(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack into a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
thanks, Bill.
router logs help me...
On Thu, Feb 20, 2020 at 11:47 AM home user mattisonw@comcast.net wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack into a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
thanks, Bill.
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
If you are thinking of brute-force attacks on open ports, have a look at "fail2ban" - would use logs on your workstation and your firewall setup to block attempts.
Are there specific applications/services you are concerned about? If you are thinking about SSHD, consider use of ssh-keygen for user/host certificates.
On Thu, Feb 20, 2020 at 3:22 PM home user mattisonw@comcast.net wrote:
(on 02/20/2020 1:11pm mountain time, Jack said)
router logs help me...
My system is isp -> modem -> workstation. No router at this time.
On 2020-02-21 04:21, home user wrote:
(on 02/20/2020 1:11pm mountain time, Jack said)
router logs help me...
My system is isp -> modem -> workstation. No router at this time.
Do you have a fixed IP or dynamic IP?
What services do you run on your system? It helps to know what area you're concerned with.
(on 02/20/2020 at 2:10pm mountain time, Ed said)
Do you have a fixed IP or dynamic IP?
I believe it's fixed, provided by the ISP (comcast).
What services do you run on your system? It helps to know what area
you're concerned with.
* Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What counts as "services" here?)
* Other uses of internet are "under the hood" and mostly unknown/invisible to me.
* Oddball: when logged in as root, and I launch a terminal, several seconds later, I see a short wave of internet activity; this is very consistent. What's going on there?
* No one is authorized to connect in from outside; I myself do not try to do so.
This morning, I got 2 messages from the bank saying 2 attempts to make purchases via paypal were rejected because the card had not yet been activated. I called the bank. The messages were legitimate. Curious: the card is near expiration, and a new one (same number) had just been made/mailed. The bank then de-activated the card. I do not know what other personal info the malicious person/group got, where the info came from, or who the malicious person/group is. I think it wise for me to check that no one is getting into my system. Thus this thread. By the way, both chkrootkit and rkhunter reported my system is clean later this morning. I do realize they don't check everything.
I'll try Frank's suggestion and respond to him later; I'm researching it first.
Bill.
On 2020-02-21 06:49, home user wrote:
(on 02/20/2020 at 2:10pm mountain time, Ed said)
Do you have a fixed IP or dynamic IP?
I believe it's fixed, provided by the ISP (comcast).
What services do you run on your system? It helps to know what area you're concerned with.
- Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What counts as "services" here?)
None. Those are all clients.
Examples of a service are
sshd - for allowing incoming ssh connections
httpd - for running a web server
named - for a dns server
- Other uses of internet are "under the hood" and mostly unknown/invisible to me.
- Oddball: when logged in as root, and I launch a terminal, several seconds later, I see a short wave of internet activity; this is very consistent. What's going on there?
If you want to know what is going on you'd need to use something like "wireshark" to capture the network activity and examine it.
- No one is authorized to connect in from outside; I myself do not try to do so.
I don't know what that means.
This morning, I got 2 messages from the bank saying 2 attempts to make purchases via paypal were rejected because the card had not yet been activated. I called the bank. The messages were legitimate. Curious: the card is near expiration, and a new one (same number) had just been made/mailed. The bank then de-activated the card. I do not know what other personal info the malicious person/group got, where the info came from, or who the malicious person/group is. I think it wise for me to check that no one is getting into my system. Thus this thread. By the way, both chkrootkit and rkhunter reported my system is clean later this morning. I do realize they don't check everything.
Well, that sounds much more like your information was leaked by PayPal. Not your system.
(on 02/20/2020 1:49pm mountain time, Frank said)
If you are thinking of brute-force attacks on open ports, have a look at "fail2ban" - would use logs on your workstation and your firewall setup to block attempts.
I looked at it, downloaded it, looked at the man pages, and tried it. At this point, all I want is a report. How do I get that?
Are there specific applications/services you are concerned about? ...
Not yet.
(on 02/20/2020 at 3:59pm mountain time, Ed said)
Examples of a service are ...
If these are running on my workstation, it must be by default. I did not start them. How do I check?
No one is authorized to connect in from outside; I myself do not
try to do so.
I don't know what that means.
As far as I know, I'm not running any services. I do not try to connect to my workstation from any other system.
Well, that sounds much more like your information was leaked by PayPal. Not your system.
I did not think the information came from my system. But I can't be certain. So it seems wise to check my system. My guess is the information came from the "dark web", or some commercial system (paypal? the bank? other businesses for which I use that card?) got hacked, but the word hasn't yet gotten out.
On 2020-02-21 07:50, home user wrote:
(on 02/20/2020 at 3:59pm mountain time, Ed said)
Examples of a service are ...
If these are running on my workstation, it must be by default. I did not start them. How do I check?
sudo netstat -napt | grep -i listen
On Thu, 20 Feb 2020 at 18:50, home user mattisonw@comcast.net wrote:
(on 02/20/2020 at 2:10pm mountain time, Ed said)
Do you have a fixed IP or dynamic IP?
I believe it's fixed, provided by the ISP (comcast).
What services do you run on your system? It helps to know what area
you're concerned with.
- Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What
counts as "services" here?)
- Other uses of internet are "under the hood" and mostly
unknown/invisible to me.
- Oddball: when logged in as root, and I launch a terminal, several
seconds later, I see a short wave of internet activity; this is very consistent. What's going on there?
- No one is authorized to connect in from outside; I myself do not try
to do so.
This morning, I got 2 messages from the bank saying 2 attempts to make purchases via paypal were rejected because the card had not yet been activated.
"Not yet been activated" sounds like someone stole the mail and tried to use your new card (new 3-digit code and new expiry date).
[...]
Another suggestion, get Wireshark for sniffing traffic, run a sniffer trace as you are using the machine. You'll want to capture any IP (layer 3) traffic leaving or entering your machine (may want to setup filters to reduce capture size). This may be a way to start your analysis.
Disable any services (daemons) running on the machine that are not required with a listening port:
sudo netstat -tulpn | grep LISTEN
above will display listening ports
This is at least a start
Frank
(on 02/20/2020 at 3:59pm mountain time, Ed said)
sudo netstat -napt | grep -i listen
I did it twice, the extra time to get the column headers. Splicing the two together...
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1252/dnsmasq
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1081/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2068/sendmail: acce
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::631                  :::*                    LISTEN      1081/cupsd
Is this what it should be? Anything I should do? I guess it's not relevant to the current matter, but should cupsd be in the list twice?
Looks fine; cupsd is listening on both IPv4 and IPv6. There does not seem to be anything out of the ordinary. If you have not already done so, install and configure a firewall.
You can do 'systemctl status firewalld' to see if firewall is enabled
(on 02/20/2020 at 6:14pm mountain time, George said)
"Not yet been activated" sounds like someone stole the mail and tried to use your new card (new 3-digit code and new expiry date).
Possible, but rather unlikely. The mailbox requires a key to open. It's also possible that data going from the bank to the company that makes the cards was intercepted, or that the computers of one of those two companies was hacked. The bank is supposed to notify me when the new card is mailed, but that had not yet happened.
(on 02/20/2020 at 7:54pm mountain time, Frank said)
Looks fine; cupsd is listening on both IPv4 and IPv6. There does not seem to be anything out of the ordinary. If you have not already done so, install and configure a firewall. You can do 'systemctl status firewalld' to see if firewall is enabled
It is enabled:
-bash.5[~]: systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-02-20 11:04:08 MST; 8h ago
     Docs: man:firewalld(1)
 Main PID: 908 (firewalld)
    Tasks: 2 (limit: 4915)
   Memory: 41.0M
   CGroup: /system.slice/firewalld.service
           └─908 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Feb 20 11:03:54 [sysname] systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 20 11:04:08 [sysname] systemd[1]: Started firewalld - dynamic firewall daemon.
-bash.6[~]:
On Thursday, February 20, 2020 1:21:08 PM MST home user wrote:
(on 02/20/2020 1:11pm mountain time, Jack said)
router logs help me...
My system is isp -> modem -> workstation. No router at this time.
Are you running "GNOME Workstation" on that system? If so, I would recommend changing the firewall zone immediately, as everything on your system is currently open to the internet as a whole if you're running the default. The GNOME Spin does not consider security. Please be aware of this when running the GNOME Spin, as it affects any open network as well.
On 2020-02-21 10:43, home user wrote:
(on 02/20/2020 at 3:59pm mountain time, Ed said)
sudo netstat -napt | grep -i listen
I did it twice, the extra time to get the column headers. Splicing the two together...
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1252/dnsmasq
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1081/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2068/sendmail: acce
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::631                  :::*                    LISTEN      1081/cupsd
Is this what it should be? Anything I should do? I guess it's not relevant to the current matter, but should cupsd be in the list twice?
As already noted, cupsd is listening on both ipv4 and ipv6.
It isn't important, but I would note there is an unnecessary service running on port 111. That would be rpcbind.
As time permits I'd check
systemctl status rpcbind
and
systemctl status rpcbind.socket
On Thursday, February 20, 2020 8:06:56 PM MST John M. Harris Jr wrote:
On Thursday, February 20, 2020 1:21:08 PM MST home user wrote:
(on 02/20/2020 1:11pm mountain time, Jack said)
router logs help me...
My system is isp -> modem -> workstation. No router at this time.
Are you running "GNOME Workstation" on that system? If so, I would recommend changing the firewall zone immediately, as everything on your system is currently open to the internet as a whole if you're running the default. The GNOME Spin does not consider security. Please be aware of this when running the GNOME Spin, as it affects any open network as well.
--
John M. Harris, Jr.
Splentity
To further clarify, if you are using the GNOME variant of Fedora, the commands you'll need to run are:
Step 1: `sudo firewall-cmd --set-default-zone=public`
After this, you'll want to get the name of the primary interface. You can do this with a few commands, I recommend `ip link`. It will likely begin with 'enp', for example, 'enp0s1'.
Then you would run the following command with that interface name: `sudo firewall-cmd --change-interface=enpXsY --zone=public`
For example, `sudo firewall-cmd --change-interface=enp0s1 --zone=public`
This exact scenario is why I don't believe the GNOME Spin should have ever been allowed to effectively disable the firewall with their absurd FedoraWorkstation firewall zone.
On 2020-02-21 11:17, John M. Harris Jr wrote:
This exact scenario is why I don't believe the GNOME Spin should have ever been allowed to effectively disable the firewall with their absurd FedoraWorkstation firewall zone.
What do you find absurd about the FedoraWorkstation zone?
[root@f31g ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh vnc-server
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@f31g ~]# firewall-cmd --info-zone=public
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns ssh vnc-server
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
The only difference between public and FedoraWorkstation seems to be the inclusion of samba-client.
On 2020-02-21 11:25, Ed Greshko wrote:
Oh, never mind. Wrong system. The "default" rules for FedoraWorkstation do seem "odd".
[root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
(on 02/20/2020 at 7:34pm mountain time, Frank said)
Another suggestion, get Wireshark for sniffing traffic, run a sniffer trace as you are using the machine. You'll want to capture any IP (layer 3) traffic leaving or entering your machine (may want to setup filters to reduce capture size). This may be a way to start your analysis.
Disable any services (daemons) running on the machine that are not required with a listening port:
sudo netstat -tulpn | grep LISTEN
above will display listening ports
This is at least a start
Except for the netstat command, that went over my head. I have no training in sysadmin and IT security. I'm a home user. I don't know how to do what you suggest, or what to look for in the output.
Output to the netstat command is the same as what I put in my earlier reply to Ed.
(my own idea) I tried wading through several thousand lines of journalctl output. I couldn't even find my 2 logins since the last boot (late this morning). I vaguely recall a few years ago stumbling onto large numbers of hack attempts noted in journalctl output, but I don't remember what to look for.
(on 02/20/2020 at 8:16pm mountain time, Ed said)
... (port 111 and rpcbind) As time permits I'd check
systemctl status rpcbind
and
systemctl status rpcbind.socket
-bash.13[~]: systemctl status rpcbind
● rpcbind.service - RPC Bind
   Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled; vendor pre>
   Active: active (running) since Thu 2020-02-20 11:03:52 MST; 9h ago
     Docs: man:rpcbind(8)
 Main PID: 858 (rpcbind)
    Tasks: 1 (limit: 4915)
   Memory: 2.0M
   CGroup: /system.slice/rpcbind.service
           └─858 /usr/bin/rpcbind -w -f

Feb 20 11:03:52 coyote systemd[1]: Starting RPC Bind...
Feb 20 11:03:52 coyote rpcbind[858]: rpcbind: svc_tli_create: could not bind to>
Feb 20 11:03:52 coyote systemd[1]: Started RPC Bind.
-bash.14[~]: systemctl status rpcbind.socket
● rpcbind.socket - RPCbind Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/rpcbind.socket; enabled; vendor pres>
   Active: active (running) since Thu 2020-02-20 11:03:42 MST; 9h ago
   Listen: /run/rpcbind.sock (Stream)
           0.0.0.0:111 (Stream)
           0.0.0.0:111 (Datagram)
           [::]:111 (Stream)
           [::]:111 (Datagram)
    Tasks: 0 (limit: 4915)
   Memory: 208.0K
   CGroup: /system.slice/rpcbind.socket
-bash.15[~]:
What do I do so that this unneeded service is not launched? (I assume it's launched during boot.)
On 2020-02-21 11:53, home user wrote:
(on 02/20/2020 at 7:34pm mountain time, Frank said)
Another suggestion, get Wireshark for sniffing traffic, run a sniffer trace as you are using the machine. You'll want to capture any IP (layer 3) traffic leaving or entering your machine (may want to setup filters to reduce capture size). This may be a way to start your analysis.
Disable any services (daemons) running on the machine that are not required with a listening port:
sudo netstat -tulpn | grep LISTEN
above will display listening ports
This is at least a start
Except for the netstat command, that went over my head. I have no training in sysadmin and IT security. I'm a home user. I don't know how to do what you suggest, or what to look for in the output.
Output to the netstat command is the same as what I put in my earlier reply to Ed.
(my own idea) I tried wading through several thousand lines of journalctl output. I couldn't even find my 2 logins since the last boot (late this morning). I vaguely recall a few years ago stumbling onto large numbers of hack attempts noted in journalctl output, but I don't remember what to look for.
I don't know how you've gone about identifying "hack attempts".
But the "last" command should display all successful logins.
Additionally, the "lastb" command would reveal failed logins. I do have one system configured to allow ssh connections from the Internet using only public-key authentication. I do so to watch attempts by "script-kiddies".
The most recent attempts being...
support  ssh:notty    92.63.194.7      Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.108    Fri Feb 21 09:45 - 09:45  (00:00)
ubnt     ssh:notty    92.63.194.107    Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.106    Fri Feb 21 09:45 - 09:45  (00:00)
test     ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.107    Fri Feb 21 09:44 - 09:44  (00:00)
user     ssh:notty    92.63.194.106    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.105    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)
92.63.194.107 being in Russia. :-)
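Ed's `last`/`lastb` suggestion is the closest thing to the report Bill asked for, and the same failed logins also show up as sshd messages in `journalctl -u sshd`. The script below is an added example, not code from the thread: it parses both formats, counts attempts and distinct usernames per source, folds sources into /24 blocks (Ed's sample is one attacker rotating through 92.63.194.x) and flags the sprayers. The nine lastb rows are the ones Ed posted; the journal rows, the host name "coyote" and the 203.0.113.x and 192.0.2.x addresses are constructed. Two caveats: btmp is root-only, so it is `sudo lastb`; and these records only exist for attempts that reached a login prompt, so on a machine with no sshd listening an empty report is the expected result, not a sign that the tool is broken.

```python
# Added example for this thread (not code from the list posts): turn `lastb`
# rows and sshd "Failed password" journal lines into a per-source report.
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# lastb row:  USER  TTY  HOST  Day Mon DD HH:MM - HH:MM  (duration)
LASTB_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d)"
)
# journalctl -u sshd row:  Mon DD HH:MM:SS host sshd[pid]: Failed password for
#                          [invalid user] NAME from HOST port N ssh2
SSHD_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)


def parse_events(lines):
    """Yield (user, host, when) for each failed-login row; skip everything else."""
    for line in lines:
        m = LASTB_RE.match(line) or SSHD_RE.match(line)
        if m:
            yield m["user"], m["host"], m["when"]


def summarize(lines):
    """Per source host: attempt count and the distinct usernames tried."""
    stats = defaultdict(SourceStats)
    for user, host, _when in parse_events(lines):
        stats[host].attempts += 1
        stats[host].users.add(user)
    return dict(stats)


def block_of(host):
    """Aggregation key: /24 for IPv4, /64 for IPv6, the name itself otherwise."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def by_block(stats):
    """Fold hosts into blocks: a spray rotating through one /24 becomes one entry."""
    blocks = defaultdict(SourceStats)
    for host, s in stats.items():
        blocks[block_of(host)].attempts += s.attempts
        blocks[block_of(host)].users |= s.users
    return dict(blocks)


def suspicious(stats, min_attempts=3, min_users=2):
    """Hosts that tried repeatedly or tried more than one account name."""
    return sorted(h for h, s in stats.items()
                  if s.attempts >= min_attempts or len(s.users) >= min_users)


def report(lines):
    stats = summarize(lines)
    out = [f"{len(stats)} source(s), {sum(s.attempts for s in stats.values())} failed attempt(s)"]
    for host in suspicious(stats):
        out.append(f"  {host:<16} {stats[host].attempts:>3} tries  users: "
                   + ", ".join(sorted(stats[host].users)))
    for blk, b in sorted(by_block(stats).items(), key=lambda kv: -kv[1].attempts):
        out.append(f"  block {blk:<18} {b.attempts:>3} tries  {len(b.users)} username(s)")
    return out


# First nine rows: Ed's lastb output from this thread. The journal rows, the
# host name "coyote" and the 203.0.113.x / 192.0.2.x addresses are constructed.
SAMPLE = """\
support  ssh:notty    92.63.194.7      Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.108    Fri Feb 21 09:45 - 09:45  (00:00)
ubnt     ssh:notty    92.63.194.107    Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.106    Fri Feb 21 09:45 - 09:45  (00:00)
test     ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.107    Fri Feb 21 09:44 - 09:44  (00:00)
user     ssh:notty    92.63.194.106    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.105    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)
Feb 21 09:44:12 coyote sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 21 09:44:15 coyote sshd[4121]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 21 09:44:19 coyote sshd[4130]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb 21 09:50:01 coyote sshd[4200]: Accepted publickey for bill from 192.0.2.10 port 40000 ssh2
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE.splitlines())))
```

To run it against real data, feed `sudo lastb` or `journalctl -u sshd -o short --no-pager` into `report(sys.stdin)` in place of SAMPLE. The per-host threshold catches a single noisy source; the per-block fold is what makes the 92.63.194.x spray (nine tries, six usernames, six addresses) visible as one event rather than six small ones.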
On 2020-02-21 12:02, home user wrote:
What do I do so that this unneeded service is not launched? (I assume it's launched during boot.)
systemctl --now disable rpcbind
systemctl --now disable rpcbind.socket
(on 02/20/2020 8:17pm mountain time, John said)
(if using Gnome...) Step 1: `sudo firewall-cmd --set-default-zone=public`
-bash.16[~]: firewall-cmd --set-default-zone=public
Warning: ZONE_ALREADY_SET: public
success
-bash.17[~]
After this, you'll want to get the name of the primary interface. You can do this with a few commands, I recommend `ip link`. It will likely begin with 'enp', for example, 'enp0s1'.
-bash.17[~]: ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 30:85:a9:97:53:7e brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
-bash.18[~]: ip link | grep enp
-bash.19[~]:
Nothing starting with "enp". So what is the interface name that I should use in the second firewall-cmd?
On Thursday, February 20, 2020 9:14:24 PM MST home user wrote:
Nothing starting with "enp". So what is the interface name that I should use in the second firewall-cmd?
On your system, it'd be `eno1`.
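John's steps above find the interface by its `enp...` prefix, and Bill's `ip link` output shows why that is fragile: his onboard NIC is `eno1`, and libvirt's `virbr0`/`virbr0-nic` are present as well. The script below is an added example, not code from the thread. It picks uplink candidates by link type and carrier flag instead of by name and prints the firewall-cmd calls for each, adding a `--permanent` copy because a runtime-only `--change-interface` does not survive a firewalld reload or a reboot. The first sample is Bill's output; the Wi-Fi and container interfaces in the second sample (wlp3s0, veth3f2a1b and their MAC addresses) are constructed. On a NetworkManager-managed system the same assignment can also be made on the connection profile with `nmcli connection modify <connection> connection.zone public`.

```python
# Added example for this thread (not code from the list posts): pick the
# internet-facing interface from `ip link` output by link type and carrier
# state instead of by name, then print the firewall-cmd calls for it.
import re

# "2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP ..."
IFACE_RE = re.compile(
    r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>.*\bstate (?P<state>\S+)"
)
# "    link/ether 30:85:a9:97:53:7e brd ff:ff:ff:ff:ff:ff"
LINK_RE = re.compile(r"^\s+link/(?P<kind>\S+)")

# Devices created by libvirt, Docker/Podman, tunnels and VPNs: never the uplink.
VIRTUAL_PREFIXES = ("virbr", "vnet", "docker", "br-", "veth", "tun", "tap", "wg")


def parse_ip_link(text):
    """One dict per interface: name, flags (set), operational state, link kind."""
    ifaces = []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            ifaces.append({"name": m["name"], "flags": set(m["flags"].split(",")),
                           "state": m["state"], "kind": None})
            continue
        m = LINK_RE.match(line)
        if m and ifaces:
            ifaces[-1]["kind"] = m["kind"]
    return ifaces


def candidate_uplinks(ifaces):
    """Ethernet-type devices with carrier (LOWER_UP), not loopback, not a known
    virtual device. More than one hit means the human has to choose."""
    return [i["name"] for i in ifaces
            if i["kind"] == "ether"
            and "LOOPBACK" not in i["flags"]
            and "LOWER_UP" in i["flags"]
            and not i["name"].startswith(VIRTUAL_PREFIXES)]


def firewall_commands(iface, zone="public"):
    """Runtime change, the same change made permanent (otherwise it is lost on
    firewalld reload or reboot), and a check of the result."""
    return [
        f"sudo firewall-cmd --zone={zone} --change-interface={iface}",
        f"sudo firewall-cmd --permanent --zone={zone} --change-interface={iface}",
        f"sudo firewall-cmd --get-zone-of-interface={iface}",
    ]


# Bill's `ip link` output from this thread.
BILL_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 30:85:a9:97:53:7e brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
"""
# Constructed additions: a Wi-Fi card that is also up, and a container veth.
EXTRA_IFACES = """\
5: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
6: veth3f2a1b@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    for name in candidate_uplinks(parse_ip_link(BILL_IP_LINK)):
        print(f"# uplink candidate: {name}")
        print("\n".join(firewall_commands(name)))
```

On Bill's output the only candidate is eno1; with the constructed Wi-Fi card present the script lists both eno1 and wlp3s0 and leaves the choice to the person running it, which is the right behaviour: a laptop that is wired at home and on Wi-Fi elsewhere needs both in the public zone.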
(on 02/20/2020 at 9:03pm mountain time, Ed said)
I don't know how you've gone about identifying "hack attempts".
I was looking at journalctl output for something else; I don't recall what. It was years ago. I happened to notice many entries reporting login attempts to root and other login names coming from various ip addresses. Someone in the fedora users list at that time noted that there was an interesting assortment of countries from which those attempts were originating.
I tried "last" and "lastb". Those look useful. Thank you, Ed. I believe those are what I am looking for.
Back to John's suggestions.
(on 02/20/2020 at 9:05pm mountain time, Ed said)
systemctl --now disable rpcbind
systemctl --now disable rpcbind.socket
-bash.1[~]: systemctl --now disable rpcbind
Removed /etc/systemd/system/multi-user.target.wants/rpcbind.service.
Warning: Stopping rpcbind.service, but it can still be activated by:
  rpcbind.socket
-bash.2[~]: systemctl --now disable rpcbind.socket
Removed /etc/systemd/system/sockets.target.wants/rpcbind.socket.
-bash.3[~]:
I guess I should reboot again.
On 2020-02-21 12:54, home user wrote:
I guess I should reboot again.
No need.
(on 02/20/2020 at 9:56pm mountain time, Ed said)
No need.
I didn't see that until after I rebooted.
-bash.1[~]: netstat -napt | grep -i listen
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1246/dnsmasq
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1078/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2194/sendmail: acce
tcp6       0      0 :::631                  :::*                    LISTEN      1078/cupsd
-bash.2[~]:
Looks good. Thank you, Ed.
Now I need to reboot myself. I really need it! It will take all night! Shutting down...
On 2/20/20 7:47 PM, Ed Greshko wrote:
Oh, never mind. Wrong system. The "default" rules for FedoraWorkstation do seem "odd".
Not really.
[root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
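Samuel's point above, that the FedoraWorkstation zone blocks the privileged ports Bill's daemons use but leaves 1025-65535 open for anything a user starts, can be checked mechanically against the listener table Bill posted. The script below is an added example, not code from the thread. It parses `netstat -tulpn` rows and `firewall-cmd --info-zone` output and reports which sockets a remote host could actually reach. Assumptions, not facts from the thread: the uplink carries the public address, so only sockets bound to 0.0.0.0 or :: are reachable from outside (dnsmasq on 192.168.122.1 and sendmail on 127.0.0.1 are not, whatever the zone says); SERVICE_PORTS abbreviates firewalld's service definitions in /usr/lib/firewalld/services/*.xml; the 8000/tcp row (a user-started `python3 -m http.server`) and the 5353/udp row are constructed, while the other rows and the two zone dumps come from the thread. `ss -tulpn` is the modern replacement for netstat but prints different columns, so parse_netstat would need adapting for it.

```python
# Added example for this thread (not code from the list posts): join the
# `netstat -tulpn` listener table with `firewall-cmd --info-zone` output and
# report which sockets a remote host can actually reach.
import ipaddress
from collections import namedtuple

# Assumption: abbreviated from /usr/lib/firewalld/services/*.xml; verify there.
SERVICE_PORTS = {
    "ssh": [("tcp", 22, 22)],
    "mdns": [("udp", 5353, 5353)],
    "dhcpv6-client": [("udp", 546, 546)],
    "samba-client": [("udp", 137, 138)],
    "vnc-server": [("tcp", 5900, 5903)],
}

Listener = namedtuple("Listener", "proto addr port program")  # proto: tcp or udp
Zone = namedtuple("Zone", "name services ranges")             # ranges: (proto, low, high)


def scope(listener):
    """Who can reach this bind address at all, before the firewall is consulted."""
    a = ipaddress.ip_address(listener.addr)
    if a.is_loopback:
        return "loopback"
    return "all-interfaces" if a.is_unspecified else "one-address"


def parse_netstat(text):
    """Socket rows of `netstat -tulpn`; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, port = p[3].rsplit(":", 1)                       # ":::111" -> "::", "111"
        prog = " ".join(p[6:] if p[5] == "LISTEN" else p[5:])  # udp rows have no State
        rows.append(Listener(p[0].rstrip("6"), addr, int(port), prog))
    return rows


def parse_zone(text):
    """Zone name, services and open port ranges from --info-zone output."""
    name, services, ranges = None, [], []
    for s in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if name is None:
            name = s.split()[0]            # first line: "FedoraWorkstation (active)"
        elif s.startswith("services:"):
            services = s.split()[1:]
        elif s.startswith("ports:"):
            for item in s.split()[1:]:     # "1025-65535/tcp" or "8080/tcp"
                span, proto = item.split("/")
                low, _, high = span.partition("-")
                ranges.append((proto, int(low), int(high or low)))
    for svc in services:
        ranges.extend(SERVICE_PORTS.get(svc, []))
    return Zone(name, services, ranges)


def zone_allows(zone, proto, port):
    return any(p == proto and lo <= port <= hi for p, lo, hi in zone.ranges)


def exposed(listeners, zone):
    """Sockets a remote host can reach through an interface placed in this zone."""
    return [l for l in listeners
            if scope(l) == "all-interfaces" and zone_allows(zone, l.proto, l.port)]


# Bill's rows from the thread plus two constructed ones: a user-started
# `python3 -m http.server` on 8000/tcp and avahi on 5353/udp.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1252/dnsmasq
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1081/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2068/sendmail: acce
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      4242/python3
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           900/avahi-daemon: r
"""
# Zone dumps as Ed posted them, with the lines that were empty left out.
WORKSTATION_ZONE = """\
FedoraWorkstation
  target: default
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
"""
PUBLIC_ZONE = """\
public
  target: default
  services: dhcpv6-client mdns ssh vnc-server
  ports:
"""

if __name__ == "__main__":
    listeners = parse_netstat(NETSTAT)
    for text in (WORKSTATION_ZONE, PUBLIC_Z0NE if False else PUBLIC_ZONE):
        zone = parse_zone(text)
        hits = ", ".join(f"{l.proto}/{l.port} {l.program}" for l in exposed(listeners, zone))
        print(f"{zone.name}: reachable from outside -> {hits or 'nothing'}")
```

Under FedoraWorkstation the rpcbind (111) and cups (631) sockets Bill worried about are blocked by the zone, exactly as Samuel says, while the constructed 8000/tcp and 5353/udp listeners are reachable because they sit in the open high range. Under the public zone Ed posted, 8000/tcp is blocked and only 5353/udp remains reachable, via the mdns service entry. The useful habit is to rerun this after installing anything that listens: the zone decides, not the port number you happened to notice.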
On 2/20/20 11:46 AM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack into a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
Given that you are behind a router, the chance of any direct hacking attempts is extremely unlikely. Even if you went on a public wifi, you are only "at risk" from the other users at your current location (unless it's a wider network like some places have).
On 2020-02-21 13:39, Samuel Sieb wrote:
On 2/20/20 11:46 AM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack into a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
Given that you are behind a router, the chance of any direct hacking attempts is extremely unlikely. Even if you went on a public wifi, you are only "at risk" from the other users at your current location (unless it's a wider network like some places have).
It didn't sound as if he is behind a router since he stated his configuration is...
"My system is isp -> modem -> workstation. No router at this time."
On Thursday, February 20, 2020 10:39:06 PM MST Samuel Sieb wrote:
On 2/20/20 11:46 AM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack in to a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
Given that you are behind a router, the chance of any direct hacking attempts is extremely unlikely. Even if you went on a public wifi, you are only "at risk" from the other users at your current location (unless it's a wider network like some places have).
He explicitly stated he is NOT behind a router. Hence my advice, because of GNOME spin's horrible default firewall.
On 2020-02-21 13:34, Samuel Sieb wrote:
On 2/20/20 7:47 PM, Ed Greshko wrote:
Oh, never mind. Wrong system. The "default" rules for FedoraWorkstation seem "odd".
Not really.
[root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
Yeah, which is the reason for quotes around odd.
I understand the reasoning to make it easier on users. It is just something I wouldn't have done. I can envision someone configuring a service to run on the higher ports which can be compromised and then disables selinux because they run into it trying to protect them.
Maybe I shouldn't pity them. :-)
On Thursday, February 20, 2020 10:44:16 PM MST Ed Greshko wrote:
On 2020-02-21 13:34, Samuel Sieb wrote:
On 2/20/20 7:47 PM, Ed Greshko wrote:
Oh, never mind. Wrong system. The "default" rules for FedoraWorkstation seem "odd".
Not really.
[root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
Yeah, which is the reason for quotes around odd.
I understand the reasoning to make it easier on users. It is just something I wouldn't have done. I can envision someone configuring a service to run on the higher ports which can be compromised and then disables selinux because they run into it trying to protect them. Maybe I shouldn't pity them. :-)
It's not just odd, it's a security nightmare. Processes running directly as the user have more privileges than most daemons, in fact.
On 2020-02-21 13:08, home user wrote:
(on 02/20/2020 at 9:56pm mountain time, Ed said)
No need.
I didn't see that until after I rebooted.
-bash.1[~]: netstat -napt | grep -i listen
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1246/dnsmasq
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1078/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2194/sendmail: acce
tcp6       0      0 :::631                  :::*                    LISTEN      1078/cupsd
-bash.2[~]:
Looks good. Thank-you, Ed.
Now I need to reboot myself. I really need it! It will take all night! Shutting down...
Sounds like a plan.
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the output?
On 2/20/20 9:42 PM, Ed Greshko wrote:
On 2020-02-21 13:39, Samuel Sieb wrote:
On 2/20/20 11:46 AM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack in to a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
Given that you are behind a router, the chance of any direct hacking attempts is extremely unlikely. Even if you went on a public wifi, you are only "at risk" from the other users at your current location (unless it's a wider network like some places have).
It didn't sound as if he is behind a router since he stated his configuration is...
"My system is isp -> modem -> workstation. No router at this time."
That's what he said, yes. But most people don't realize that their ISP modem is also a router. You generally have to ask the ISP to switch the modem to bridge mode, which I do so I can run my own gateway server.
It's very unlikely that he's directly connected to the internet because most ISPs only give you one IP address which the modem uses and provides NAT to the internal network.
On 2020-02-21 14:19, Samuel Sieb wrote:
On 2/20/20 9:42 PM, Ed Greshko wrote:
On 2020-02-21 13:39, Samuel Sieb wrote:
On 2/20/20 11:46 AM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack in to a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
Given that you are behind a router, the chance of any direct hacking attempts is extremely unlikely. Even if you went on a public wifi, you are only "at risk" from the other users at your current location (unless it's a wider network like some places have).
It didn't sound as if he is behind a router since he stated his configuration is...
"My system is isp -> modem -> workstation. No router at this time."
That's what he said, yes. But most people don't realize that their ISP modem is also a router. You generally have to ask the ISP to switch the modem to bridge mode, which I do so I can run my own gateway server.
It's very unlikely that he's directly connected to the internet because most ISPs only give you one IP address which the modem uses and provides NAT to the internal network.
We shall see how he answers (if he does) my question on "ip add".
I have my own good reason to suspect he actually is directly connected. :-)
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average non-admin user going to set up that listens as a server? Admin-users setting up those traditional services ought to know how to manage firewalls, or they ought not to mess around with those services.
Thanks to the forever moving target closed-source things like ICQ, MSN, Yahoo messenger (some of which have gone by the way of the dodo), there isn't much in the way of Linux-based clients for those kind of things that need to have listening ports.
I can only think of something like BitTorrent, which doesn't seem to need you to poke holes in your firewall.
OSSEC, perhaps?
On 2/20/20 1:46 PM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that quickly and easily shows attempts to hack in to a computer. I think it was either in the Fedora magazine or Gnome's website. I've since made multiple attempts to find that article, but failed. I'm needing to check for hack-in attempts (something I suppose I should do quasi-periodically anyway). What is the tool/application to do that? If such a tool/application does not exist, then what is the best way for me to do that?
thanks, Bill.
On Fri, 21 Feb 2020 at 11:08, Tim via users users@lists.fedoraproject.org wrote:
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average non-admin user going to set up that listens as a server? Admin-users setting up those traditional services ought to know how to manage firewalls, or they ought not to mess around with those services.
The linux user base is so diverse that talking about the average user isn't very useful. Before retiring I worked with scientists whose computer background included those who started out with Fortran on mainframes (CDC) that had minimal security and no internet, biologists replacing Windows (7) with linux, and numerical modellers who are focused on intricate computations. All these groups have no background in system administration or security.
Thanks to the forever moving target closed-source things like ICQ, MSN, Yahoo messenger (some of which have gone by the way of the dodo), there isn't much in the way of Linux-based clients for those kind of things that need to have listening ports.
In the scientific community there is a trend towards services to perform calculations on a robust "server" using a GUI client (browser or Java app) on a laptop. "Notebook" in a browser applications like Jupyter and Rstudio Server have large user bases.
(On 2020-0221 10:51pm, Ed wrote)
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic noprefixroute
       valid_lft 342949sec preferred_lft 342949sec
    inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
(responding to related comments) (Samuel (11:19pm))
But most people don't realize that their ISP modem is also a router.
I don't think my modem is also a router, but I'm not sure. It's an Arris model TM822G, self-purchased (not rented from the ISP). So I'm inclined to agree with Ed...
(Ed (11:26pm))
We shall see how he answers (if he does) my question on "ip add". I have my own good reason to suspect he actually is directly connected.
Are Ed and I correct? What is the significance/importance of this?
On 2/21/20 7:07 AM, Tim via users wrote:
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average non-admin user going to set up that listens as a server? Admin-users setting up those traditional services ought to know how to manage firewalls, or they ought not to mess around with those services.
There are a variety of things like file sharing (webdav), media sharing (dlna), remote desktop, various 3rd party or proprietary software, etc.
On 2/21/20 12:15 PM, home user wrote:
(On 2020-0221 10:51pm, Ed wrote)
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic noprefixroute
       valid_lft 342949sec preferred_lft 342949sec
    inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
I don't know what the significance of the "a358:d643" part is, although it's probably related to the first "2001" indicating that you have IPv6 over a tunnel.
(responding to related comments) (Samuel (11:19pm))
But most people don't realize that their ISP modem is also a router.
I don't think my modem is also a router, but I'm not sure. It's an Arris model TM822G, self-purchased (not rented from the ISP). So I'm inclined to agree with Ed...
After checking the modem manual, I agree.
(Ed (11:26pm))
We shall see how he answers (if he does) my question on "ip add". I have my own good reason to suspect he actually is directly connected.
Are Ed and I correct? What is the significance/importance of this?
Unlike most people, you *are* directly connected to the internet, so would do well to have basic security enabled. Keep the firewall on. :-) You're not running anything other than cups that's remotely connectable, so there's not really anything to even check for hacking attempts, since there's nothing to break into. (cups should be blocked by default by the firewall.)
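To make the "is anything remotely connectable" judgement above repeatable, here is an added shell example (mine, not code from the thread or from Fedora) that takes the LISTEN lines from the netstat output posted earlier and decides, for each socket, whether the FedoraWorkstation zone shown above would let a remote host reach it. It judges by the zone's inbound TCP rules only (ssh on 22/tcp plus the 1025-65535/tcp range; samba-client and dhcpv6-client are assumed to open no inbound TCP port and UDP is ignored), not by which interface an address belongs to. The 8080 listener is a hypothetical user application added to show what the high-port range does; everything else is the thread's own output.

```bash
#!/bin/sh
# Added example: classify LISTEN sockets against the FedoraWorkstation zone rules.
# Constructed sample: the four LISTEN lines from the netstat output in the
# thread, plus one hypothetical user-level web app on 8080 (not on the page).
LISTEN_SAMPLE='tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1246/dnsmasq
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1078/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2194/sendmail: acce
tcp6 0 0 :::631 :::* LISTEN 1078/cupsd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 4242/python3'

# Inbound TCP rules of the FedoraWorkstation zone as printed by firewall-cmd in
# the thread: the ssh service (22/tcp) and the 1025-65535/tcp range.
# Assumption: samba-client and dhcpv6-client open no inbound TCP port here.
ZONE_TCP_PORTS="22"
ZONE_TCP_RANGE_LO=1025
ZONE_TCP_RANGE_HI=65535

# classify_listener ADDR:PORT -> loopback | allowed | filtered
classify_listener() {
    sock=$1
    port=${sock##*:}
    addr=${sock%:*}
    # 127.x and ::1 are only reachable from the machine itself.
    case "$addr" in
        127.*|::1) echo loopback; return 0 ;;
    esac
    for p in $ZONE_TCP_PORTS; do
        if [ "$port" -eq "$p" ]; then echo allowed; return 0; fi
    done
    if [ "$port" -ge "$ZONE_TCP_RANGE_LO" ] && [ "$port" -le "$ZONE_TCP_RANGE_HI" ]; then
        echo allowed; return 0
    fi
    # Anything else (e.g. 631/tcp for cups) is dropped by the zone's default target.
    echo filtered
}

# report_listeners: reads `netstat -napt` lines on stdin, prints "verdict socket process"
report_listeners() {
    while read -r proto recvq sendq sock foreign state proc; do
        [ "$state" = "LISTEN" ] || continue
        printf '%-9s %-22s %s\n' "$(classify_listener "$sock")" "$sock" "$proc"
    done
}

printf '%s\n' "$LISTEN_SAMPLE" | report_listeners
```

On a live system the same function can be fed with `netstat -napt | grep -i listen` (or `ss -ltnp`, after adjusting the field positions). The point the run makes is the one discussed in this thread: cups on 631 and dnsmasq on 53 come out "filtered" and sendmail is loopback-only, while any program a user starts on a high port comes out "allowed" without the user touching the firewall.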
On 2020-02-22 06:10, Samuel Sieb wrote:
On 2/21/20 12:15 PM, home user wrote:
(On 2020-0221 10:51pm, Ed wrote)
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic noprefixroute
       valid_lft 342949sec preferred_lft 342949sec
    inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
I don't know what the significance of the "a358:d643" part is, although it's probably related to the first "2001" indicating that you have IPv6 over a tunnel.
I asked about that number since some folks are skittish about revealing their actual IP addresses.
And, no, I don't think a tunnel is involved. Comcast owns 2001:558:6040::/48
My IPv6 address is 2001:b030:112f::140e and, in fact, 2001:b030:112f:0000::/56 belongs to me.
I also have a test system which does have a 6in4 tunnel via Hurricane Electric. With the segment 2001:470:67:cce::/64
I gleaned his IPv6 address and, as we all know, there isn't much a need for NAT with IPv6.
My network is behind a router based firewall and I do have to configure rules to allow access as the default is "deny". Based on "probing" his IPv6 address while various things were being done yesterday it was apparent that there was no router FW.
(Ed (11:26pm))
We shall see how he answers (if he does) my question on "ip add". I have my own good reason to suspect he actually is directly connected.
Are Ed and I correct? What is the significance/importance of this?
Unlike most people, you *are* directly connected to the internet, so would do well to have basic security enabled. Keep the firewall on. :-) You're not running anything other than cups that's remotely connectable, so there's not really anything to even check for hacking attempts, since there's nothing to break into. (cups should be blocked by default by the firewall.)
Actually, when it comes to cupsd...
Host is up.
PORT    STATE    SERVICE
631/tcp filtered ipp
So, yes, he is covered there as well.
FWIW, I have an additional system fully open to the Internet but configured as an IPv6 only system. I use a public NAT64/DNS64 service for access to non-IPv6. Owing to the number of IPv6 addresses, I assume, it has never been probed by the ssh script kiddies.
On Fri, 21 Feb 2020 at 18:42, Ed Greshko ed.greshko@greshko.com wrote:
[...] FWIW, I have an additional system fully open to the Internet but configured as an IPv6 only system. I use a public NAT64/DNS64 service for access to non-IPv6. Owing to the number of IPv6 addresses, I assume, it has never been probed by the ssh script kiddies.
Some bad actor is now or soon will be harvesting IPv6 addresses from forums and mail lists.
On Friday, February 21, 2020 8:07:15 AM MST Tim via users wrote:
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
Any critical system daemons are 1024 and below. The reason the high ports are left open is for user applications to be able to communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average non-admin user going to set up that listens as a server? Admin-users setting up those traditional services ought to know how to manage firewalls, or they ought not to mess around with those services.
Thanks to the forever moving target closed-source things like ICQ, MSN, Yahoo messenger (some of which have gone by the way of the dodo), there isn't much in the way of Linux-based clients for those kind of things that need to have listening ports.
I can only think of something like BitTorrent, which doesn't seem to need you to poke holes in your firewall.
--
uname -rsvp Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
Most likely, many services, entirely unknowingly, as their own user. I have no idea what led the GNOME folks into believing it was a good idea to open up EVERYTHING above 1024.
On 2020-02-22 08:10, George N. White III wrote:
On Fri, 21 Feb 2020 at 18:42, Ed Greshko ed.greshko@greshko.com wrote:
[...] FWIW, I have an additional system fully open to the Internet but configured as an IPv6 only system. I use a public NAT64/DNS64 service for access to non-IPv6. Owing to the number of IPv6 addresses, I assume, it has never been probed by the ssh script kiddies.
Some bad actor is now or soon will be harvesting IPv6 addresses from forums and mail lists.
Sure, and they will have the one IP address of my outgoing mail server.
Good luck to them finding which of the ~4.72236648287e+21 addresses under my control are in use. :-)
Tim:
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average non-admin user going to set up that listens as a server? Admin- users setting up those traditional services ought to know how to manage firewalls, or they ought not to mess around with those services.
Samuel Sieb:
There are a variety of things like file sharing (webdav), media sharing (dlna), remote desktop, various 3rd party or proprietary software, etc.
So, why can't the installation of those applications automatically include an appropriate firewall rule? Better to allow a controlled opening, rather than just open-slather.
On Friday, February 21, 2020 7:17:33 PM MST Tim via users wrote:
Tim:
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average non-admin user going to set up that listens as a server? Admin- users setting up those traditional services ought to know how to manage firewalls, or they ought not to mess around with those services.
Samuel Sieb:
There are a variety of things like file sharing (webdav), media sharing (dlna), remote desktop, various 3rd party or proprietary software, etc.
So, why can't the installation of those applications automatically include an appropriate firewall rule? Better to allow a controlled opening, rather than just open-slather.
They do come with firewall rules, see /usr/lib/firewalld/services. They aren't enabled automatically, of course, because it's up to the end-user whether or not it should be available on a given interface.
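As an added illustration of the point just made (example code of mine, not part of the thread or of firewalld): the service definitions under /usr/lib/firewalld/services are small XML files listing `<port protocol=".." port=".."/>` elements, so a "controlled opening" means finding the definition that matches the port a program listens on and enabling that service rather than a port range. The script below builds a temporary directory with three constructed files in that format (ssh and ipp modelled on the real definitions, "webdav-sample" entirely hypothetical) and looks up which of them covers a given port; pointing SERVICES_DIR at the real directory makes it search the installed definitions instead.

```bash
#!/bin/sh
# Added example: which firewalld service definition covers a given port/protocol?
# On a real system SERVICES_DIR would be /usr/lib/firewalld/services; here a
# temporary directory is filled with constructed files in the same format.
SERVICES_DIR=$(mktemp -d)

cat > "$SERVICES_DIR/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (constructed sample)</description>
  <port protocol="tcp" port="22"/>
</service>
EOF

cat > "$SERVICES_DIR/ipp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPP</short>
  <description>Internet Printing Protocol (constructed sample)</description>
  <port protocol="tcp" port="631"/>
</service>
EOF

cat > "$SERVICES_DIR/webdav-sample.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WebDAV (hypothetical service, not shipped by firewalld)</short>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8443"/>
</service>
EOF

# service_ports FILE -> one "port/proto" per line, taken from the <port .../> elements
service_ports() {
    sed -n 's/.*<port protocol="\([a-z0-9]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# services_for_port PORT PROTO -> names of the services whose definition opens it
services_for_port() {
    want="$1/$2"
    for f in "$SERVICES_DIR"/*.xml; do
        for pp in $(service_ports "$f"); do
            if [ "$pp" = "$want" ]; then
                basename "$f" .xml   # service name is the file name without .xml
                break
            fi
        done
    done
}

echo "631/tcp is covered by: $(services_for_port 631 tcp)"
```

On a real system `firewall-cmd --info-service=NAME` prints the same information from the installed definition, and `firewall-cmd --zone=FedoraWorkstation --add-service=NAME` enables it for that zone. On FedoraWorkstation the hypothetical 8080/8443 ports would already be reachable through the 1025-65535/tcp range discussed above, which is the reason a per-service rule is the more controlled choice.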
On Fri, 2020-02-21 at 13:15 -0700, home user wrote:
(On 2020-0221 10:51pm, Ed wrote)
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic noprefixroute
       valid_lft 342949sec preferred_lft 342949sec
    inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
(responding to related comments) (Samuel (11:19pm))
But most people don't realize that their ISP modem is also a router.
I don't think my modem is also a router, but I'm not sure. It's an Arris model TM822G, self-purchased (not rented from the ISP).
What kind of IPv4 address do you get? The public IP or an RFC1918 one (192.168.x.y, 10.x.y.z or 172.16.x.y)? If it is the public IP, the modem likely does not do the firewall, as it does not do NAT. A quick check of the Arris manual seems to suggest that it does not have a firewall and that it hands out ISP addresses directly.
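The check asked for above, as an added shell example (mine, not from the thread): classify an IPv4 address as RFC1918 private, loopback, link-local or public, and run that over output in the layout of `ip -4 addr show`. It goes one step beyond the question's list by also recognising 100.64.0.0/10 (RFC 6598 shared address space), which is the range a host gets when NAT is done inside the ISP's network rather than in the modem. The `ip addr` sample is constructed: the eno1 address 67.172.0.1 is a placeholder (the real host's last octets are masked in the thread) and the virbr0 address is the libvirt default.

```bash
#!/bin/sh
# Added example: RFC1918-or-public classification of IPv4 addresses.

# ipv4_scope A.B.C.D -> rfc1918 | cgnat | loopback | link-local | public
ipv4_scope() {
    ip=$1
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}
    case "$a" in
        10)  echo rfc1918 ;;                                         # 10.0.0.0/8
        172) if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo rfc1918; else echo public; fi ;;   # 172.16.0.0/12
        192) if [ "$b" -eq 168 ]; then echo rfc1918; else echo public; fi ;;                    # 192.168.0.0/16
        100) if [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat; else echo public; fi ;;   # 100.64.0.0/10 (RFC 6598)
        169) if [ "$b" -eq 254 ]; then echo link-local; else echo public; fi ;;                 # 169.254.0.0/16
        127) echo loopback ;;
        *)   echo public ;;
    esac
}

# Constructed sample in the layout of `ip -4 addr show` (eno1 address is a placeholder).
IP_ADDR_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 67.172.0.1/22 brd 67.172.3.255 scope global dynamic noprefixroute eno1
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0'

# scan_ip_addr: reads `ip -4 addr show` output on stdin, prints "iface address scope"
scan_ip_addr() {
    while read -r line; do
        case "$line" in
            inet\ *)
                set -- $line
                addr=${2%/*}               # strip the /prefix length
                shift $(($# - 1))          # the interface name is the last field
                echo "$1 $addr $(ipv4_scope "$addr")"
                ;;
        esac
    done
}

printf '%s\n' "$IP_ADDR_SAMPLE" | scan_ip_addr
```

Run as `ip -4 addr show | scan_ip_addr` on the real box: an interface facing the modem that comes out "public" means the modem is passing the ISP address straight through, so there is no NAT and no router firewall in front of the workstation; "rfc1918" or "cgnat" means something upstream is translating.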
My workstation was off yesterday starting soon after 1:15pm (mountain time) post, and I was out. Now I'm back and online. On to the posts after that...
On Saturday, February 22, 2020 5:11:49 AM MST Louis Lagendijk wrote:
On Fri, 2020-02-21 at 13:15 -0700, home user wrote:
(On 2020-0221 10:51pm, Ed wrote)
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic noprefixroute
       valid_lft 342949sec preferred_lft 342949sec
    inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
(responding to related comments) (Samuel (11:19pm))
But most people don't realize that their ISP modem is also a router.
I don't think my modem is also a router, but I'm not sure. It's an Arris model TM822G, self-purchased (not rented from the ISP).
What kind of IPv4 address do you get? The public IP or an RFC1918 one (192.168.x.y, 10.x.y.z or 172.16.x.y)? If it is the public IP, the modem likely does not do the firewall, as it does not do NAT. A quick check of the Arris manual seems to suggest that it does not have a firewall and that it hands out ISP addresses directly.
We've already confirmed, earlier in the thread, that it's on a public IP.
On 2020-02-23 03:52, John M. Harris Jr wrote:
We've already confirmed, earlier in the thread, that it's on a public IP.
That is only true in the context of the IPv6 address space.
There is no reason why the IPv4 address can't be "private" with NAT being performed by another device within the Comcast network.
As the OP requested:
ip add show
will show all the addresses assigned on the system.
(responding to the 2020-02-21 0759pm mountain time post by Louis)
(Ed earlier said)
I asked about that number since some folks are skittish about revealing their actual IP addresses.
Ed knows me well!
I'm not sure which of all the sequences "ip add show" displays Louis is referring to, so here's the output, with digits after the first 2 groups of each sequence replaced with n's in most cases:
-bash.1[~]: ip add show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
    inet 67.172.nnn.nn/nn brd 67.172.nnn.nnn scope global dynamic noprefixroute eno1
       valid_lft 174956sec preferred_lft 174956sec
    inet6 2001:558:nnnn:nn:nnnn:nnnn:nnnn:nnn/nnn scope global dynamic noprefixroute
       valid_lft 318456sec preferred_lft 318456sec
    inet6 fe80::nnnn:nnnn:nnnn:nnnn/nn scope link noprefixroute
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
    inet 192.168.nnn.n/nn brd 192.168.nnn.nnn scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
-bash.2[~]:
I see "192.168.", but no "10." and no "172.16.". Does that mean it is an RFC1918, and that the modem does do NAT and the firewall? Am I understanding Louis correctly? What's the practical significance of this?
On 2020-02-23 08:50, home user wrote:
(responding to the 2020-02-21 0759pm mountain time post by Louis)
(Ed earlier said)
I asked about that number since some folks are skittish about revealing their actual IP addresses.
Ed knows me well!
I'm not sure which of all the sequences "ip add show" displays Louis is referring to, so here's the output, with digits after the first 2 groups of each sequence replaced with n's in most cases:
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
    inet 67.172.nnn.nn/nn brd 67.172.nnn.nnn scope global dynamic noprefixroute eno1
       valid_lft 174956sec preferred_lft 174956sec
    inet6 2001:558:nnnn:nn:nnnn:nnnn:nnnn:nnn/nnn scope global dynamic noprefixroute
       valid_lft 318456sec preferred_lft 318456sec
    inet6 fe80::nnnn:nnnn:nnnn:nnnn/nn scope link noprefixroute
       valid_lft forever preferred_lft forever
I see "192.168.", but no "10." and no "172.16.". Does that mean it is an RFC1918, and that the modem does do NAT and the firewall? Am I understanding Louis correctly? What's the practical significance of this?
You are a Comcast customer. Comcast owns 67.172.0.0 - 67.172.255.255
So, your IPv4 address is also a Public IP address the same way the IPv6 address is. Directly connected to the Internet with no NAT. Also, your modem does not have an internal Firewall. Therefore, the firewall on your system is vital.
On 2/22/20 4:50 PM, home user wrote:
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
    inet 192.168.nnn.n/nn brd 192.168.nnn.nnn scope global virbr0
       valid_lft forever preferred_lft forever
This is the virtual network used for virtual machines. libvirtd is enabled by default.
The original desire for a way to occasionally check for hack-in attempts is satisfied by the 2 commands "lastb" and "last" suggested by Ed. Other related issues came up in this thread; I trust that they've been addressed. My sense is that my firewall is as it should be. The suggestions fail2ban, Wireshark, and OSSEC strike me as overkill, and difficult for a non-sysadmin non-security person, so I'm passing on those.
Patching the workstation (I do that weekly) and upgrading (semi-annually) could change things like the firewall without me knowing. I've known these to create new groups and log-in names. Thus the desire to be able to occasionally check things (beyond what chkrootkit and rkhunter do). I've also been getting a lot of e-mails from addresses ending with ".ng" which are not spam (advertising) but probably are malicious (not sure; I just delete them). Recently, I've also started getting messages from addresses ending in "qq.com" (normally those would be from China) just like the ".ng" messages. These ".ng" and ".qq.com" messages have html attachments. There are other subtle hints of trouble. So I hope you understand my concern, and some desire to keep an eye on things.
I thank the 9 list members who contributed to this thread for their time and effort helping me. I've marked this thread "SOLVED". But I will continue to watch it for further posts.
Bill.
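The two periodic checks Bill settles on above (failed logins via `lastb`, and noticing accounts or groups that an update added) can be scripted; the following is an added example of mine, not something posted in the thread, and it runs on constructed data so it works anywhere. `new_entries` compares the first field of a saved copy of /etc/passwd (or /etc/group) with the current file; `failed_by_source` counts saved `lastb` output per source host, treating console failures with no host column as "local". The "newsvc" account and the 203.0.113.7 address (a documentation range) are made up.

```bash
#!/bin/sh
# Added example: the two occasional checks from the thread, on constructed data.
WORK=$(mktemp -d)

# Constructed snapshot of /etc/passwd before a weekly update, and the file
# afterwards; "newsvc" is a hypothetical service account the update created.
cat > "$WORK/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bill:x:1000:1000:Bill:/home/bill:/bin/bash
EOF
cat > "$WORK/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
newsvc:x:985:985:Hypothetical service account:/var/lib/newsvc:/usr/sbin/nologin
bill:x:1000:1000:Bill:/home/bill:/bin/bash
EOF

# Constructed `lastb` output: two ssh failures from one source (203.0.113.7 is a
# documentation address) and one mistyped password at the local console.
cat > "$WORK/lastb.txt" <<'EOF'
root     ssh:notty    203.0.113.7      Fri Feb 21 03:14 - 03:14  (00:00)
admin    ssh:notty    203.0.113.7      Fri Feb 21 03:15 - 03:15  (00:00)
bill     tty2                          Sat Feb 22 19:02 - 19:02  (00:00)

btmp begins Sat Feb  1 00:00:01 2020
EOF

# new_entries OLD NEW -> names (first colon-separated field) present in NEW but not OLD
new_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# failed_by_source FILE -> "count source" lines from saved lastb output, most frequent first
failed_by_source() {
    awk '
        NF == 0 || $1 == "btmp" { next }                          # blank line and trailer
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/  { src = "local" }  # no host column: console
        $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { src = $3 }
        { count[src]++ }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn
}

echo "accounts added since snapshot:"
new_entries "$WORK/passwd.before" "$WORK/passwd.after"
echo "failed logins by source:"
failed_by_source "$WORK/lastb.txt"
```

For real use, keep dated copies (`cp /etc/passwd ~/snapshots/passwd.$(date +%F)`, likewise for /etc/group) and run `new_entries` against the newest one after each update; `lastb` reads /var/log/btmp, which needs root, so save its output with `sudo lastb > file` and feed that file to `failed_by_source`. An entry showing up in `new_entries` is a prompt to look up which package owns it, not proof of anything on its own.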
On Saturday, February 22, 2020 8:03:22 PM MST home user wrote:
The original desire for a way to occasionally check for hack-in attempts is satisfied by the 2 commands "lastb" and "last" suggested by Ed. Other related issues came up in this thread; I trust that they've been addressed. My sense is that my firewall is as it should be. The suggestions fail2ban, Wireshark, and OSSEC strike me as overkill, and difficult for a non-sysadmin non-security person, so I'm passing on those.
Patching the workstation (I do that weekly) and upgrading (semi-annually) could change things like the firewall without me knowing. I've known these to create new groups and log-in names. Thus the desire to be able to occasionally check things (beyond what chkrootkit and rkhunter do). I've also been getting a lot of e-mails from addresses ending with ".ng" which are not spam (advertising) but probably are malicious (not sure; I just delete them). Recently, I've also started getting messages from addresses ending in "qq.com" (normally those would be from China) just like the ".ng" messages. These ".ng" and ".qq.com" messages have html attachments. There are other subtle hints of trouble. So I hope you understand my concern, and some desire to keep an eye on things.
I thank the 9 list members who contributed to this thread for their time and effort helping me. I've marked this thread "SOLVED". But I will continue to watch it for further posts.
Bill.
Glad to hear it. A quick note, Fedora Workstation (what I refer to as the "GNOME Spin") may send out an update which resets your firewall to their defaults, which would open you back up to attacks. I'll pass this along, and hopefully we can get a more sane firewall into Fedora's GNOME experience within the year.
On 2/22/20 7:07 PM, John M. Harris Jr wrote:
Glad to hear it. A quick note, Fedora Workstation (what I refer to as the "GNOME Spin") may send out an update which resets your firewall to their defaults, which would open you back up to attacks. I'll pass this along, and hopefully we can get a more sane firewall into Fedora's GNOME experience within the year.
I guarantee that the firewall will not be changing. It has been discussed at length in the past and that is what was decided on. Your opinion on it is noted, but will not change anything.
On Saturday, February 22, 2020 8:17:01 PM MST Samuel Sieb wrote:
On 2/22/20 7:07 PM, John M. Harris Jr wrote:
Glad to hear it. A quick note, Fedora Workstation (what I refer to as the "GNOME Spin") may send out an update which resets your firewall to their defaults, which would open you back up to attacks. I'll pass this along, and hopefully we can get a more sane firewall into Fedora's GNOME experience within the year.
I guarantee that the firewall will not be changing. It has been discussed at length in the past and that is what was decided on. Your opinion on it is noted, but will not change anything.
If it has been discussed at length, then you'd know that it makes no sense to open all of the ports that firewall zone opens. You've seen a real-world example of the harm that firewall zone causes in this very thread.
On 2/22/20 7:34 PM, John M. Harris Jr wrote:
On Saturday, February 22, 2020 8:17:01 PM MST Samuel Sieb wrote:
On 2/22/20 7:07 PM, John M. Harris Jr wrote:
Glad to hear it. A quick note, Fedora Workstation (what I refer to as the "GNOME Spin") may send out an update which resets your firewall to their defaults, which would open you back up to attacks. I'll pass this along, and hopefully we can get a more sane firewall into Fedora's GNOME experience within the year.
I guarantee that the firewall will not be changing. It has been discussed at length in the past and that is what was decided on. Your opinion on it is noted, but will not change anything.
If it has been discussed at length, then you'd know that it makes no sense to open all of the ports that firewall zone opens. You've seen a real-world example of the harm that firewall zone causes in this very thread.
It makes sense and I didn't see any harm in this thread. Feel free to bring it up again, but all you'll do is annoy people.
On Saturday, February 22, 2020 8:38:38 PM MST Samuel Sieb wrote:
On 2/22/20 7:34 PM, John M. Harris Jr wrote:
On Saturday, February 22, 2020 8:17:01 PM MST Samuel Sieb wrote:
On 2/22/20 7:07 PM, John M. Harris Jr wrote:
Glad to hear it. A quick note, Fedora Workstation (what I refer to as the "GNOME Spin") may send out an update which resets your firewall to their defaults, which would open you back up to attacks. I'll pass this along, and hopefully we can get a more sane firewall into Fedora's GNOME experience within the year.
I guarantee that the firewall will not be changing. It has been discussed at length in the past and that is what was decided on. Your opinion on it is noted, but will not change anything.
If it has been discussed at length, then you'd know that it makes no sense to open all of the ports that firewall zone opens. You've seen a real-world example of the harm that firewall zone causes in this very thread.
It makes sense and I didn't see any harm in this thread. Feel free to bring it up again, but all you'll do is annoy people.
It makes absolutely no sense. The ports it opens are all meant to run as the user, the ones that are, arguably, the most sensitive. It opens these on ALL interfaces BY DEFAULT, which is absolutely absurd. This means that everything binding a port as the user winds up open to every network they connect to, unless the end user explicitly goes and changes the firewall zone, which the GNOME UI doesn't even provide a way to do (unless something has changed); the user has to use firewall-cmd or open nm-connection-editor. The harm in this, demonstrated in this thread, was opening EVERY PROCESS THAT BINDS A PORT AS THE USER to THE ENTIRE INTERNET, on both IPv4 and IPv6.
On 2020-02-23 11:44, John M. Harris Jr wrote:
The harm in this, demonstrated in this thread, was opening EVERY PROCESS THAT BINDS A PORT AS THE USER to THE ENTIRE INTERNET, on both IPv4 and IPv6.
Except that in this thread there were no processes bound to any higher port and in LISTEN.
On Saturday, February 22, 2020 10:32:19 PM MST Ed Greshko wrote:
On 2020-02-23 11:44, John M. Harris Jr wrote:
The harm in this, demonstrated in this thread, was opening EVERY PROCESS THAT BINDS A PORT AS THE USER to THE ENTIRE INTERNET, on both IPv4 and IPv6.
Except that in this thread there were no processes bound to any higher port and in LISTEN.
Which demonstrates that fixing that horrible policy would not harm users.
On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
your IPv4 address is also a Public IP address the same way the IPv6 address is. Directly connected to the Internet with no NAT. Also, your modem does not have an internal Firewall. Therefore, the firewall on your system is vital.
I'd say it's even *more* vital that if you run any services (SSH, mail, FTP, HTTP, DNS, etc), that you configure them securely, than rely on a firewall to protect them.
e.g. If you ran a test webserver, but didn't intend to serve it to the WWW, then you'd configure the test webserver to only listen to internal addresses/interfaces. Likewise with any other server that you don't intend to be externally accessible.
I've watched someone (albeit on Windows) get hacked 4 seconds after connecting to the internet, several times in a row. But the principle's the same, no matter what OS (flaws exist that you don't know about). And asshats are continually trying to get it.
Dropping a firewall to test something is something that a lot of people will do, but isn't something you'd want to do if you couldn't trust all your services to protect themselves. And there's no safe time period that you can get away with momentarily dropping one.
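A defender's check that follows from the advice above (which services would be reachable if the firewall let the traffic through): this added example, not code from anyone in the thread, parses `ss -Hltn` style output and flags listening TCP sockets bound beyond loopback. The sample output is constructed so the script runs offline; on a real system you would feed it `ss -Hltn` instead.

```bash
#!/usr/bin/env bash
# Added example: classify listening TCP sockets by bind address.
# Input lines have the shape of `ss -Hltn` output (no header, listening,
# TCP, numeric): State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample, not captured from any machine in the thread.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# "local" for loopback binds, "exposed" for anything reachable from a network.
classify_bind() {
  case "$1" in
    127.*|'[::1]'|localhost) echo local ;;
    0.0.0.0|'*'|'[::]')      echo exposed ;;   # wildcard: every interface
    *)                       echo exposed ;;   # a specific non-loopback address
  esac
}

# Reads ss-style lines on stdin; prints "<class> <addr> <port>" per socket.
report_listeners() {
  while read -r _state _recvq _sendq laddr _peer _rest; do
    [ -z "$laddr" ] && continue
    port=${laddr##*:}     # text after the last colon
    addr=${laddr%:*}      # everything before it, brackets kept for IPv6
    printf '%s %s %s\n' "$(classify_bind "$addr")" "$addr" "$port"
  done
}

# Number of listeners that are not confined to loopback.
count_exposed() {
  report_listeners | grep -c '^exposed ' || true
}

main() {
  echo "$SAMPLE_SS_OUTPUT" | report_listeners
  echo "exposed listeners: $(echo "$SAMPLE_SS_OUTPUT" | count_exposed)"
}

main
```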
On 2020-02-23 19:45, Tim via users wrote:
On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
your IPv4 address is also a Public IP address the same way the IPv6 address is. Directly connected to the Internet with no NAT. Also, your modem does not have an internal Firewall. Therefore, the firewall on your system is vital.
I'd say it's even *more* vital that if you run any services (SSH, mail, FTP, HTTP, DNS, etc), that you configure them securely, than rely on a firewall to protect them.
Well, if you are going to expose those services to the outside world, that almost goes without saying.
But, the OP has no desire, it seems, to do that.
So, if one would check, all ports are now "filtered".
e.g. If you ran a test webserver, but didn't intend to serve it to the WWW, then you'd configure the test webserver to only listen to internal addresses/interfaces. Likewise with any other server that you don't intend to be externally accessible.
His system seems to be quite stand-alone.
He only has one interface connected to the Internet and one for virtual machines. No LAN and no apparent WiFi interface.
On Sunday, February 23, 2020 4:45:55 AM MST Tim via users wrote:
On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
your IPv4 address is also a Public IP address the same way the IPv6 address is. Directly connected to the Internet with no NAT. Also, your modem does not have an internal Firewall. Therefore, the firewall on your system is vital.
I'd say it's even *more* vital that if you run any services (SSH, mail, FTP, HTTP, DNS, etc), that you configure them securely, than rely on a firewall to protect them.
e.g. If you ran a test webserver, but didn't intend to serve it to the WWW, then you'd configure the test webserver to only listen to internal addresses/interfaces. Likewise with any other server that you don't intend to be externally accessible.
I've watched someone (albeit on Windows) get hacked 4 seconds after connecting to the internet, several times in a row. But the principle's the same, no matter what OS (flaws exist that you don't know about). And asshats are continually trying to get it.
Dropping a firewall to test something is something that a lot of people will do, but isn't something you'd want to do if you couldn't trust all your services to protect themselves. And there's no safe time period that you can get away with momentarily dropping one.
The defaults for SSH are "good enough"; you can't reasonably expect every user to only use ed25519, key exchange, limit ciphers, MACs and KexAlgorithms.
As for mail, FTP, DNS, web servers, these are not installed by default. If the user installs them, the user will likely be able to figure out how to configure them.
As for dropping the firewall, it's fine to drop the firewall temporarily if you're on an airgapped network, or if you're on a trusted network that enforces a firewall between you and a WAN and disallows unknown devices from connecting.