
Security Suggestions needed


F4

Okay, security is never something I've taken seriously much before, but as of now, I will be starting.

My aunt's boyfriend hired a company to spy on her, and that company found backdoor software on her PC, which they exploited and sent chat logs & emails to her boyfriend, as well as traced back how the backdoor software got in, and who else was using it: her ex-husband.

I need suggestions, because this is obviously a problem. But I'm not sure what the best solution is because I've never taken security seriously before. Having an insecure network has never posed an actual problem, only a potential problem.

I went to their house and installed ZoneAlarm on both PCs, and gave them a tutorial on how to use it. I need suggestions for what else to do.

The network setup is simple: it's two PCs connected by a hub, with a cable modem plugged in. My thoughts were to possibly bring in a linux box to set up as a gateway/firewall, just to take extra care.

I really do need some suggestions though, as to what the best route to take would be.

Thanks in advance.
 
Go to ShieldsUp's home site. www.GRC.com. Get tested for stealthness.

Go and enter services control(s) to adjust any communication with remote sources to the appropriate level of secureness. It may be a bot or altered IRC programming, something like that.
You can stop all that through your services and/or firewall(physical or soft, and I think soft could be sufficient in this case)...
 
What is the OS being used on the machines in question? If the OS is not Win2K or XP Pro I would suggest an upgrade to either of those OSes.

Since the machines were connected to the cable modem through a hub with no physical firewall, it is entirely possible that a key logging program was installed.
 
I never thought about a key logging program, but typically speaking, those are installed either through a backdoor, or by physically sitting down at the computer.

Firewall or not, if the backdoor software is in, and being let through, they can install a keystroke recorder.
 
I would install a linux router (or a cable/dsl router). They don't sound like they need to have any ports open, so either router will add extra protection.

I would also install a virus scanner on both of the computers, do a full scan, and have it update the definitions automatically.

If there is still a security risk, I would advise formatting & reinstalling.. that may be a little over the top, but it would get rid of any back doors that may be left open. ZoneAlarm is only as good as the user... they get the option "let the trojan access the internet?"

Depending on the level of risk, you may want to go further. On the OSes, I would definitely have them log in with complex passwords and disabled guest accounts. If there's a possible physical security threat, disable auto-login. Keystroke recorders can come in physical form too.. you can get ones that will attach between the keyboard and the computer... they will automatically email out the keystrokes every so often.
 
PsYcO CyBrArIaN said:
Go to ShieldsUp's home site. www.GRC.com. Get tested for stealthness.

Ohh yes, I love http://grc.com; it certainly makes an interesting read, but the claims and statements made by Gibson are simply a little suspect.. Ask any person who does networking or security for a living if they have ever heard of nano probes?
In fact, a simple traffic sniffer reveals the truth about those probes: they are merely ICMP and TCP/UDP based connect and scan attempts.
It is strange that Gibson places so much concern over XP's raw sockets when his own ShieldsUp service states that XP machines are safe and hidden on the internet. If this is the case then an XP box can not be scanned, which makes the only threat a trojan which needs to be downloaded and installed by the XP user... Hardly something to be concerned about then, is it?
Gibson does not make appearances on *real* security boards/interviews/gatherings such as Defcon or the BlackHat Conference. Why doesn't he comment on Bugtraq?
Gibson worked for years as a marketer specializing in media advertising and public relations, and that's what he is really good at.

IMHO take GRC information with a pinch of salt.. these are my opinions after researching the matter and are not endorsed in any way by Overclockers.com

Also check out http://grcsucks.com. Do not take my views as being true: read up on the matter, run a traffic sniffer, discover the facts for yourself and decide what you wish to believe.

Personally speaking, I think that SU Root offers the most realistic and sensible advice, without greatly affecting the user experience.
 
I do plan on taking his advice.

Basically though, what I don't understand, is that if I block all the ports coming in through the interface attached to the cable modem on the linux box, wouldn't that prevent the user from actually doing anything online?

Furthermore, if I do block all the ports and that doesn't interfere with the user using the net, does that mean that I can stop worrying about the XP boxen being attacked via the internet?

Or are there still potential problems? (aside from someone packet sniffing)
 
F4 said:
I do plan on taking his advice.

Basically though, what I don't understand, is that if I block all the ports coming in through the interface attached to the cable modem on the linux box, wouldn't that prevent the user from actually doing anything online?

Furthermore, if I do block all the ports and that doesn't interfere with the user using the net, does that mean that I can stop worrying about the XP boxen being attacked via the internet?
On a Cable/DSL router, if you don't create any port maps or DMZs (basically block all the ports), then no incoming packets will get through. How NAT works is when a request goes out, it tells the webserver to reply on a certain (random) port. That port is held open by the router for a certain amount of time, or until it receives the reply, then it's closed. So, there are tiny temporary holes in the webserver, but none that can really be exploited. Any incoming connections, or unexpected packets, will just be dropped.

On a linux box, you have to be careful, because you aren't "Closing Ports", you are filtering traffic. Basically, you want to filter everything incoming on TCP and UDP ports 1-1024 (this is a server range, nothing will use it). Debatably you can filter out incoming TCP and UDP ports 1025-4096, as they "shouldn't" be used (but sometimes programmers are lazy and use them anyway)... They are also server ports. The rest (4097-65535) should be left open for NAT. Any incoming connections will be connected to the linux box, not the XP boxes. Any incoming in the range of 1-4096 should be denied by the filter, anything else should hit a closed port (do an nmap on your linux box to be sure); the only ports that should be open are the temporary NAT ones, and they should only be open for short periods of time.

Or are there still potential problems? (aside from someone packet sniffing)
It really depends on how far they go. If they are just attacking from the net, it's very unlikely that they will get past a proper Linux box, or a cable/dsl router, without the aid of a trojan. If they come in physically, then there's not much you can do.. If the computers are left logged in, then they have full access to the harddrive and logs, can install programs, etc. I highly doubt they'll go that far, but you never know.. If the house has an alarm, you'll be ok.

Some good linux router OSes:
http://www.coyotelinux.com/ (for harddrive-less)
http://www.smoothwall.org/ (for boxes with harddrives)
 
Well, I have a linux box at home I'm trying these things out with.

In RedHat, I have 3 tables for traffic filtering / NAT.

My policy on the INPUT chain is to DROP anything coming from eth0 (my internet connection), which I would have thought would have killed anything coming in from the internet.

Apparently though, the WinXP boxes are completely bypassing the INPUT chain, and only using the FORWARD chain. And since my FORWARD chain is only passing things through, and not blocking anything, essentially I have no ports blocked. Correct?

The linux box has lost connectivity, but the Windows PCs that access the net through it are still going fine. Which seems odd to me, but I think I understand why it's doing that.

In order to block someone on the net from trying to hit a port on my Windows Boxes, I would need to block it on the forward chain, and it wouldn't really matter whether or not it's blocked on the INPUT chain. Is this correct?
 
F4 said:
My policy on the INPUT chain is to DROP anything coming from eth0 (my internet connection), which I would have thought would have killed anything coming in from the internet.

Apparently though, the WinXP boxes are completely bypassing the INPUT chain, and only using the FORWARD chain. And since my FORWARD chain is only passing things through, and not blocking anything, essentially I have no ports blocked. Correct?

The linux box has lost connectivity, but the Windows PCs that access the net through it are still going fine. Which seems odd to me, but I think I understand why it's doing that.

In order to block someone on the net from trying to hit a port on my Windows boxes, I would need to block it on the FORWARD chain, and it wouldn't really matter whether or not it's blocked on the INPUT chain. Is this correct?
It all depends on which chain is first. If the INPUT chain is first, nothing should get through. If the forward chain is first, then, depending on the rules in there, it may be letting some/all traffic through.

With any firewall, any incoming packet will test every rule in order. The first rule that it finds that tests true, it will stop at, and won't go any further. Ideally, you should need very few rules, except if you are forwarding ports. A basic firewall should be:
Deny Incoming TCP & UDP 1-4096
[NAT Rules]
Deny Incoming TCP & UDP 1-65535
So, if the packet is above 4096, then it goes to NAT. If NAT isn't familiar with it, then it wasn't requested, and is dropped.
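A concrete ruleset for the two-NIC Linux gateway discussed in the thread (the NAT explanation earlier and the INPUT versus FORWARD question just above), added here as an example; it was not posted by anyone in the thread. It assumes eth0 faces the cable modem and eth1 faces the hub, and it uses connection tracking (the iptables state match) rather than the port-range filtering suggested above, so unsolicited inbound traffic is dropped on the FORWARD chain whatever port it targets.

```shell
#!/bin/sh
# Constructed example: stateful iptables ruleset for a two-NIC gateway.
# Assumed interface names: eth0 = cable modem (Internet), eth1 = LAN hub.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Emit the ruleset in iptables-restore format on stdout. Apply with:
#   sysctl -w net.ipv4.ip_forward=1 && gateway_rules | iptables-restore
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN source addresses to the gateway's WAN address on the way out
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# Default-deny on BOTH chains. INPUT only sees packets addressed to the
# gateway itself; packets routed on to the LAN PCs go through FORWARD, so a
# DROP policy on INPUT alone leaves the Windows boxes fully reachable.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${LAN_IF} -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Explicit early drop of new inbound connections from the Internet, so a
# rule appended later cannot accidentally let them through.
-A FORWARD -i ${WAN_IF} -m state --state NEW -j DROP
# LAN -> Internet: allowed. Internet -> LAN: only replies to those sessions.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

Lines starting with `#` are ignored by iptables-restore, so the ruleset can be applied as printed; check the result afterwards with `iptables -L -v -n` and an external scan of the gateway's WAN address.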
 
It must be doing the FORWARD chain first then, judging by its behavior.

Thanks for the help Pedro.
 