-
Re: Broadband Security
On Mon, 02 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<xj_hi.4281$MR5.770@trndny02>, Adam wrote:
>Moe Trin wrote:
>> All too many popular distributions create these non-standard solutions
>> (with each distribution doing it differently), set them up with what
>> they consider to be standard jobs, and leave it at that.
>
>My only significant Linux experience is with Mandrake/Mandriva, so by
>default their way of doing things seems to me to be either the
>"standard" way, or a deliberate improvement. I'm sure there are
>numerous features in Mandr* that are either nonstandard or better in
>another distro, but I wouldn't (yet) know what they are.
Well, variety is the spice of life and all that, but there are some
standards. Start at "Linux Standard Base" http://www.linuxbase.org/spec/
and work your way down through the Filesystem Hierarchy Standard from
http://www.pathname.com/fhs/. There is a Linux Filesystem Hierarchy from
the LDP at http://tldp.org/guides.html that helps explain the latter.
Each distribution tries to follow their interpretation of those standards,
but that is just the starting point. For example, you can't drop a SuSE
or Red Hat kernel into your Mandriva install, because every d4mn one of
the distributors knows how to make the kernel "better". Still, if you
can use the command line to follow what is happening, nothing is totally
unknown. Once the kernel is loaded and starts, the world begins at
/etc/inittab (except in those few distributions that have decided to use
the new "upstart" package in place of init), and MOST of it is just
fancy shell scripting - some of it exotic, because the guys who created
the scripts know their shell, and are absolutely _flaunting_ it, but it
is still readable and even understandable if you have the man pages to
see what in the Foggy Blue Morning they're trying to do here.
>> "standard ports" meaning
>
>well, my DSL router's idea of "standard" outgoing ports is:
>
>pass to port 80 >> done
>pass to port 20 >> done
>pass to port 21 >> done
>pass to port 23 >> done
>pass to port 110 >> done
>pass to port 119 >> done
>pass to port 143 >> done
>pass to port 220 >> done
>pass to port 25 >> done
>pass to port 443 >> done
>pass to port 500 >> done
So, you're not supposed to use DNS (53/udp and maybe 53/tcp) directly?
This also looks like it would kill traceroute, and using a web proxy on
8080/tcp. Oh, well.
>Okay, I was wondering why they'd use some other port. I can now access
>the LUG mailing list archives. I get a few "security certificate is
>outdated" popups, but I know /those/ aren't my doing.
Yeah, but they should be corrected by kicking the appropriate admin in
the soft bits to get his attention.
Old guy
-
Re: Broadband Security
Moe Trin wrote:
> Well, variety is the spice of life and all that, but there are some
> standards. Start at "Linux Standard Base" http://www.linuxbase.org/spec/
> and work your way down through the Filesystem Hierarchy Standard from
> http://www.pathname.com/fhs/. There is a Linux Filesystem Hierarchy from
> the LDP at http://tldp.org/guides.html that helps explain the latter.
I've read the last one, and will look at the others. I like following
standards.
>> well, my DSL router's idea of "standard" outgoing ports is:
>> [list snipped]
>
> So, you're not supposed to use DNS (53/udp and maybe 53/tcp) directly?
> This also looks like it would kill traceroute, and using a web proxy on
> 8080/tcp. Oh, well.
Well, my router has the following choices for security, among others.
High Blocks all outgoing traffic except Mail, News, Web, FTP, and IPSEC
Medium Same as high, end user can set custom rules through NAT
configuration.
There's also Low and None. I suppose that High would keep someone who
has no idea what all that means out of trouble. I picked Medium, but as
soon as I added "allow port 444 outbound" it became Custom.
Adam
-
Re: Broadband Security
On Wed, 04 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<46Dii.4020$wu5.2348@trndny03>, Adam wrote:
>I like following standards.
"The good thing about standards is that there are so many to choose
from." -- Andrew S. Tanenbaum
Standards are a wonderful thing;
everyone should have one of his very own
A few years ago, Friday, October 14 was World Standards Day -- in
*some* countries. In America, it was observed on October 11th. In
Finland, it was marked on October 13th. Italy planned a separate
conference on standards for October 18th. - after Shakib Otaqui
>Well, my router has the following choices for security, among others.
>
>High Blocks all outgoing traffic except Mail, News, Web, FTP, and IPSEC
>
>Medium Same as high, end user can set custom rules through NAT
>configuration.
>
>There's also Low and None.
Well, I suppose that "radio buttons" are more informative than "sliders"
but I'll stick with the simple shell scripts.
>I suppose that High would keep someone who has no idea what all that
>means out of trouble.
I think the clueless will still manage to get into trouble - but that's
usually a result of using a b0rken tool like Internot Exploiter as the
only tool for Internet use, and clicking OK to get those annoying popup
messages out of the way.
>I picked Medium, but as soon as I added "allow port 444 outbound" it
>became Custom.
That makes sense, as it's no longer some "standard" configuration. I'm
still not used to the "Mother, May I" type of filter on outbound. I
know that my ISPs are doing some blocking (example port 25 only goes to
their mail servers - everywhere else is blocked for zombie-control)
and are happy with that.
Old guy
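An added example, not code from the thread or from either poster, that ties the two filtering points above together: the router's "High" outbound list as Adam posted it, rebuilt as the kind of plain iptables shell script Moe prefers, with the gaps Moe noticed filled in (DNS on 53, a web proxy on 8080/tcp, traceroute and its ICMP replies, and IKE, which is UDP 500) and with the ISP-style "port 25 only to our mail relay" rule encoded as an explicit exception. Assumed values that are not in the thread: LAN interface eth0, LAN 192.168.1.0/24, the documentation address 203.0.113.25 as a placeholder for the ISP's relay, and the classic UDP traceroute probe range 33434-33523. The functions only print iptables commands, so the result can be read before it is piped into sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): an outbound allow-list for a Linux box
# doing NAT for a LAN, written as a plain iptables shell script. It starts
# from the router's "High" list as posted and adds what that list silently
# breaks: DNS, an 8080 web proxy, traceroute, and the UDP side of IPsec (IKE).
# It also encodes the ISP rule "port 25 only to our mail relay".
# The functions only PRINT the rules; review them, then run the output
# through sh as root to apply.
#
# Assumed values (not from the thread): LAN interface eth0, LAN
# 192.168.1.0/24, and 203.0.113.25 as a placeholder for the ISP's relay.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ISP_SMTP="${ISP_SMTP:-203.0.113.25}"   # placeholder: your ISP's SMTP relay

# Ports from the router's "High" list, minus 25 (handled separately below)
# and 500 (the post gives no protocol; IKE is UDP 500, handled below).
# 20/21 FTP, 23 telnet (as listed; drop it if unused), 80/443 web,
# 110 POP3, 119 NNTP, 143 IMAP, 220 IMAP3.
ROUTER_HIGH_TCP="20 21 23 80 110 119 143 220 443"

# What the thread notes is missing: DNS (53 udp and tcp), an 8080 proxy,
# IKE, and the classic UDP traceroute probe range (assumed 33434-33523).
EXTRA_TCP="53 8080"
EXTRA_UDP="53 500"
TRACEROUTE_UDP="33434:33523"

# emit_accept PROTO PORT [DEST]: one FORWARD rule for LAN -> DEST on PROTO/PORT
emit_accept() {
  if [ -n "${3:-}" ]; then dest="-d $3 "; else dest=""; fi
  echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET ${dest}-p $1 --dport $2 -j ACCEPT"
}

# allow_ports PROTO PORT... : emit_accept for each port in the list
allow_ports() {
  proto=$1; shift
  for p in "$@"; do emit_accept "$proto" "$p"; done
}

# gen_egress_rules: print the complete rule set, default-deny with exceptions
gen_egress_rules() {
  echo "iptables -F FORWARD"
  echo "iptables -P FORWARD DROP"                       # default deny outbound
  # Replies to connections the LAN started, plus FTP data channels (RELATED)
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  allow_ports tcp $ROUTER_HIGH_TCP
  allow_ports tcp $EXTRA_TCP
  allow_ports udp $EXTRA_UDP
  allow_ports udp $TRACEROUTE_UDP
  # ping, and the ICMP replies traceroute relies on
  echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT"
  # Zombie control: SMTP only to the ISP relay. Any other port-25 attempt
  # from the LAN is a sign of a spam bot and falls through to log + drop.
  emit_accept tcp 25 "$ISP_SMTP"
  # Log what gets denied (rate-limited) so an infected box shows up in syslog
  echo "iptables -A FORWARD -i $LAN_IF -m limit --limit 6/minute -j LOG --log-prefix 'egress-denied: '"
}

gen_egress_rules
```

Run it as-is to read the rules; `sh egress.sh | sh` applies them. The last LOG line is the detection half of the setup: with a default-deny policy, a machine on the LAN that suddenly tries port 25 to somewhere other than the relay, or any port not on the list, leaves a syslog trail instead of failing silently.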
-
Re: Broadband Security
Moe Trin wrote:
> "The good thing about standards is that there are so many to choose
> from." -- Andrew S. Tanenbaum
I believe he was the author of the textbook that we used when I took a
course in computer networking around 1990. I don't think I have the
book any more and don't think much of it would be useful today anyway.
Remember Telenet (the network) and Tymnet?
>> Well, my router has the following choices for security, among others.
[snip]
>> I picked Medium, but as soon as I added "allow port 444 outbound" it
>> became Custom.
>
> That makes sense, as it's no longer some "standard" configuration. I'm
> still not used to the "Mother, May I" type of filter on outbound. I
> know that my ISPs are doing some blocking (example port 25 only goes to
> their mail servers - everywhere else is blocked for zombie-control)
> and are happy with that.
At least I now know what to do if I come across another website that has
to be accessed using some obscure port. Oh, and I figured out how to
use /usr/bin/fax to send a fax, so my dialup modem is still good for
something.
Adam
-
Re: Broadband Security
On Fri, 06 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<a7zji.38$CJ4.21@trndny08>, Adam wrote:
>Moe Trin wrote:
>> "The good thing about standards is that there are so many to choose
>> from." -- Andrew S. Tanenbaum
>
>I believe he was the author of the textbook that we used when I took a
>course in computer networking around 1990. I don't think I have the
>book any more and don't think much of it would be useful today anyway.
Operating Systems, Design and Implementation, Andrew S. Tanenbaum, 1987,
ISBN 0-13-638677-6, 940pp., Prentice-Hall.
From http://www.cs.vu.nl/~ast/minix.html :
WHAT IS MINIX 2.0
MINIX is a free UNIX clone that is available with all the source code.
Due to its small size, microkernel-based design, and ample documentation,
it is well suited to people who want to run a UNIX-like system on their
personal computer and learn about how such systems work inside. It is
quite feasible for a person unfamiliar with operating system internals to
understand nearly the entire system with a few months of use and study.
MINIX has been written from scratch, and therefore does not contain any
AT&T code--not in the kernel, the compiler, the utilities, or the
libraries. For this reason the complete source can be made available (by
FTP or via the WWW).
MINIX has evolved over the years, so several versions exist. Two of these
are still current. The rest are obsolete. The current versions are:
MINIX 2.0 (Intel CPUs from 8088 to Pentium)
MINIX 1.5 (Intel, Macintosh, Amiga, Atari, SPARC)
Note that the last-modification date of that webpage was 1999. It's not GPL
but is free (both speech- and beer-wise) for education and research purposes.
Tanenbaum was/is an instructor at a university in .nl, and he created
Minix as a teaching aid. Linus based his original designs on Minix.
See his historic posting dated 25 Aug 91 20:57:08 GMT in the newsgroup
comp.os.minix.
Old guy
-
Re: Broadband Security
Moe Trin wrote:
>>> "The good thing about standards is that there are so many to choose
>>> from." -- Andrew S. Tanenbaum
>> I believe he was the author of the textbook that we used when I took a
>> course in computer networking around 1990. I don't think I have the
>> book any more and don't think much of it would be useful today anyway.
>
> Operating Systems, Design and Implementation, Andrew S. Tanenbaum, 1987,
> ISBN 0-13-638677-6, 940pp., Prentice-Hall.
No, his book "Computer Networking" was the one we used for networking
class. For Operating Systems class we used a different book, possibly
"Logical Design of Operating Systems" by Shaw and somebody, 2nd ed. Our
big project in OS class was taken from the appendix of the 1st ed.,
simulate a multiprocessing batch OS in a HLL, with swapping pages in and
out, busy waits, interrupts, etc. That project was notable for two
things: one, it was about the only group project that came out better
than if I'd done it alone, and two, it was one of those rare times when
I *knew* that we deserved an A on the project. Our OS even "billed"
users for their batch jobs... at about ten times the going rate!
Adam
-
Re: Broadband Security
Adam wrote:
> it was about the only group project that came out better than if
> I'd done it alone
I like that attitude from those who deserve it.
-
Re: Broadband Security
On Sun, 08 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<_7Xji.376$CJ4.193@trndny08>, Adam wrote:
>Moe Trin wrote:
>> Operating Systems, Design and Implementation, Andrew S. Tanenbaum, 1987,
>> ISBN 0-13-638677-6, 940pp., Prentice-Hall.
>
>No, his book "Computer Networking" was the one we used for networking
>class. For Operating Systems class we used a different book, possibly
>"Logical Design of Operating Systems" by Shaw and somebody, 2nd ed.
Neither of those ring a bell. I've had several networking classes,
and the textbook was usually TCP/IP Illustrated by W. Richard Stevens
or something crappy written mainly by the instructor.
>Our big project in OS class was taken from the appendix of the 1st ed.,
>simulate a multiprocessing batch OS in a HLL, with swapping pages in
>and out, busy waits, interrupts, etc.
Somehow, I managed to never take an O/S basics course. I got conned into
taking O/S specific classes - Novell 3.12 and 4.0, and one on NT 3.51,
but thankfully never had to work with those O/S.
>That project was notable for two things: one, it was about the only
>group project that came out better than if I'd done it alone, and two,
>it was one of those rare times when I *knew* that we deserved an A on
>the project. Our OS even "billed" users for their batch jobs... at
>about ten times the going rate!
Why not? We've got all these expenses we've incurred to give you
this sterling time-share... Sorta like GE used to gouge us during
the mid-sixties.
Old guy
-
Re: Broadband Security
Scott B. wrote:
> Adam wrote:
>> it was about the only group project that came out better than if
>> I'd done it alone
>
> I like that attitude from those who deserve it.
Is that an insult or a compliment? :-)
Adam
-
Re: Broadband Security
Moe Trin wrote:
> I've had several networking classes,
> and the textbook was usually TCP/IP Illustrated by W. Richard Stevens
> or something crappy written mainly by the instructor.
[snip]
> Somehow, I managed to never take an O/S basics course.
Our classes emphasized theory, not how to set up or use any particular
network or OS. All the requirements of our simulated multiprocessing
batch OS came as a shock to those students whose idea of an "operating
system" was PC DOS 3.3.
>> Our OS even "billed" users for their batch jobs... at
>> about ten times the going rate!
>
> Why not? We've got all these expenses we've incurred to give you
> this sterling time-share... Sorta like GE used to gouge us during
> the mid-sixties.
The whole program was academic, not practical, and I didn't even think
it was a terribly good program at the time (this was NOT at U-M). Most
of it I've forgotten since then, if I even knew it at the time. One
advantage of academia is that having completed a course in something is
nearly as good as actually knowing it.
Adam