HIPS/BB for Linux

Discussion in 'all things UNIX' started by nomarjr3, Jun 8, 2009.

Thread Status:
Not open for further replies.
  1. That being said, bugs like this should not be in a kernel. At all. :eek:

    (Of course, Windows NT might be full of stuff like this, and we'd just never know because it's closed source. Nonetheless...)
     
  2. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    In a perfect world, that might be true. Point is that no vuln makes casual users subject to trojan/bot in Linux. Can that be said about Win?
     
    Last edited: Jun 24, 2009
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    I have not read all of the posts in this thread, but a common misconception about Linux firewalls is that netfilter/iptables protects you which just isn't true in the following context:

    Netfilter/iptables is a network layer packet protection mechanism, and does not provide protection from other layer attacks, such as arp table attacks.

    All Linux distros today (version 2.6 kernel) come with netfilter/iptables capability, but this in and of itself does not protect you even at the network layer until you activate it with iptables rules (the rules do not come with the distro - they are a user responsibility).

    With regard to firewalls in general, there are generally speaking three kinds:
    1) a packet filter - aka a router
    2) an application gateway, i.e. a proxy server coupled with an access list
    3) stateful inspection firewall which is a hybrid of 1) and 2).

    The packet filter kind is the poor man's firewall which is what netfilter/iptables is, and only works for the IP (network) layer. They are not scalable and do not provide maximum security. Because it does not check the application layer it gives you speed, and you are not guaranteed that the packet will be legitimate and without malicious intent.

    Application gateways can easily be brought to their feet by Qos (Quality), Tos (Time) and Dos (Denial of Service) attacks.

    An example of stateful inspection is Cisco's PIX box. It works on all 7 layers from the physical up to the application layer. The only issue with it is if you define any traffic to go through it because the vendor allows it, such as insecure programs like NFS and Berkeley services.

    -- Tom
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hi Tom,

    arp is only an issue in untrusted networks, at home it is meaningless.

    Some distros come with firewall activated and the basic inbound rule configured, so it's cool. In fact, most do.

    As to iptables, why it's poor man's firewall - and why do you need to check the application layer, don't you trust your apps? Besides, you run as user, so even if there's a vulnerability, it won't do much harm if exploited - if it all, considering you get patches for everything every few days ...

    Mrk
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yep. Besides, these MAC systems that we were discussing in this thread protect the applications anyway -- even against 0-days.
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Provided no user intervention is required, even after many updates to kernel and programs, it might be fine to install apparmor-profiles for someone like me being a simple home desktop user.
    The additional profiles available in the apparmor-profiles package are shown in the screenshot. They will be in complain mode by default, so at a later stage one should put them all in enforce mode. Seems that they are geared more towards server systems but I am asking anyway. :p
    Has anyone running these profiles in enforced mode ever experienced nasty problems?
    [attached screenshot: apparmor-profiles.jpg]
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Ocky,

    Right you are - those are apparmor profiles for servers.

    As a home user, the most important apparmor profile anyone should be interested in is a Firefox apparmor profile. I found one discussed in a technical paper and tried it out for a while. I decided after a while that I wasn't paranoid enough to continue using it given the other protections I had in place.

    If you want to try it, I have included it as an attachment. The name of the file is usr.lib.firefox.firefox and needs to be located in /etc/apparmor.d with rw-r--r-- permissions for root user and root group. I have named the file usr.lib.firefox.firefox.txt for the attachment upload and you will need to rename it usr.lib.firefox.firefox (it is an ASCII file).

    Note: the following two commands (commented out below) need to be given to effect its startup for apparmor:
    #mount securityfs -t securityfs /sys/kernel/security
    #/etc/init.d/apparmor start

    -- Tom
     

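Tom's two commands above make securityfs and the AppArmor init script available; the question from post 6 is then which of the loaded profiles are still in complain mode. The script below is added here as an illustration and is not from the thread or from the AppArmor project. It parses the kernel's own profile listing, /sys/kernel/security/apparmor/profiles, which holds one "name (mode)" line per loaded profile, and reports profiles by mode. The sample listing, the profile names in it, the AA_PROFILES variable and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report AppArmor profiles by mode.
# Real interface: /sys/kernel/security/apparmor/profiles, one line per loaded
# profile, formatted "<profile name> (<mode>)", e.g.
#   /usr/lib/firefox/firefox (complain)
# AA_PROFILES can be pointed elsewhere so the functions can run on a sample.
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# apparmor_enabled: succeeds when securityfs is mounted and AppArmor is loaded,
# i.e. the directory Tom's "mount securityfs" command creates is populated.
apparmor_enabled() {
    [ -r "$AA_PROFILES" ]
}

# profiles_in_mode FILE MODE: print the names of profiles loaded in MODE
# ("enforce" or "complain"). The mode is the last field in parentheses;
# it is stripped before the name is printed.
profiles_in_mode() {
    awk -v want="$2" '
        $NF == "(" want ")" { sub(/ \([a-z]+\)$/, ""); print }
    ' "$1"
}

# count_in_mode FILE MODE: number of profiles in MODE.
count_in_mode() {
    profiles_in_mode "$1" "$2" | wc -l | tr -d ' '
}

# write_sample FILE: constructed listing, as it might look after installing
# apparmor-profiles (server profiles left in complain mode) and putting a
# Firefox profile into enforce mode.
write_sample() {
    cat > "$1" <<'EOF'
/usr/lib/firefox/firefox (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/dnsmasq (complain)
/usr/sbin/nscd (complain)
/usr/sbin/sshd (complain)
EOF
}

# Stand-alone run: list the profiles that are still in complain mode, i.e.
# the ones that only log would-be violations instead of blocking them.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample "$tmp"
    echo "complain mode (still to be switched with aa-enforce):"
    profiles_in_mode "$tmp" complain
    rm -f "$tmp"
fi
```

aa-status reads the same file and is the usual way to get this report; aa-complain and aa-enforce switch an individual profile between the two modes. The point of checking is that a complain-mode profile protects nothing: it only records what it would have denied, which is useful for tuning a profile but not as a defence.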

  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Mrk,

    Sorry to take so long in answering your post.

    The reference to iptables as - a poor man's firewall - is an apt description for a router since it only ever protects the Network layer - all other layers are not protected which is what the stateful inspection firewall like PIX (mucho dinero in comparison to a router cost such as a LinkSys popular with home users) is capable of doing. Note: I am referring to the use of a hardware router here, and iptables (with rules) running on a Unix/Linux OS (as a software router in the kernel) which can be run without the hardware router (most run embedded RT Linux distro OSes).

    So, it is not an issue of not trusting the apps - albeit an issue that usually flies over the head of most uninformed users. Only the super paranoid never trust their apps, but then again, most apps are not designed with security in mind, so why should they be trusted at all, eh?

    I run in an Ubuntu Live CD environment, which I am in the process of customizing. My environment gets initialized every day to the same one as the previous day. I do not get daily security updates (maybe you are confusing me with a Windows user), however, I suppose I could crank up KSplice to update the Linux kernel security updates without having to reboot - that is a real win. I have saved off tarballs of all of the packages I need which initialize my environment after I do a preliminary setup - takes only a minute to apply. None of my disks are mounted when I activate my Internet connection after initialization is complete. Since the Live CD is not writable, I am willing to do what it takes to secure my home environment such that I have a $0.00 cost in security and OS cost. I also have lots of RAM. It works for me - helps to have been a system software engineer for years.

    -- Tom
     
  9. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    None is needed. Since any program execution requires superuser privileges, malware installation isn't a concern in Linux. If you get on a bad site, no drive by code can install and the bad guys just don't write for Linux. They write for Windows.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Iptables is a stateful firewall!

    Huh? I have a hard time following that sentence. Can you rephrase it to make it easier to read? I think you are trying to say that a Linux distro running iptables is different from an embedded Linux distro running on a router (but this is false).


    Instead of going through all that trouble and using an excruciatingly slow LiveCD environment, why not just use AppArmor?
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I have all of those profiles in enforce mode and have not experienced a single problem yet. I have also created my own Firefox, Kopete, Transmission, and Kvirc profiles as well.
     
  12. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi NormanF,

    What planet do you live on? Malware, although mostly targeted to Windows users, is also admittedly quite a lot less targeted to Unix/Linux computers - it does exist, and BTW what gives you the idea that anyone capable of intruding into a Linux computer would not be able to gain root (superuser) access? Bad guys do and can (with enough motivation) target Unix/Linux computers - i.e. they do not exclusively write for Windows.

    -- Tom
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi chronomatic,

    Iptables only protects the network layer and no other layer by itself. You are confused about a stateful firewall vs. stateful inspection - two different things. The difference is that stateful inspection refers to what a hybrid firewall does which is a mix between an application gateway and a packet filter. Packet filters (stateful firewalls like iptables/netfilter) do not check application type and therefore you get speed, but you are not guaranteed that the packet will be legitimate and without malicious intent!

    Ok - poorly worded. Iptables can be run without a hardware router, but it is and can do software routing at the kernel level since it is a software capability implemented jointly with netfilter in the kernel. A hardware router adds additional protection, and many use Linux real-time embedded OSes to implement routing such as the Verizon FiOS router which uses Busybox.

    For the record, my Live CD environment on a 3.2GHz processor with over 3GB RAM and a high-speed Internet connection is no such slouch. The difference between it and all installed OSes out there with Internet connections is that they have their disks exposed, and mine are not even mounted - very much more secure. When I turn the power off, unless someone has rewritten my BIOS - no malware that resides in RAM will survive.

    -- Tom
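Post 3 says the iptables rules are the user's to write, and posts 10 and 13 argue over what "stateful" means for iptables. The script below is an added example, not from the thread, showing the concrete thing both sides are talking about: a minimal default-deny inbound ruleset for a single home machine whose stateful element is the conntrack match on ESTABLISHED,RELATED. By default it does a dry run (IPT is "echo iptables", so the rules are printed rather than applied); setting IPT=iptables and running as root applies them. The ALLOW_TCP variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful inbound ruleset for
# netfilter/iptables on a single home host. Nothing like this ships with the
# kernel; the rules are the administrator's to write. The stateful part is the
# conntrack match: replies to connections this host opened are accepted by
# state, everything else inbound is dropped unless explicitly allowed.
#
# IPT defaults to a dry run that prints each rule; set IPT=iptables (as root)
# to apply them for real.
IPT="${IPT:-echo iptables}"

# Hypothetical space-separated list of TCP ports to expose; empty = none.
ALLOW_TCP="${ALLOW_TCP:-}"

# stateful_ruleset: emit (or apply) the rules, one $IPT call per rule.
stateful_ruleset() {
    $IPT -F INPUT                 # start from an empty INPUT chain
    $IPT -P INPUT DROP            # default deny inbound
    $IPT -P FORWARD DROP          # this host is not a router
    $IPT -P OUTPUT ACCEPT         # outbound trusted (the thread's "trust your apps")

    # Loopback traffic is always local and always allowed.
    $IPT -A INPUT -i lo -j ACCEPT

    # Packets the connection tracker cannot place in any flow: drop early.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The stateful rule: traffic belonging to a flow we already track.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Explicitly exposed services, new connections only.
    for port in $ALLOW_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Answer pings, but rate-limited.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log (rate-limited) what the default policy is about to drop, so the
    # kernel log shows unsolicited inbound attempts.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT drop: "
}

# command_count: number of iptables invocations the current settings produce.
command_count() { stateful_ruleset | wc -l | tr -d ' '; }

# has_rule PATTERN: succeeds if a generated rule contains PATTERN (dry run only).
has_rule() { stateful_ruleset | grep -q -- "$1"; }

# Stand-alone: print the dry run.
if [ "${1:-}" = "demo" ]; then
    stateful_ruleset
fi
```

"-m conntrack --ctstate" is the current spelling; kernels of the thread's era commonly used "-m state --state", which behaves the same for these states. Note what this ruleset decides on: address, port and connection state. Whether the bytes inside an accepted connection are benign is outside its view, which is the gap the DPI modules mentioned later in the thread (L7-filter, fwsnort) are meant to fill.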
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Iptables can indeed filter based on the layer-7 attributes of a packet. That is, it can do both SPI and DPI. In order to do DPI, one needs a module like L7-filter or fwsnort. Iptables is highly configurable and extensible with modules.

    There is a Linux liveCD distro called "ZeroShell" that uses these IPtables technologies for achieving SPI and DPI.

    I think we are getting our wires crossed. What I was saying is that running a Linux distro on a dedicated spare PC and using it as a dedicated firewall is no different (and actually more effective) than running a router. If one has a spare PC with more CPU horsepower, one can also set up an IDS (Snort) and have it all on one machine.

    And you can run Linux distros on certain routers (Linksys WRT54GS/L for instance). DD-WRT, Tomato, Open-WRT are all embedded Linux distros.

    You can do this with an installed OS. For instance you can set your partition options in /etc/fstab to "noexec" where nothing can execute. And with a MAC like AppArmor, you can make it where nothing can write to certain directories (even when attempting to write to your /home partition).
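chronomatic's fstab suggestion, as an added example that is not the thread's own: a constructed fstab in which /home and /tmp are mounted with plain "defaults", the same layout with nodev,nosuid,noexec on the writable filesystems, and a small audit that lists entries still missing a given option. The UUIDs are placeholders and the function names are assumptions of this example; pointing the audit at /etc/fstab checks a real system.

```shell
#!/bin/sh
# Added example, not from the thread: audit an fstab for writable filesystems
# that lack a mount option such as noexec. The two samples are constructed
# (UUIDs are placeholders); the functions accept any fstab-format file.
# Field order is the real one: device  mountpoint  type  options  dump  pass

# mounts_missing_option FILE OPTION: print "mountpoint options" for each real
# filesystem in FILE whose comma-separated option list lacks OPTION. Skips
# comments, short lines, swap, kernel pseudo-filesystems and "/" (the root
# filesystem holds the system binaries and cannot be noexec).
mounts_missing_option() {
    awk -v want="$2" '
        $1 ~ /^#/ || NF < 4                           { next }
        $2 == "/"                                     { next }
        $3 == "swap" || $3 == "proc" || $3 == "sysfs" { next }
        {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
            if (!found) print $2, $4
        }
    ' "$1"
}

# missing_count FILE OPTION: number of offending entries, for use in scripts.
missing_count() {
    mounts_missing_option "$1" "$2" | wc -l | tr -d ' '
}

# write_weak FILE: the usual installer layout, nothing restricted.
write_weak() {
    cat > "$1" <<'EOF'
# <device>       <mountpoint> <type> <options>          <dump> <pass>
UUID=1111-aaaa   /            ext3   errors=remount-ro  0      1
UUID=2222-bbbb   /home        ext3   defaults           0      2
tmpfs            /tmp         tmpfs  defaults           0      0
UUID=3333-cccc   none         swap   sw                 0      0
proc             /proc        proc   defaults           0      0
EOF
}

# write_hardened FILE: same layout, writable areas mounted nodev,nosuid,noexec.
write_hardened() {
    cat > "$1" <<'EOF'
# <device>       <mountpoint> <type> <options>                     <dump> <pass>
UUID=1111-aaaa   /            ext3   errors=remount-ro             0      1
UUID=2222-bbbb   /home        ext3   defaults,nodev,nosuid,noexec  0      2
tmpfs            /tmp         tmpfs  defaults,nodev,nosuid,noexec  0      0
UUID=3333-cccc   none         swap   sw                            0      0
proc             /proc        proc   defaults                      0      0
EOF
}

# Stand-alone: run the audit on both samples.
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp); h=$(mktemp)
    write_weak "$w"; write_hardened "$h"
    echo "weak fstab, entries missing noexec:";     mounts_missing_option "$w" noexec
    echo "hardened fstab, entries missing noexec:"; mounts_missing_option "$h" noexec
    rm -f "$w" "$h"
fi
```

noexec stops the kernel from directly executing a file that lives on that filesystem, and nosuid prevents setuid bits there from taking effect; it does not stop a file from being read as input by an interpreter installed elsewhere, which is why the post pairs it with a MAC profile that restricts what the application may write and execute. Changes take effect on the next mount (or "mount -o remount" of the filesystem).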
     
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    They could. I haven't seen a case of a virus or malware in the wild infecting a Unix/Linux computer. This includes Mac OSX. They are inherently secure by design and Windows only implemented elevated user privileges after running in root for years. In Linux/Mac OSX, one runs in a limited user session and invokes superuser privileges only to install updates and new software. It's never safe to run any computer in root. Yeah sure the bad guys could target them someday but it's not profitable to do it right now.
     
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Norman,

    Inherent security by design is not an attribute of Unix/Linux or Mac OSX - sorry, but that is the sad truth of the matter. Only recently, one such kernel (seL4) was specified mathematically and proven to be secure - but, it was none of the above you cited. I have attached the PDF file, seL4-microkernel.pdf, to acquaint you with what "inherent" security is based upon. I have modified the name of the file with a .txt suffix to comply with the upload requirements of Wilders, i.e. after you download the document, rename it by removing the .txt extension to read the PDF file. If you search for the topic and/or the name of the file on the Internet, there is an article that is easier to read than the paper.

    -- Tom
     


    Last edited: Aug 22, 2009
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Probably better stated as inherently more secure when used in their respective default configurations. What's put into the field as a default install is a little different than what's inherently possible.

    Blue
     