> Which in turn opens you up for a nice DoS attack with spoofed IPs, right? At
> least, that would be my concern - maybe I'm overly paranoid. However, as I
> mentioned before: On my machine portsentry would never see a thing, as the
> firewall already deals with that.

Understood. I have in fact tried tightening the firewall before, only to find a lot of applications (yes, mainly MS ones admittedly) stop working. I really couldn't be bothered trying to find every port on every program required. Maybe there's a list somewhere? i.e. To run PC Anywhere - use iptables <blah blah blah>

It also doesn't help that I still don't really 'get' netfilter, despite the tutorial reading. I'm still using a firewall script I found on some security site a year ago (the name escapes me).

> Ok, got me stumped here: What's "conntrack"? iptables' 'stateful' feature?
> Sounds that way at least (I was using ipfilter and am using pf on OpenBSD,
> which uses different terminology).

I don't even know whether it's required to use the stateful feature to be honest, but it does allow you to view all those things in /proc/net/ip_conntrack, very handy for seeing what connections are used and why they are opened. I use it in conjunction with a perl script, conntrack-viewer, to tell me the state of a connection at any time.

> I'm not an expert, either, but that would mean that the attack would have to
> come from the destination one already has contact with (i.e. some malicious
> user) or that someone hijacks that connection - which is far more difficult,
> AFAIK.

Hey, if there are malicious users out there, wouldn't it make sense they would be EXACTLY the sort of people who would use Kazaa? Especially if they put some files on their systems everybody wants. They just have to wait for people to start downloading, and boom, instant working IP address. Beats looking for one randomly.

> > A tighter firewall should fix this, but may break the actual downloading
> > process.
>
> Not really - if the threat comes from the client software itself, there's
> nothing the firewall can do about it - after all, you told it to allow
> outward connections from that client and to allow returning traffic.
> If that app isn't secure - boom, end of story.

My thoughts on that are slightly different. Kazaa uses certain ports, right? So, IF the destination user gets a connection in from me, ALL he would need is a Linux box which is NATting Kazaa at his end to do a tcpdump, or even use the same conntrack-viewer I'm using to see exactly which connections are made where. He/She may not necessarily go after the Kazaa program itself (even though nobody really knows the FastTrack protocol it uses, so god knows whether IT can be exploited), but he may simply start probing that IP address for some NETBIOS packets. Even when filesharing is turned off for the ppp adapter, you can still get a list of connections. Or something else (telnet, ftp, whatever). I'm just saying it's not necessarily Kazaa's fault, but it may aid in exposing the box.

> > As for Kazaa running as root - no, it's a Microsoft only program AFAIK. So
> > in relation to user access - Security 0 Hackers 1.
>
> Sure looks that way - but how did the Linux boxes get affected then, if it's an
> MS only client? Or did I miss something in your description?

See above. I told the story of one Kazaa user running through Linux NAT who got hacked. How many more are there?

Note again, none of this is proven, they are just my logical thoughts. I may be completely on the wrong (conn)track here LOL.

---
Edward Dekkers (Director)
Triple D Computer Services P/L
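
Added example, not part of the original post and not the conntrack-viewer script it mentions: a short Python parser for the /proc/net/ip_conntrack line layout that lists which destination ports one NATed host actually opens (a starting point for tightening firewall rules per application) and which entries are still unanswered. It assumes the older ip_conntrack layout named in the post; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack line format (not real traffic).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=1045 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=1045 [ASSURED] use=1
tcp      6 110 SYN_SENT src=192.168.1.10 dst=203.0.113.9 sport=1050 dport=5631 [UNREPLIED] src=203.0.113.9 dst=198.51.100.2 sport=5631 dport=1050 use=1
udp      17 25 src=192.168.1.10 dst=203.0.113.53 sport=1033 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=1033 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=2001 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=2001 [ASSURED] use=1
"""

PAIR = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return a dict for one conntrack entry, or None if the line is not one."""
    fields = line.split()
    if len(fields) < 4 or not fields[1].isdigit():
        return None
    entry = {"proto": fields[0], "state": None, "flags": set()}
    # TCP entries carry a state name before the first key=value pair; UDP does not.
    if "=" not in fields[3] and not fields[3].startswith("["):
        entry["state"] = fields[3]
    for tok in fields:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok.strip("[]"))
    # The first src/dst/sport/dport group is the original direction;
    # the second group is the expected reply tuple, so keep only the first.
    for key, val in PAIR.findall(line):
        entry.setdefault(key, val)
    return entry if "src" in entry and "dst" in entry else None

def ports_used(text, host):
    """Count (proto, dport) pairs for connections opened by `host`."""
    seen = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["src"] == host and "dport" in e:
            seen[(e["proto"], int(e["dport"]))] += 1
    return seen

def unreplied(text):
    """Entries where no reply packet has been seen yet."""
    return [e for e in map(parse_line, text.splitlines())
            if e and "UNREPLIED" in e["flags"]]

if __name__ == "__main__":
    for (proto, port), n in sorted(ports_used(SAMPLE, "192.168.1.10").items()):
        print(f"{proto}/{port}: {n} connection(s)")
```

On a live gateway the same functions can be fed the contents of /proc/net/ip_conntrack in place of SAMPLE.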