Devon & Cornwall Linux Users' Group

Re: [LUG] Broadband for Totnes



On Tuesday, Feb 25, 2003, at 13:53 Europe/London, David Batho wrote:

ARP request should be all the time; this only verifies you on the DHCP network or ADSL is providing. Address resolution. (32 bits per packet if I'm right, tell me if I'm wrong.)

ARP has nothing to do with DHCP. ARP is used by a device on the local network to discover MAC addresses using IP addresses. DHCP on the other hand is a variant of bootpc - a DHCP client makes a broadcast for a DHCP server to give it a lease on an IP address and the DHCP server returns it an address (grossly oversimplified - there's a lot of negotiation going on behind the scenes).


If you block ARP or somehow screw with its operation then expect to stop receiving data fairly soon :)

Windows NT has some dire faults with its TCP/IP stack.
1. If NetBIOS is enabled, with no firewall between you and the WWW, this will broadcast. (It's advised to disable NetBIOS and NetBEUI if you are not using them.) Good old NT/2000 - if so products L0phtCrack to hack password files.

Yes, Windows NT is crap. NetBIOS however is an integral part of Windows NT/2K and it's a PITA to completely disable. As for "this will broadcast", broadcast what?


NetBEUI is a non-routed protocol. Virtually all ISPs (and it should be *all* ISPs) block non-IP traffic as close as they can to the customer (e.g. preventing PPP from even negotiating non-ip protocols). As for L0phtcrack, well it can do some pretty nasty things, even if you're behind a firewall (e.g. snarf NTLM hashes off the wire and crack them). And thanks to the shite-ness of MS it's trivial to spoof a user into sending a hash over the net to your own server.

2. POP3 will only connect on request, for example: 25 - 110 depending on your config file for mail delivery and sending.

Eh?


3. ICMP checks - that no one is pinging your machine. (deny ICMP packets)

God no! Don't just block ICMP. Only block those ICMP types that you really need to. ICMP echo/echo-reply are harmless if they are rate limited. Traceroute can reveal too much information for some security policies. Make sure you block ICMP redirects, router announcements/selection. Don't however block ICMP TTL Exceeded, or you'll lose notification of routing loops. Oh and blindly disabling ICMP will break Path MTU discovery :)


4. NT - disable the messenger service - easy to write a script to send messages to your NT box. Microsoft, like many OSes, says to disable services that are not required for your day-to-day service.

This is a sensible step for *any* OS. Remove all that you don't use, and securely configure what's left.


5. Linux - iptables - very configurable to set a firewall up. Or use the SuSE 8.1 firewall, very easy.

Firewalls won't fix everything though - there are more and more client-side holes that can be exploited and can lead to far more serious information compromise.


6. Check that you're not running IIS; if so, check services - NNTP, HTTP and SMTP are started by default. Lovely hacking idea there.

Even better, make sure you keep up to date with patches and new versions of software. On a daily basis, preferably :)


J.

--
Jon Still                               E-mail: jon@xxxxxxxxxxx
tertial.org                             Web:    http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc    Key ID: 0x00493D2B
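The ICMP policy in Jon's reply (drop redirects and router discovery, keep TTL Exceeded and unreachables so Path MTU discovery still works, rate-limit echo/echo-reply, deny the rest), as an added example written for this page and not code from the list or from any firewall product: it parses constructed raw IPv4/ICMP packets and returns a verdict per packet. The packet builder, the 10.0.0.x addresses and the token-bucket limiter are assumptions made for the example.

```python
import struct

# ICMP type numbers from RFC 792 / RFC 1256
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
ROUTER_ADVERT, ROUTER_SOLICIT, TIME_EXCEEDED = 9, 10, 11
FRAG_NEEDED = 4  # DEST_UNREACH code that Path MTU discovery relies on

class TokenBucket:
    """Rate limiter for echo/echo-reply; time is passed in so tests are deterministic."""
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), None
    def allow(self, now):
        if self.last is not None:  # refill for the time elapsed since the last packet
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def parse_icmp(packet):
    """Return (type, code) from a raw IPv4 packet, or None if it is not ICMP."""
    if len(packet) < 20 or packet[9] != 1:  # IPv4 protocol field: 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    if len(packet) < ihl + 4:
        return None
    return struct.unpack_from("!BB", packet, ihl)

def icmp_verdict(packet, bucket, now):
    """Drop redirects/router discovery, keep TTL Exceeded and unreachables (PMTUD), rate-limit echo, deny the rest."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "NOT_ICMP"  # not this filter's business; leave it to the IP/TCP rules
    icmp_type, _code = parsed
    if icmp_type in (REDIRECT, ROUTER_ADVERT, ROUTER_SOLICIT):
        return "DROP"
    if icmp_type in (TIME_EXCEEDED, DEST_UNREACH):
        return "ACCEPT"
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "ACCEPT" if bucket.allow(now) else "DROP"
    return "DROP"

def build_packet(icmp_type, icmp_code, proto=1):
    """Constructed sample: 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2) + 8-byte ICMP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
```

With a bucket of burst 3 and 1 token/s, a burst of four pings yields three ACCEPTs and a DROP, while a redirect is dropped and a "fragmentation needed" unreachable is always accepted.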

