Re: On passwords, security and real -sweat, blood and tears- life



Bruno Wolff III wrote:
On Sat, Apr 29, 2006 at 05:45:10 +0200,
"A.J. Bonnema" <abonnema@xxxxxxxxx> wrote:
What I wonder about is the following:

* given that all ports are closed to external contact through a physical albeit consumer oriented firewall, just means I am safe for port-scanners. But does it mean that I am safe from cracker systems / programs? Is there a way to break in, without allowing external contact through one of the ports? (not including trojans and the like).

Since the firewall lets some packets through, there is a vector to
compromise your system using the network connection. Blocking inbound
connections reduces the risk a lot. You don't say what the firewall does
for UDP (which is connectionless). If it passes any UDP packets through
(or ICMP packets), then if there were bugs in your network stack or if
you have processes listening for UDP requests with bugs, you could be attacked
that way.


AFAIK my firewall has all ports closed for both TCP and UDP. However, I have no means of checking that this is true. Through the site "Shields Up" (www.grc.com) I have been able to check that *some* UDP ports are closed (windows related), but that is no surprise as I run FC5 and the Windows machines are currently not connected.


* A second issue is: suppose I would force my family to use really random passwords (like characters picked from a one-time pad). And now suppose I lose my root-password: would I be able to rectify this, without destroying the data?

You have physical access to the machine right? Unless you have encrypted
file systems, you can boot in single user mode and change the password.
Have a boot loader password? Boot off a rescue/live CD.
Have the BIOS set only to boot off the first disk drive, password protected
and you forgot the password? Pull the battery and the BIOS will reset to
a state where you can change boot device settings.


Thanks, that is what I needed. So actually I *can* use a strong password and if I lose it, no sweat, I can use the rescue disk to change the password file.

If your firewall is blocking inbound connections, it sounds like you aren't
expecting your family members to connect to your machine remotely. If that
is the case then they don't need particularly strong passwords (since they
have physical access, there isn't a lot of point of having them even to
protect against each other). If you go this route, you should take some
extra steps to prevent remote connections on your box in case something
happens to the firewall.


Yes, currently I have no external connections. However, I would very much like to be able to ssh into my computer, remotely. Because of the security implications and my current lack of knowledge I have chosen to keep it closed for the moment.
I was checking out some kind of door-knocking protocol, but that is where the commercial firewall gets in the way: there doesn't seem to be a way to implement this, short of replacing the firewall completely (by opening all ports and sending them through to one of my PCs).


Guus.
--
A.J. Bonnema, Leiden The Netherlands,
user #328198 (Linux Counter http://counter.li.org)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
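Two host-side checks for the points Bruno raises above (what is actually listening on the box, and blocking inbound connections locally in case the consumer firewall fails), as an added example that is not from either poster. The `ss -tuln` output is constructed sample data, and the port kept open (22 for ssh) is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ss -tuln` output; not captured from the poster's machine.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0          0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0        127.0.0.1:323         0.0.0.0:*
udp   UNCONN 0      0            [::1]:323            [::]:*
tcp   LISTEN 0      128        0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      128           [::]:22             [::]:*'

# List proto/port for every socket bound to a non-loopback address.
# These are the services a remote host could reach if the perimeter firewall
# stopped filtering; loopback-only bindings are not reachable from the network.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            port = $5; sub(/.*:/, "", port)
            host = $5; sub(/:[^:]*$/, "", host)
            if (host == "127.0.0.1" || host == "[::1]") next
            print $1 "/" port
        }' | sort -u
}

# Emit a default-deny iptables INPUT policy for the host itself: loopback and
# replies to the box's own outbound traffic are allowed, everything else is
# dropped. $1 (optional) is a single TCP port to keep open for new connections.
host_firewall_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state INVALID -j DROP\n'
    printf 'iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT\n'
    if [ -n "$1" ]; then
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$1"
    fi
}

echo "Sockets reachable from the network if the perimeter firewall fails:"
exposed_sockets "$SAMPLE_SS"
echo
echo "Host-side fallback rules (keeping only ssh open):"
host_firewall_rules 22
```

Run `exposed_sockets "$(ss -tuln)"` against the live machine to see the real list; a UDP listener on 0.0.0.0 is exactly the case Bruno describes where a bug in the service would be reachable if the firewall passed UDP.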
