1:46 p.m.
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that
quickly and easily shows attempts to hack in to a computer. I think it
was either in the Fedora magazine or Gnome's website. I've since made
multiple attempts to find that article, but failed. I'm needing to
check for hack-in attempts (something I suppose I should do
quazi-periodically anyway). What is the tool/application to do that? If
such a tool/application does not exist, then what is the best way for me
to do that?
thanks,
Bill.
2:11 p.m.
router logs help me...
On Thu, Feb 20, 2020 at 11:47 AM home user <mattisonw(a)comcast.net> wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that
quickly and easily shows attempts to hack in to a computer. I think it
was either in the Fedora magazine or Gnome's website. I've since made
multiple attempts to find that article, but failed. I'm needing to
check for hack-in attempts (something I suppose I should do
quazi-periodically anyway). What is the tool/application to do that? If
such a tool/application does not exist, then what is the best way for me
to do that?
thanks,
Bill.
_______________________________________________
users mailing list -- users(a)lists.fedoraproject.org
To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
2:49 p.m.
If you are thinking of brute-force attacks on open ports, have a look
at "fail2ban" - would use logs on your workstation and your firewall
setup to block attempts.
Are there specific applications/services you are concerned about? If
you are thinking about SSHD, consider use of ssh-keygen for user/host
certificates.
On Thu, Feb 20, 2020 at 3:22 PM home user <mattisonw(a)comcast.net> wrote:
>
> (on 02/20/2020 1:11pm mountain time, Jack said)
> > router logs help me...
> My system is isp -> modem -> workstation. No router at this time.
> _______________________________________________
> users mailing list -- users(a)lists.fedoraproject.org
> To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
5:18 p.m.
(on 02/20/2020 1:49pm mountain time, Frank said)
If you are thinking of brute-force attacks on open ports,
have a look at "fail2ban" - would use logs on your workstation
and your firewall setup to block attempts.
I looked at it, downloaded it, looked at the man pages, and tried it.
At this point, all I want is a report. How do I get that?
Are there specific applications/services you are concerned about? ...
Not yet.
3:10 p.m.
On 2020-02-21 04:21, home user wrote:
(on 02/20/2020 1:11pm mountain time, Jack said)
> router logs help me...
My system is isp -> modem -> workstation. No router at this time.
Do you have a fixed IP or dynamic IP?
What services do you run on your system? It helps to know what area you're concerned
with.
--
The key to getting good answers is to ask good questions.
4:49 p.m.
(on 02/20/2020 at 2:10pm mountain time, Ed said)
Do you have a fixed IP or dynamic IP?
I believe it's fixed, provided by the ISP (comcast).
What services do you run on your system? It helps to know what area
you're concerned with.
* Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What
counts as "services" here?)
* Other uses of internet are "under the hood" and mostly
unknown/invisible to me.
* Oddball: when logged in as root, and I launch a terminal, several
seconds later, I see a short wave of internet activity; this is very
consistent. What's going on there?
* No one is authorized to connect in from outside; I myself do not try
to do so.
This morning, I got 2 messages from the bank saying 2 attempts to make
purchases via paypal were rejected because the card had not yet been
activated. I called the bank. The messages were legitimate. Curious:
the card is near expiration, and a new one (same number) had just been
made/mailed. The bank then de-activated the card. I do not know what
other personal info the malicious person/group got, where the info came
from, or who the malicious person/group is. I think it wise for me to
check that no one is getting into my system. Thus this thread. By the
way, both chkrootkit and rkhunter reported my system is clean later this
morning. I do realize they don't check everything.
I'll try Frank's suggestion and respond to him later; I'm researching it
first.
Bill.
4:59 p.m.
On 2020-02-21 06:49, home user wrote:
(on 02/20/2020 at 2:10pm mountain time, Ed said)
> Do you have a fixed IP or dynamic IP?
I believe it's fixed, provided by the ISP (comcast).
> What services do you run on your system? It helps to know what area you're
concerned with.
* Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What counts as
"services" here?)
None. Those are all clients.
Examples of a service are
sshd - for allowing incoming ssh connections
httpd - for running a web server
named - for a dns server
* Other uses of internet are "under the hood" and mostly
unknown/invisible to me.
* Oddball: when logged in as root, and I launch a terminal, several seconds later, I see
a short wave of internet activity; this is very consistent. What's going on there?
If you want to know what is going on you'd need to use something like
"wireshark" to capture the network
activity and examine it.
* No one is authorized to connect in from outside; I myself do not
try to do so.
I don't know what that means.
This morning, I got 2 messages from the bank saying 2 attempts to make purchases via
paypal were rejected because the card had not yet been activated. I called the bank. The
messages were legitimate. Curious: the card is near expiration, and a new one (same
number) had just been made/mailed. The bank then de-activated the card. I do not know
what other personal info the malicious person/group got, where the info came from, or who
the malicious person/group is. I think it wise for me to check that no one is getting
into my system. Thus this thread. By the way, both chkrootkit and rkhunter reported my
system is clean later this morning. I do realize they don't check everything.
Well, that sounds much more you information was leaked by PayPal. Not your system.
--
The key to getting good answers is to ask good questions.
5:50 p.m.
(on 02/20/2020 at 3:59pm mountain time, Ed said)
Examples of a service are
...
If these are running on my workstation, it must be by default. I did
not start them. How do I check?
> No one is authorized to connect in from outside; I myself do not
try to do so.
I don't know what that means.
As far as I know, I'm not
running any services. I do not try to connect
to my workstation from any other system.
Well, that sounds much more you information was leaked by PayPal.
Not your system.
I did not think the information came from my system. But I can't be
certain. So it seems wise to check my system. My guess is the
information came from the "dark web", or some commercial system (paypal?
the bank? other businesses for which I use that card?) got hacked, but
the word hasn't yet gotten out.
6:15 p.m.
On 2020-02-21 07:50, home user wrote:
(on 02/20/2020 at 3:59pm mountain time, Ed said)
> Examples of a service are
> ...
If these are running on my workstation, it must be by default. I did not start them.
How do I check?
sudo netstat -napt | grep -i listen
--
The key to getting good answers is to ask good questions.
8:43 p.m.
(on 02/20/2020 at 3:59pm mountain time, Ed said)
sudo netstat -napt | grep -i listen
I did it twice, the extra
time to get the column headers. Splicing the
two together...
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
1252/dnsmasq
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
1081/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
2068/sendmail: acce
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::631 :::* LISTEN 1081/cupsd
Is this what it should be? Anything I should do? I guess it's not
relevant to the current matter, but should cupsd be in the list twice?
8:54 p.m.
Looks fine, CUPSD, is listening on both ipv4 and ipv6. There does not
seem to be anything out of the ordinary. If not already done so,
install and configure a firewall.
You can do 'systemctl status firewalld' to see if firewall is enabled
On Thu, Feb 20, 2020 at 9:44 PM home user <mattisonw(a)comcast.net> wrote:
>
> (on 02/20/2020 at 3:59pm mountain time, Ed said)
> > sudo netstat -napt | grep -i listen
> I did it twice, the extra time to get the column headers. Splicing the
> two together...
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> PID/Program name
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
> tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
> 1252/dnsmasq
> tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
> 1081/cupsd
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
> 2068/sendmail: acce
> tcp6 0 0 :::111 :::* LISTEN 1/systemd
> tcp6 0 0 :::631 :::* LISTEN 1081/cupsd
>
> Is this what it should be? Anything I should do? I guess it's not
> relevant to the current matter, but should cupsd be in the list twice?
> _______________________________________________
> users mailing list -- users(a)lists.fedoraproject.org
> To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
9:03 p.m.
(on 02/20/2020 at 7:54pm mountain time, Frank said)
Looks fine, CUPSD, is listening on both ipv4 and ipv6.
There does not seem to be anything out of the ordinary.
If not already done so, install and configure a firewall.
