The perimeter network is also known as the DMZ (Demilitarized Zone). In it sit the relay computers for all protocols/services that are supposed to work from one network into the other. Such a relay computer is also known as a proxy, because it acts pro procurationem, i.e. by proxy (like a secretary). Proxies work at the application level, which means they understand the communication they handle.
A net scan is a systematic, standardized request for services sent to a group of computers. In real life it would be the same as looking down a street for an open store.
Just as someone watching a house could be planning a burglary, a scan can be preparation for an attack. But this indicator is really weak.
A scan that goes a bit deeper is a banner scan. With a banner scan you contact every public service and detect the server software and its version number. This is legal, too.
No scan is necessarily a preparation for an attack, nor is it an attack.
A desktop firewall can help you learn more about your system, but it can't make you more secure. Better avoid using a desktop firewall by following the guidelines described in "I have open ports, what are they used for?" and "How can I find out what's happening on my interfaces/network?".
man riskcompensation.
Everybody who does not understand the effects of a security solution will develop a certain laxity, due to the feeling that the system protects him.
Whoever doesn't think that firewall systems work should expect questions about why he installs such systems.
Many of the so-called desktop firewalls report every incoming packet as an attack. This causes panic and a sense of having spent the money the right way. All the people you know cannot live without this protection either, so you'd better hurry and call them ...
In most cases the reported packets are responses to requests you generated by reading a website, fetching your email or playing internet games.
With a dialup account and a dynamic IP (as with most providers) it's possible to receive packets after your dial-in that belong to connections of the previous holder of this IP. It's nothing dangerous, nor is it an attack.
If you've got a trojan horse on your computer then you are responsible for the installation. The firewall isn't able to protect you from doing that, and afterwards it's too late anyway.
If you haven't installed a trojan horse the request will be rejected. The firewall does the same, so what is the benefit?
A firewall can help, even a desktop firewall. But only if it's well thought out and maintained. One question still remains, though: why don't you fix the errors in your system? Patches are normally delivered together with the announcement of the security hole.
On the other side: why do you buy technology that is known to be defective? If you recognize this error after the purchase you have the option of a refund or of returning the product. Making mistakes isn't fatal, but not accepting them is inexcusable.
If something doesn't work, learn what the software needs and why it needs it. Then allow access if you need the software.
Chronological order of what to learn: basics of IP, ICMP, UDP and TCP. After that, all protocols. Start with DNS over UDP (all directions), then telnet. Next is POP3. After that SMTP and HTTP. After FTP you can learn SSH and HTTPS.
Some introductory remarks and examples can be found at the website of the BSI (in German): http://www.bsi.bund.de/literat/doc/sinetdoc/sinetstd.htm
whois -h whois.thur.de request
As an alternative you can type your request into telnet: telnet whois.thur.de 43
Of course nobody is obliged to use these ports. So if a trojan horse wants to install a service it will use a known port. This way nothing can distinguish the trojan from the "normal" service at first. Most of the trojan ports were "made" in the last few years. They normally have port numbers higher than 1024 and therefore can be opened on a UNIX system without special rights. Every internet service opens a port this way to be able to communicate. Most trojan horses aren't trojans, but normal remote administration utilities that use unassigned port numbers. Generally listening on a particular port, i.e. acting as a server, is quite uncommon; for example FTP, Napster, Gnutella, ICQ, ... use the technique of randomly chosen ports.
Which program listens on which port can be found out with lsof -i, which communications are currently active with netstat -tu, and which services are running with netstat -lp. In Windows TDIMon can help you, too: http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml.
Even though you need a second system to examine a possibly compromised system, it is advisable to determine the normal operation of your system beforehand. On UNIX systems you have tcpdump to observe network traffic. For Windows you can find information here: http://netgroup-serv.polito.it/winpcap/. For long-term observation of your network traffic Snort http://www.snort.org/ is worth a look.
DENY means to throw away the connection attempts. The inquiring computer gets a timeout in this case.
Administrators who worry about script kiddies sometimes believe that they can stop them with DENY. This is wrong. It's possible to start several thousand scans at once and therefore to wait for all timeouts at once. A scanner won't slow down because of this. On the other hand you slow down all legitimate users and services, especially IDENT requests.
The ident service helps the administrator of a well-run system identify misbehaving users. DENY has the consequence that this help isn't recorded at other servers. If you want to hide spammers and script kiddies, please use DENY.
Just take it from this point of view: it's better to tell your partner that you're not interested in discussing a particular subject (REJECT). Your partner knows from the beginning what's the case and can immediately decide whether he wants to continue the relationship.
If you never talk about a certain subject (DENY) it has two consequences: a) you have to listen to your partner talking, and this takes your time, and b) it takes your partner's time, because he wanted to tell you something important and would have been better off doing that somewhere else.
Another real-life example: you're walking down the street in your city and a tramp asks you if you can spare some money. You could either say "nope, don't have money" (REJECT) or you could endure the endless begging (DENY).
So the only things you can do are either a LART for your users or setting up so-called "white lists", meaning you can only reach trustworthy servers on the internet. In this case you can't call it real internet access anymore.
It should be clear in one's mind that it's impossible to solve social problems with the help of technology, regardless of how much money you're going to spend on the problem.
netstat shows open ports, but there is nothing running there. What do I miss?
netstat -an shows the source port with state LISTEN. But LISTEN in terms of TCP/IP means: here is a server running that accepts TCP connection attempts.
    Proto  Local Address        Foreign Address      State
    tcp    217.17.192.37:1213   217.17.192.67:119    ESTABLISHED
    tcp    0.0.0.0:1213         0.0.0.0:*            LISTEN
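The following is an added example, not code from the original FAQ, showing how to read the kind of netstat output quoted above mechanically: it separates sockets in state LISTEN (a server accepting TCP connections) from ESTABLISHED ones (an active conversation), which is the distinction the answer relies on and also the information that lsof -i / netstat -lp give you. The sample output is constructed, modelled on the four-column layout of the two lines quoted above, and the extra lines (port 22, port 53, a TIME_WAIT socket) are assumptions for illustration.

```python
from collections import namedtuple

# Constructed sample of "netstat -an" output in the four-column layout quoted
# in the FAQ. Only the first two lines come from the FAQ; the rest are made up.
SAMPLE_NETSTAT = """\
Proto Local Address           Foreign Address         State
tcp   217.17.192.37:1213      217.17.192.67:119       ESTABLISHED
tcp   0.0.0.0:1213            0.0.0.0:*               LISTEN
tcp   0.0.0.0:22              0.0.0.0:*               LISTEN
tcp   217.17.192.37:4021      217.17.192.67:80        TIME_WAIT
udp   0.0.0.0:53              0.0.0.0:*
"""

Socket = namedtuple("Socket", "proto local_addr local_port remote_addr remote_port state")


def split_endpoint(endpoint):
    """'1.2.3.4:119' -> ('1.2.3.4', 119); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn netstat lines into Socket records; header and unknown lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""  # UDP lines carry no state
        local_addr, local_port = split_endpoint(local)
        remote_addr, remote_port = split_endpoint(remote)
        sockets.append(Socket(proto, local_addr, local_port, remote_addr, remote_port, state))
    return sockets


def listening_ports(sockets):
    """Ports where something accepts traffic: TCP in LISTEN, or a bound UDP socket."""
    return sorted({(s.proto, s.local_port) for s in sockets
                   if s.state == "LISTEN"
                   or (s.proto.startswith("udp") and s.remote_port is None)})


def established(sockets):
    """Active TCP conversations, e.g. the client connection to the news server on 119."""
    return [s for s in sockets if s.state == "ESTABLISHED"]


def reachable_from_network(sockets):
    """Listening TCP sockets bound to a wildcard address, i.e. open to other hosts."""
    return [s for s in sockets if s.state == "LISTEN" and s.local_addr in ("0.0.0.0", "::")]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(socks))
    for s in established(socks):
        print("established: %s:%d -> %s:%d" % (s.local_addr, s.local_port, s.remote_addr, s.remote_port))
```

Run it against the output of a real netstat -an and compare the listening list with what you expect to be running; every entry you cannot explain is exactly the kind of port the question above is about.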
To tell the FTP server where it has to open the data connection, you send a PORT command to the server. This command contains the IP address and the port of the user's system. The potential risk is obvious. A firewall has to analyse this active FTP, rewrite the PORT command if needed and accommodate its own. Therefore you should always try to use passive FTP.
For especially obscure problems you can post a message in one of the following newsgroups:
It's beneficial to show why a particular service has to be used and to what extent the usage of this service corresponds to your policy. Without this specification the advice to remove the packet filter is adequate.
For some systems there are websites that focus on the problems:
Over time the experts who have read and discussed in this newsgroup for quite a while get fretful, in particular when they see that the questioner doesn't put enough effort into his research to find the answers to his problem(s) on his own. In the end this leads to sarcastic remarks by the experts.
Unintentionally, the question of a rookie reads like this in the eyes of an expert: "My house is standing on a public street. I don't want people to see my house from the street. I heard that one can see my house with the help of a torch (nmap) even when the sun, moon and street lighting are shut off. How can I protect myself?"
The answer you want to hear is: "There are some really cool OHP transparencies with an imprint like 'This is not a house.', which you can stick to your windows. Free of charge and extra colourful are the ones from Zonealarm."
This FAQ should help to keep these unfulfillable wishes to a minimum or even non-existent in this newsgroup. It should inspire people to think about it.
Note: no answer is the same as answering "I'm here and fine.". If you are not there, another system will respond with "He's not there". This other system is the nearest router, located at your provider. And if it does so, you weren't connected to the internet.
On the other hand, software firewalls are more up to date due to higher market pressure and have more features (sold hardware ties the customers for a longer time). The drawback is a higher risk of faults in the bigger source code.
Finally there are hardware firewalls without software. These use physical effects. For example: one inch of air is enough to protect a personal computer from network attacks.
For mobile users IKE with shared-key authentication is widely used. Which parameters are set up? DES/3DES, SHA1/MD5, DH group 1/2? Is the same shared secret used (possibly called group password) or do you use certificates? Are the IKE IDs built on names or addresses? Maybe you have to use a peer address (if it's a dynamically assigned address) of 0.0.0.0 or better a netmask.
Can you see the IKE management tunnel? Have you got some debugging output? If the management tunnel is established you've almost won.
To be able to configure a client you have to use (not yet standardized) protocols like Xauth (who's the requester?) and mode-config (which IP, DNS, WINS, ... does he get?). Does it fail on these protocols? If yes, there is nothing left but building a PPP connection over IPSec. If you want to transmit broadcasts (Windows :-/) you have to use L2TP through the PPP tunnel. And then you're going to spit.
If mode-config succeeded you need the IPSec tunnels. There you exchange IDs first, which define the interesting traffic. This has to fit! Of course the algorithms for the tunnels have to fit, too. Is it transport or tunnel mode? Only with tunnel mode can you reach whole networks! If you use authentication headers the packets must not be altered on their way between the devices. You should start with ESP and a simple cipher. You should avoid AH, because you can build a more stable tunnel with ESP and HMAC.
Network address translation (NAT) is almost always harmful for IPSec; IKE can fail in this case, because the source port could be wrong.
Since all these protocols use dynamic ports from a large range (RTP uses UDP 16384-32767) it's mandatory to read up on those protocols on the firewall systems and adjust the rulesets. For Linux you can find at http://www.coritel.it/coritel/ip/sofia/nat/nat2/nat2.htm a module that allows voice unicast to a service with an official IP address, without management of resources and numbers.
You should take care to supply any protocol descriptions (references to data by URL), an exact explanation of the problem (especially the packet filter to be configured) and indicate how you tried to solve the problem. Current workarounds are worth mentioning.
comp.security.firewall (English)
de.comp.security.firewall (German)