Just got DSL. Do I really need a firewall? And recommend free software :)

No, I didn’t.

Anyway, an update: downloaded and installed ZoneAlarm. Spent a while responding to dialogs asking me if I want to let, say, Internet Explorer to access the internet :rolleyes: but that’s par for the course when you’re setting it up. Everything’s working great; I’m having no problems streaming web radio or anything like that.

The only thing, a couple of times, it’s told me it’s refused a ping. (I know what a ping is.) Just wondering if I should be concerned about that.

Nah. 99%+ of pings you get are benign. Many of them will be Windows Messenger spam on port 137, which while annoying, is harmless. One of the likeliest signs of an attempted attack is someone running a port scan on you, which will show up as hundreds of pings in a very short time frame from the same IP address. Even then you’ve got nothing to worry about, because ZoneAlarm will keep them out.

You just pegged my bullshit meter, UnuMondo. Aside from the fact that you provided no cites for your assertion, it seems you forgot that ZoneLabs, makers of ZoneAlarm, are in the business of making money. Implementing a backdoor in their flagship product, marketed for its abilities to block intrusion and protect privacy, would not sit well with the customers who keep them in business.

While I agree 100% with the Free Zone Alarm, my experience with the ‘Pro’ version was not good. Went back to free. Was probably operator error on my part but … :: shrug :::

With the hardware router and switch and Zone Alarm and NOT using Outlook Express, and being careful about attachments and being real quick with the ‘delete’ key if I do not recognize things, I be fine.

I am glad it is not a business account where I HAVE to open unknown mail with attachments, I think I would have to have a separate computer with nothing on it and real simple to back up programs and to reformat before I would venture out in some of the places you guys go to.

:: It’s scary out there. :::

Tracking hashes for executable files is the obvious approach. But that’s not enough - unless Zone Alarm tracks hashes for all memory pages in all processes in realtime, it won’t be able to stop code injection. I think it’s safe to assume it doesn’t do that because it would be painfully slow.

Incorrect. Besides, I’m not talking about modifying executable files on disk (which is virtually impossible to do without affecting the hash) but injecting code into a running process. With administrative privileges this is easy to do.

If the malicious code wish to disable the firewall entirely it can disable that popup before doing so. But even without notification the user will probably notice if the personal firewall software gets disabled so that’s not what sneaky software would do; there are plenty of other ways to bypass personal firewalls.

Now this I agree with and it’s precisely the reason why I don’t recommend personal firewalls.

Say what? No, this is dead wrong. At least under Windows (all versions since at least 3.0) such an attempt by a process to write code to RAM space in use by another program WILL result in a page fault error. It is categorically impossible for any program to add code to a running process under Windows. Period.

Exhibit A: the Win32 API function WriteProcessMemory.

Exploits based on code injection have been demonstrated. Saying that it’s impossible is just plain silly.

Show me such an exploit then. The WriteProcessMemory API will only allow authorized processes to access running process RAM and only after verifying that the RAM area to be written allows writing. Only an extremely poorly-written program will be vulnerable to this.

I’m not into writing trojans and don’t keep an archive of exploits, but through a quick Google search I found Bypassing Personal Firewalls which looks like the kind of code injection I was thinking about. I don’t know anything about that particular code, but I’ve used similar techniques when debugging.

Yes, I found that too, but I can’t get the code to compile and run, so I can’t test it. And the followup posts seem to cast doubt on this:

If I could jump in and ask about HARDWARE firewalls…
I bought a Linksys router.

Should I modify/change any default settings to make it more safe?

I d/l’ed Zonealarm Pro for a month’s free trial. Had nothing but problems with it. It would not let Mozilla on the web no matter what I did.

Went back to the free zonealarm and it’s all running smoothly again.
Weird.

ForbiddenFruitsalad: I wasn’t aware myself about code ‘injection’ and I believe I misunderstood your concept. I am not a programmer. I am under the impression that unless the program allows, you cannot overwrite memory space in use. Sounds more like (as Q.E.D. stated) a page fault to me.

It appears the exploit you link to is not valid remotely, therefore, not really applicable to this discussion. If someone is hacking into your computer by sitting in front of your monitor, you’ve got bigger problems besides which firewall is going to protect you.

like ‘call a locksmith’

Omar: I’m almost 100% sure the Linksys default setting is ‘stealth’, which should be fine for your use. Although remote administration is disabled by default, it’s suggested that you change the default password to something other than ‘admin’.

A Linksys router will keep bad stuff from coming in, as it closes all your ports. Zone Alarm will keep bad stuff from getting out. A good combination all-in-all.

I’m running Linux, so I don’t usually worry about this kind of stuff. Yes, there are bad guys that target Linux, but not many.

Last Friday, I set up a Laptop with XP to use a dial-up connection for a guy who’s going to need internet access while traveling in China.

We dialed into the provider here to see that everything was working fine, and got scragged by the RPC Blaster within thirty seconds of dialing in. The plan was to download the firewall and anti-virus software that his ISP provides for their users, but we never made it. After the second reboot - 1 minute after the first one - we switched tactics and rigged him through the company network (which has a firewall) to download the software and the Microsoft patch.

My home computer (Linux) hasn’t had a firewall on it before. All of the services are locked down to only respond to the local address and I’m on dial up, so there wasn’t much danger. After seeing how much crap is out there, I decided to put one up anyway.

A quick recompile (and a couple of hours to figure out that I’d installed the new kernel under the wrong name so that my default boot sequence was getting the wrong thing) and a go round with Guarddog, I’ve got an iptables based firewall.

In the first minute of operation, it logged FOUR hits by RPC blaster. Three from England, and one from my own provider here in Germany.

That kind of thing makes you feel like a cop in a bulletproof vest, walking down the street in the really BAD part of town - you’re pretty safe, but there’s always the chance somebody’ll pot you where the jacket doesn’t cover…

Firewall. Definitely and always.

Firewalls are useful and can offer real protection when properly set up. But you need to understand what a firewall is, what it can and can’t do. Personal firewall software is a flawed implementation of the firewall concept and claims to do things it cannot. People who understand these things tend to agree that “Personal Firewalls” are Mostly Snake-oil.

Riiiiight. It’s quotes like this:

…make this guy sound like one of those tinfoil-hat conspiracy theorist types. Despite the fact that you can easily turn off warnings and alerts, this guy suggests that those alerts are solely to get you to buy an upgrade? Please.

The default configuration warns and blocks lots of things that are normal network traffic and/or harmless. He suggests that the reason for doing so is because it makes users think such “protection” is needed. In any case it seems to have that effect; the people who can’t tell the difference between UDP and ICMP (or worse, think all ICMP traffic should be blocked) are usually the first to recommend Zone Alarm.

Whew! There’s a winner.

This dude seems to lack a little in understanding himself.

A personal firewall inside of a company’s private net is crap, and will most likely get you the results he’s naming - bunch of hits from harmless stuff like some other user on the network accidentally trying to access your machine.

On a home machine that is connected straight to the ISP, it is a much different story.

There is no valid reason for me to be hit with requests on port 135 (RPC- used by Blaster) or on port 1054 (which is used by a trojan named AckCMD and by a commercial system monitoring program for windows) or port 137 (used by a couple of other trojans.)

These are hits from just the last few minutes. Since I don’t have any services active on those ports - and the Windows trojans can’t work on my Linux box - they are just an irritant. The worst that will happen is that my dial-up connection won’t disconnect when it should. Without the firewall, the request can cause my system to send a reject - and that will reset the time out on the dial up and keep the connection live.

As for not helping to catch hackers, I’ve got addresses from which someone was trying to connect to trojans. I’ve also got addresses from users who still have Blaster or lovsan. If the ISPs were interested, I could give them the info and they could send a friendly note to the users to either run a virus scan or that they’ve been sending out suspicious packets and to stop doing it because it makes them look like a hacker. That’d help the clueless and perhaps cut down on the “script kiddie” activity.

With an IP address and a date and time, an ISP would have no trouble at all identifying users who are infected or hacking.

As for the disadvantages of a “personal firewall,” breaking traceroute (I’m assuming he means being able to trace back to me) is no bad thing - I don’t want to be found. If he means me tracing someone else, then he is as clueless as they come. What in heaven’s name is to stop me from opening my firewall outbound for traceroute? Not a thing, mine is rigged that way now.

Here’s traceroute to the straightdope THROUGH my firewall:

traceroute to straightdope.com (65.201.198.8), 30 hops max, 40 byte packets
1 212.185.253.205 (212.185.253.205) 128 ms 116 ms 120 ms
2 212.185.253.198 (212.185.253.198) 119 ms 120 ms 120 ms
3 MZ-EB1.MZ.DE.net.dtag.de (62.154.10.219) 120 ms 118 ms 120 ms
4 NYC-gw15.USA.net.DTAG.DE (62.156.131.158) 210 ms 210 ms 210 ms
5 sl-gw31-nyc-12-0.sprintlink.net (144.223.27.133) 243 ms 210 ms 210 ms
6 sl-bb23-nyc-12-0.sprintlink.net (144.232.13.33) 210 ms 207 ms 210 ms
7 sl-bb20-nyc-8-0.sprintlink.net (144.232.7.13) 229 ms 210 ms 210 ms
8 sl-bb22-nyc-8-0.sprintlink.net (144.232.7.106) 210 ms 210 ms 209 ms
9 sl-bb21-chi-9-0.sprintlink.net (144.232.9.149) 250 ms 240 ms 230 ms
10 sl-gw31-chi-10-0.sprintlink.net (144.232.26.30) 230 ms 230 ms 220 ms
11 sl-chicagoreader-1-0.sprintlink.net (144.223.0.22) 230 ms 240 ms 230 ms
12 node8.chicagoreader.com (65.201.198.8) 239 ms 250 ms 240 ms

If he can’t manage that, then I don’t think he’s half the firewall expert he likes to think he is.

A physically separate firewall IS better, I’ll give him that. If he thinks I’m gonna do it, though, he’s got another think coming. Somebody else will need to explain to my wife why I should need two PCs running to check e-mail or futz around here on the Dope. I ain’t doing it. She fusses when I forget to turn off a light in a room when I leave it. I’m also not going to try to explain why I need a $200 router - if they make them for 33.6K dial ups.

A concerted DOS attack can bring a firewall to its knees, and if the firewall is running on the machine you work on, then your work will get clobbered, too. Give him that much.

On the other hand, while it may be better to duck into a bunker when there’s shooting going on, a bullet proof vest is better than prancing around in your birthday suit. Which is about the difference between a separate firewall and a personal firewall.

I will grant you that if you have a trojan on your system then you need to get rid of it instead of stopping it from communicating. On the other hand, it is better to keep the bloody thing quiet until your anti-virus software can kill and dispose of the thing. Belt and suspenders. (Yah, yah. Snicker about it you Brits.)

Paranoid, clueless idgit.

That sounds ambiguous. Is the difference between a separate firewall and a personal firewall like the difference between ducking into a bunker and wearing a bullet proof vest, or the difference between a bullet proof vest and a birthday suit?

Also, running whois on some of the addresses from the hits I’ve gotten brings back info from the provider from these clowns. The info from the provider includes an explicit request to report abuse or scans:

Mortimer kernel: DROPPED IN=ppp0 OUT= MAC= SRC=62.227.69.76 DST=62.227.60.51 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=4997 DF PROTO=TCP SPT=4967 DPT=135 SEQ=199663724 ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020405B401010402)

inetnum: 62.225.192.0 - 62.227.255.255
netname: DTAG-DIAL12
descr: Deutsche Telekom AG
country: DE
admin-c: DTIP
tech-c: DTST
status: ASSIGNED PA
remarks: ************************************************************
remarks: * ABUSE CONTACT: abuse@t-ipnet.de IN CASE OF HACK ATTACKS, *
remarks: * ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. *
remarks: ************************************************************

No use at all, eh?

This is the ISP I use, by the way. I’m being attacked by my fellow users, and were I running an unpatched Windows XP with no firewall, I’d be cursing right now instead of posting.
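An added example, not code from anyone in this thread: a small Python script that parses iptables kernel log lines in the DROPPED format quoted above, groups the hits by source address, and labels each source by the ports the thread discusses (135 for RPC/Blaster, 137 for NetBIOS, 1054 for AckCMD) or as a port scan when one source touches many ports. The log lines are constructed sample data built from the quoted format; the ports-per-source threshold is an assumption.

```python
import re
from collections import defaultdict

# Ports called out in the thread and what the poster attributes them to.
WATCHED_PORTS = {135: "RPC / Blaster", 137: "NetBIOS name service", 1054: "AckCMD trojan"}
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def make_line(src, dpt, proto="TCP"):
    """Constructed log line in the same layout as the quoted DROPPED entry (sample data)."""
    tail = " SEQ=199663724 ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0" if proto == "TCP" else ""
    return (f"Mortimer kernel: DROPPED IN=ppp0 OUT= MAC= SRC={src} DST=62.227.60.51 "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=4997 DF PROTO={proto} SPT=4967 DPT={dpt}{tail}")


# Constructed sample: repeated RPC probes, one AckCMD probe, one NetBIOS probe,
# an ACCEPT line that must be ignored, and one source sweeping 30 ports.
SAMPLE_LOG = "\n".join(
    [make_line("62.227.69.76", 135), make_line("62.227.69.76", 135),
     make_line("10.11.12.13", 1054), make_line("10.11.12.14", 137, "UDP"),
     "Mortimer kernel: ACCEPT IN=ppp0 OUT= SRC=192.0.2.9 DST=62.227.60.51 PROTO=TCP SPT=80 DPT=1025"]
    + [make_line("198.51.100.7", p) for p in range(1, 31)]
)


def parse_line(line):
    """Return the interesting fields of one DROPPED line, or None for anything else."""
    if "DROPPED" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or not fields.get("DPT"):
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"), "proto": fields.get("PROTO"),
            "spt": int(fields["SPT"]) if fields.get("SPT") else None,
            "dpt": int(fields["DPT"]), "syn": " SYN " in line}


def summarize(log_text):
    """Group dropped packets by source address: hit count plus the set of destination ports."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]]["hits"] += 1
            per_src[rec["src"]]["ports"].add(rec["dpt"])
    return dict(per_src)


def classify(summary, scan_threshold=20):
    """Label each source 'port scan' if it hit many distinct ports, else by watched port name."""
    labels = {}
    for src, info in summary.items():
        if len(info["ports"]) >= scan_threshold:
            labels[src] = "port scan"
        else:
            names = [WATCHED_PORTS[p] for p in sorted(info["ports"]) if p in WATCHED_PORTS]
            labels[src] = ", ".join(names) if names else "other"
    return labels
```

Run `classify(summarize(SAMPLE_LOG))` to get a per-source label; the source address, timestamp and port are exactly the fields an abuse desk like the one in the whois output asks for.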