Re: Safe practices



Richard Kruse wrote:

Questions from a Linux newbie...

Assume I'm logged in to my (own) Linux system as a normal (non-root) user.
System is stand-alone, non-networked, but connected to internet via
always-on DSL. I'm "behind" a NAT DSL modem/router/firewall, using "1483
Bridged IP LLC". The Linux box thinks my IP address is 10.0.0.4.

Can a hacker even get in at all, past my modem/router/firewall?

And, assuming the answer to that is "YES"...

Occasionally I need to either "SU ROOT" or start a root-level xterm for
some system-level task.

While I try to accomplish those tasks as quickly as I can, and then exit
from that shell, I wonder: During that short time, am I exposing my
system's root-level "guts" to internet evildoers?



I can see by the other posts that you have your answer, but I thought that
it might be a bit confusing.

A Firewall doesn't actually do very much; all it really does is stop any
traffic aimed at a port that you don't allow. For example, let's pretend for a
minute that your IP address is public (it isn't, but just to help explain
it). Someone might try to get to you through a port used for purposes
other than communications,
http://10.0.0.4:37

That happens to be the Timeserver port address, because you may well have
some code responding to this port, so it might be crashable or it might
just be fun to spin your days around, or might just give out information
that tells a hacker more than it is good for him to know.

Your Firewall prevents this sort of thing by limiting the ports available to
incoming traffic to those that you have allowed, probably 80 and 443.

This came about because at one time we were all very lax when it came to
these ports; we were also very lax when it came to the code that responds
to those ports that we use internal to our system. If there was no code to
respond then the firewall wouldn't be necessary, but of course many ports
are used internally by your Linux system.

So your Firewall has ensured that you can relax about that side of things,
just don't open unnecessary ports.

Now for further protection you have to look to your own Linux box. Traffic
coming in from the Internet on port 80, what is it capable of doing? Well
it can run javascript, but the javascript itself is limited, deliberately
so because it was intended as an aid to views without having access to the
local machine, other than through cookies.

Java might have been the next problem, which is why you have to be a bit
careful of who and where you will accept java from. The engine has built
in safeguards, but the worry is that now that java is going open that it
might go off in various directions, chances are that we will have to be
very much more careful in the future when new java-like engines come out.

Your 'su root' at your console:- You are in a different thread to the rest
of your shell, code can't jump from your gui shell into the session you are
in, nor can anything spy on it. There isn't a risk, other than the risk we
present ourselves. A badly typed command line for example that can sweep
through the system and do damage as root would be very much less damaging
if it were run as your user.

When people tell you not to log in as root, what they really mean is don't
log in to the gui as root instead of your user, except for particular
actions. Much better to let the system tell you when it is necessary to log
in as root. For example if you select an action in the control panel that
requires root, it will tell you. If there is a regular command you need to
run as root, and there will be some, then learn how to do that through
'sudo'.


Incidentally, while you are new to Linux it is a good idea to have a second
user that you use while learning how best to make use of the command line
and scripts. Keep your main user protected from mistakes. You don't have to
be paranoid about that, I just want you to have a protected user
environment that you can always return to for your general daily computing.
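
Added example, not part of the original post: a way to see which services on the Linux box are actually answering on ports, which is the thing the reply says the firewall is shielding. It parses the kernel's `/proc/net/tcp` table and labels each listening socket by how widely it is bound; the sample table is constructed, and the decoding assumes a little-endian host.

```python
import ipaddress
import struct

LISTEN = "0A"  # TCP state code the kernel uses for listening sockets
# Constructed sample in /proc/net/tcp layout (trailing columns trimmed,
# not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0025 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0400000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0400000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1004
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port)."""
    # Assumption: little-endian host (x86, most ARM), where the kernel prints
    # the address bytes reversed. IPv4 only; /proc/net/tcp6 is not handled.
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.ip_address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(table_text):
    """Return sorted [(address, port, exposure)] for sockets in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # skip established connections and malformed lines
        ip, port = decode_endpoint(fields[1])
        if ip.is_loopback:
            exposure = "local-only"
        elif ip.is_unspecified:
            exposure = "all-interfaces"
        else:
            exposure = "one-interface"
        found.append((str(ip), port, exposure))
    return sorted(found, key=lambda row: row[1])


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as table:
            text = table.read()
    except OSError:
        text = SAMPLE  # not on Linux: fall back to the constructed sample
    for address, port, exposure in listening_sockets(text):
        print(f"{address:>15}:{port:<5} {exposure}")
```

Sockets labelled `local-only` cannot be reached from another machine at all; the others are the ones that depend on the router not forwarding their port.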

