WIFI Security - Page 5 - maemo.org

XooH | # 41 | 2008-03-14, 09:45 | Report

brecklundin : You're not right, but I won't argue, it's a lost of time. Just take a tour with your favorite search engine for words like : "computers internet security hack worms breaches ... wifi ...".

TA-t3 : on my N810, with netstat -antu (u stands for UDP, which you missed), I get :
111 (tcp, udp) (see below)
53 (tcp, udp) (see below)
22 (SSH, and YES, I know how to secure SSH... AllowUsers and so on; I also have openvpn, and I know how to use it)

* "For example, port 111 is assigned a stand-alone portmapper service not required for most e-mail servers.The portmapper service, which is technically part of the Sun Remote Procedure Call (RPC) service, runs on server machines and assigns port numbers to RPC packets, such as NIS and NFS packets."
I guess it's because I installed WizardMounter, which helps to mount CIFS (samba) and NFS shares.
(http://www.governmentsecurity.org/archive/t1695.html, after a quick googleing)

* Port 53 (tcp) is used for DNS (search DNS attacks in G.)
Should I remove the DNS system from my tablet or prevent it from working properly ?
(see : http://www.hackinglinuxexposed.com/a.../20030703.html)
Ohh : thanks to that page, I think I just discover why my simple FW (ported from my server) was not working; if I get it to work, I'll post it here.

So...

Just knowing what is running on your tablet or shutting it off has nothing to do with network security. It's like stopping crossing roads because they're cars out there...

Each serious sysadmin will tell you that only firewalls, reverse proxies and apps properly written can protect you from the outside world.

Now : for those who think I like to live in a "secure buble" and take no risk in life, I ride a motorbike (every day in huge traffic, on holidays, under rain and sometimes in snow) and I'd like my young daughter to do the same -if she enjoys it-, I go skiing on glacier, etc, etc.

Taking risks (in life, in general) does not mean you do not want to know them, evaluate them and to adapt your behaviour to them.

Again : I really do not want to argue. I'm just proposing, offering my contribution, if someone more comfortable with the N8x0 wants to build a FW with me.
(for me it's a matter of kernel modules / iptables hacking or twicking)

cheers,
XooH

TA-t3 | # 42 | 2008-03-14, 12:06 | Report

Xooh:
What in "Checking UDP" was unclear to you? I didn't think I had to write down the actual command I used to make it clear. Of course I checked UDP. No port 111 on my (OS2007) system though.

What I was arguing against was your claim that you would be vulnerable even without a server listening on the port in question. That's simply not true.

XooH | # 43 | 2008-03-14, 12:54 | Report

Originally Posted by TA-t3 View Post

Xooh:
What I was arguing against was your claim that you would be vulnerable even without a server listening on the port in question. That's simply not true.

As I said, I do not want to argue that point, because having a firewall _IS_ the _ONLY_ way (mandatory, but not enough), for every user (power or average) to be safe.

Why ?

Because you never know what port a new application install procedure will open (i.e. will be listening to) on your Tablet.
And because it shouldn't be up to the NIT user to watch after it.

My point is : that _SHOULDN'T_ even be an issue.
Each tablet user should have the option, not to allow any single incoming traffic to it NIT.
Then, if it's a power user, it should have the possibility to tweak it.

I'm working on it; if anybody wants to join this effort, you're welcome ;-)

XooH

iamthewalrus | # 44 | 2008-03-14, 12:57 | Report

The tablets have iptables. That basically is firewall if you configure rules with it. The tablet users are not the demographic that would be fooled by a ssl certificate popup. But I would guess most people just click on 'accept', like they are trained with popups in Internet Exploder.

<edit>
Sorry for mentioning iptables *again* ..I should read threads. Too bad it doesn't work like you would expect.
</edit>

Last edited by iamthewalrus; 2008-03-14 at 13:27.

XooH | # 45 | 2008-03-14, 13:21 | Report

Originally Posted by iamthewalrus View Post

The tablets have iptables. That basically is firewall if you configure rules with it.

Yes ;-) I know...
But for some reason, I'm -for now- unable to port my iptables script to my N810.

Here's what I have on the NIT, unfortunately this blocks ALL traffic, even the outside responses :

Code:

# Clear any existing firewall stuff before we start
iptables --flush

# As the default policies, drop all traffic
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

#
iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# openvpn
iptables -A INPUT -p all -s 10.8.0.0/24 -j ACCEPT

# local
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

On my server I have that, but the iptables on the N810 does not understand it :

Code:

# Accept all incoming traffic associated with an established
# connection, or a "related" connection
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I get :

Code:

/home/user # iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables v1.2.11: Couldn't load match `state':/lib/iptables/libipt_state.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
/home/user # iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables v1.2.11: Couldn't load match `state':/lib/iptables/libipt_state.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

XooH