You can do 'systemctl status firewalld' to see if firewall is enabled
It is
enabled:
-bash.5[~]: systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled;
vendor preset: enabled)
Active: active (running) since Thu 2020-02-20 11:04:08 MST; 8h ago
Docs: man:firewalld(1)
Main PID: 908 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 41.0M
CGroup: /system.slice/firewalld.service
└─908 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Feb 20 11:03:54 [sysname] systemd[1]: Starting firewalld - dynamic
firewall daemon...
Feb 20 11:04:08 [sysname] systemd[1]: Started firewalld - dynamic
firewall daemon.
-bash.6[~]:
9:16 p.m.
On 2020-02-21 10:43, home user wrote:
(on 02/20/2020 at 3:59pm mountain time, Ed said)
> sudo netstat -napt | grep -i listen
I did it twice, the extra time to get the column headers. Splicing the two together...
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1252/dnsmasq
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1081/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2068/sendmail: acce
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::631 :::* LISTEN 1081/cupsd
Is this what it should be? Anything I should do? I guess it's not relevant to the
current matter, but should cupsd be in the list twice?
As already noted, cupsd is listening on both ipv4 and ipv6.
It isn't important, but I would note there is an unnecessary service running on port
111. That
would be rpcbind.
As time permits I'd check
systemctl status rpcbind
and
systemctl status rpcbind.socket
--
The key to getting good answers is to ask good questions.
10:02 p.m.
(on 02/20/2020 at 8:16pm mountain time, Ed said)
...
(port 111 and rpcbind)
As time permits I'd check
systemctl status rpcbind
and
systemctl status rpcbind.socket
-bash.13[~]: systemctl status rpcbind
● rpcbind.service - RPC Bind
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled;
vendor pre>
Active: active (running) since Thu 2020-02-20 11:03:52 MST; 9h ago
Docs: man:rpcbind(8)
Main PID: 858 (rpcbind)
Tasks: 1 (limit: 4915)
Memory: 2.0M
CGroup: /system.slice/rpcbind.service
└─858 /usr/bin/rpcbind -w -f
Feb 20 11:03:52 coyote systemd[1]: Starting RPC Bind...
Feb 20 11:03:52 coyote rpcbind[858]: rpcbind: svc_tli_create: could not
bind to>
Feb 20 11:03:52 coyote systemd[1]: Started RPC Bind.
-bash.14[~]: systemctl status rpcbind.socket
● rpcbind.socket - RPCbind Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/rpcbind.socket; enabled;
vendor pres>
Active: active (running) since Thu 2020-02-20 11:03:42 MST; 9h ago
Listen: /run/rpcbind.sock (Stream)
0.0.0.0:111 (Stream)
0.0.0.0:111 (Datagram)
[::]:111 (Stream)
[::]:111 (Datagram)
Tasks: 0 (limit: 4915)
Memory: 208.0K
CGroup: /system.slice/rpcbind.socket
-bash.15[~]:
What do I do so that this unneeded service is not launched? (I assume
it's launched during boot.)
10:05 p.m.
On 2020-02-21 12:02, home user wrote:
(on 02/20/2020 at 8:16pm mountain time, Ed said)
> ...
> (port 111 and rpcbind)
> As time permits I'd check
> systemctl status rpcbind
> and
> systemctl status rpcbind.socket
-bash.13[~]: systemctl status rpcbind
● rpcbind.service - RPC Bind
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled; vendor pre>
Active: active (running) since Thu 2020-02-20 11:03:52 MST; 9h ago
Docs: man:rpcbind(8)
Main PID: 858 (rpcbind)
Tasks: 1 (limit: 4915)
Memory: 2.0M
CGroup: /system.slice/rpcbind.service
└─858 /usr/bin/rpcbind -w -f
Feb 20 11:03:52 coyote systemd[1]: Starting RPC Bind...
Feb 20 11:03:52 coyote rpcbind[858]: rpcbind: svc_tli_create: could not bind to>
Feb 20 11:03:52 coyote systemd[1]: Started RPC Bind.
-bash.14[~]: systemctl status rpcbind.socket
● rpcbind.socket - RPCbind Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/rpcbind.socket; enabled; vendor pres>
Active: active (running) since Thu 2020-02-20 11:03:42 MST; 9h ago
Listen: /run/rpcbind.sock (Stream)
0.0.0.0:111 (Stream)
0.0.0.0:111 (Datagram)
[::]:111 (Stream)
[::]:111 (Datagram)
Tasks: 0 (limit: 4915)
Memory: 208.0K
CGroup: /system.slice/rpcbind.socket
-bash.15[~]:
What do I do so that this unneeded service is not launched? (I assume it's launched
during boot.)
systemctl --now disable rpcbind
systemctl --now disable rpcbind.socket
--
The key to getting good answers is to ask good questions.
10:54 p.m.
(on 02/20/2020 at 9:05pm mountain time, Ed said)
systemctl --now disable rpcbind
systemctl --now disable rpcbind.socket
-bash.1[~]: systemctl --now disable rpcbind
Removed /etc/systemd/system/multi-user.target.wants/rpcbind.service.
Warning: Stopping rpcbind.service, but it can still be activated by:
rpcbind.socket
-bash.2[~]: systemctl --now disable rpcbind.socket
Removed /etc/systemd/system/sockets.target.wants/rpcbind.socket.
-bash.3[~]:
I guess I should reboot again.
10:56 p.m.
On 2020-02-21 12:54, home user wrote:
(on 02/20/2020 at 9:05pm mountain time, Ed said)
> systemctl --now disable rpcbind
> systemctl --now disable rpcbind.socket
-bash.1[~]: systemctl --now disable rpcbind
Removed /etc/systemd/system/multi-user.target.wants/rpcbind.service.
Warning: Stopping rpcbind.service, but it can still be activated by:
rpcbind.socket
-bash.2[~]: systemctl --now disable rpcbind.socket
Removed /etc/systemd/system/sockets.target.wants/rpcbind.socket.
-bash.3[~]:
I guess I should reboot again.
No need.
--
The key to getting good answers is to ask good questions.
11:08 p.m.
(on 02/20/2020 at 9:56pm mountain time, Ed said)
No need.
I didn't see that until after I rebooted.
-bash.1[~]: netstat -napt | grep -i listen
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
1246/dnsmasq
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
1078/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
2194/sendmail: acce
tcp6 0 0 :::631 :::* LISTEN 1078/cupsd
-bash.2[~]:
Looks good. Thank-you, Ed.
Now I need to reboot myself. I really need it! It will take all night!
Shutting down...
11:51 p.m.
On 2020-02-21 13:08, home user wrote:
(on 02/20/2020 at 9:56pm mountain time, Ed said)
> No need.
I didn't see that until after I rebooted.
-bash.1[~]: netstat -napt | grep -i listen
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1246/dnsmasq
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1078/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2194/sendmail: acce
tcp6 0 0 :::631 :::* LISTEN 1078/cupsd
-bash.2[~]:
Looks good. Thank-you, Ed.
Now I need to reboot myself. I really need it! It will take all night!
Shutting down...
Sounds like a plan.
BTW, if you do an "ip -6 add show eno1" do the numbers a358:d643 appear in the
output?
--
The key to getting good answers is to ask good questions.
2:15 p.m.
(On 2020-0221 10:51pm, Ed wrote)
BTW, if you do an "ip -6 add show eno1"
do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP group default qlen 1000
inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic
noprefixroute
valid_lft 342949sec preferred_lft 342949sec
inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
(responding to related comments)
(Samuel (11:19pm))
But most people don't realize that their ISP modem is also a
router.
I don't think my modem is also a router, but I'm not sure. It's
an
Arris model TM822G, self-purchased (not rented from the ISP). So I'm
inclined to agree with Ed...
(Ed (11:26pm))
We shall see how he answers (if he does) my question on "ip
add".
I have my own good reason to suspect he actually is directly connected.
Are Ed and
I correct? What is the significance/importance of this?
4:10 p.m.
On 2/21/20 12:15 PM, home user wrote:
(On 2020-0221 10:51pm, Ed wrote)
> BTW, if you do an "ip -6 add show eno1"
> do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP group default qlen 1000
inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic
noprefixroute
valid_lft 342949sec preferred_lft 342949sec
inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
I don't know what the significance of the "a358:d643" part is, although
it's probably related to the first "2001" indicating that you have IPV6
over a tunnel.
