Would a firewall prevent Sasser worm?

Anonymous
May 4, 2004 12:33:32 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

If I had a firewall would that prevent the Sasser worm infecting my
PC?

I mean, if another infected system cannot see my ports because they
are stealthed then presumably Sasser could not infect me?
Anonymous
May 4, 2004 12:33:33 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

>If I had a firewall would that prevent the Sasser worm infecting my
>PC?
>
>I mean, if another infected system cannot see my ports because they
>are stealthed then presumably Sasser could not infect me?

Yes, any firewall that blocks incoming port 445 will prevent infection
by the Sasser worm.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
May 4, 2004 2:52:38 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen wrote:
> On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>
>>If I had a firewall would that prevent the Sasser worm infecting my
>>PC?
>>
>>I mean, if another infected system cannot see my ports because they
>>are stealthed then presumably Sasser could not infect me?
>
>
> Yes, any firewall that blocks incoming port 445 will prevent infection
> by the Sasser worm.
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

From Microsoft: "Customers who have enabled the Windows XP Firewall are
protected from the vector this worm attacks, which is TCP Port 139.
Most third party firewalls also block this attack vector by default."

g-w
May 4, 2004 6:25:28 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

<snip>
> Yes, any firewall that blocks incoming port
> 445 will prevent infection by the Sasser worm.

As long as someone won't write a variant
of the worm spreading by email too :-)

Brain; the best firewall in the world (if one uses it)
Anonymous
May 4, 2004 6:25:29 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 4 May 2004 14:25:28 +0200, ObiWan spoketh

><snip>
>> Yes, any firewall that blocks incoming port
>> 445 will prevent infection by the Sasser worm.
>
>As long as someone won't write a variant
>of the worm spreading by email too :-)
>
>Brain; the best firewall in the world (if one uses it)
>
>

We can only deal with the "known knowns". The "unknown unknowns" we'll
have to leave for Mr. Rumsfeld...

Currently, the Sasser worm only spreads by exploiting the LSASS buffer
overflow vulnerability through port 445.

Sasser.D now also sends an ICMP echo request, which will certainly show
up in many more logs :( 

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 4, 2004 6:25:30 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Hi,

I agree with ObiWan, why use a firewall to filter some port if it can
be exploited in other ways?

In this case, the "unknown" can be commonly supposed...

Real security fixes the source problem, not workarounds... ;-)

Fix the overflow at lsass.exe! :)

P.S.: A machine up to date today isn't enough.

Regards.

Mercenarie's Club Member => http://cdm.frontthescene.com.br
Front The Scene Team => http://www.frontthescene.com.br
Personal Page => http://ws.frontthescene.com.br
Anonymous
May 4, 2004 8:27:45 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Piotr Makley <pmakley@mail.com> writes:

]If I had a firewall would that prevent the Sasser worm infecting my
]PC?

]I mean, if another infected system cannot see my ports because they
]are stealthed then presumably Sasser could not infect me?

Sasser cannot infect you if you do not run Windows. Sasser cannot
infect you if you install the patch from Microsoft. A firewall might
help, but if you insist on not doing the first two you will always be in
danger. Note that a firewall has nothing to do with "stealthing" your
ports. It simply rejects all attempts to connect to ports except those
you deliberately open. You can do the same by not opening any ports
except those you absolutely need in the first place. What ports are open
on your system? Do you know?
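The closing question, "What ports are open on your system? Do you know?", can be answered on a Windows box of that era by reading `netstat -an` and comparing the listening sockets against the short list of ports that are actually needed. The script below is an added example (it is not from the thread or from any poster): it parses a constructed, Windows-style `netstat -an` dump, flags listeners outside an allowlist, and reports which Windows networking ports are bound to a network-reachable address. The sample output, the allowlist and the port set are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Ports behind "Windows Networking" (RPC endpoint mapper, NetBIOS, SMB) named in the thread.
WINDOWS_NETWORKING_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Listener:
    proto: str     # "TCP" or "UDP"
    address: str   # local address the socket is bound to
    port: int


# One "netstat -an" row (assumed Windows layout): proto, local addr:port, foreign addr, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> list:
    """Return the sockets that accept input: TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, address, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not open ports
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def audit(listeners, needed_ports):
    """Listeners on ports outside the allowlist, network-reachable ones first, loopback-only ones last."""
    unexpected = [l for l in listeners if l.port not in needed_ports]
    unexpected.sort(key=lambda l: (l.address.startswith("127."), l.port))
    return unexpected


def exposed_windows_networking(listeners):
    """Windows networking ports bound to a non-loopback address, i.e. reachable by a Sasser-style scan."""
    return {l.port for l in listeners
            if l.port in WINDOWS_NETWORKING_PORTS and not l.address.startswith("127.")}


# Constructed sample of "netstat -an" output from a freshly installed XP box; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3012      192.0.2.80:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for l in audit(found, needed_ports={1025}):   # assume only the loopback-bound port is wanted
        print(f"unexpected {l.proto} listener {l.address}:{l.port}")
    print("Windows networking ports reachable from the network:",
          sorted(exposed_windows_networking(found)))
```

On the constructed sample every Windows networking port is bound to 0.0.0.0 or the LAN address, which is exactly the state the thread describes for a default W2K/XP install; the loopback-only port is listed last because nothing on the network can reach it.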
Anonymous
May 4, 2004 8:29:07 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen <badnews@hansenonline.net> writes:

]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

]>If I had a firewall would that prevent the Sasser worm infecting my
]>PC?
]>
]>I mean, if another infected system cannot see my ports because they
]>are stealthed then presumably Sasser could not infect me?

]Yes, any firewall that blocks incoming port 445 will prevent infection
]by the Sasser worm.

Why is port 445 open on his system in the first place?
Anonymous
May 4, 2004 9:09:38 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>]>If I had a firewall would that prevent the Sasser worm infecting my
>]>PC?
>]>
>]>I mean, if another infected system cannot see my ports because they
>]>are stealthed then presumably Sasser could not infect me?
>
>]Yes, any firewall that blocks incoming port 445 will prevent infection
>]by the Sasser worm.
>
>Why is port 445 open on his system in the first place?

Port 445 is open by default on any W2K or WXP system unless you've
closed it somehow. Despite the fact that we all wish people would have
firewalls or at least a NAT router, we're not quite there yet...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 4, 2004 10:07:15 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
> Lars M. Hansen <badnews@hansenonline.net> writes:

> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh

> ]>If I had a firewall would that prevent the Sasser worm infecting my
> ]>PC?
> ]>
> ]>I mean, if another infected system cannot see my ports because they
> ]>are stealthed then presumably Sasser could not infect me?

> ]Yes, any firewall that blocks incoming port 445 will prevent infection
> ]by the Sasser worm.

> Why is port 445 open on his system in the first place?

Because Microsoft has it enabled and vulnerable by default.


--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Anonymous
May 4, 2004 10:10:37 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen <badnews@hansenonline.net> writes:

]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

]>Lars M. Hansen <badnews@hansenonline.net> writes:
]>
]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
]>
]>]>If I had a firewall would that prevent the Sasser worm infecting my
]>]>PC?
]>]>
]>]>I mean, if another infected system cannot see my ports because they
]>]>are stealthed then presumably Sasser could not infect me?
]>
]>]Yes, any firewall that blocks incoming port 445 will prevent infection
]>]by the Sasser worm.
]>
]>Why is port 445 open on his system in the first place?

]Port 445 is open by default on any W2K or WXP system unless you've
]closed it somehow. Despite the fact that we all wish people would have
]firewalls or at least a NAT router, we're not quite there yet...

?? Again, why is port 445 open anyway? You advocate that the user gets a
firewall. Surely it would be easier just to close port 445 or any ports
not absolutely needed than it would be to get and properly set up a
firewall. Or are you saying it is impossible to close many ports on a
Win machine?
This is like an exchange "I've got some dirt on my face" "Buy a skimask so people
cannot see the dirt". Why not just wash? If you cannot wash for some
reason then maybe a skimask would be an option, but surely advocating it
as the first thing to do is silly.

"Close all ports that you do not absolutely need on your machine"
should surely be the first bit of advice. Then after you have done that
also install a firewall for that extra bit of protection.
Anonymous
May 4, 2004 10:11:22 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <c78mat$4ps$1@string.physics.ubc.ca>,
unruh@string.physics.ubc.ca says...
> "Close all ports that you do not absolutely need on your machine"
> should surely be the first bit of advice. Then after you have done that
> also install a firewall for that extra bit of protection.

The problem is that most people don't have a clue as to how to close
ports, set up IPSec rules, etc... Most people don't even know to enable
the ICF on their machines.

The best thing people can do is purchase a cheap router with NAT and use
it from the moment they get their computer. This lets them download the
updates, install and update the AV software, etc... before they have a
chance to get hacked.

I put this back on the ISPs - they provide an open connection and don't
warn the unsuspecting public about the risk/problems. If they just
enabled NAT by default on their routers (DSL or Cable) most of this
problem would go away.



--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 4, 2004 10:47:03 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 4 May 2004 18:10:37 +0000 (UTC), Bill Unruh spoketh

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh
>
>]>Lars M. Hansen <badnews@hansenonline.net> writes:
>]>
>]>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>]>
>]>]>If I had a firewall would that prevent the Sasser worm infecting my
>]>]>PC?
>]>]>
>]>]>I mean, if another infected system cannot see my ports because they
>]>]>are stealthed then presumably Sasser could not infect me?
>]>
>]>]Yes, any firewall that blocks incoming port 445 will prevent infection
>]>]by the Sasser worm.
>]>
>]>Why is port 445 open on his system in the first place?
>
>]Port 445 is open by default on any W2K or WXP system unless you've
>]closed it somehow. Despite the fact that we all wish people would have
>]firewalls or at least a NAT router, we're not quite there yet...
>
>?? Again, why is port 445 open anyway? You advocate that the user gets a
>firewall. Surely it would be easier just to close port 445 or any ports
>not absolutely needed than it would be to get and properly set up a
>firewall. Or are you saying it is impossible to close many ports on a
>Win machine?

Yes, port 445 is difficult to close on a Windows computer. It's the
port used by what's commonly known as "Windows Networking", which means
sharing files and printers over a network. There are ways of closing it,
but it takes a little reading...

>This is like an exchange "I've got some dirt on my face" "Buy a skimask so people
>cannot see the dirt". Why not just wash? If you cannot wash for some
>reason then maybe a skimask would be an option, but surely advocating it
>as the first thing to do is silly.

No comment ...

>
>"Close all ports that you do not absolutely need on your machine"
>should surely be the first bit of advice. Then after you have done that
>also install a firewall for that extra bit of protection.

If all ports are closed, then there's little need for a firewall. If
there are some ports left open, then the firewall will need to allow
those ports anyways, unless the firewall is there to restrict the IP
addresses that'll gain access or because it does protocol validation.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 4, 2004 10:47:04 PM

Archived from groups: comp.security.firewalls

On Tue, 04 May 2004 18:47:03 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>Yes, port 445 is difficult to close on a Windows computer. It's the
>port used by what's commonly known as "Windows Networking", which means
>sharing files and printers over a network. There are ways of closing it,
>but it takes a little reading...
With NAT firewalls at the $19.99 range on sale (or sometimes after
rebate) there is no reason DSL and Cable modem users should be
directly connected anymore.

That whole idea foisted on us by the telcos and cable companies has
caused so many problems it is beyond comprehension.

I have never had a persistent connection to the internet with no
routing/filtering capabilities. And there is no reason anyone should.

Was it here that someone posted the spam emissions of ATTBI and one
other network's trojaned machines were 1.6 billion messages a day? I
can't lay my hand on that post. But that is reason enough that
everyone who has a computer connected to the internet should have and
use a NAT router as a minimum.
Anonymous
May 4, 2004 10:49:42 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
spoketh

>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>> Lars M. Hansen <badnews@hansenonline.net> writes:
>
>> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>
>> ]>If I had a firewall would that prevent the Sasser worm infecting my
>> ]>PC?
>> ]>
>> ]>I mean, if another infected system cannot see my ports because they
>> ]>are stealthed then presumably Sasser could not infect me?
>
>> ]Yes, any firewall that blocks incoming port 445 will prevent infection
>> ]by the Sasser worm.
>
>> Why is port 445 open on his system in the first place?
>
>Because Microsoft has it enabled and vulnerable by default.

"Vulnerable by default"? What the F*** does that mean? Does that mean
when the next vulnerability for Linux is discovered, the Microsoft camp
can claim that Linux is "vulnerable by default"?

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 4, 2004 10:49:43 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen wrote:

>"Vulnerable by default"? What the F*** does that mean? Does that mean
>when the next vulnerability for Linux is discovered, the Microsoft camp
>can claim that Linux is "vulnerable by default"?

Gosh, I can't remember the last remote vulnerability for Linux. Can
you? I've been swept away by the flood of Winders vulnerabilities.
Linux would really have to get on the ball if it's going to catch the
MotherShip.
May 4, 2004 10:49:43 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen <badnews@hansenonline.net> wrote in message news:<bapf909rbrkcvqp4nasstjsfacj8f105i6@4ax.com>...

> >Because Microsoft has it enabled and vulnerable by default.
>
> "Vulnerable by default"? What the F*** does that mean? Does that mean
> when the next vulnerability for Linux is discovered, the Microsoft camp
> can claim that Linux is "vulnerable by default"?

Well, you must admit that with Microsoft adopting the Secure Software
Initiatives during the writing of XP and 2000 (the only OSes
vulnerable to Sasser) and with the vulnerability being EXACTLY the
same buffer-overflow of the sort they've spent more than five years
patching in other versions, and most ironically the vulnerability is
in what they call the "Local Security Authority Service" -- it does
rather scream negligence.

Sure, they fixed it a month ago... but if you're able to clobber the
very security system itself by sending data, then I'm sorry, but
you've really got to call that "shipped vulnerable".

I am not saying that Macs or Linux PCs are better, but it's like
being a surgeon that just held a press-conference praising and
proclaiming your attention to cleanliness, and then going into surgery
using used dental-floss for sutures. If it's not technically
malpractice, then it is at least general-knowledge for
industrial-strength incompetence.
Anonymous
May 4, 2004 11:16:36 PM

Archived from groups: comp.security.firewalls

On Tue, 4 May 2004 18:10:37 +0000 (UTC), unruh@string.physics.ubc.ca
(Bill Unruh) wrote:

>Lars M. Hansen <badnews@hansenonline.net> writes:
>
>]On Tue, 4 May 2004 16:29:07 +0000 (UTC), Bill Unruh spoketh

>]Port 445 is open by default on any W2K or WXP system unless you've
>]closed it somehow. Despite the fact that we all wish people would have
>]firewalls or at least a NAT router, we're not quite there yet...
>
>?? Again, why is port 445 open anyway? You advocate that the user gets a
>firewall. Surely it would be easier just to close port 445 or any ports
>not absolutely needed than it would be to get and properly set up a
>firewall. Or are you saying it is impossible to close many ports on a
>Win machine?
>This is like an exchange "I've got some dirt on my face" "Buy a skimask so people
>cannot see the dirt". Why not just wash? If you cannot wash for some
>reason then maybe a skimask would be an option, but surely advocating it
>as the first thing to do is silly.
>
>"Close all ports that you do not absolutely need on your machine"
>should surely be the first bit of advice. Then after you have done that
>also install a firewall for that extra bit of protection.

Without port 445, I am unable to share the printer on our network. So
when I edit the registry to close this port, we can't print from XP
computers. We're relying on our router/firewall.
Anonymous
May 4, 2004 11:16:37 PM

Archived from groups: comp.security.firewalls

On Tue, 04 May 2004 19:16:36 GMT, "------>That Way!"
<traxless@yahoo.com> wrote:
>
>>"Close all ports that you do not absolutely need on your machine"
>>should surely be the first bit of advice. Then after you have done that
>>also install a firewall for that extra bit of protection.
>
>Without port 445, I am unable to share the printer on our network. So
>when I edit the registry to close this port, we can't print from XP
>computers. We're relying on our router/firewall.
But port 445 doesn't need to be open from outside your network.
That's the problem.
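Two points made in this thread, that a firewall in front of ports you must keep open earns its keep by restricting which source addresses may reach them, and that port 445 never needs to be reachable from outside your own network, can be shown as a packet-filter policy. The model below is an added example, not code from the thread or from any poster or firewall product: it evaluates a first-match, default-deny inbound rule set against a LAN print client and an Internet host, once with a weak policy that allows 445 from anywhere and once with a LAN-only policy. The rule format, the network ranges and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address of the inbound packet
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    dst_port: Optional[int]  # None matches any destination port
    src_net: str             # CIDR block the source address must fall inside
    proto: str = "tcp"


def evaluate(rules, packet, default="deny"):
    """Simplified inbound packet filter: the first matching rule wins, otherwise the default (deny) applies."""
    src = ipaddress.ip_address(packet.src)
    for rule in rules:
        if rule.proto != packet.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != packet.dst_port:
            continue
        if src not in ipaddress.ip_network(rule.src_net):
            continue
        return rule.action
    return default


LAN = "192.168.1.0/24"   # assumed home/office network behind the router

# Weak policy: file and printer sharing answered for any source, i.e. port 445 open to the Internet.
WEAK_POLICY = [Rule("allow", 445, "0.0.0.0/0")]

# Corrected policy: the same service, but only LAN sources may reach it; everyone else hits default deny.
LAN_ONLY_POLICY = [Rule("allow", 445, LAN), Rule("allow", 139, LAN)]


def check_policy(rules):
    """Decisions for a LAN print client and an Internet host probing port 445 (both constructed)."""
    lan_client = Packet("192.168.1.20", 445)
    internet_probe = Packet("203.0.113.7", 445)   # documentation range, stands in for an infected host
    return evaluate(rules, lan_client), evaluate(rules, internet_probe)


if __name__ == "__main__":
    print("weak policy     (LAN, Internet):", check_policy(WEAK_POLICY))
    print("LAN-only policy (LAN, Internet):", check_policy(LAN_ONLY_POLICY))
```

With the LAN-only policy the XP machines can still print to the shared printer while the same port is unreachable from the Internet, which is what the router/firewall in the post above is doing for the poster. The model ignores connection state and the reply direction; a real stateful filter would also let established connections through, but the decision on a new inbound connection is the one that matters here.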
May 4, 2004 11:21:51 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

> ><snip>
> >> Yes, any firewall that blocks incoming port
> >> 445 will prevent infection by the Sasser worm.
> >
> >As long as someone won't write a variant
> >of the worm spreading by email too :-)
> >
> >Brain; the best firewall in the world (if one uses it)
> >
> >
>
> We can only deal with the "known knowns". The "unknown unknowns"
> we'll have to leave for Mr. Rumsfeld...

Uh .. bad day ?!? I was just putting a little sarcasm there :-) !!

> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
> overflow vulnerability through port 445.

Yes, got some "proof of concept" code here, know how it works :-/

> Sasser.D now also sends an ICMP echo request, which will certainly show
> up in many more logs :( 

That's what I was saying, I don't think it would take too much
before we'll see a "mail spreading" variant, then, due to the
high number of "don't use the brain, just click here" users it
will become another threat :-(
Anonymous
May 4, 2004 11:21:52 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 4 May 2004 19:21:51 +0200, ObiWan spoketh

>> ><snip>
>> >> Yes, any firewall that blocks incoming port
>> >> 445 will prevent infection by the Sasser worm.
>> >
>> >As long as someone won't write a variant
>> >of the worm spreading by email too :-)
>> >
>> >Brain; the best firewall in the world (if one uses it)
>> >
>> >
>>
>> We can only deal with the "known knowns". The "unknown unknowns"
>> we'll have to leave for Mr. Rumsfeld...
>
>Uh .. bad day ?!? I was just putting a little sarcasm there :-) !!

Sorry, I thought my "unknown unknowns" comment was fairly humorous ...

>
>> Currently, the Sasser worm only spreads by exploiting the LSASS buffer
>> overflow vulnerability through port 445.
>
>Yes, got some "proof of concept" code here, know how it works :-/
>
>> Sasser.D now also sends an ICMP echo request, which will certainly show
>> up in many more logs :( 
>
>That's what I was saying, I don't think it would take too much
>before we'll see a "mail spreading" variant, then, due to the
>high number of "don't use the brain, just click here" users it
>will become another threat :-(
>
>

I expect there will be another worm exploiting the LSASS vulnerability
(as well as other vulnerabilities listed in MS04-011) that'll be
delivered through e-mail. Can't speculate on if it'll be a Sasser
variation or not, but I'm almost willing to bet the farm that we'll see
it by the end of the week...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 4, 2004 11:28:59 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On 4 May 2004 17:02:25 -0500, Micheal Robert Zium spoketh

>Lars M. Hansen wrote:
>
>>"Vulnerable by default"? What the F*** does that mean? Does that mean
>>when the next vulnerability for Linux is discovered, the Microsoft camp
>>can claim that Linux is "vulnerable by default"?
>
>Gosh, I can't remember the last remote vulnerability for Linux. Can
>you? I've been swept away by the flood of Winders vulnerabilities.
>Linux would really have to get on the ball if it's going to catch the
>MotherShip.

No, the last remote access vulnerability I recall was some SSH related
issue about a year ago.

The reason I had an issue with the statement was that it sounded like
Microsoft intentionally left something vulnerable in their OS, which is
preposterous.

I consider every computer vulnerable after the initial OS installation,
regardless of OS. It's only after patches have been applied and services
properly configured (or removed as the case may be) that the computer
becomes less of a security risk. Unfortunately, unless programmers
become perfect, we'll always have imperfect software. Windows has had a
couple of big issues in the past few months (DCOM and now LSASS), and
unfortunately, people are not good at patching their computer.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
May 5, 2004 12:27:32 AM

Archived from groups: comp.security.firewalls

On Tue, 04 May 2004 12:29:17 -0700, Steevo@my-deja.com spoketh

>On Tue, 04 May 2004 18:47:03 GMT, Lars M. Hansen
><badnews@hansenonline.net> wrote:
>>Yes, port 445 is difficult to close on a Windows computer. It's the
>>port used by what's commonly known as "Windows Networking", which means
>>sharing files and printers over a network. There are ways of closing it,
>>but it takes a little reading...

>With NAT firewalls at the $19.99 range on sale (or sometimes after
>rebate) there is no reason DSL and Cable modem users should be
>directly connected anymore.

I wholeheartedly agree with you. Forsaking happy-meals for a couple of
days is enough to pay for the protection of a NAT router. Although not
perfect in every way, it is an affordable solution for almost every
household. If you can afford a computer, you should be able to afford
the NAT router as well.

>
>That whole idea foisted on us by the telcos and cable companies has
>caused so many problems it is beyond comprehension.

Luckily, here, Comcast doesn't care. They don't support it, but if you
hook it up, they won't complain.



Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 5, 2004 12:27:33 AM

Archived from groups: comp.security.firewalls

On Tue, 04 May 2004 20:27:32 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>>
>>That whole idea foisted on us by the telcos and cable companies has
>>caused so many problems it is beyond comprehension.
>
>Luckily, here, Comcast doesn't care. They don't support it, but if you
>hook it up, they won't complain.
What I meant to say was the dsl modems and cable modems should be
banned if they lack such filtering/routing. They are just too much
trouble.
Anonymous
May 5, 2004 12:27:33 AM

Archived from groups: comp.security.firewalls

On Tue, 04 May 2004 20:27:32 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>>
>>That whole idea foisted on us by the telcos and cable companies has
>>caused so many problems it is beyond comprehension.
>
>Luckily, here, Comcast doesn't care. They don't support it, but if you
>hook it up, they won't complain.

I found that quote

http://www.senderbase.org/ calculates comcast.net / attbi.com is
spewing over 1.5 billion e-mails per day, from 45889 hosts of
which only a handful are legitimate mail relays.

Are most of those machines trojaned? Being abused by spammers?
Yes, and if those users had even a $20 NAT firewall this would be
less, lots less. Would it be eliminated by a NAT firewall? No. But
it would be a fraction of what it is now.
Anonymous
May 5, 2004 1:35:54 AM

Archived from groups: comp.security.firewalls

In article <ib1g90t8b2ss2bupq09aukvbervjchlvjt@4ax.com>, steevo@my-
deja.com says...
> http://www.senderbase.org/ calculates comcast.net / attbi.com is
> spewing over 1.5 billion e-mails per day, from 45889 hosts of
> which only a handful are legitimate mail relays.

Legit relays require authentication or they are "open" relays and are
not really legit then.

> Are most of those machines trojaned? Being abused by spammers?
> Yes, and if those users had even a $20 NAT firewall this would be
> less, lots less. Would it be eliminated by a NAT firewall? No. But
> it would be a fraction of what it is now.

It doesn't even cost $20, most vendors (ISP's) cable/dsl modem devices
can provide NAT, nothing to purchase - they won't do it because they
don't want to.

Would it eliminate open relays and worms - yes. If you don't port
forward to an infected machine it can't be used as a relay.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 5, 2004 1:40:50 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley <pmakley@mail.com> wrote:

>If I had a firewall would that prevent the Sasser worm infecting my
>PC?
>
>I mean, if another infected system cannot see my ports because they
>are stealthed then presumably Sasser could not infect me?

Yes. Provided the ports in question are closed, a firewall will prevent
infection.

---
LAWYER, n. One skilled in circumvention of the law.

- Ambrose Bierce
Anonymous
May 5, 2004 1:50:44 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Tue, 04 May 2004 18:11:22 GMT, Leythos <void@nowhere.com> wrote:

>I put this back on the ISPs - they provide an open connection and don't
>warn the unsuspecting public about the risk/problems. If they just
>enabled NAT by default on their routers (DSL or Cable) most of this
>problem would go away.

The problem will not go away.
Look at my case. My ISP (FastWeb in Italy) has implemented a somewhat
weird solution: I am connected to their router which has NAT enabled.
This is not a safety choice but a must since behind their router
they use IPs not allocated by APNIC.
This looks at first sight a safe approach.
However if I look at the log of MY own hardware router, it is full of
attempts to reach port 135, 136, 137, 138, 139, 445, etc.
They are from other users like me who are behind the same ISP
router and are all scanning in the range of IPs assigned by the ISP's
DHCP.
Most of these guys are infected by worms, viruses, etc., but they don't
know it. All that is needed is one infected computer behind the ISP router
and it will spread the problem pretty fast.

While writing I am checking my router log. Between 21:31 and 21:37 I
see the following attempts (in sequence) : port 445, 135, 445, 135,
445, 445. Roughly one a minute.
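The router log described above can be analysed rather than read by eye. The script below is an added example (not code from the thread or from the poster): it parses constructed log lines that mimic the sequence reported in the post (445, 135, 445, 135, 445, 445 between 21:31 and 21:37), counts attempts per destination port and per minute within that window, and lists source addresses that probed more than one Windows networking port, which is what an infected neighbour scanning the ISP's address range looks like from behind your own router. The log line layout and the addresses are assumptions; no real router writes exactly this format.

```python
import re
from collections import Counter
from datetime import datetime

# Ports the post reports being probed: RPC endpoint mapper, NetBIOS and SMB.
WINDOWS_NETWORKING_PORTS = {135, 136, 137, 138, 139, 445}

# Assumed log line layout: timestamp, verdict, proto, src:port -> dst:port (not a specific router's format).
_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
_TS = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Return (timestamp, source IP, destination port) for every dropped inbound attempt."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], _TS), m["src"], int(m["dport"])))
    return events


def summarize(events, start, end):
    """Per-port counts and attempts per minute within the window [start, end] (strings in _TS format)."""
    lo, hi = datetime.strptime(start, _TS), datetime.strptime(end, _TS)
    window = [e for e in events if lo <= e[0] <= hi]
    minutes = max((hi - lo).total_seconds() / 60, 1)
    return Counter(port for _, _, port in window), len(window) / minutes


def scanning_sources(events, min_ports=2):
    """Sources that probed at least min_ports distinct Windows networking ports: an infected neighbour's footprint."""
    ports_by_src = {}
    for _, src, port in events:
        if port in WINDOWS_NETWORKING_PORTS:
            ports_by_src.setdefault(src, set()).add(port)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


# Constructed log excerpt mirroring the sequence reported in the post (445, 135, 445, 135, 445, 445).
SAMPLE_LOG = """\
2004-05-04 21:31:10 DROP TCP 10.24.3.77:4231 -> 10.24.9.15:445
2004-05-04 21:32:02 DROP TCP 10.24.3.77:4233 -> 10.24.9.15:135
2004-05-04 21:33:15 DROP TCP 10.24.8.120:1044 -> 10.24.9.15:445
2004-05-04 21:34:20 DROP TCP 10.24.3.77:4240 -> 10.24.9.15:135
2004-05-04 21:35:31 DROP TCP 10.24.8.120:1051 -> 10.24.9.15:445
2004-05-04 21:36:48 DROP TCP 10.24.5.9:3120 -> 10.24.9.15:445
2004-05-04 21:40:01 DROP TCP 10.24.5.9:3125 -> 10.24.9.15:80
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    counts, per_minute = summarize(events, "2004-05-04 21:31:00", "2004-05-04 21:37:00")
    print("attempts by port:", dict(counts), f"rate: {per_minute:.1f}/min")
    print("sources scanning Windows networking ports:", scanning_sources(events))
```

On the constructed excerpt the six-minute window gives the "roughly one a minute" rate the poster saw, and only the source that hit both 445 and 135 is reported as a scanner; a single dropped packet to 445 from one address is not enough on its own. Every line is a DROP, which is the point of the post: the hardware router is absorbing what the ISP's NAT does not stop.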
Anonymous
May 5, 2004 2:13:41 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Micheal Robert Zium wrote:

> Lars M. Hansen wrote:
>
>
>>"Vulnerable by default"? What the F*** does that mean? Does that mean
>>when the next vulnerability for Linux is discovered, the Microsoft camp
>>can claim that Linux is "vulnerable by default"?
>
>
> Gosh, I can't remember the last remote vulnerability for Linux. Can
> you? I've been swept away by the flood of Winders vulnerabilities.
> Linux would really have to get on the ball if it's going to catch the
> MotherShip.
>

I truly am surprised as well. I just recently re-installed Windows XP
on this machine. Not thinking at all, I never unplugged my internet
modem. By the time I installed avast! anti-virus (approximately 30
minutes after installing Windows), it was reporting an infection. I
installed the BlackICE defender to prevent further infection and removed
the worm, so it's clear now, but it spread at an alarming rate. I was
rather interested however at the fact that it has fairly slow
self-propagation. It took so long for it to create copies of itself. Are
there any destructive actions taken by the worm other than spreading
itself? I'm curious to learn...
Anonymous
May 5, 2004 2:32:46 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

"Lars M. Hansen" wrote:
>
> On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh
>
> >In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:

> >> Why is port 445 open on his system in the first place?
> >
> >Because Microsoft has it enabled and vulnerable by default.
>
> "Vulnerable by default"? What the F*** does that mean?

A default environment is one which is in effect if no substitute is
explicitly selected. Vulnerability means the presence of a weakness which is
exposed to attack. I'm leaving it to you to combine these definitions.

F***s set.

Thor

--
http://thorweb.anta.net/ IRCnet #areena
Anonymous
May 5, 2004 2:42:32 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

"Bill Unruh" <unruh@string.physics.ubc.ca> wrote in message
news:c78mat$4ps$1@string.physics.ubc.ca...
>
> ?? Again, why is port 445 open anyway? You advocate that the user gets a
> firewall. Surely it would be easier just to close port 445 or any ports
> not absolutely needed than it would be to get and properly set up a
> firewall. Or are you saying it is impossible to close many ports on a
> Win machine?
> This is like an exchange "I've got some dirt on my face" "Buy a skimask so people
> cannot see the dirt". Why not just wash? If you cannot wash for some
> reason then maybe a skimask would be an option, but surely advocating it
> as the first thing to do is silly.
>
> "Close all ports that you do not absolutely need on your machine"
> should surely be the first bit of advice. Then after you have done that
> also install a firewall for that extra bit of protection.
>

I think it's because the OS is used by both home users and by business
users.

For a home user the ports are of no value, but for a business user the
ports are often required for communication within the LAN where the
system resides.

Obviously, with the OS being used by both types of users, I think it's
believed to be easier to ship with the ports open and utilize a firewall
at the perimeter, as opposed to shipping with the ports closed, which would no
doubt result in a deluge of phone calls asking how to open the ports to
allow network communication to occur.

Just my .02

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".
Anonymous
May 5, 2004 10:08:15 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Lars M. Hansen <badnews@hansenonline.net> wrote:
> On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh

>>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>>> Lars M. Hansen <badnews@hansenonline.net> writes:
>>
>>> ]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>>
>>> ]>If I had a firewall would that prevent the Sasser worm infecting my
>>> ]>PC?
>>> ]>
>>> ]>I mean, if another infected system cannot see my ports because they
>>> ]>are stealthed then presumably Sasser could not infect me?
>>
>>> ]Yes, any firewall that blocks incoming port 445 will prevent infection
>>> ]by the Sasser worm.
>>
>>> Why is port 445 open on his system in the first place?
>>
>>Becouse microsoft has it enabled and vulnerable by default.

> "Vulnerable by default"? What the F*** does that mean? Does that mean

It means the ordinary thing: "It's enabled by your vendor, who in their infinite
wisdom thinks that this port should be left open".

The opposite is exemplified by FreeBSD, which has zero externally reachable
ports after a "default install" (a default install
is defined as one where all suggestions are accepted without changes).


> when the next vulnerability for Linux is discovered, the Microsoft camp
> can claim that Linux is "vulnerable by default"?

You should think before writing.

> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Anonymous
May 5, 2004 10:13:22 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Lars M. Hansen <badnews@hansenonline.net> wrote:
> On 4 May 2004 17:02:25 -0500, Micheal Robert Zium spoketh

>>Lars M. Hansen wrote:
>>
>>>"Vulnerable by default"? What the F*** does that mean? Does that mean
>>>when the next vulnerability for Linux is discovered, the Microsoft camp
>>>can claim that Linux is "vulnerable by default"?
>>
>>Gosh, I can't remember the last remote vulnerability for Linux. Can
>>you? I've been swept away by the flood of Winders vulnerabilities.
>>Linux would really have to get on the ball if it's going to catch the
>>MotherShip.

> No, the last remote access vulnerability I recall was some SSH related
> issue about a year ago.

> The reason I had an issue with the statement was that it sounded like
> Microsoft intentionally left something vulnerable in their OS, which is
> preposterous.

Still, it's true. Witnessed by a million infected hosts today, all infected
by the same Sasser.

> I consider every computer vulnerable after the initial OS installation,
> regardless of OS. Its only after patches have been applied and services
> properly configured (or removed as the case may be) that the computer
> becomes less of a security risk. Unfortunately, unless programmers
> become perfect, we'll always have imperfect software. Windows have had a
> couple of big issues in the past few months (DCOM and now LSASS), and
> unfortunately, people are not good at patching their computer.

The above is correct if the only OS tried is Windows. If you ever tried
anything else you might find that there exist things like secure
OSes designed to be as safe as possible even in inexperienced users' hands.

The fact that "professional admins" have been taking MS classes and
have had their machines infected, while Linux admins are self-educated and have
no such infections, might give you a clue?

> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Anonymous
May 5, 2004 11:07:54 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Wed, 5 May 2004 06:13:22 +0000 (UTC), phn@icke-reklam.ipsec.nu
spoketh


>
>> I consider every computer vulnerable after the initial OS installation,
>> regardless of OS. Its only after patches have been applied and services
>> properly configured (or removed as the case may be) that the computer
>> becomes less of a security risk. Unfortunately, unless programmers
>> become perfect, we'll always have imperfect software. Windows have had a
>> couple of big issues in the past few months (DCOM and now LSASS), and
>> unfortunately, people are not good at patching their computer.
>
>The above is correct if the only OS tried is Windows. If you ever tried
>anything else you might find that there exist things like secure
>OSes designed to be as safe as possible even in inexperienced users' hands.
>
>The fact that "professional admins" have been taking MS classes and
>have had their machines infected, while Linux admins are self-educated and have
>no such infections, might give you a clue?
>

I don't think you have any idea what I have tried and what I have not
tried. I have installed several systems with Linux, and many install
all sorts of junk that you cannot easily get rid of without spending
hours resolving package interdependencies. It is virtually impossible
today to install RH8 or RH9 with KDE or Gnome and without sun-rpc, because
there are so many Gnome packages dependent on sun-rpc.

As for the professionalism of admins; I've never had an outbreak on my
network. One computer once did get a virus, but since we weren't using
Outlook at the time, the virus was contained. Funny how the
"professional linux admin" in our sister organization had to deal with a
couple of hacked mail servers ...

Applying your logic now, it looks like Windows admins are good, and
Linux admins are bad. So, just because some percentage of Windows admins
haven't been doing a good job at something, that doesn't make all of
them bad, and equally, just because some Linux admins are very good at
what they do, there are still some idiots out there that have no idea how
to secure their computers...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
May 5, 2004 4:00:54 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <c7a0m2$bgg$5@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
says...
> The fact that "professional admins" have been taking MS classes and
> have had their machines infected, while Linux admins are self-educated and have
> no such infections, might give you a clue?

With the exception of BSD (possibly) every version of a home install of
Linux has flaws that require the user to update/patch in order to
secure their system. The only difference between Linux and Windows is
the number of installed systems and the fact that more users of Linux based
systems have some technical understanding than those of the Windows
platform.

Imagine installing RH 9, doing a full install, and putting that system
on the net; it would be compromised in short order too.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 5, 2004 4:03:25 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <c7a0m2$bgg$5@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
says...
> The fact that "professional admins" have been taking MS classes and
> have had their machines infected, while Linux admins are self-educated and have
> no such infections, might give you a clue?

This is wrong - I have experience with Fortune 100 companies which have
their entire web presence based on the MS IIS platform and have never
been hacked. I've managed over 100 sites personally that run on IIS
(since version 4) that were never compromised.

Both platforms are easy to secure if you have taken the time to
understand the security issues, taken the time to secure them, and
understand more than you can read in some classroom book.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 5, 2004 5:59:22 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen wrote:
> On Tue, 4 May 2004 18:07:15 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh
>
>
>>In comp.security.misc Bill Unruh <unruh@string.physics.ubc.ca> wrote:
>>
>>>Lars M. Hansen <badnews@hansenonline.net> writes:
>>
>>>]On Tue, 04 May 2004 08:33:32 GMT, Piotr Makley spoketh
>>
>>>]>If I had a firewall would that prevent the Sasser worm infecting my
>>>]>PC?
>>>]>
>>>]>I mean, if another infected system cannot see my ports because they
>>>]>are stealthed then presumably Sasser could not infect me?
>>
>>>]Yes, any firewall that blocks incoming port 445 will prevent infection
>>>]by the Sasser worm.
>>
>>>Why is port 445 open on his system in the first place?
>>
>>Becouse microsoft has it enabled and vulnerable by default.
>
>
> "Vulnerable by default"? What the F*** does that mean? Does that mean
> when the next vulnerability for Linux is discovered, the Microsoft camp
> can claim that Linux is "vulnerable by default"?
>

They will no doubt be stupid enough to do that, although it will most likely
be totally unjustified.

If some misguided distro. builder includes a package which by default was
enabled and had a vulnerability in it then that distro only would be
vulnerable, not "Linux".

The vast majority of sensible Linux distros. these days enable no network
services which might be attacked when the system is first installed, and the
better ones install a firewall with a high security setting. Often the
default is to allow no incoming connections. If you need network connections
you have to read up on how to enable them, and hopefully at the same time
you will read what that implies in terms of security.

The problem with Windows is that Microsoft put user convenience before user
security. Therefore, far too many network ports are open by default. The
general user probably has no conception of what a network port is never mind
what exploit it might be used for and how to close it.

Thankfully, it seems that MS are beginning to see the light, and SP2 should
have a much better firewall, enabled by default. Although, I have no doubt
that this will end up putting them back in court as the vendors of
firewalling products file anti-trust suits against them...

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
Anonymous
May 5, 2004 6:11:14 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen wrote:
> On Wed, 5 May 2004 06:13:22 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh
>
>
>
>>>I consider every computer vulnerable after the initial OS installation,
>>>regardless of OS. Its only after patches have been applied and services
>>>properly configured (or removed as the case may be) that the computer
>>>becomes less of a security risk. Unfortunately, unless programmers
>>>become perfect, we'll always have imperfect software. Windows have had a
>>>couple of big issues in the past few months (DCOM and now LSASS), and
>>>unfortunately, people are not good at patching their computer.
>>
>>The above is correct if the only OS tried is Windows. If you ever tried
>>anything else you might find that there exist things like secure
>>OSes designed to be as safe as possible even in inexperienced users' hands.
>>
>>The fact that "professional admins" have been taking MS classes and
>>have had their machines infected, while Linux admins are self-educated and have
>>no such infections, might give you a clue?
>>
>
>
> I don't think you have any idea what I have tried and what I have not
> tried. I have installed several systems with Linux, and many install
> all sorts of junk that you cannot easily get rid of without spending
> hours resolving package interdependencies. It is virtually impossible
> today to install RH8 or RH9 with KDE or Gnome and without sun-rpc, because
> there are so many Gnome packages dependent on sun-rpc.
>

There is no sun-rpc package in RH8 or RH9. Are you sure you've really
installed them?

If you actually meant the portmap package then that is only required by fam.
Since fam is monitoring local filesystems there is no need to open port 111
to anything other than the loopback interface. No vulnerability whatsoever.

You should not equate Linux with Windows. Just because RPC on Windows is a
security hole does not mean that RPC in Linux is also.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
Anonymous
May 5, 2004 6:16:07 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh

>
>There is no sun-rpc package in RH8 or RH9. Are you sure you've really
>installed them?
>
>If you actually meant the portmap package then that is only required by fam.
>Since fam is monitoring local filesystems there is no need to open port 111
>to anything other than the loopback interface. No vulnerability whatsoever.
>
>You should not equate Linux with Windows. Just because RPC on Windows is a
>security hole does not mean that RPC in Linux is also.

Cut from my /etc/services file on my RH8 box:

sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

You were saying?

As for RPC being an issue on Linux, well, there may not be any known
issues at this time, but there has been in the past, and who knows
what's around the corner...


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 5, 2004 8:12:59 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Leythos <void@nowhere.com> wrote:

> Imagine installing RH 9, doing a full install, and putting that system
> on the net, it would be compromised in short too.

If you use the default firewall settings, the probability of it
getting compromised is pretty much zero. It will only get insecure as
people specifically add additional things to the install, and
customize the configuration in insecure ways.

On the other hand, if you do a Windows 2000 Server default install,
you're open to an untold number of vulnerabilities. Setting up
honeypots, I have never had a W2K server (default install) go longer
than 12 hours without being compromised. Maybe that's not a fair
statistic, since the default W2K server installs a buggy IIS, which is
exploited by zillions of script-kiddie tools, but the fact remains:
*default* W2K installs tend to be insecure, and *default* RH9 installs
tend to be (more) secure. You have to muck with a RH9 box to make it
insecure, and you have to muck with a W2K box to make it secure.

Things may have changed since the Windows 2000 days -- I've honestly
never worked on a Windows XP system, so don't know if they're better.
However, the prevalence of Sasser, and the fact that a reasonable
default software firewall setting would have prevented this (the
default ruleset of the RH9 firewall would have prevented Sasser, even
if the underlying service were there), makes me think it's not a whole
lot better.

--

That's News To Me!
newstome@comcast.net
May 5, 2004 8:30:32 PM

Archived from groups: comp.security.firewalls

> Cut from my /etc/services file on my RH8 box:
>
> sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
> sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
>
> You were saying?
>
> As for RPC being an issue on Linux, well, there may not be any known
> issues at this time, but there has been in the past, and who knows
> what's around the corner...

Yes, the real problem is that although there have been many
hacks/exploits against *nix boxes, not everything was "tested
and explored", so it's possible that there are undiscovered
holes in *nix which may be exploited. Also, from some stuff I
was reading some time ago, many folks working on *nix in the IT
industry fear that we'll probably see a bunch of *nix "viruses"
in the next months due to the wider diffusion of Linux desktops
and to the fact that some distros have loose security... just
to ease the initial impact with the O/S ... :-P
Anonymous
May 5, 2004 9:33:05 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b01a88a95d1538b98a4ce@news-server.columbus.rr.com...
> In article <c78mat$4ps$1@string.physics.ubc.ca>,
> unruh@string.physics.ubc.ca says...
> > "Close all ports that you do not absolutely need on your machine"
> > should surely be the first bit of advice. Then after you have done that
> > also install a firewall for that extra bit of protection.
>
> The problem is that most people don't have a clue as to how to close
> ports, setup IPSec rules, etc... Most people don't even know to enable
> the ICF on their machines.
>
> The best thing people can do is purchase a cheap router with NAT and use
> it from the moment they get their computer. This lets them download the
> updates, install and update the AV software, etc... before they have a
> chance to get hacked.
>
> I put this back on the ISP's - they provide a open connection and don't
> warn the unsuspecting public about the risk/problems. If they just
> enabled NAT by default on their routers (DSL or Cable) most of this
> problem would go away.

NAT by itself doesn't do much for you - because safety depends on who is on
your side of the router.

In a SOHO environment then NAT is pretty damn good - because you know all
the people behind the NAT router and you don't expect them to hack you
(although one PC with a worm behind your NAT router can gut all the other
local PCs). Safest is one PC behind a NAT router - nobody else to compromise
you.

If an ISP has a NAT router then (unless I am missing something) all the
other customers (at least those served by your particular router) will also
be your side of the router, and able to port scan you anytime they want.

I think that most ISPs will have firewalls between their own customers and
the Internet - if only to protect their own machines and routers.

It is the customers within your ISP who are likely to threaten your PC - and
I don't think having NAT on an ISP router would help much.

Having each port on the router firewalled against incoming traffic would be
nice - most ISPs already block port 25 to prevent open email relays and
presumably other ports could be blocked also.

However there will always be someone who wants unusual ports open for
incoming traffic (PTP probably) so administration could be a nightmare.

Buy your own NAT router and don't rely on a 3rd party.

Cheers
Dave R
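As an added example (not code from any poster in this thread), here is a small simulation of the stateful default-deny behaviour that Leythos's NAT-router advice, the RH9 default ruleset mentioned by newstome and a host firewall all share, together with Dave R's caveat above that a NAT router does nothing about an infected PC on its own LAN side. The filter class, the two-filter layout, the packet names and all addresses are assumptions constructed for the example (RFC 5737 documentation ranges for the outside hosts); a real NAT table and a conntrack table both amount to the flow set used here.

```python
"""Stateful default-deny filtering, simulated (added example, not from the thread).

Two filters in series: a NAT router protecting 192.168.1.0/24 and a host
firewall on one PC (192.168.1.5/32). Both drop any inbound connection that no
inside host initiated; that is what stops a Sasser-style scan of TCP 445 even
when the service is listening. The router never sees LAN-to-LAN traffic, so
an infected peer on the inside is only stopped by the host firewall.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound; allow outbound connections and their replies.

    `protected` is the address range behind the filter: a LAN for a NAT
    router, a single /32 for a host firewall. `allow_inbound` lists ports
    deliberately opened (a port forward or a firewall exception); empty by default.
    """

    def __init__(self, name, protected, allow_inbound=()):
        self.name = name
        self.net = ipaddress.ip_network(protected)
        self.allow_inbound = frozenset(allow_inbound)
        # (inside_ip, inside_port, outside_ip, outside_port) of outbound flows
        self.flows = set()

    def inside(self, ip):
        return ipaddress.ip_address(ip) in self.net

    def verdict(self, p):
        src_in, dst_in = self.inside(p.src), self.inside(p.dst)
        if src_in and dst_in:
            return "NOT SEEN"            # stays on the protected side, never crosses the filter
        if src_in:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT outbound"
        if dst_in:
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return "ACCEPT established"   # reply to a connection we initiated
            if p.dport in self.allow_inbound:
                return "ACCEPT permitted service"
            return "DROP unsolicited inbound"
        return "NOT SEEN"                # outside-to-outside traffic


def run_scenario():
    """Constructed traffic: returns {packet name: {"router": verdict, "host": verdict}}."""
    router = StatefulFilter("nat-router", "192.168.1.0/24")
    host_fw = StatefulFilter("host-firewall", "192.168.1.5/32")
    pc, peer = "192.168.1.5", "192.168.1.20"
    scanner, web = "203.0.113.7", "192.0.2.80"

    traffic = {
        "scan_445_from_internet": Packet(scanner, 1059, pc, 445),   # worm probing for LSASS
        "outbound_web": Packet(pc, 1034, web, 80),                  # the PC browses somewhere
        "web_reply": Packet(web, 80, pc, 1034),                     # SYN/ACK back to the PC
        "infected_peer_to_445": Packet(peer, 1099, pc, 445),        # worm on the LAN side
    }
    results = {}
    for name, pkt in traffic.items():
        if host_fw.inside(pkt.src):
            # leaving the PC: host firewall first, then the router
            h = host_fw.verdict(pkt)
            r = router.verdict(pkt) if not h.startswith("DROP") else "NOT REACHED"
        else:
            # arriving: router first; the host only sees what the router let through
            r = router.verdict(pkt)
            h = host_fw.verdict(pkt) if not r.startswith("DROP") else "NOT REACHED"
        results[name] = {"router": r, "host": h}
    return results


if __name__ == "__main__":
    for name, v in run_scenario().items():
        print(f"{name:24s} router: {v['router']:26s} host: {v['host']}")
```

Running it shows the scan from the outside dropped at the router and never reaching the PC, the browsing session and its reply accepted by both filters, and the scan from the infected LAN peer passing the router unseen and being dropped only by the host firewall. Adding `allow_inbound=(445,)` to the router reproduces the port-forward mistake: the outside scan then reaches the host.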
Anonymous
May 5, 2004 9:55:11 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <fo8mc.36781$Ik.2315088@attbi_s53>, newstome@comcast.net
says...
> On the other hand, if you do a Windows 2000 Server default install,
> you're open to an untold number of vulnerabilities. Setting up
> honeypots, I have never had a W2K server (default install) go longer
> than 12 hours without being compromised. Maybe that's not a fair
> statistic, since the default W2K server installs a buggy IIS, which is
> exploited by zillions of script-kiddie tools,

On the other hand, with a zillion articles on how to secure a Windows
platform, including IIS, NT 4, Windows 2000, Windows XP, Windows 2003,
it's almost negligent that they are not secured. As I've said before,
there are a few Fortune 100 companies that have run IIS as their web
server platform for more than 5 years that I've had contact with. I've
had my own IIS servers and Exchange, and FTP, and etc... servers running
on Windows platforms as well as Linux platforms (and AIX). Not one of
those servers has been compromised when configured by anyone with half-
a-clue.

Anyone that would put any platform directly on the net, without some
protection, without proper configuration, isn't doing a smart thing.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 5, 2004 9:57:03 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
nospam@talk21.com says...
> If an ISP has a NAT router then (unless I am missing something) all the
> other customers (at least those served by your particular router) will also
> be your side of the router, and able to port scan you anytime they want.
>
> I think that most ISPs will have firewalls between their own customers and
> the Internet - if only to protect their own machines and routers.

I wasn't talking about the ISP doing a NAT for their network, I was
talking about the ISP enabling NAT on the Cable/DSL modem at each
customers location. Free, works great, blocks uninvited inbound.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 6, 2004 2:58:00 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b02f4f6dd8e767f98a4d9@news-server.columbus.rr.com...
> In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> nospam@talk21.com says...
> > If an ISP has a NAT router then (unless I am missing something) all the
> > other customers (at least those served by your particular router) will also
> > be your side of the router, and able to port scan you anytime they want.
> >
> > I think that most ISPs will have firewalls between their own customers and
> > the Internet - if only to protect their own machines and routers.
>
> I wasn't talking about the ISP doing a NAT for their network, I was
> talking about the ISP enabling NAT on the Cable/DSL modem at each
> customers location. Free, works great, blocks uninvited inbound.

Ah - yep that makes more sense :-)
Anonymous
May 6, 2004 8:34:28 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Leythos <void@nowhere.com> wrote:
> In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> nospam@talk21.com says...
>> If an ISP has a NAT router then (unless I am missing something) all the
>> other customers (at least those served by your particular router) will also
>> be your side of the router, and able to port scan you anytime they want.
>>
>> I think that most ISPs will have firewalls between their own customers and
>> the Internet - if only to protect their own machines and routers.
>
> I wasn't talking about the ISP doing a NAT for their network, I was
> talking about the ISP enabling NAT on the Cable/DSL modem at each
> customers location. Free, works great, blocks uninvited inbound.

???? What does this mean ????

I'm not aware of any Cable modem with an IP stack, so they simply
wouldn't be capable of doing NAT. I imagine DSL modems are the same.

The ISP could provide a NAT-enabled router of some sort in addition to
the Cable/DSL modem, but that would be an extra cost....

--

That's News To Me!
newstome@comcast.net
Anonymous
May 6, 2004 9:57:09 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Lars M. Hansen <badnews@hansenonline.net> wrote:
> On Wed, 5 May 2004 06:13:22 +0000 (UTC), phn@icke-reklam.ipsec.nu
> spoketh


>>
>>> I consider every computer vulnerable after the initial OS installation,
>>> regardless of OS. Its only after patches have been applied and services
>>> properly configured (or removed as the case may be) that the computer
>>> becomes less of a security risk. Unfortunately, unless programmers
>>> become perfect, we'll always have imperfect software. Windows have had a
>>> couple of big issues in the past few months (DCOM and now LSASS), and
>>> unfortunately, people are not good at patching their computer.
>>
>>The above is correct if the only OS tried is Windows. If you ever tried
>>anything else you might find that there exist things like secure
>>OSes designed to be as safe as possible even in inexperienced users' hands.
>>
>>The fact that "professional admins" have been taking MS classes and
>>have had their machines infected, while Linux admins are self-educated and have
>>no such infections, might give you a clue?
>>

> I don't think you have any idea what I have tried and what I have not
> tried. I have installed several systems with Linux, and many install
> all sorts of junk that you cannot easily get rid of without spending
> hours resolving package interdependencies. It is virtually impossible
> today to install RH8 or RH9 with KDE or Gnome and without sun-rpc, because
> there are so many Gnome packages dependent on sun-rpc.

You are talking about Red Hat as equivalent to Linux. It's not.
And Gnome is not needed; it's only used by those who
prefer Gnome as window manager, but no applications care about
which window manager is used.

FreeBSD and OpenBSD are examples of systems where no ports are
open unless chosen to be.

> As for the professionalism of admins; I've never had an outbreak on my
> network. One computer once did get a virus, but since we weren't using
> Outlook at the time, the virus was contained. Funny how the
> "professional linux admin" in our sister organization had to deal with a
> couple of hacked mail servers ...

I admit that it was an unfair example.

> Applying your logic now, it looks like Windows admins are good, and
> Linux admins are bad. So, just because some percentage of Windows admins
> haven't been doing a good job at something, that doesn't make all of
> them bad, and equally, just because some Linux admins are very good at
> what they do, there are still some idiots out there that have no idea how
> to secure their computers...

Agree. That's why examples, bad or good, are often off target.



> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Anonymous
May 6, 2004 9:59:54 AM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

In comp.security.misc Leythos <void@nowhere.com> wrote:
> In article <c7a0m2$bgg$5@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
> says...
>> The fact that "professional admins" have been taking MS classes and
>> have had their machines infected, while Linux admins are self-educated and have
>> no such infections, might give you a clue?

> With the exception of BSD (possibly) every version of a home install of
> Linux has flaws that require the user to update/patch in order to
> secure their system. The only difference between Linux and Windows is
> the number of installed systems and the fact that more users of Linux based
> systems have some technical understanding than those of the Windows
> platform.

> Imagine installing RH 9, doing a full install, and putting that system
> on the net; it would be compromised in short order too.

Luckily enough Red Hat has removed that possibility. They have
priced themselves out of the market.
Maybe the above problems occur in Fedora, but I assume that
most users have moved away, and most of the alternative distros
are better (security-wise).

> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Anonymous
May 6, 2004 12:02:52 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

newstome@comcast.net wrote:
>
> In comp.security.misc Leythos <void@nowhere.com> wrote:

> > I was
> > talking about the ISP enabling NAT on the Cable/DSL modem at each
> > customers location. Free, works great, blocks uninvited inbound.

> I'm not aware of any Cable modem with an IP stack, so they simply
> wouldn't be capable of doing NAT. I imagine DSL modems are the same.

DSL modems often include a router. For an example, look at the Cisco 827.

Thor

--
http://thorweb.anta.net/ IRCnet #areena
Anonymous
May 6, 2004 1:27:38 PM

Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls

Lars M. Hansen <badnews@hansenonline.net> writes:

>On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh

>>There is no sun-rpc package in RH8 or RH9. Are you sure you've really
>>installed them?

>>If you actually meant the portmap package then that is only
>>required by fam. Since fam is monitoring local filesystems there
>>is no need to open port 111 to anything other than the loopback
>>interface. No vulnerability whatsoever.

>>You should not equate Linux with Windows. Just because RPC on
>>Windows is a security hole does not mean that RPC in Linux is
>>also.

>Cut from my /etc/services file on my RH8 box:

>sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
>sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

/etc/services is only for documentation and reference.

No way are the 8000+ other services documented *running* on most
Linux boxes.

SuSE ships with all ports effectively turned off. I wouldn't use the
"default" installation for firewalling anyway because a GUI (X) is
just asking for trouble when exposed to the Internet. SuSE also
ships with an easily configurable "personal" firewall suitable for
home PC deployment... (setting up a modem/DSL connection starts the
firewall by default) and one where you have to get down to the
nitty-gritty for more serious use such as building a stand-alone
firewall for firewalling a LAN.

>You were saying?

>As for RPC being an issue on Linux, well, there may not be any known
>issues at this time, but there has been in the past, and who knows
>what's around the corner...

Here's a note provided by SuSE for the latest kernel security patch:

- A buffer overflow in panic(). Although there seems no way to
trigger this bug, it has been fixed.

Looks like there's plenty of pro-active code review and patching.
A great proportion of possible vulnerabilities can be mechanically
located and then manually reviewed.

--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!
!
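Bill Unruh's advice earlier in the thread ("close all ports that you do not absolutely need") and Bernd's point just above that /etc/services is only a name table come down to the same check: look at which sockets are actually listening and on which address. The following is an added example, not code from any poster. It parses constructed `netstat -an` output in both the Red Hat and the Windows XP layouts, keeps only sockets that can accept traffic, and reports the ones bound to something other than loopback, which is the distinction Nigel Wade drew for portmap. The port table, the sample output and the function names are assumptions for illustration.

```python
"""Listening-socket audit (added example, not code from the thread).

Parses `netstat -an` output in the Linux and Windows layouts, keeps only
sockets that can accept traffic (TCP in LISTEN/LISTENING, all UDP sockets)
and reports the ones bound to a non-loopback address. An entry in
/etc/services says nothing about whether a port is open; the socket table does.
"""
import re
from dataclasses import dataclass

# Ports the worms discussed in this thread spread over (assumed table for the
# example; extend it for your own environment).
WORM_TARGET_PORTS = {
    135: "MS RPC endpoint mapper (DCOM vector)",
    139: "NetBIOS session service",
    445: "SMB over TCP (LSASS vector)",
    111: "sunrpc portmapper",
}
LOOPBACK = {"127.0.0.1", "::1"}
ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")   # "0.0.0.0:445", ":::22"


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_netstat(text):
    """Return Listener records from Linux or Windows `netstat -an` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue                                   # headers and blank lines
        proto = fields[0].lower().rstrip("6")
        local = next((f for f in fields[1:] if ADDR_RE.match(f)), None)
        if local is None:
            continue
        if proto == "tcp" and fields[-1].upper() not in ("LISTEN", "LISTENING"):
            continue                                   # established/time-wait connections
        m = ADDR_RE.match(local)
        listeners.append(Listener(proto, m["addr"], int(m["port"])))
    return listeners


def exposed_listeners(listeners):
    """Listeners reachable from other hosts, each paired with a note."""
    findings = []
    for l in listeners:
        if l.addr in LOOPBACK:
            continue                                   # loopback-only, e.g. portmap for fam
        note = WORM_TARGET_PORTS.get(l.port, "verify this service is needed")
        findings.append((l, note))
    return findings


def worm_target_ports(findings):
    """Sorted list of exposed ports that appear in WORM_TARGET_PORTS."""
    return sorted({l.port for l, _ in findings if l.port in WORM_TARGET_PORTS})


# Constructed sample output: a Red Hat box and an unpatched Windows XP box.
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:40112      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
"""

SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       192.0.2.80:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
"""

if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        findings = exposed_listeners(parse_netstat(sample))
        print(f"{name}: {len(findings)} exposed listener(s), worm targets {worm_target_ports(findings)}")
        for l, note in findings:
            print(f"  {l.proto} {l.addr}:{l.port}  {note}")
```

On the Red Hat sample the only worm-target exposure is portmap on 0.0.0.0:111, which is exactly the case where binding to 127.0.0.1 (or a firewall rule) removes the exposure without touching the package; on the Windows sample 135, 139 and 445 are all reachable, which is the state a host firewall or a NAT router has to cover until the patch is on.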