantziaras wrote:
> > The problem I (possibly needless) see is: While I am tinkering and
> > testing the configuration I may setup an open Wifi access point
> > without noticing it in first glance and
> > BANG! get hacked ... in the worst case: unrecognized...
> >
> > What is the "best practice" here?
> > Is there a certain independant configuration, which I can set,
> > which prevents this scenario?
> >
> > Thank you very much in advance for any help!
> > Best regards,
> > Meino
> >
> > PS: If one knows the ASUS Memo Pad 7 ME176CX and knows a
> > way to locally connect this tablet to the internet...this
> > would be a way to go also. I would appreciate any hint in
> > this case (Using Lollipop 5.0).
>
> If you don't have any daemons running that provide network services
> (have opened listen ports), you can't get hacked. This is usually a
> problem for Windows, which by default has a gazillion of services
> running (NetBIOS, printer/media/filesystem/everything sharing,
> messaging, remote desktop, etc.)
>
> On Gentoo, if *you* didn't set up a service, then nothing is listening
> on the network.

Yes and no. If a user enabled a network interface and has no network
daemons running, the kernel still listens on that interface (ARP, ICMP
and so on) and may be hacked using vulnerabilities in the network
stack, protocol handlers or even network device drivers.

By default Gentoo has no interfaces enabled, but usually they are set
up during the initial install. And users may be unaware that even
without any network applications they may be vulnerable with enabled
interfaces.

Proper configuration of the kernel, especially iproute2 and iptables,
can minimize such risks, of course.

Best regards,
Andrew Savchenko
* [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: Nikos Chantziaras @ 2015-07-20 14:37 UTC
To: gentoo-user

On 18/07/2015 08:43 μμ, Andrew Savchenko wrote:
> On Sat, 18 Jul 2015 06:47:21 +0300 Nikos Chantziaras wrote:
>>> The problem I (possibly needless) see is: While I am tinkering and
>>> testing the configuration I may setup an open Wifi access point
>>> without noticing it in first glance and
>>> BANG! get hacked ... in the worst case: unrecognized...
>>
>> If you don't have any daemons running that provide network services
>> (have opened listen ports), you can't get hacked.
>
> Yes and no. If user enabled network interface and has no network
> daemons running, kernel still listens to that interface (ARP, icmp
> and so on) and may be hacked using vulnerabilities in network
> stack, protocol handlers or even network device drivers.

Which is not a realistic scenario. We can assume that for all intents
and purposes, the OP is safe.
* Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: Rich Freeman @ 2015-07-20 17:07 UTC
To: gentoo-user

On Mon, Jul 20, 2015 at 10:37 AM, Nikos Chantziaras <realnc@gmail.com> wrote:
> On 18/07/2015 08:43 μμ, Andrew Savchenko wrote:
>>
>> Yes and no. If user enabled network interface and has no network
>> daemons running, kernel still listens to that interface (ARP, icmp
>> and so on) and may be hacked using vulnerabilities in network
>> stack, protocol handlers or even network device drivers.
>
> Which is not a realistic scenario. We can assume that for all intents and
> purposes, the OP is safe.
>

It is a completely realistic scenario and has in fact happened in the
past (ping of death and so on). That said, all you can do to protect
against it is update your kernel when a vulnerability is discovered,
unless you want to go funding your own kernel audit.

This scenario applies to virtually any router in existence to some
degree - at least with a linux router you build yourself you know for
sure what is running on it and it is easy to update if a vulnerability
does get discovered. Just run a supported kernel and you should be
fine. You'll probably want a longterm kernel on something like a
router.

So, it isn't a reason to panic, but you could conceivably have a linux
router whose only userspace process is an init that sets up
iptables/iproute/etc and then just does an idle loop, and it could
still have a vulnerability. The kernel is software like anything else,
and it can contain bugs. That shouldn't make you afraid to use linux,
but as with any networked device you should understand security and
ensure that if there is a problem you'll find out about it and be able
to fix it. That is true of linux, any embedded OS, or of almost any
device that contains RAM.

--
Rich
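Two defender-side checks for the point this sub-thread argues over (Nikos: "nothing is listening"; Andrew: iptables can minimize the exposure of an interface that is up anyway), as an added example that is not part of any message in the thread. The `ss -tulnH` column layout is the real one; the sample `ss` output, the interface names wlan0 (access point) and eth0 (uplink) and the port choices are constructed. As Rich says, none of this helps against a bug in the kernel stack or a driver, where only a kernel update does.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for "am I exposed?":
#  1. exposed_sockets: sockets listening on something other than loopback
#  2. ap_ruleset: a default-deny iptables-restore ruleset for an AP interface,
#     so an interface brought up "while tinkering" only offers what the AP
#     needs (DHCP and DNS) and forwards only AP -> uplink.

# Constructed sample of `ss -tulnH` output (real columns:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS='udp   UNCONN 0 0   127.0.0.1:323   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:67      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:6010  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 [::1]:631       [::]:*'

# exposed_sockets: read ss-style lines on stdin and print "proto local:port"
# for every socket bound to a non-loopback address.
# On a live system:  ss -tulnH | exposed_sockets
exposed_sockets() {
    awk '{
        addr = $5
        host = addr
        sub(/:[^:]*$/, "", host)      # drop the port after the last colon
        if (host ~ /^127\./ || host == "[::1]") next
        print $1, addr
    }'
}

# count_exposed: exposed sockets in the constructed sample
# (2: the DHCP server on udp/67 and sshd on tcp/22).
count_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_sockets | wc -l | tr -d ' '
}

# ap_ruleset AP_IFACE UPLINK_IFACE: print an iptables-restore ruleset.
# INPUT and FORWARD default to DROP; clients on the AP interface may only
# reach the local DHCP (udp/67) and DNS (53) services and are NATed out via
# the uplink. Apply with:  ap_ruleset wlan0 eth0 | iptables-restore
ap_ruleset() {
    ap="$1"
    up="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ap -p udp --dport 67 -j ACCEPT
-A INPUT -i $ap -p udp --dport 53 -j ACCEPT
-A INPUT -i $ap -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ap -o $up -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $up -j MASQUERADE
COMMIT
EOF
}

# ruleset_is_default_deny: succeed if the ruleset on stdin drops by default
# on both INPUT and FORWARD (the property worth asserting before loading it).
ruleset_is_default_deny() {
    n=$(grep -c -e '^:INPUT DROP' -e '^:FORWARD DROP')
    [ "$n" -eq 2 ]
}
```

One caveat that follows from Andrew's point: iptables filters IP, so ARP and the link-layer handshake the kernel answers on an interface that is up are not touched by this ruleset at all; `ss` and the ruleset tell you about userspace services and IP traffic, not about the kernel's own reachable surface.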
* [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: James @ 2015-07-18 4:28 UTC
To: gentoo-user

<Meino.Cramer <at> gmx.de> writes:

> What is the "best practice" here?
> Is there a certain independant configuration, which I can set,
> which prevents this scenario?

Briefly:: 'eix -Cc net-wireless' will tell you what the packages in
this category do. You either have to purchase a wireless router, or
build one with a wireless card, iptables and set up NAT. You'll need
some additional software packages from net-wireless.

Once you get the wireless device set up, it's a good idea to test your
wireless network security. net-wireless/airsnort is the grand_daddy.
Many others exist::

net-wireless/airtraf
net-wireless/aircrack-ng

is a good start. You can run these from a laptop with a wireless
interface. Google for wiki sites or arch linux sites and howto set up
and use.

hth,
James
* [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: walt @ 2015-07-18 23:18 UTC
To: gentoo-user

On Sat, 18 Jul 2015 05:34:53 +0200 Meino.Cramer@gmx.de wrote:
> Hi,
>
> in order to connect my ASUS Memp Pad 7 ME176CX to the internet I need
> a working WLAN (my DSL router/modem is of the copper area - no
> Wifi/WLAN). The hardware (an USB dongle) is already there...it needs
> "only" be configured and setup.
>
> The problem I (possibly needless) see is: While I am tinkering and
> testing the configuration I may setup an open Wifi access point
> without noticing it in first glance and
> BANG! get hacked ... in the worst case: unrecognized...

I heard this on a podcast about security from someone (Steve Gibson)
who knows a lot about the subject. He suggested using all those old
home routers (you have sitting around collecting dust) in a new way.

Apparently we can't trust any individual black-box home router to be
secure any more, but maybe we can combine them to make hackers work
harder:

The idea is to chain all those home routers in series (instead of using
them as the manufacturers intended) and then, as the last step, to plug
your (new) wireless router into the end of the chain of old routers.

I have no idea if this idea is good or bad, I'm just passing it along.
* Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: Meino.Cramer @ 2015-07-19 10:18 UTC
To: gentoo-user

walt <w41ter@gmail.com> [15-07-19 04:08]:
> On Sat, 18 Jul 2015 05:34:53 +0200
> Meino.Cramer@gmx.de wrote:
>
> > Hi,
> >
> > in order to connect my ASUS Memp Pad 7 ME176CX to the internet I need
> > a working WLAN (my DSL router/modem is of the copper area - no
> > Wifi/WLAN). The hardware (an USB dongle) is already there...it needs
> > "only" be configured and setup.
> >
> > The problem I (possibly needless) see is: While I am tinkering and
> > testing the configuration I may setup an open Wifi access point
> > without noticing it in first glance and
> > BANG! get hacked ... in the worst case: unrecognized...
>
> I heard this on a podcast about security from someone (Steve Gibson)
> who knows a lot about the subject. He suggested using all those old
> home routers (you have sitting around collecting dust) in a new way.
>
> Apparently we can't trust any individual black-box home router to be
> secure any more, but maybe we can combine them to make hackers work
> harder:
>
> The idea is to chain all those home routers in series (instead of using
> them as the manufacturers intended) and then, as the last step, to plug
> your (new) wireless router into the end of the chain of old routers.
>
> I have no idea if this idea is good or bad, I'm just passing it along.
>

Hi all,

thank you very much for all the tips and tricks on this topic. The only
router/DSL modem I own is the one I got from my first DSL provider
in times when the DSL modem/router was not controlled by the
provider ;)
So the chain has only one link.

Maybe I get my tablet rooted and will be able to convince the kernel
to accept a USB/Ethernet USB gadget (or whatever it is called). Wifi/WLAN
is a weird thing. I don't trust it as far as I trust a good ole
cable going from 'A' to 'B'... ;)

A little old school, but who cares. Better safe than sorry...

Thanks a lot again!
Best regards,
Meino
* Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: Mick @ 2015-07-19 13:17 UTC
To: gentoo-user

On Sunday 19 Jul 2015 11:18:45 Meino.Cramer@gmx.de wrote:
> walt <w41ter@gmail.com> [15-07-19 04:08]:
> > On Sat, 18 Jul 2015 05:34:53 +0200
> >
> > Meino.Cramer@gmx.de wrote:
> > > Hi,
> > >
> > > in order to connect my ASUS Memp Pad 7 ME176CX to the internet I need
> > > a working WLAN (my DSL router/modem is of the copper area - no
> > > Wifi/WLAN). The hardware (an USB dongle) is already there...it needs
> > > "only" be configured and setup.
> > >
> > > The problem I (possibly needless) see is: While I am tinkering and
> > > testing the configuration I may setup an open Wifi access point
> > > without noticing it in first glance and
> > > BANG! get hacked ... in the worst case: unrecognized...
> >
> > I heard this on a podcast about security from someone (Steve Gibson)
> > who knows a lot about the subject. He suggested using all those old
> > home routers (you have sitting around collecting dust) in a new way.
> >
> > Apparently we can't trust any individual black-box home router to be
> > secure any more, but maybe we can combine them to make hackers work
> > harder:
> >
> > The idea is to chain all those home routers in series (instead of using
> > them as the manufacturers intended) and then, as the last step, to plug
> > your (new) wireless router into the end of the chain of old routers.
> >
> > I have no idea if this idea is good or bad, I'm just passing it along.
>
> Hi all,
>
> thank you very much for all tips and trick on this topic. The only
> router/dsl-modem I own is the own I got from my first DSL provider
> in times, when the DSL modem/router was not controlled by the
> provider ;)
> So the chain has only one link.
>
> May be I get my tablet rooted and will able to convince the kernel
> to accept an USB/Ethernet USB-gadget (or how it is called). Wifi/WLAN
> is a weird thing. I dont trust it that far, as I trust a good ole
> cable going from 'A' to 'B'... ;)
>
> A little old school, but who cares. Better safe than sorry...
>
> Thanks a lot again!
> Best regards,
> Meino

I didn't answer immediately, because I am not entirely clear what the
attack vector is that you are worried about.

If you are going to use your PC to create a wireless access point, so
that the tablet can wirelessly connect to the Internet through this,
then using WPA2-CCMP encryption of your wireless connection should be
enough for most practical purposes.

--
Regards,
Mick
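Mick's recommendation (WPA2 with CCMP) and the OP's worry (an access point that comes up open without anyone noticing) are one `hostapd.conf` line apart, so here is an added check, not from the thread, that grades a hostapd configuration before the AP is started. The option names (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `wpa_passphrase`) and the rule that `rsn_pairwise` falls back to `wpa_pairwise` are hostapd's own; the four sample configurations, the SSID and the passphrase placeholders are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: grade a hostapd.conf read on stdin.
# Exit status 0 only for WPA2 (RSN) with CCMP and a usable passphrase.
# On a live system:  hostapd_grade < /etc/hostapd/hostapd.conf

# Constructed configs. The first is the OP's nightmare: without a wpa= line
# hostapd brings the SSID up as an open network.
OPEN_CONF='interface=wlan0
ssid=homenet
hw_mode=g
channel=6'

WPA1_CONF='interface=wlan0
ssid=homenet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=CHANGE-ME-placeholder'

# wpa=2 but rsn_pairwise unset: hostapd falls back to wpa_pairwise, which
# still allows TKIP here.
MIXED_CIPHER_CONF='interface=wlan0
ssid=homenet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=CHANGE-ME-placeholder'

GOOD_CONF='interface=wlan0
ssid=homenet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-placeholder-at-least-8-chars'

# conf_value KEY: value of KEY in the config on stdin (comments ignored,
# last occurrence wins, empty if absent).
conf_value() {
    grep -v '^[[:space:]]*#' | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# hostapd_grade: print a one-word verdict for the config on stdin.
hostapd_grade() {
    conf=$(cat)
    wpa=$(printf '%s\n' "$conf" | conf_value wpa)
    rsn=$(printf '%s\n' "$conf" | conf_value rsn_pairwise)
    legacy=$(printf '%s\n' "$conf" | conf_value wpa_pairwise)
    pw=$(printf '%s\n' "$conf" | conf_value wpa_passphrase)

    case "$wpa" in
        ""|0) echo open; return 1 ;;          # no WPA at all
        1|3)  echo allows-wpa1; return 1 ;;   # WPA1, or mixed WPA/WPA2
        2)    ;;
        *)    echo unknown-wpa-value; return 1 ;;
    esac

    # rsn_pairwise defaults to wpa_pairwise when unset (hostapd semantics);
    # only an explicit CCMP-only setting passes.
    pairwise="${rsn:-$legacy}"
    case "$pairwise" in
        CCMP)   ;;
        *TKIP*) echo allows-tkip; return 1 ;;
        *)      echo cipher-not-ccmp; return 1 ;;
    esac

    # hostapd rejects WPA-PSK passphrases outside 8..63 characters; catch it
    # here instead of at startup (a wpa_psk hex key is not handled by this check).
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 63 ]; then
        echo bad-passphrase-length; return 1
    fi
    echo wpa2-ccmp
}
```

The check reads the file the way hostapd does (last value wins, `#` lines ignored) and deliberately fails the mixed `wpa=3` and `TKIP CCMP` cases, since either one lets a client negotiate the weaker option; run it from the script that starts hostapd so the AP never comes up on a configuration that grades anything other than `wpa2-ccmp`.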
* [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: James @ 2015-07-19 19:13 UTC
To: gentoo-user

Mick <michaelkintzios <at> gmail.com> writes:

> > > > BANG! get hacked ... in the worst case: unrecognized...

> > thank you very much for all tips and trick on this topic. The only
> > router/dsl-modem I own is the own I got from my first DSL provider
> > in times, when the DSL modem/router was not controlled by the
> > provider ;)
> > So the chain has only one link.

Perhaps you need to convert an old PC to a firewall? If you look at
several of the associated threads lately, you can see that useful
gentoo based appliances, such as a robust firewall, are strictly the
domain of (gentoo) experts. But it does not have to be that way. A
secure firewall could be available on the gentoo platform. However,
atm, we struggle with offering a simple if not guided installation
procedure for gentoo linux. Let us hope that the Project::Installer
will result in an offering where somebody could then define how to
build a gentoo-centric firewall for our user base. Until then I'd
suggest using a linux distro specifically tuned to building a firewall
with wireless interface support [1].

> > May be I get my tablet rooted and will able to convince the kernel
> > to accept an USB/Ethernet USB-gadget (or how it is called). Wifi/WLAN
> > is a weird thing. I dont trust it that far, as I trust a good ole
> > cable going from 'A' to 'B'... ;)
> >
> > A little old school, but who cares. Better safe than sorry...
> >
> > Thanks a lot again!
> > Best regards,
> > Meino
>
> I didn't answer immediately, because I am not entirely clear what is the
> attack vector that you are worried about.

True. But we could offer a generic gentoo firewall, from which folks
build additional features into it for their needs beyond the basics.

> I you are going to use your PC to create a wireless access point, so
> that the tablet can wirelessly connect to the Internet through this,
> then using WPA2-CCMP encryption of your wireless connection should be
> enough for most practical purposes.

The number of 'gadgets' with wireless ethernet is currently exploding
on many markets. Inclusion of connecting, routing and securing wireless
devices via a gentoo centric firewall is definitely an opportunity for
the greater gentoo community. I think leveraging such a project on top
of the new Project::Installer offering is something that happens.

I'd be most curious to see a gentoo-embedded-firewall that runs on a
variety of gentoo-embedded archs such as PPC, arm7v, arm8v
specifically. That way low cost (low power consumption embedded
boards) could be purchased, set up and deployed for our userbase and
to attract new gentoo members.

James

[1] http://www.tecmint.com/install-ipfire-firewall-distribution/
* Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: J.Rutkowski @ 2015-07-19 20:13 UTC
To: gentoo-user

On Sun, Jul 19, 2015, at 02:13 PM, James wrote:
> The number of 'gadgets' with wireless ethernet is currently exploding
> on many markets. Inclusion of connecting, routing and securing wireless
> devices via gentoo centric firewall is definitely an opportunity for the
> greater gentoo community. It think leveraging such a project on
> top of the new Project::Installer offering is something that happens.
>
> I'd be most curious to see a gentoo-embedded-firewall, that runs on a
> variety of gentoo-embedded arch's such as PPC, arm7v, arm8v specifically.
> That way low cost (low power consumption embedded boards) could be
> purchased, setup and deploy for our userbase and to attract new gentoo
> members.
>

I'm in the process of doing this with a beaglebone black [1] I had
lying around. I wanted to have a minimal wireless access point and
firewall for my home office. It's cheap, low maintenance (after
install), and completely configurable. Tying embedded systems into the
Project:Installer would be amazing! It would be awesome to see an
installer handle distcc.

-Josh

[1] http://beagleboard.org/BLACK
* [gentoo-user] Re: In the fear of getting hacked (WLAN setup)
From: James @ 2015-07-19 20:27 UTC
To: gentoo-user

J.Rutkowski <jrtk <at> pancakebungalow.com> writes:

> I'm in the process of doing this with a beaglebone black[1] I had lying
> around. I wanted to have a minimal wireless access point and firewall
> for my home office. It's cheap, low maintenance (after install), and
> completely configurable. Tying embedded systems into the
> Project:Installer would be amazing! It would be awesome to see an
> installer handle distcc.

> -Josh

> [1] http://beagleboard.org/BLACK

Ah:: Excellent move there Josh!

I have an older Pandaboard:: will it work too? Will it support
multiple ethernet interfaces, even if you have to use USB-2-RJ45
converters?

Also, please make your iptables ruleset modular so folks can
test/deploy on other devices. Do not forget to leverage the existing
gentoo home router page in your design, if possible? [1]

James

[1] https://wiki.gentoo.org/wiki/Home_Router