(responding to related comments)
(Samuel (11:19pm))
> But most people don't realize that their ISP modem is also a router.
I don't think my modem is also a router, but I'm not sure. It's an
Arris model TM822G, self-purchased (not rented from the ISP). So I'm
inclined to agree with Ed...
After checking the modem manual, I agree.
(Ed (11:26pm))
> We shall see how he answers (if he does) my question on "ip add".
> I have my own good reason to suspect he actually is directly connected.
Are Ed and I correct? What is the significance/importance of this?
Unlike most people, you *are* directly connected to the internet, so
would do well to have basic security enabled. Keep the firewall on. :-)
You're not running anything other than cups that's remotely connectable,
so there's not really anything to even check for hacking attempts, since
there's nothing to break into. (cups should be blocked by default by
the firewall.)
4:41 p.m.
On 2020-02-22 06:10, Samuel Sieb wrote:
On 2/21/20 12:15 PM, home user wrote:
> (On 2020-0221 10:51pm, Ed wrote)
> > BTW, if you do an "ip -6 add show eno1"
> > do the numbers a358:d643 appear in the output?
>
> -bash.1[~]: ip -6 add show eno1
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
> inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic
noprefixroute
> valid_lft 342949sec preferred_lft 342949sec
> inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
> valid_lft forever preferred_lft forever
> -bash.2[~]:
>
> So the answer is yes.
I don't know what the significance of the "a358:d643" part is, although
it's probably related to the first "2001" indicating that you have IPV6 over
a tunnel.
I asked about that number since some folks are skittish about revealing their actual IP
addresses.
And, no, I don't think a tunnel is involved. Comcast owns 2001:558:6040::/48
My IPv6 address is 2001:b030:112f::140e and, in fact, 2001:b030:112f:0000::/56 belongs to
me.
I also have a test system which does have a 6in4 tunnel via Hurricane Electric. With the
segment
2001:470:67:cce::/64
I gleaned his IPv6 address and, as we all know, there isn't much a need for NAT with
IPv6.
My network is behind a router based firewall and I do have to configure rules to allow
access as the
default is "deny". Based on "probing" his IPv6 address while various
things were being done yesterday
it was apparent that there was no router FW.
> (Ed (11:26pm))
> > We shall see how he answers (if he does) my question on "ip add".
> > I have my own good reason to suspect he actually is directly connected.
> Are Ed and I correct? What is the significance/importance of this?
Unlike most people, you *are* directly connected to the internet, so would do well to
have basic security enabled. Keep the firewall on. :-)
You're not running anything other than cups that's remotely connectable, so
there's not really anything to even check for hacking attempts, since there's
nothing to break into. (cups should be blocked by default by the firewall.)
Actually, when it comes to cupsd...
Host is up.
PORT STATE SERVICE
631/tcp filtered ipp
So, yes, he is covered there as well.
FWIW, I have an additional system fully open to the Internet but configured as an IPv6
only system.
I use a public NAT64/DNS64 service for access to non-IPv6. Owing to the number of IPv6
addresses, I assume,
it has never been probed by the ssh script kiddies.
--
The key to getting good answers is to ask good questions.
6:10 p.m.
On Fri, 21 Feb 2020 at 18:42, Ed Greshko <ed.greshko(a)greshko.com> wrote:
[...]
FWIW, I have an additional system fully open to the Internet but
configured as an IPv6 only system.
I use a public NAT64/DNS64 service for access to non-IPv6. Owing to the
number of IPv6 addresses, I assume,
it has never been probed by the ssh script kiddies.
Some bad actor is now or soon will be harvesting IPv6 addresses from forums
and mail lists.
--
George N. White III
6:23 p.m.
On 2020-02-22 08:10, George N. White III wrote:
On Fri, 21 Feb 2020 at 18:42, Ed Greshko <ed.greshko(a)greshko.com
<mailto:ed.greshko@greshko.com>> wrote:
[...]
FWIW, I have an additional system fully open to the Internet but configured as an
IPv6 only system.
I use a public NAT64/DNS64 service for access to non-IPv6. Owing to the number of
IPv6 addresses, I assume,
it has never been probed by the ssh script kiddies.
Some bad actor is now or soon will be harvesting IPv6 addresses from forums and mail
lists.
Sure, and they will have the one IP address of my outgoing mail server.
Good luck to them finding which of the ~4.72236648287e+21 addresses under my control are
in use. :-)
--
The key to getting good answers is to ask good questions.
6:11 a.m.
On Fri, 2020-02-21 at 13:15 -0700, home user wrote:
(On 2020-0221 10:51pm, Ed wrote)
> BTW, if you do an "ip -6 add show eno1"
> do the numbers a358:d643 appear in the output?
-bash.1[~]: ip -6 add show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state
UP group default qlen 1000
inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global
dynamic
noprefixroute
valid_lft 342949sec preferred_lft 342949sec
inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
-bash.2[~]:
So the answer is yes.
(responding to related comments)
(Samuel (11:19pm))
> But most people don't realize that their ISP modem is also a
router.
I don't think my modem is also a router, but I'm not sure. It's an
Arris model TM822G, self-purchased (not rented from the ISP).
What kind of IPv4-address do you get? The public IP or an RFC1918
(192.168.x.y or 10.x.y.z or 172.16.x.y): if it is the public IP the
modem likely does not do the firewall as it does not do NAT.
A quick check of the Arris manual seems to suggest that it does not
have a firewall and it seems to handout ISP addresses directly.
1:52 p.m.
On Saturday, February 22, 2020 5:11:49 AM MST Louis Lagendijk wrote:
On Fri, 2020-02-21 at 13:15 -0700, home user wrote:
> (On 2020-0221 10:51pm, Ed wrote)
>
> > BTW, if you do an "ip -6 add show eno1"
> > do the numbers a358:d643 appear in the output?
>
>
> -bash.1[~]: ip -6 add show eno1
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
> state
> UP group default qlen 1000
>
> inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global
>
> dynamic
> noprefixroute
>
> valid_lft 342949sec preferred_lft 342949sec
>
> inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
>
> valid_lft forever preferred_lft forever
>
> -bash.2[~]:
>
> So the answer is yes.
>
> (responding to related comments)
> (Samuel (11:19pm))
>
> > But most people don't realize that their ISP modem is also a
>
> router.
> I don't think my modem is also a router, but I'm not sure. It's an
> Arris model TM822G, self-purchased (not rented from the ISP).
>
What kind of IPv4-address do you get? The public IP or an RFC1918
(192.168.x.y or 10.x.y.z or 172.16.x.y): if it is the public IP the
modem likely does not do the firewall as it does not do NAT.
A quick check of the Arris manual seems to suggest that it does not
have a firewall and it seems to handout ISP addresses directly.
We've already confirmed, earlier in the thread, that it's on a public IP.
--
John M. Harris, Jr.
Splentity
4:36 p.m.
On 2020-02-23 03:52, John M. Harris Jr wrote:
We've already confirmed, earlier in the thread, that it's on
a public IP.
That is only true in the context of the IPv6 address space.
There is no reason why the IPv4 address can't be "private" with NAT being
performed by another
device within the Comcast network.
As the OP requested:
ip add show
will show all the addresses assigned on the system.
--
The key to getting good answers is to ask good questions.
6:50 p.m.
(responding to the 2020-02-21 0759pm mountain time post by Louis)
(Ed earlier said)
I asked about that number since some folks are skittish
about revealing their actual IP addresses.
Ed knows me well!
