network security related question
Ray Parrish
crp at cmc.net
Fri Feb 27 16:33:15 UTC 2009
Vitorio Okio wrote:
> I need an explanation from somebody that knows about networking security
> a bit more than I do. The question below also might be particular to my
> hardware/software set.
>
> I'm behind Linksys WRT54 router with DD-WRT v.24 on it with the router
> SPI firewall enabled.
>
> I also have Firestarter running on my Ubuntu 8.04.
>
> I used to think that being behind a NAT router is quite safe. And I used
> to think that keeping Firestarter running is my tribute to security
> paranoia.
>
> But today I've noticed a huge number of incoming connections reported
> blocked by Firestarter. All of them are of ICMP protocol, and my
> understanding is they are either pings, or simple port scans, or
> something of the kind.
>
> Though almost all of them come from the same 2 sources outside of my
> country and this persistence worries me.
>
> My question is how do they ever reach my Firestarter? How do they go through
> my NAT router? I thought they are supposed to be blocked on that level.
>
> Am I missing something in my knowledge or is my router firewall just
> doing a poor job?
>
> Can any of the networking gurus explain it to me, please?
>
Hello,

There are over 65,000 ports on your computer, and most firewalls only
monitor a basic set of the most used ones. How much configuration have
you done to your router firewall? I know that on mine, there are only a
few selections which can be made, and even if I select a custom
configuration, it only allows me to configure around 60 or 70 ports.
Most software firewalls only monitor a small set of often used ports as
well.

For an idea of how it is possible to get past your firewall, have a look
at this link:
<http://www.packetfactory.net/firewalk/firewalk-final.html>

To learn more about what different attacks look like in your firewall
logs, and how to make yourself more secure, have a look at this article:
<http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html>

In addition to reading those, install portsentry, which will allow you
to specify precisely which ports you wish to monitor, up to and
including the entire 65,000 some ports. [although monitoring all of them
is probably overkill] To learn how to configure and use portsentry see
"man portsentry", "man portsentry.conf", and take a look at the files
in /usr/share/doc/portsentry/ as well to get more insight into its
usage. They are in .gz files but it's easy to open them temporarily with
file roller and view them.

I am using it right along with my external router's firewall and
Firestarter. Another thing to make sure you do is set your
/etc/hosts.deny file's contents to ALL: ALL, which will deny connections
to all services on your computer to all attempts from the outside world
to access them. If there are those you wish to allow access, use the
/etc/hosts.allow file to selectively white list the users and services
you want to allow access. They both have man pages that explain them
pretty well.

I'm no expert, but I have been doing a lot of reading in the
/usr/share/doc folder after installing quite a few documentation
packages including harden-doc which is the "Securing Debian Manual".
Other useful docs are "Linux 2.4 Packet filtering How To" which is
located here if you have iptables installed:
<file:///usr/share/doc/iptables/html/packet-filtering-HOWTO.html#toc1>

Additionally, install the package sysadmin-guide, and you will find it
located here:
<file:///usr/share/doc/sysadmin-guide/html/index.html>
It contains a brief section on setting up users and access control. The
ubuntu-server-guide may also prove useful as it contains a lot of
information on networking security. Its main file will be here:
<file:///usr/share/ubuntu-serverguide/html/C/index.html>

There are other docs you can install as well like the Rute Book, and the
iproute-doc. If you really want to get safer yet, you might consider
installing user-mode-linux and user-mode-linux-doc and running it as a
secure sandbox or jail within your main Linux system. I hope this helps.

Later, Ray Parrish
--
Human reviewed index of links about the computer
http://www.rayslinks.com
Poetry from the mind of a Schizophrenic
http://www.writingsoftheschizophrenic.com/