From owner-freebsd-questions Sun Jul 2 3:21:22 2000
From: Salvo Bartolotta
Date: Sun, 02 Jul 2000 11:22:49 GMT
Message-ID: <20000702.11224900@bartequi.ottodomain.org>
Subject: RE: Ports via FTP
To: Bill Barnes
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <398FACC7@operamail.com>

> Here's the configuration I might use.
> Login as non-root
> In screen 1 connect to my ISP and in the same screen execute Netscape
> In screen 2 (for comfort) bring up xterm and su, ftp
> Now I can browse, email, whatever while the ftp process does its thing.
> Hence, I am connected to a trusted machine and who knows what else. That
> sounds like my ftp connection is exposed thru the browser connections. But
> isn't the ftp connection exposed to an intruder anyway.
> Hope I don't appear too dense here but I haven't the foggiest about cracker
> technology.
> Bill Barnes

Dear Bill Barnes,

I seem to understand you are speaking of your homebox. If that is the case, you may wish to disable **all** unnecessary services in /etc/rc.conf (sendmail, portmap, etc.); if you run X, you might want to issue "startx [...] -- -nolisten tcp". This may be a very simple/simplistic method, but it allows you to surf the 'Net with a reasonable degree of security -- until you get to know a little more about services & security (cf security(7), handbook, etc.)
'netstat -an' will tell you which ports are open (LISTEN). As you can imagine, an open port ~ a possible means of attack for a cracker. Personally, I would advise you to configure a (stateful) packet filter (man ipfw or man ipf): there is a tutorial on the FreeBSD web site (tutorials section), which is an excellent starting point.

Next, you may wish to install e.g. nmap (via the port in /usr/ports/security/nmap), connect to the Internet, and ... scan yourself (ie feed nmap with your dynamic IP). You should probably get something like "host seems down" if you have closed all holes, and installed a (stateful) firewall. So far so good. Then you will want to run 'nmap -P0' and wait until it completes (it may even take half an hour). If you are told no ports are open (e.g. all ports are filtered), you can **begin** to feel a little more comfortable ...

Since it is a homebox, you might want to configure a kernel with TCP_DROP_SYNFIN (against OS fingerprinting), TCP_RESTRICT_RST, ICMP_BANDLIM options (one never knows). Once you are done, 'nmap -O your_dynamic_IP' will not easily detect your OS.

I hope this helps just a bit,
Salvo

P.S. hacker (constructive connotations) != cracker (destructive connotations)
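The "netstat -an, then close what is listening" step from Salvo's reply, as an added example that is not part of the original thread: a small POSIX sh script that turns netstat -an output into a list of sockets reachable from the network, and maps the ports named in the mail (25, 111, 6000) back to the knob that closes them. The sample netstat text is constructed, and the rc.conf variable names are assumed from the FreeBSD 4.x defaults.

```shell
#!/bin/sh
# Constructed sample of 'netstat -an' output from a FreeBSD home box
# (made-up addresses, not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  192.0.2.10.1034        198.51.100.7.80        ESTABLISHED
udp4       0      0  *.111                  *.*
udp4       0      0  127.0.0.1.514          *.*'

# Read netstat -an text on stdin and print one line per socket that accepts
# traffic: "proto port bind-address exposure". TCP sockets count when in
# LISTEN; UDP sockets count when bound with no peer (foreign address *.*).
# "local" = reachable only from this host (127.0.0.1 / ::1); anything else,
# including the wildcard "*", is "exposed" to the network.
listening_sockets() {
    awk '($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 == "*.*") {
        n = split($4, f, ".")                  # last dotted field is the port
        port = f[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        exposure = (addr == "127.0.0.1" || addr == "::1") ? "local" : "exposed"
        print $1, port, addr, exposure
    }'
}

# Number of exposed sockets: the figure to drive to zero before relying on
# a packet filter at all.
count_exposed() {
    listening_sockets | awk '$4 == "exposed" { n++ } END { print n + 0 }'
}

# Map a port back to the knob that closes it. The mappings for 25, 111 and
# 6000 follow the mail; the rc.conf variable names are an assumption
# (FreeBSD 4.x defaults).
remedy_for_port() {
    case "$1" in
        25)   echo 'sendmail_enable="NO" in /etc/rc.conf' ;;
        111)  echo 'portmap_enable="NO" in /etc/rc.conf' ;;
        6000) echo 'start X with: startx -- -nolisten tcp' ;;
        *)    echo 'check /etc/rc.conf and /etc/inetd.conf' ;;
    esac
}

# Offline: printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
# Live:    netstat -an | listening_sockets
```

Run it again after each change to rc.conf and reboot; the list should shrink until only "local" entries remain, which is the point at which the nmap self-scan in the mail becomes a meaningful check.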