I'm not sure which of all them sequences "ip add show" displays Louis is
referring to, so here's the output, with digits after the first 2 groups
of each sequence replaced with n's in most cases:
-bash.1[~]: ip add show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP group default qlen 1000
link/ether 30:85:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
inet 67.172.nnn.nn/nn brd 67.172.nnn.nnn scope global dynamic
noprefixroute eno1
valid_lft 174956sec preferred_lft 174956sec
inet6 2001:558:nnnn:nn:nnnn:nnnn:nnnn:nnn/nnn scope global dynamic
noprefixroute
valid_lft 318456sec preferred_lft 318456sec
inet6 fe80::nnnn:nnnn:nnnn:nnnn/nn scope link noprefixroute
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN group default qlen 1000
link/ether 52:54:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
inet 192.168.nnn.n/nn brd 192.168.nnn.nnn scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master
virbr0 state DOWN group default qlen 1000
link/ether 52:54:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
-bash.2[~]:
I see "192.168.", but no "10." and no "172.16.". Does that
mean it is
an RFC1918, and that the modem does do NAT and the firewall? Am I
understanding Louis correctly? What's the practical significance of this?
7:56 p.m.
On 2020-02-23 08:50, home user wrote:
(responding to the 2020-02-21 0759pm mountain time post by Louis)
(Ed earlier said)
> I asked about that number since some folks are skittish
> about revealing their actual IP addresses.
Ed knows me well!
I'm not sure which of all them sequences "ip add show" displays Louis is
referring to, so here's the output, with digits after the first 2 groups of each
sequence replaced with n's in most cases:
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group
default qlen 1000
link/ether 30:85:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
inet 67.172.nnn.nn/nn brd 67.172.nnn.nnn scope global dynamic noprefixroute eno1
valid_lft 174956sec preferred_lft 174956sec
inet6 2001:558:nnnn:nn:nnnn:nnnn:nnnn:nnn/nnn scope global dynamic noprefixroute
valid_lft 318456sec preferred_lft 318456sec
inet6 fe80::nnnn:nnnn:nnnn:nnnn/nn scope link noprefixroute
valid_lft forever preferred_lft forever
I see "192.168.", but no "10." and no "172.16.". Does that
mean it is an RFC1918, and that the modem does do NAT and the firewall? Am I
understanding Louis correctly? What's the practical significance of this?
You are a Comcast customer. Comcast owns 67.172.0.0 - 67.172.255.255
So, your IPv4 address is also a Public IP address the same way the IPv6 address is.
Directly
connected to the Internet with no NAT. Also, your modem does not have an internal
Firewall.
Therefore, the firewall on your system is vital.
--
The key to getting good answers is to ask good questions.
5:45 a.m.
On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
your IPv4 address is also a Public IP address the same way the IPv6
address is. Directly connected to the Internet with no NAT. Also,
your modem does not have an internal Firewall. Therefore, the
firewall on your system is vital.
I'd say it's even *more* vital that if you run any services (SSH, mail,
FTP, HTTP, DNS, etc), that you configure them securely, than rely on a
firewall to protect them.
e.g. If you ran a test webserver, but didn't intend to serve it to the
WWW, then you'd configure the test webserver to only listen to internal
addresses/interfaces. Likewise with any other server that you don't
intend to be externally accessible.
I've watched someone (albeit on Windows) get hacked 4 seconds after
connecting to the internet, several times in a row. But the
principal's the same, no matter what OS (flaws exist that you don't
know about). And asshats are continually trying to get it.
Dropping a firewall to test something is something that a lot of people
will do, but isn't something you'd want to do if you couldn't trust all
your services to protect themselves. And there's no safe time period
that you can get away with momentarily dropping one.
--
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
6:34 a.m.
On 2020-02-23 19:45, Tim via users wrote:
On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
> your IPv4 address is also a Public IP address the same way the IPv6
> address is. Directly connected to the Internet with no NAT. Also,
> your modem does not have an internal Firewall. Therefore, the
> firewall on your system is vital.
I'd say it's even *more* vital that if you run any services (SSH, mail,
FTP, HTTP, DNS, etc), that you configure them securely, than rely on a
firewall to protect them.
Well, if you are going to expose those services to the outside world that almost goes
without
saying.
But, the OP has no desire, it seems, to do that.
So, if one would check, all ports are now "filtered".
e.g. If you ran a test webserver, but didn't intend to serve it
to the
WWW, then you'd configure the test webserver to only listen to internal
addresses/interfaces. Likewise with any other server that you don't
intend to be externally accessible.
His system seems to be quite stand-alone.
He only has one interface connected to the Internet and one for virtual machines. No LAN
and
no apparent WiFi interface.
--
The key to getting good answers is to ask good questions.
7:30 a.m.
On Sunday, February 23, 2020 4:45:55 AM MST Tim via users wrote:
On Sun, 2020-02-23 at 09:56 +0800, Ed Greshko wrote:
> your IPv4 address is also a Public IP address the same way the IPv6
> address is. Directly connected to the Internet with no NAT. Also,
> your modem does not have an internal Firewall. Therefore, the
> firewall on your system is vital.
I'd say it's even *more* vital that if you run any services (SSH, mail,
FTP, HTTP, DNS, etc), that you configure them securely, than rely on a
firewall to protect them.
e.g. If you ran a test webserver, but didn't intend to serve it to the
WWW, then you'd configure the test webserver to only listen to internal
addresses/interfaces. Likewise with any other server that you don't
intend to be externally accessible.
I've watched someone (albeit on Windows) get hacked 4 seconds after
connecting to the internet, several times in a row. But the
principal's the same, no matter what OS (flaws exist that you don't
know about). And asshats are continually trying to get it.
Dropping a firewall to test something is something that a lot of people
will do, but isn't something you'd want to do if you couldn't trust all
your services to protect themselves. And there's no safe time period
that you can get away with momentarily dropping one.
The defaults for SSH are "good enough", you can't reasonably expect every
user
to only use ed25519, key exchange, limit ciphers, MACs and KexAlgorithms.
As for mail, FTP, DNS, web servers, these are not installed by default. If the
user installs them, the user will likely be able to figure out how to
configure them.
As for dropping the firewall, it's fine to drop the firewall temporarily if
you're on an airgapped network, or if you're on a trusted network that
enforces a firewall between you and a WAN and disallows unknown devices from
connecting.
--
John M. Harris, Jr.
Splentity
8:05 p.m.
On 2/22/20 4:50 PM, home user wrote:
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
noqueue
state DOWN group default qlen 1000
link/ether 52:54:nn:nn:nn:nn brd ff:ff:ff:ff:ff:ff
inet 192.168.nnn.n/nn brd 192.168.nnn.nnn scope global virbr0
valid_lft forever preferred_lft forever
This is the virtual network used for virtual machines. libvirtd is
enabled by default.
7:41 p.m.
On Thu, 20 Feb 2020 at 18:50, home user <mattisonw(a)comcast.net> wrote:
(on 02/20/2020 at 2:10pm mountain time, Ed said)
> Do you have a fixed IP or dynamic IP?
I believe it's fixed, provided by the ISP (comcast).
> What services do you run on your system? It helps to know what area
you're concerned with.
* Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What
counts as "services" here?)
* Other uses of internet are "under the hood" and mostly
unknown/invisible to me.
* Oddball: when logged in as root, and I launch a terminal, several
seconds later, I see a short wave of internet activity; this is very
consistent. What's going on there?
* No one is authorized to connect in from outside; I myself do not try
to do so.
This morning, I got 2 messages from the bank saying 2 attempts to make
purchases via paypal were rejected because the card had not yet been
activated.
"Not yet been activated" sounds like someone stole the mail and tried to
use
your new card (new 3-digit code and new expiry date).
[...]
--
George N. White III
8:59 p.m.
(on 02/20/2020 at 6:14pm mountain time, George said)
"Not yet been activated" sounds like someone stole the
mail
and tried to use your new card (new 3-digit code and new expiry date).
Possible,
but rather unlikely. The mailbox requires a key to open. It's
also possible that data going from the bank to the company that makes
the cards was intercepted, or that the computers of one of those two
companies was hacked. The bank is supposed to notify me when the new
card is mailed, but that had not yet happened.
8:34 p.m.
Another suggestion, get Wireshark for sniffing traffic, run a sniffer
trace as you are using the machine. You'll want to capture any IP
(layer 3) traffic leaving or entering your machine (may want to setup
filters to reduce capture size). This may be a way to start your
analysis.
