[ale] About that firewall machine [Was]Re: [ale] unidentified processes

Chris Fowler cfowler at outpostsentinel.com
Tue Dec 18 18:48:35 EST 2001


I believe to keep the wats that low you'll need to go to en embedded type
device.  I have such a unit that will take a 2nd ethernet interface.

Chris

-----Original Message-----
From: Thompson Freeman [mailto:tfreeman at intel.digichem.net]
To: ale at ale.org
Sent: Tuesday, December 18, 2001 6:42 PM
To: Dow Hurst
Cc: John Wells; ale at ale.org
Subject: [ale] About that firewall machine [Was]Re: [ale] unidentified
processes



I'm curious about what sort of firewall machine can be gotten these
days. Obviously, an intel type proc with either a CDROM or other mass
storage is available, but for one off projects are there any
others? Massive compute horsepower isn't especially needed, so can
something be assembled which draws perhaps 1-5 watts, carries at least two
ethernet interfaces, and runs headless? Or can the kernel be virtualized
on a server with enough safety? (which would help the electric bills.)

While I'm at it - is there a processor/MotherBoard combination with enough
capacity to run office productivity type stuff, and still keep the energy
consumption below say 10 or 15 watts (on the computer, the monitor is
another computation). Using a computer as a space heater strikes me as
somewhat dumb.

On Tue, 18 Dec 2001, Dow Hurst wrote:

> John,
> Even though James email is funny, he is absolutely correct in the
> approach.  The portmapper and rpc.statd are RPC based processes along
> with NFS and NIS (RPC uses UDP traditionally instead of TCP
> connections).  The portmapper advertises what RPC services are available
> on particular ports to remote requests.  rpc.statd lets remote
> applications and remoted machines "know" what the status, of the local
> machine or application that is RPC enabled, is.  Both services are
> easily spoofed, cracked, and known cracks are available for both.  Since
> you have had those running, as well as ftpd, you should reload from
> scratch and choose to format your partitions too.  This is faster and
> less prone to mistakes than working thru proving the machine is clean.
> (Even though that would be very educational!)  No service should be run
> directly on a firewall machine that doesn't have to be.  That is why it
> is recommended that you have a server inside your network for services
> like Samba, NFS, and appletalk and not combine your firewall server with
> that machine.  Running your firewall from a CD filesystem is a beautiful
> suggestion.  Your cracker is limited even more by not being able to
> change the read only system.  I need to look into that!
>
> One major difficulty in setting up a firewall for people not intimate
> with Linux, or any OS that is used, is that default choices during
> install can leave you quite vulnerable and your not even aware of it til
> you learn more.  Use "netstat -an" to prove that you have *only* sshd
> advertising a service on port 22 before you hook back up to the
> Internet.  You don't even have to have that, except it is convenient and
> secure for remote admin.
>
> Here is an excerpt from an email Bob sent me just the other day:
> "Btw, we just put up the first of 4 firewalls at this client (in
> Europe).
> It took only one hour and 34 minutes for someone to discover it and
> start
> breaking into it.  Within 20 minutes after that, a second cracker joined
> in."
>
> So you see it doesn't take long for a scan to find you and start to
> reveal possible entry points.  I would just reload to be on the safe
> side.  With more experience and a good "dd" backup, you can quickly
> identify differences in a file system to see if your hacked.  At my
> workplace, we have been recovering from a several crackers for the past
> year.  Nov. 2000 we had the telnetd hole exploited on most of our SGIs.
> We don't have much manpower to rebuild systems and keep our work moving
> along, so it has taken all year to work on rebuilding machines.  Hope
> this helps,
> Dow
>
>
> John Wells wrote:
> >
> > In addition to ftp and ssh, I have two processes
> > running on ports 111 and 1024.  They both seem to work
> > with rpc, and are the portmapper and rpc.statd
> > respectively.
> >
> > Can I disable these processes without any effect to my
> > system?  If so, I assume I just remove the links to
> > the startup scripts from my runlevel's startup
> > directory.
> >
> > Also, how insecure is it to run ftp on my
> > router/firewall box?
> >
> > Thanks,
> > John
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Check out Yahoo! Shopping and Yahoo! Auctions for all of
> > your unique holiday gifts! Buy at http://shopping.yahoo.com
> > or bid at http://auctions.yahoo.com
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems
should be
> > sent to listmaster at ale dot org.
>
>

--
===========================================
The harder I work, the luckier I get.
                    Lee Iacocca
===========================================
Thompson Freeman          tfreeman at intel.digichem.net


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.




---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list