How do you keep safe?



"but it won't help a compromised system from sending and receiving traffic."

This is such flawed logic :argh:

The word you should be keyed in on here is "compromised". So you executed code, or were exploited in some manner so code ran on your machine in such a way as to compromise it.. But you think some other code on the box is going to prevent it from talking on the network??

Besides the complete PITA aspect of having to auth all outbound connections any process tries to make for the user.. who has no clue what to allow and not to allow.. Have seen the dhcp client denied, etc.

Now if you want to run some sort of IDS on the host to examine outbound traffic to allow or deny or warn, ok.. But again, "compromised" -- why can the bad software not just disable or trick the good software into allowing such traffic? The box is compromised - your security has failed already in the fact that it was compromised, yet some software you are running on that same compromised box is going to save the day?? :rolleyes: I am sure company X selling each copy of their software at $50 a pop wants you to go that route ;)

If you are worried about such traffic I would suggest you again, at your borders between trusted and hostile, run IDS/IPS to look at traffic - look for bad stuff and block it at the edge, where that compromised box has no control over whether that packet leaves the network or not.

It makes more sense to control the flow of traffic both in and out of your trusted network at the border of that network.. Not on every single device on said network, that is an administration nightmare..

As to receiving traffic.. Again this can be done at the border; it is very simple to block traffic both to and from known bad IP blocks. So it can not talk to command and control even if the ports used to communicate are allowed. DNS filtering of bad FQDNs is quite easy to deploy, again this is best done at the border of the network where compromised devices don't have the ability to mess with the rules like they could do on a box they have owned, no matter the OS on said box.


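The two border controls the post above recommends, dropping traffic to or from known-bad IP blocks whatever port is in use and refusing DNS lookups for known-bad FQDNs, modelled as an added example (this is not code from the thread or from any product named in it). The blocklists, addresses and log records are constructed placeholders; the only real point is the matching logic, including the label-boundary check so that a name which merely ends in a blocked string is not refused.

```python
"""
Border (edge) filtering of known-bad IP blocks and FQDNs: an added example,
not code from the thread. It models the two controls the post describes:
a drop rule on known-bad address ranges that applies whatever port is used,
and DNS filtering that refuses known-bad names and their subdomains.
Blocklists and log records below are constructed placeholders.
"""
import ipaddress
from typing import List, Tuple

# Constructed blocklist of address ranges (documentation prefixes, not real intel).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Constructed list of bad FQDNs; a name matches if it is one of these or a subdomain.
BAD_DOMAINS = {"bad-c2.example", "malware-dl.example"}

# Constructed records as an edge device might see them:
# "flow src -> dst:port" and "dns client queried-name".
SAMPLE_LOG = """
flow 192.168.1.20 -> 203.0.113.7:443
flow 192.168.1.20 -> 192.0.2.10:443
flow 198.51.100.9 -> 192.168.1.20:3389
dns 192.168.1.20 www.example.com
dns 192.168.1.21 update.malware-dl.example
dns 192.168.1.21 notmalware-dl.example
"""

def ip_blocked(addr: str) -> bool:
    """True if the address falls inside any blocklisted range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BAD_NETWORKS)

def fqdn_blocked(name: str) -> bool:
    """True if the name is a blocklisted FQDN or a subdomain of one."""
    # Compare on label boundaries so "notmalware-dl.example" is not treated as a
    # subdomain of "malware-dl.example" the way a naive endswith() would.
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))

def evaluate(record: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow or dns record."""
    kind, rest = record.split(None, 1)
    if kind == "flow":
        src, _arrow, dst_port = rest.split()
        dst, port = dst_port.rsplit(":", 1)
        # Either direction: a known-bad peer is dropped regardless of port.
        if ip_blocked(src) or ip_blocked(dst):
            return "DROP", f"known-bad address, port {port} is irrelevant"
        return "PASS", "no blocklist match"
    if kind == "dns":
        client, qname = rest.split()
        if fqdn_blocked(qname):
            return "NXDOMAIN", f"blocked name {qname} requested by {client}"
        return "RESOLVE", "no blocklist match"
    return "PASS", "unrecognised record type"

def apply_policy(log_text: str) -> List[Tuple[str, str, str]]:
    """Evaluate every non-empty record and return (record, verdict, reason) triples."""
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            verdict, reason = evaluate(line)
            results.append((line, verdict, reason))
    return results

if __name__ == "__main__":
    for line, verdict, reason in apply_policy(SAMPLE_LOG):
        print(f"{verdict:9} {line:45} {reason}")
```

The third sample record is an inbound attempt on 3389 from a blocklisted range; it is dropped for the same reason as the outbound one, which is the point the post makes about receiving traffic. On a real edge the same two decisions would be expressed as an address set in the packet filter and a response-policy zone or sinkhole on the resolver.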
As always BRILLIANT post ... As a side note. Two Home Broadband Connections. Connected up a Cisco router and on both, within literally less than 10 minutes, had people trying to login with SSH....Checked the IPs ... China!! I am going to email the authorities (And I mean high level people here) and actually ask what they are doing to curb these, I am just generally curious as to what they do. They must know about it.....


What is so funny is I just read that china has made some changes to lock down vpn protocols outbound from china.. I would assume in an attempt to stop users there from circumventing the great firewall ;) SSH is the most basic way to tunnel traffic and circumvent any sort of attempt to limit where you can go.

http://techcrunch.com/2015/01/23/china-vpn-crackdown/

So how does it make sense that, yeah, if you log hits to your ssh server, the VAST majority of traffic is from china IPs ;) Every time I put up a honey pot, pretty much every attempt is china ;)


"but it won't help a compromised system from sending and receiving traffic."

This is such flawed logic :argh:

The word you should be keyed in on here is "compromised". So you executed code, or were exploited in some manner so code ran on your machine in such a way as to compromise it.. But you think some other code on the box is going to prevent it from talking on the network??

A driver level firewall that intercepts all outgoing traffic can prevent most trojans, keyloggers, and other nasties from stealing your data, propagating, etc. It's unlikely that initial malware could interdict said firewall.

You have to remember that bots and remote protocols are very common in relation to malware these days. Often a bootstrap trojan will download additional software and update itself. Without that facility, it greatly reduces the severity of such attacks.

If you're using Windows, an outgoing firewall is essential.


^ whatever.. I just don't feel like beating this dead horse at the moment..

You just keep telling yourself that you're safe because you run software X.. And that software Y that you let exe on your box can not do anything to software X ;)

Better plan is to not run software X in the first place if you ask me! Just saying!


You just keep telling yourself that you're safe because you run software X.. And that software Y that you let exe on your box can not do anything to software X ;)

I think you misunderstand me. A firewall is a failsafe, not a licence to disregard common sense. Just the same way an Antivirus is no guarantee that running an untrusted program won't bork your system.

Better plan is to not run software X in the first place if you ask me! Just saying!

OFC. And that's why Linux is far safer. Software is obtained through peer-reviewed repositories rather than random websites. You're much more likely to encounter a trojan at some point running Windows. Therefore, it's a good idea to block unauthorised outgoing traffic by default assuming you don't want your data stolen or your machine turned into a zombie/bot doing the bidding of some hacker. And don't think this is mere hyperbole, I've seen it happen myself.

To keep myself safe online I generally use:

  • Anonymous VPN
  • Tor Network
  • GnuPG
  • dm-crypt/LUKS and eCryptfs
  • iptables
  • Properly configured NAT
  • I don't run services or leave ports open if I don't require them at that moment in time
  • Common sense approach to downloading/surfing, implementing counter measures where required
  • Primary e-mail account only given to those who I REQUIRE to have it (brutal SpamAssassin)
  • Secondary e-mail account for website registrations etc. to avoid the usual phishing, scams, unwanted attachments etc.

That is pretty much it, haven't had a problem for a good few years now. :)

 

Paranoid, maybe... but it works for me  :shiftyninja:


I think you misunderstand me. A firewall is a failsafe, not a licence to disregard common sense. Just the same way an Antivirus is no guarantee that running an untrusted program won't bork your system.

 

OFC. And that's why Linux is far safer. Software is obtained through peer-reviewed repositories rather than random websites. You're much more likely to encounter a trojan at some point running Windows. Therefore, it's a good idea to block unauthorised outgoing traffic by default assuming you don't want your data stolen or your machine turned into a zombie/bot doing the bidding of some hacker. And don't think this is mere hyperbole, I've seen it happen myself.

So you think running a software firewall will stop a compromised system from communicating out...I have some news for you, a compromised system is just that...what makes you think that a piece of software is going to stop a computer from communicating?  At best it will alert you, at worst it won't tell you anything and communicate out anyway.  This did happen to me a few years ago with a 0 day worm, the software firewall detected that chrome was going out to a china site, then it changed to ie, then it changed to firefox, then it changed to explorer, then it changed to itunes.  Nothing the software firewall could do, other than shut down all communications, would stop this thing from communicating out, the firewall logs and sniffer logs proved that.  Somebody asked me how do I know for sure that it was a virus communicating, showed them the logs...unbelievable they said...All software firewalls do is use resources on the machine and perhaps protect you from really poorly executed malware.


So you think running a software firewall will stop a compromised system from communicating out...I have some news for you, a compromised system is just that...what makes you think that a piece of software is going to stop a computer from communicating?

Because a decent personal firewall (as opposed to a network firewall) will operate at the kernel level, registering itself as a packet filter. All subsequent traffic will run through its callback routines, permitting or refusing traffic based on some kind of ruleset that the PC user can modify in real time. This negates most malware or trojan activities.

 

At best it will alert you, at worst it won't tell you anything and communicate out anyway.

Then you clearly don't know how a personal firewall works. This doesn't include Windows' built in firewall because it's extremely limited.

 

This did happen to me a few years ago with a 0 day worm, the software firewall detected that chrome was going out to a china site, then it changed to ie, then it changed to firefox, then it changed to explorer, then it changed to itunes.  Nothing the software firewall could do, other than shut down all communications, would stop this thing from communicating out, the firewall logs and sniffer logs proved that.

A lot of personal firewalls also checksum the programs that a ruleset allows network access to. So if another program is modifying them it should automatically detect and block that. It's not perfect, but it can stop most threats.

 

Somebody asked me how do I know for sure that it was a virus communicating, showed them the logs...unbelievable they said...All software firewalls do is use resources on the machine and perhaps protect you from really poorly executed malware.

I suggest you have a read of This.

Unlike network firewalls, many personal firewalls are able to control network traffic allowed to programs on the firewalled computer. When an application attempts an outbound connection, the firewall may block it if blacklisted, or ask the user whether to blacklist it if it is not yet known. This protects against malware implemented as an executable program. Personal firewalls may also provide some level of intrusion detection, allowing the software to terminate or block connectivity where it suspects an intrusion is being attempted.


Because a decent personal firewall (as opposed to a network firewall) will operate at the kernel level, registering itself as a packet filter. All subsequent traffic will run through its callback routines, permitting or refusing traffic based on some kind of ruleset that the PC user can modify in real time. This negates most malware or trojan activities.

 

Then you clearly don't know how a personal firewall works. This doesn't include Windows' built in firewall because it's extremely limited.

 

A lot of personal firewalls also checksum the programs that a ruleset allows network access to. So if another program is modifying them it should automatically detect and block that. It's not perfect, but it can stop most threats.

 

I suggest you have a read of This.

I guess you have never seen malware/worms hide themselves as other applications before (using the legitimate application to run, the application itself was perfectly fine and not compromised as shown by many different submissions to virus total and other sites...the system however was compromised and spread to other systems).  I stand behind stating that once a system is compromised, all software on the system is compromised...even the software firewall.  I will agree that the windows firewall isn't anything really special nor would it give you any information as to what application is running and communicating the instant that something does communicate. 0 day is 0 day, no definitions (even checksums) will protect against them.


I guess you have never seen malware/worms hide themselves as other applications before.

Any decent personal firewall worth its salt will notice that. As I said, ruleset entries usually store a checksum of the target executable. If something tries to inject itself or masquerade as another program, it should be detected. Note we're talking about a Windows PC here, not Linux. Linux doesn't suffer from such problems so a router level NAT firewall is usually sufficient to protect yourself.

I stand behind stating that once a system is compromised, all software on the system is compromised...even the software firewall.

That's simply wrong. While malware can be sophisticated, it's not omnipotent. It's limited by its original programming and the fact it can't account for all security software out there. I'd say a personal firewall will block the majority of malware out there.

I will agree that the windows firewall isn't anything really special.

As far as I'm aware, it doesn't allow the user to authorise or deny traffic automatically. One has to manually configure it. For that reason, it doesn't make a good application level firewall.

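The per-program ruleset with a stored executable checksum, as described in the post above and in the earlier reply about kernel-level packet filters, modelled as an added example (this is not code from the thread or from any firewall product it names). Paths, binary contents and addresses are constructed stand-ins. The example covers the three outcomes the thread discusses: an authorised program whose binary is unchanged, a binary modified on disk, and a program with no rule yet, where the product falls back to asking the user; the last scenario shows the gap the other poster describes, a legitimate unmodified program whose running process is being used by malware, which a checksum on the file cannot distinguish from normal use.

```python
"""
Application-aware outbound rule check with executable checksums: an added
example, not code from the thread or any product named in it. A ruleset is
keyed by program path and stores the hash of the executable captured when
the user authorised it; programs without a rule trigger a prompt.
All paths, binary contents and addresses are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "on-disk" contents of two authorised programs (stand-ins for binaries).
ORIGINAL_BINARIES: Dict[str, bytes] = {
    r"C:\Program Files\Browser\browser.exe": b"BROWSER-BUILD-42",
    r"C:\Program Files\Mail\mail.exe": b"MAIL-BUILD-7",
}

# Ruleset: path -> (action, checksum recorded when the user authorised the program).
RULES: Dict[str, Tuple[str, str]] = {
    path: ("allow", sha256_hex(data)) for path, data in ORIGINAL_BINARIES.items()
}

@dataclass
class ConnectAttempt:
    exe_path: str      # program the socket is attributed to
    exe_bytes: bytes   # what is on disk at connect time (constructed)
    dst: str
    dport: int

def decide(attempt: ConnectAttempt,
           rules: Dict[str, Tuple[str, str]] = RULES) -> Tuple[str, str]:
    """Return (verdict, reason) for one outbound connection attempt."""
    rule = rules.get(attempt.exe_path)
    if rule is None:
        # No rule yet: the product asks the user. The thread's objection is that
        # users then tend to allow the bad code or block the good code.
        return "PROMPT", "no rule for this program; user is asked"
    action, expected = rule
    if sha256_hex(attempt.exe_bytes) != expected:
        # The file on disk is not the one the user authorised.
        return "BLOCK", "executable changed since it was authorised"
    # Rule matched on program identity only; the destination is not consulted.
    return action.upper(), "matches authorised checksum"

def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Four constructed attempts covering the cases discussed in the thread."""
    browser = r"C:\Program Files\Browser\browser.exe"
    good = ORIGINAL_BINARIES[browser]
    return {
        # Unmodified browser to an ordinary site: allowed.
        "normal": decide(ConnectAttempt(browser, good, "192.0.2.10", 443)),
        # Browser binary altered on disk: checksum mismatch, blocked.
        "modified_binary": decide(ConnectAttempt(browser, good + b"\x00", "203.0.113.7", 443)),
        # Program never seen before: the user is prompted.
        "unknown_program": decide(ConnectAttempt(r"C:\Users\u\Downloads\setup.exe",
                                                 b"SETUP", "203.0.113.7", 443)),
        # Unmodified browser whose running process is being used by malware:
        # identical checksum, so the per-program rule returns the same verdict
        # as the normal case even though the destination differs.
        "hijacked_process": decide(ConnectAttempt(browser, good, "203.0.113.7", 443)),
    }

if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:17} {verdict:7} {reason}")
```

The fourth scenario is the one the Morto account in this thread turns on: the rule keys on which program is talking, and that identity is unchanged when a legitimate process is abused, so the only attribute that could have flagged the attempt is the destination, which is exactly what a blocklist at the network border checks and the host rule does not.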
I beg to differ, mainly because I have seen it in a live environment and spent weeks with symantec and microsoft on the phone to diagnose.  You can think or believe what you want.  Microsoft eventually released a repair definition in security essentials two weeks after the site was infected (first one to release a definition, others followed suit shortly there after).  You may have heard of it, maybe you haven't, but it was dubbed Morto.

 

 

http://www.enigmasoftware.com/wormwin32mortoa-removal/

 

While it is a simple enough piece of malware to remove, finding it was very difficult, protecting a computer that had 3389 open and weak passwords was also difficult, and it was also difficult to protect computers that had the rule to allow all traffic from trusted computers enabled. When it still was a zero day/at the time, many different software packages were used, symantec endpoint protection, eset smart security, zone alarm firewall, comodo firewall (far better than zone alarm as it was detecting traffic to remote sites but could not block it), vipre, trend micro, and a bevy of other software to try to thwart this infection prior to the definition or any documentation being released on how to remove this. BTW, this did not show up in the combofix log nor was it in the otl log....yeah this was a bitch


So sc302, guess you're in a beat-the-dead-horse mood..

"once a system is compromised, all software on the system is compromised"

This is fact!!

Here is another tidbit.. Users are Users - guess what happens when Firewall X asks the user if it's ok if Y uses the network.. ;) You have the 2 most common: they allow the bad code or they block the good code..

Software firewalls do another thing other than suck up resources, they generate support calls from users on why they can not play their game.. Or video chat with their friend, etc..

If you get paid from support tickets then by all means - install a software firewall ;)


Software firewalls, stopping users from doing what they want since 2002. Really, the greatest invention to give people a false sense of security since the tin foil hat.


On 22.01.2015 at 3:39 AM, Art_X said:

I have heard about IDS scripts and such, but having to look through log files every day to see if "something" happened is not that appealing to me, and I often hear the excuse "well if you don't visit bad sites you should be fine!", but then how do you know if a site is bad? Sites are always being hijacked and code added, how can you tell if a site that was good yesterday is still good today?

 

I am not writing this to flame or bait about which system is better, I am writing it in the hope that people can help me to understand Linux better so that I can trust it for my day to day needs :)


I have found that the same rules can be applied both for Windows and Linux: keep it updated, use common sense and be careful :)

I'm running no antivirus on my Windows computer for years and do a quick check every few months.

Never ever get any problems with that :)

Can't recommend the same to my friends and relatives of course :(

If we're talking about some home PC it will be enough.

But if we need to talk about some office servers that's another story :)

 


On 1/21/2015 at 4:46 PM, Max Norris said:

Just like every other OS. Keep it up to date, regular backups, and a healthy dose of common sense. For the home user, that malware doesn't wind up on your system by magic, it's either via an exploit (IE keeping your system up to date) or user error (IE, no dumbassery allowed.) A few basic rules have kept all of my systems (Windows, BSD and Linux) malware free for a good number of years now, no babysitting software required. If you run public facing servers, obviously that's a whole different ballgame.

That is pretty much what I do. Unless you had something on your system like teamviewer there would be no reason or way for hackers just to get to your system especially on Linux. They would first have to have a reason to target you then an exploit to get into your system.