Disable any services (daemons) running on the machine that are not
required with a listening port:
sudo netstat -tulpn | grep LISTEN
above will display listening ports
This is at least a start
Frank
On Thu, Feb 20, 2020 at 5:50 PM home user <mattisonw(a)comcast.net> wrote:
>
> (on 02/20/2020 at 2:10pm mountain time, Ed said)
>
> > Do you have a fixed IP or dynamic IP?
>
> I believe it's fixed, provided by the ISP (comcast).
>
> > What services do you run on your system? It helps to know what area
> you're concerned with.
>
> * Firefox, Thunderbird, Tor (rarely), dnf, zoom (for meetings). (What
> counts as "services" here?)
> * Other uses of internet are "under the hood" and mostly
> unknown/invisible to me.
> * Oddball: when logged in as root, and I launch a terminal, several
> seconds later, I see a short wave of internet activity; this is very
> consistent. What's going on there?
> * No one is authorized to connect in from outside; I myself do not try
> to do so.
>
> This morning, I got 2 messages from the bank saying 2 attempts to make
> purchases via paypal were rejected because the card had not yet been
> activated. I called the bank. The messages were legitimate. Curious:
> the card is near expiration, and a new one (same number) had just been
> made/mailed. The bank then de-activated the card. I do not know what
> other personal info the malicious person/group got, where the info came
> from, or who the malicious person/group is. I think it wise for me to
> check that no one is getting into my system. Thus this thread. By the
> way, both chkrootkit and rkhunter reported my system is clean later this
> morning. I do realize they don't check everything.
>
> I'll try Frank's suggestion and respond to him later; I'm researching it
> first.
>
> Bill.
> _______________________________________________
> users mailing list -- users(a)lists.fedoraproject.org
> To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
9:53 p.m.
(on 02/20/2020 at 7:34pm mountain time, Frank said)
Another suggestion, get Wireshark for sniffing traffic,
run a sniffer trace as you are using the machine. You'll
want to capture any IP (layer 3) traffic leaving or
entering your machine (may want to setup filters to reduce
capture size). This may be a way to start your analysis.
Disable any services (daemons) running on the machine that
are not required with a listening port:
sudo netstat -tulpn | grep LISTEN
above will display listening ports
This is at least a start
Except for the netstat command, that went over my head. I have no
training in sysadmin and IT security. I'm a home user. I don't know
how to do what you suggest, or what to look for in the output.
Output to the netstat command is the same as what I put in my earlier
reply to Ed.
(my own idea) I tried wading through several thousand lines of
journalctl output. I couldn't even find my 2 logins since the last boot
(late this morning). I vaguely recall a few years ago stumbling onto
large numbers of hack attempts noted in journalctl output, but I don't
remember what to look for.
10:03 p.m.
On 2020-02-21 11:53, home user wrote:
(on 02/20/2020 at 7:34pm mountain time, Frank said)
> Another suggestion, get Wireshark for sniffing traffic,
> run a sniffer trace as you are using the machine. You'll
> want to capture any IP (layer 3) traffic leaving or
> entering your machine (may want to setup filters to reduce
> capture size). This may be a way to start your analysis.
> Disable any services (daemons) running on the machine that
> are not required with a listening port:
> sudo netstat -tulpn | grep LISTEN
> above will display listening ports
> This is at least a start
Except for the netstat command, that went over my head. I have no training in sysadmin
and IT security. I'm a home user. I don't know how to do what you suggest, or
what to look for in the output.
Output to the netstat command is the same as what I put in my earlier reply to Ed.
(my own idea) I tried wading through several thousand lines of journalctl output. I
couldn't even find my 2 logins since the last boot (late this morning). I vaguely
recall a few years ago stumbling onto large numbers of hack attempts noted in journalctl
output, but I don't remember what to look for.
I don't know how you've gone about identifying "hack attempts".
But the "last" command should display all successful logins.
Additionally, the "lastb" command would reveal failed logins. I do have one
system configured to allow
ssh connections from the Internet using only public-key authentication. I do so to watch
attempts by
"script-kiddies".
The most recent attempts being...
support ssh:notty 92.63.194.7 Fri Feb 21 09:45 - 09:45 (00:00)
guest ssh:notty 92.63.194.108 Fri Feb 21 09:45 - 09:45 (00:00)
ubnt ssh:notty 92.63.194.107 Fri Feb 21 09:45 - 09:45 (00:00)
guest ssh:notty 92.63.194.106 Fri Feb 21 09:45 - 09:45 (00:00)
test ssh:notty 92.63.194.104 Fri Feb 21 09:44 - 09:44 (00:00)
admin ssh:notty 92.63.194.107 Fri Feb 21 09:44 - 09:44 (00:00)
user ssh:notty 92.63.194.106 Fri Feb 21 09:44 - 09:44 (00:00)
admin ssh:notty 92.63.194.105 Fri Feb 21 09:44 - 09:44 (00:00)
admin ssh:notty 92.63.194.104 Fri Feb 21 09:44 - 09:44 (00:00)
92.63.194.107 being in Russia. :-)
--
The key to getting good answers is to ask good questions.
10:29 p.m.
(on 02/20/2020 at 9:03pm mountain time, Ed said)
I don't know how you've gone about identifying "hack
attempts".
I was looking at journalctl output for something else; I don't
recall
what. It was years ago. I happened to notice many entries reporting
login attempts to root and other login names coming from various ip
addresses. Someone in the fedora users list at that time noted that
there was an interesting assortment of countries from which those
attempts were originating.
I tried "last" and "lastb". Those look useful. Thank-you, Ed. I
believe those are what I am looking for.
Back to John's suggestions.
9:06 p.m.
On Thursday, February 20, 2020 1:21:08 PM MST home user wrote:
(on 02/20/2020 1:11pm mountain time, Jack said)
> router logs help me...
My system is isp -> modem -> workstation. No router at this time.
Are you running "GNOME Workstation" on that system? If so, I would recommend
changing the firewall zone immediately, as everything on your system is
currently open to the internet as a whole if you're running the default. The
GNOME Spin does not consider security. Please be aware of this when running
the GNOME Spin, as it affects any open network as well.
--
John M. Harris, Jr.
Splentity
9:17 p.m.
On Thursday, February 20, 2020 8:06:56 PM MST John M. Harris Jr wrote:
On Thursday, February 20, 2020 1:21:08 PM MST home user wrote:
> (on 02/20/2020 1:11pm mountain time, Jack said)
>
>
> > router logs help me...
>
>
> My system is isp -> modem -> workstation. No router at this time.
Are you running "GNOME Workstation" on that system? If so, I would recommend
changing the firewall zone immediately, as everything on your system is
currently open to the internet as a whole if you're running the default.
The GNOME Spin does not consider security. Please be aware of this when
running the GNOME Spin, as it affects any open network as well.
--
John M. Harris, Jr.
Splentity
To further clarify, if you are using the GNOME variant of Fedora, the commands
you'll need to run are:
Step 1: `sudo firewall-cmd --set-default-zone=public`
After this, you'll want to get the name of the primary interface. You can do
this with a few commands, I recommend `ip link`. It will likely begin with
'enp', for example, 'enp0s1'.
Then you would run the following command with that interface name:
`sudo firewall-cmd --change-interface=enpXsY --zone=public`
For example, `sudo firewall-cmd --change-interface=enp0s1 --zone=public'
This exact scenario is why I don't believe the GNOME Spin should have ever
been allowed to effectively disable the firewall with their absurd
FedoraWorkstation firewall zone.
--
John M. Harris, Jr.
Splentity
9:25 p.m.
On 2020-02-21 11:17, John M. Harris Jr wrote:
This exact scenario is why I don't believe the GNOME Spin should
have ever
been allowed to effectively disable the firewall with their absurd
FedoraWorkstation firewall zone.
What do you find absurd about the FedoraWorkstation zone?
[root@f31g ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client mdns samba-client ssh vnc-server
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@f31g ~]# firewall-cmd --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh vnc-server
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The only difference between public and FedoraWorkstation seems to be the inclusion of
samba-client.
--
The key to getting good answers is to ask good questions.
9:47 p.m.
On 2020-02-21 11:25, Ed Greshko wrote:
On 2020-02-21 11:17, John M. Harris Jr wrote:
> This exact scenario is why I don't believe the GNOME Spin should have ever
> been allowed to effectively disable the firewall with their absurd
> FedoraWorkstation firewall zone.
What do you find absurd about the FedoraWorkstation zone?
[root@f31g ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client mdns samba-client ssh vnc-server
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@f31g ~]# firewall-cmd --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh vnc-server
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The only difference between public and FedoraWorkstation seems to be the inclusion of
samba-client.
Oh, never mind. Wrong system. The "default" rules for FedoraWorkstationso seem
"odd".
[root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
--
The key to getting good answers is to ask good questions.
11:34 p.m.
On 2/20/20 7:47 PM, Ed Greshko wrote:
Oh, never mind. Wrong system. The "default" rules for
FedoraWorkstationso seem "odd".
Not really.
[root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
FedoraWorkstation
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
Any critical system daemons are 1024 and below. The reason the high
ports are left open is for user applications to be able to communicate
without users having to figure out the firewall.
11:44 p.m.
On 2020-02-21 13:34, Samuel Sieb wrote:
On 2/20/20 7:47 PM, Ed Greshko wrote:
> Oh, never mind. Wrong system. The "default" rules for FedoraWorkstationso
seem "odd".
Not really.
> [root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
> FedoraWorkstation
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client samba-client ssh
> ports: 1025-65535/udp 1025-65535/tcp
Any critical system daemons are 1024 and below. The reason the high ports are left open
is for user applications to be able to communicate without users having to figure out the
firewall.
Yeah, which is the reason for quotes around odd.
I understand the reasoning to make it easier on users. It is just something I
wouldn't have done.
I can envision someone configuring a service to run on the higher ports which can be
compromised
and then disables selinux because they run into it trying to protect them.
Maybe I shouldn't pity them. :-)
--
The key to getting good answers is to ask good questions.
11:46 p.m.
On Thursday, February 20, 2020 10:44:16 PM MST Ed Greshko wrote:
On 2020-02-21 13:34, Samuel Sieb wrote:
> On 2/20/20 7:47 PM, Ed Greshko wrote:
>
>> Oh, never mind. Wrong system. The "default" rules for
>> FedoraWorkstationso seem "odd".
>
>
> Not really.
>
>
>
>> [root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation
>> FedoraWorkstation
>> target: default
>> icmp-block-inversion: no
>> interfaces:
>> sources:
>> services: dhcpv6-client samba-client ssh
>> ports: 1025-65535/udp 1025-65535/tcp
>
>
>
> Any critical system daemons are 1024 and below. The reason the high ports
> are left open is for user applications to be able to communicate without
> users having to figure out the firewall.
Yeah, which is the reason for quotes around odd.
I understand the reasoning to make it easier on users. It is just something
I wouldn't have done. I can envision someone configuring a service to run
on the higher ports which can be compromised and then disables selinux
because they run into it trying to protect them.
Maybe I shouldn't pity them. :-)
It's not just odd, it's a security nightmare. Processes running directly as
the user have more privileges than most daemons, in fact.
--
John M. Harris, Jr.
Splentity
9:07 a.m.
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
Any critical system daemons are 1024 and below. The reason the high
ports are left open is for user applications to be able to
communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
non-admin user going to set up that listens as a server? Admin-users
setting up those traditional services ought to know how to manage
firewalls, or they ought not to mess around with those services.
Thanks to the forever moving target closed-source things like ICQ, MSN,
Yahoo messenger (some of which have gone by the way of the dodo), there
isn't much in the way of Linux-based clients for those kind of things
that need to have listening ports.
I can only think of something like bitorrent, which doesn't seem to
need you to poke holes in your firewall.
--
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
9:59 a.m.
On Fri, 21 Feb 2020 at 11:08, Tim via users <users(a)lists.fedoraproject.org>
wrote:
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> Any critical system daemons are 1024 and below. The reason the high
> ports are left open is for user applications to be able to
> communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
non-admin user going to set up that listens as a server? Admin-users
setting up those traditional services ought to know how to manage
firewalls, or they ought not to mess around with those services.
The linux user base is so diverse that talking about the average user
isn't very useful. Before retiring I worked with scientists whose computer
background included those who started out with Fortran on mainframes
(CDC) that had minimal security and no internet, biologists replacing
Windows (7) with linux, and numerical modellers who are focused on
intricate computations. All these groups have no background in system
administration or security.
Thanks to the forever moving target closed-source things like ICQ,
MSN,
Yahoo messenger (some of which have gone by the way of the dodo), there
isn't much in the way of Linux-based clients for those kind of things
that need to have listening ports.
In the scientific community there is a trend towards services to perform
calculations on a robust "server" using a GUI client (browser or Java
app) on a laptop. "Notebook" in a browser applications like Jupyter and
Rstudio Server have large user bases.
--
George N. White III
3:53 p.m.
On 2/21/20 7:07 AM, Tim via users wrote:
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> Any critical system daemons are 1024 and below. The reason the high
> ports are left open is for user applications to be able to
> communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
non-admin user going to set up that listens as a server? Admin-users
setting up those traditional services ought to know how to manage
firewalls, or they ought not to mess around with those services.
There are a variety of things like file sharing (webdav), media sharing
(dlna), remote desktop, various 3rd party or proprietary software, etc.
8:17 p.m.
Tim:
> Beyond the usual (HTTP, mail, DNS servers, etc), what is the
average
> non-admin user going to set up that listens as a server? Admin-
> users setting up those traditional services ought to know how to
> manage firewalls, or they ought not to mess around with those
> services.
Samuel Sieb:
There are a variety of things like file sharing (webdav), media
sharing (dlna), remote desktop, various 3rd party or proprietary
software, etc.
So, why can't the installation of those applications automatically
include an appropriate firewall rule? Better to allow a controlled
opening, rather than just open-slather.
--
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
8:59 p.m.
On Friday, February 21, 2020 7:17:33 PM MST Tim via users wrote:
Tim:
>> Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
>> non-admin user going to set up that listens as a server? Admin-
>> users setting up those traditional services ought to know how to
>> manage firewalls, or they ought not to mess around with those
>> services.
Samuel Sieb:
> There are a variety of things like file sharing (webdav), media
> sharing (dlna), remote desktop, various 3rd party or proprietary
> software, etc.
So, why can't the installation of those applications automatically
include an appropriate firewall rule? Better to allow a controlled
opening, rather than just open-slather.
--
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
They do come with firewall rules, see /usr/lib/firewalld/services. They aren't
enabled automatically, of course, because it's up to the end-user whether or
not it should be available on a given interface.
--
John M. Harris, Jr.
Splentity
6:16 p.m.
On Friday, February 21, 2020 8:07:15 AM MST Tim via users wrote:
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> Any critical system daemons are 1024 and below. The reason the high
> ports are left open is for user applications to be able to
> communicate without users having to figure out the firewall.
Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
non-admin user going to set up that listens as a server? Admin-users
setting up those traditional services ought to know how to manage
firewalls, or they ought not to mess around with those services.
Thanks to the forever moving target closed-source things like ICQ, MSN,
Yahoo messenger (some of which have gone by the way of the dodo), there
isn't much in the way of Linux-based clients for those kind of things
that need to have listening ports.
I can only think of something like bitorrent, which doesn't seem to
need you to poke holes in your firewall.
--
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
Most likely, many services, entirely unknowingly, as their own user. I have no
idea what led the GNOME folks into believing it was a good idea to open up
EVERYTHING above 1024.
--
John M. Harris, Jr.
Splentity
10:14 p.m.
(on 02/20/2020 8:17pm mountain time, John said)
(if using Gnome...)
Step 1: `sudo firewall-cmd --set-default-zone=public`
-bash.16[~]: firewall-cmd --set-default-zone=public
Warning: ZONE_ALREADY_SET: public
success
-bash.17[~]
After this, you'll want to get the name of the primary
interface.
You can do this with a few commands, I recommend `ip link`.
It will likely begin with 'enp', for example, 'enp0s1'.
-bash.17[~]: ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP mode DEFAULT group default qlen 1000
link/ether 30:85:a9:97:53:7e brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master
virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
-bash.18[~]: ip link | grep enp
-bash.19[~]:
Nothing starting with "enp". So what is the interface name that I
should use in the second firewall-cmd?
10:16 p.m.
On Thursday, February 20, 2020 9:14:24 PM MST home user wrote:
(on 02/20/2020 8:17pm mountain time, John said)
> (if using Gnome...)
> Step 1: `sudo firewall-cmd --set-default-zone=public`
-bash.16[~]: firewall-cmd --set-default-zone=public
Warning: ZONE_ALREADY_SET: public
success
-bash.17[~]
> After this, you'll want to get the name of the primary interface.
> You can do this with a few commands, I recommend `ip link`.
> It will likely begin with 'enp', for example, 'enp0s1'.
-bash.17[~]: ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP mode DEFAULT group default qlen 1000
link/ether 30:85:a9:97:53:7e brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master
virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:ca:4d:bd brd ff:ff:ff:ff:ff:ff
-bash.18[~]: ip link | grep enp
-bash.19[~]:
Nothing starting with "enp". So what is the interface name that I
should use in the second firewall-cmd?
On your system, it'd be `eno1`.
--
John M. Harris, Jr.
Splentity
11:39 p.m.
On 2/20/20 11:46 AM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that
quickly and easily shows attempts to hack in to a computer. I think it
was either in the Fedora magazine or Gnome's website. I've since made
multiple attempts to find that article, but failed. I'm needing to
check for hack-in attempts (something I suppose I should do
quazi-periodically anyway). What is the tool/application to do that? If
such a tool/application does not exist, then what is the best way for me
to do that?
Given that you are behind a router, the chance of any direct hacking
attempts is extremely unlikely. Even if you went on a public wifi, you
are only "at risk" from the other users at your current location (unless
it's a wider network like some places have).
11:42 p.m.
On 2020-02-21 13:39, Samuel Sieb wrote:
On 2/20/20 11:46 AM, home user wrote:
> (F-30; Gnome; stand-alone home workstation)
>
> Sometime last year, I saw an article that talked about a tool that quickly and easily
shows attempts to hack in to a computer. I think it was either in the Fedora magazine or
Gnome's website. I've since made multiple attempts to find that article, but
failed. I'm needing to check for hack-in attempts (something I suppose I should do
quazi-periodically anyway). What is the tool/application to do that? If such a
tool/application does not exist, then what is the best way for me to do that?
Given that you are behind a router, the chance of any direct hacking attempts is
extremely unlikely. Even if you went on a public wifi, you are only "at risk"
from the other users at your current location (unless it's a wider network like some
places have).
It didn't sound as if he is behind a router since he stated his configuration is...
"My system is isp -> modem -> workstation. No router at this time."
--
The key to getting good answers is to ask good questions.
12:19 a.m.
On 2/20/20 9:42 PM, Ed Greshko wrote:
On 2020-02-21 13:39, Samuel Sieb wrote:
> On 2/20/20 11:46 AM, home user wrote:
>> (F-30; Gnome; stand-alone home workstation)
>>
>> Sometime last year, I saw an article that talked about a tool that quickly and
easily shows attempts to hack in to a computer. I think it was either in the Fedora
magazine or Gnome's website. I've since made multiple attempts to find that
article, but failed. I'm needing to check for hack-in attempts (something I suppose I
should do quazi-periodically anyway). What is the tool/application to do that? If such a
tool/application does not exist, then what is the best way for me to do that?
>
> Given that you are behind a router, the chance of any direct hacking attempts is
extremely unlikely. Even if you went on a public wifi, you are only "at risk"
from the other users at your current location (unless it's a wider network like some
places have).
It didn't sound as if he is behind a router since he stated his configuration is...
"My system is isp -> modem -> workstation. No router at this time."
That's what he said, yes. But most people don't realize that their ISP
modem is also a router. You generally have to ask the ISP to switch the
modem to bridge mode, which I do so I can run my own gateway server.
It's very unlikely that he's directly connected to the internet because
most ISPs only give you one IP address which the modem uses and provides
NAT to the internal network.
12:26 a.m.
On 2020-02-21 14:19, Samuel Sieb wrote:
On 2/20/20 9:42 PM, Ed Greshko wrote:
> On 2020-02-21 13:39, Samuel Sieb wrote:
>> On 2/20/20 11:46 AM, home user wrote:
>>> (F-30; Gnome; stand-alone home workstation)
>>>
>>> Sometime last year, I saw an article that talked about a tool that quickly
and easily shows attempts to hack in to a computer. I think it was either in the Fedora
magazine or Gnome's website. I've since made multiple attempts to find that
article, but failed. I'm needing to check for hack-in attempts (something I suppose I
should do quazi-periodically anyway). What is the tool/application to do that? If such a
tool/application does not exist, then what is the best way for me to do that?
>>
>> Given that you are behind a router, the chance of any direct hacking attempts is
extremely unlikely. Even if you went on a public wifi, you are only "at risk"
from the other users at your current location (unless it's a wider network like some
places have).
>
> It didn't sound as if he is behind a router since he stated his configuration
is...
>
> "My system is isp -> modem -> workstation. No router at this time."
That's what he said, yes. But most people don't realize that their ISP modem is
also a router. You generally have to ask the ISP to switch the modem to bridge mode,
which I do so I can run my own gateway server.
It's very unlikely that he's directly connected to the internet because most ISPs
only give you one IP address which the modem uses and provides NAT to the internal
network.
We shall see how he answers (if he does) my question on "ip add".
I have my own good reason to suspect he actually is directly connected. :-)
--
The key to getting good answers is to ask good questions.
11:42 p.m.
On Thursday, February 20, 2020 10:39:06 PM MST Samuel Sieb wrote:
On 2/20/20 11:46 AM, home user wrote:
> (F-30; Gnome; stand-alone home workstation)
>
> Sometime last year, I saw an article that talked about a tool that
> quickly and easily shows attempts to hack in to a computer. I think it
> was either in the Fedora magazine or Gnome's website. I've since made
> multiple attempts to find that article, but failed. I'm needing to
> check for hack-in attempts (something I suppose I should do
> quazi-periodically anyway). What is the tool/application to do that? If
> such a tool/application does not exist, then what is the best way for me
> to do that?
Given that you are behind a router, the chance of any direct hacking
attempts is extremely unlikely. Even if you went on a public wifi, you
are only "at risk" from the other users at your current location (unless
it's a wider network like some places have).
He explicitly stated he is NOT behind a router. Hence my advice, because of
GNOME spin's horrible default firewall.
--
John M. Harris, Jr.
Splentity
9:23 a.m.
OSSEC, perhaps?
On 2/20/20 1:46 PM, home user wrote:
(F-30; Gnome; stand-alone home workstation)
Sometime last year, I saw an article that talked about a tool that
quickly and easily shows attempts to hack in to a computer. I think it
was either in the Fedora magazine or Gnome's website. I've since made
multiple attempts to find that article, but failed. I'm needing to
check for hack-in attempts (something I suppose I should do
quazi-periodically anyway). What is the tool/application to do that? If
such a tool/application does not exist, then what is the best way for me
to do that?
thanks,
Bill.
10:43 a.m.
My workstation was off yesterday starting soon after 1:15pm (mountain
time) post, and I was out. Now I'm back and online. On to the posts
after that...
9:03 p.m.
New subject: how to detect hack attempts. [SOLVED]
The original desire for a way to occasionally check for hack-in attempts
is satisfied by the 2 commands "lastb" and "last" suggested by Ed.
Other related issues came up in this thread; I trust that they've been
addressed. My sense is that my firewall is as it should be. The
suggestions fail2ban, Wireshark, and OSSEC strike me as overkill, and
difficult for a non-sysadmin non-security person, so I'm passing on those.
Patching the workstation (I do that weekly) and upgrading
(semi-annually) could change things like the firewall without me
knowing. I've known these to create new groups and log-in names. Thus
the desire to be able to occasionally check things (beyond what
chkrootkit and rkhunter do). I've also been getting a lot of e-mails
from addresses ending with ".ng" which are not spam (advertising) but
probably are malicious (not sure; I just delete them). Recently, I've
also started getting messages from addresses ending in "qq.com"
(normally those would be from China) just like the ".ng" messages.
These ".ng" and ".qq.com" messages have html attachments. There are
other subtle hints of trouble. So I hope you understand my concern, and
some desire to keep an eye on things.
I thank the 9 list members who contributed to this thread for their time
and effort helping me. I've marked this thread "SOLVED". But I will
continue to watch it for further posts.
Bill.
9:07 p.m.
New subject: how to detect hack attempts. [SOLVED]
On Saturday, February 22, 2020 8:03:22 PM MST home user wrote:
The original desire for a way to occasionally check for hack-in
attempts
is satisfied by the 2 commands "lastb" and "last" suggested by Ed.
Other related issues came up in this thread; I trust that they've been
addressed. My sense is that my firewall is as it should be. The
suggestions fail2ban, Wireshark, and OSSEC strike me as overkill, and
difficult for a non-sysadmin non-security person, so I'm passing on those.
Patching the workstation (I do that weekly) and upgrading
(semi-annually) could change things like the firewall without me
knowing. I've known these to create new groups and log-in names. Thus
the desire to be able to occasionally check things (beyond what
chkrootkit and rkhunter do). I've also been getting a lot of e-mails
from addresses ending with ".ng" which are not spam (advertising) but
probably are malicious (not sure; I just delete them). Recently, I've
also started getting messages from addresses ending in "qq.com"
(normally those would be from China) just like the ".ng" messages.
These ".ng" and ".qq.com" messages have html attachments. There are
other subtle hints of trouble. So I hope you understand my concern, and
some desire to keep an eye on things.
I thank the 9 list members who contributed to this thread for their time
and effort helping me. I've marked this thread "SOLVED". But I will
continue to watch it for further posts.
Bill.
Glad to hear it. A quick note, Fedora Workstation (what I refer to as the
"GNOME Spin") may send out an update which resets your firewall to their
defaults, which would open you back up to attacks. I'll pass this along, and
hopefully we can get a more sane firewall into Fedora's GNOME experience
within the year..
--
John M. Harris, Jr.
Splentity
9:17 p.m.
New subject: how to detect hack attempts. [SOLVED]
On 2/22/20 7:07 PM, John M. Harris Jr wrote:
Glad to hear it. A quick note, Fedora Workstation (what I refer to as
the
"GNOME Spin") may send out an update which resets your firewall to their
defaults, which would open you back up to attacks. I'll pass this along, and
hopefully we can get a more sane firewall into Fedora's GNOME experience
within the year..
I guarantee that the firewall will not be changing. It has been
discussed at length in the past and that is what was decided on. Your
opinion on it is noted, but will not change anything.
9:34 p.m.
New subject: how to detect hack attempts. [SOLVED]
On Saturday, February 22, 2020 8:17:01 PM MST Samuel Sieb wrote:
On 2/22/20 7:07 PM, John M. Harris Jr wrote:
> Glad to hear it. A quick note, Fedora Workstation (what I refer to as the
> "GNOME Spin") may send out an update which resets your firewall to their
> defaults, which would open you back up to attacks. I'll pass this along,
> and hopefully we can get a more sane firewall into Fedora's GNOME
> experience within the year..
I guarantee that the firewall will not be changing. It has been
discussed at length in the past and that is what was decided on. Your
opinion on it is noted, but will not change anything.
If it has been discussed at length, then you'd know that it makes no sense to
open all of the ports that firewall zone opens. You've seen a real-world
example of the harm that firewall zone causes in this very thread.
--
John M. Harris, Jr.
Splentity
9:38 p.m.
New subject: how to detect hack attempts. [SOLVED]
On 2/22/20 7:34 PM, John M. Harris Jr wrote:
On Saturday, February 22, 2020 8:17:01 PM MST Samuel Sieb wrote:
> On 2/22/20 7:07 PM, John M. Harris Jr wrote:
>
>> Glad to hear it. A quick note, Fedora Workstation (what I refer to as the
>> "GNOME Spin") may send out an update which resets your firewall to
their
>> defaults, which would open you back up to attacks. I'll pass this along,
>> and hopefully we can get a more sane firewall into Fedora's GNOME
>> experience within the year..
>
>
> I guarantee that the firewall will not be changing. It has been
> discussed at length in the past and that is what was decided on. Your
> opinion on it is noted, but will not change anything.
If it has been discussed at length, then you'd know that it makes no sense to
open all of the ports that firewall zone opens. You've seen a real-world
example of the harm that firewall zone causes in this very thread.
It makes sense and I didn't see any harm in this thread. Feel free to
bring it up again, but all you'll do is annoy people.
9:44 p.m.
New subject: how to detect hack attempts. [SOLVED]
On Saturday, February 22, 2020 8:38:38 PM MST Samuel Sieb wrote:
On 2/22/20 7:34 PM, John M. Harris Jr wrote:
> On Saturday, February 22, 2020 8:17:01 PM MST Samuel Sieb wrote:
>
>> On 2/22/20 7:07 PM, John M. Harris Jr wrote:
>>
>>
>>
>>> Glad to hear it. A quick note, Fedora Workstation (what I refer to as
>>> the
>>> "GNOME Spin") may send out an update which resets your firewall
to
>>> their
>>> defaults, which would open you back up to attacks. I'll pass this
>>> along,
>>> and hopefully we can get a more sane firewall into Fedora's GNOME
>>> experience within the year..
>>
>>
>>
>>
>> I guarantee that the firewall will not be changing. It has been
>> discussed at length in the past and that is what was decided on. Your
>> opinion on it is noted, but will not change anything.
>
>
> If it has been discussed at length, then you'd know that it makes no sense
> to open all of the ports that firewall zone opens. You've seen a
> real-world example of the harm that firewall zone causes in this very
> thread.
It makes sense and I didn't see any harm in this thread. Feel free to
bring it up again, but all you'll do is annoy people.
It makes absolutely no sense. The ports it opens are all meant to run as the
user, the ones that are, arguably, the most sensitive. It opens these on ALL
interfaces BY DEFAULT, which is absolutely absurd. This means that everything
binding a port as the user winds up open to every network they connect to,
unless the end user explicitly goes and changes the firewall zone, which the
GNOME UI doesn't even provide a way to do (unless something has changed), the
use has to use firewall-cmd or open nm-connection-editor. The harm in this
demonstrated in this thread was opening EVERY PROCESS THAT BINDS A PORT AS THE
USER to THE ENTIRE INTERNET, on both IPv4 and IPv6.
--
John M. Harris, Jr.
Splentity
11:32 p.m.
New subject: how to detect hack attempts. [SOLVED]
On 2020-02-23 11:44, John M. Harris Jr wrote:
The harm in this
demonstrated in this thread was opening EVERY PROCESS THAT BINDS A PORT AS THE
USER to THE ENTIRE INTERNET, on both IPv4 and IPv6.
Except that in this thread there were no processes bound to any higher port and in
LISTEN.
--
The key to getting good answers is to ask good questions.
11:37 p.m.
New subject: how to detect hack attempts. [SOLVED]
On Saturday, February 22, 2020 10:32:19 PM MST Ed Greshko wrote:
On 2020-02-23 11:44, John M. Harris Jr wrote:
> The harm in this
> demonstrated in this thread was opening EVERY PROCESS THAT BINDS A PORT AS
> THE USER to THE ENTIRE INTERNET, on both IPv4 and IPv6.
Except that in this thread there were no processes bound to any higher port
and in LISTEN.
Which demonstrates that fixing that horrible policy would not harm users.
--
John M. Harris, Jr.
Splentity
1533
days inactive
1536
days old
73 comments
10 participants
participants (10)
-
Ed Greshko -
Frank Pikelner -
George N. White III -
home user -
Jack Craig -
John M. Harris Jr -
Louis Lagendijk -
Samuel Sieb -
SternData -
Tim