lina | 22 Jul 2012 09:25

is it rational to close the 139 port

Hi,

strangely my netstat showed my 139 and 445 ports are open.

tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN

Do I need to specify

-A INPUT -p tcp --dport 139 -j REJECT

in iptables?

For INPUT I have already set -P INPUT DROP, except for 80, 443 and 22.

BTW, why do I need to allow ping from outside?

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

I know so little, thanks very much for your explanation,

Best regards,

Stan Hoeppner | 22 Jul 2012 09:36

Re: is it rational to close the 139 port

On 7/22/2012 2:25 AM, lina wrote:

Hi Lina,

> strangely my netstat showed my 139 and 445 ports are open.
> 
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN

These ports are used by Samba.  If you want these ports closed simply
disable the Samba service.  If you need Samba, leave the ports open.  If
you don't know what Samba is:

http://www.samba.org/

-- 
Stan

lina | 22 Jul 2012 09:41

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 3:36 PM, Stan Hoeppner <stan <at> hardwarefreak.com> wrote:
> On 7/22/2012 2:25 AM, lina wrote:
>
> Hi Lina,

Hi,
>
>> strangely my netstat showed my 139 and 445 ports are open.
>>
>> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
>
> These ports are used by Samba.  If you want these ports closed simply
> disable the Samba service.  If you need Samba, leave the ports open.  If
> you don't know what Samba is:
>
> http://www.samba.org/

Thanks, I don't have a basic understanding of samba;
will read something about it.
Just a short quick question: is it necessary to keep it?

Best regards,
>
> --
> Stan

Andrei POPESCU | 22 Jul 2012 09:49

Re: is it rational to close the 139 port

On Sun, 22 Jul 12, 15:41:16, lina wrote:
> 
> Thanks, I don't have some basic understanding about samba,
> will read something about it.
> just a short quick question, is it necessary to keep it?

Only you can tell since we don't know what you use/need.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

lina | 22 Jul 2012 09:59

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
<andreimpopescu <at> gmail.com> wrote:
> On Sun, 22 Jul 12, 15:41:16, lina wrote:
>>
>> Thanks, I don't have some basic understanding about samba,
>> will read something about it.
>> just a short quick question, is it necessary to keep it?
>
> Only you can tell since we don't know what you use/need.
I felt a bit silly to ask, and a bit annoyed with myself for knowing
so little.
Seems there is no need to share files with the outside.
I have rejected all inbound traffic towards ports 139 and 445.

>
> Kind regards,
Thanks,

Best regards,

Stan Hoeppner | 22 Jul 2012 10:30

Re: is it rational to close the 139 port

On 7/22/2012 2:59 AM, lina wrote:
> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
> <andreimpopescu <at> gmail.com> wrote:
>> On Sun, 22 Jul 12, 15:41:16, lina wrote:
>>>
>>> Thanks, I don't have some basic understanding about samba,
>>> will read something about it.
>>> just a short quick question, is it necessary to keep it?
>>
>> Only you can tell since we don't know what you use/need.
> I felt a bit silly to ask, and a bit annoyed about myself for knowing
> so little.
> seems no need to share files with outside.
> have rejected all inbound towards the port 139 and 445.

If you don't need it, why not disable the service and free up the memory
the smbd/nmbd daemons are using?  Maybe I wasn't clear.

Disabling the Samba service, or simply uninstalling Samba, closes those
ports.  When the ports are closed, there's no need to firewall them.  If
you do anyway, it's like putting a padlock on a steel door that's been
welded shut.  If you need a few pounds of dynamite to blow the door
open, the padlock yields zero extra protection.  Same for firewalling.
The solution is very simple:

~$ aptitude remove samba

-- 
Stan

lina | 22 Jul 2012 10:37

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 4:30 PM, Stan Hoeppner <stan <at> hardwarefreak.com> wrote:
> On 7/22/2012 2:59 AM, lina wrote:
>> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
>> <andreimpopescu <at> gmail.com> wrote:
>>> On Sun, 22 Jul 12, 15:41:16, lina wrote:
>>>>
>>>> Thanks, I don't have some basic understanding about samba,
>>>> will read something about it.
>>>> just a short quick question, is it necessary to keep it?
>>>
>>> Only you can tell since we don't know what you use/need.
>> I felt a bit silly to ask, and a bit annoyed about myself for knowing
>> so little.
>> seems no need to share files with outside.
>> have rejected all inbound towards the port 139 and 445.
>
> If you don't need it, why not disable the service and free up the memory
> the smbd/nmbd daemons are using?  Maybe I wasn't clear.
>
> Disabling the Samba service, or simply uninstalling Samba, closes those
> ports.  When the ports are closed, there's no need to firewall them.  If
> you do anyway, it's like putting a padlock on a steel door that's been
> welded shut.  If you need a few pounds of dynamite to blow the door
> open, the padlock yields zero extra protection.  Same for firewalling.
> The solution is very simple:
>
> ~$ aptitude remove samba

Thanks, I have purged samba just now.

Joe | 22 Jul 2012 10:44

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012 16:37:16 +0800
lina <lina.lastname <at> gmail.com> wrote:

> 
> P.S I also found
> 
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
> 
> 
> 631 is for network printer, I am confused why it need LISTEN here, I
> only print once or twice each month.
> 
> What 538 is for? I googled, but I don't have gdomap
> installed, strange?
> 

Run netstat -tupan as root, and it will also show you the processes
associated with the ports. The -p does that, and as root, it will show
all processes, not just yours.

-- 
Joe

lina | 22 Jul 2012 10:54

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 4:44 PM, Joe <joe <at> jretrading.com> wrote:
> On Sun, 22 Jul 2012 16:37:16 +0800
> lina <lina.lastname <at> gmail.com> wrote:
>
>>
>> P.S I also found
>>
>> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
>>
>>
>> 631 is for network printer, I am confused why it need LISTEN here, I
>> only print once or twice each month.
>>
>> What 538 is for? I googled, but I don't have gdomap
>> installed, strange?
>>
>
> Run netstat -tupan as root, and it will also show you the processes
> associated with the ports. The -p does that, and as root, it will show
> all processes, not just yours.

# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5466/sshd

lina | 22 Jul 2012 10:58

Re: is it rational to close the 139 port

Sorry, this one is easier to read:

# netstat -tupan | grep 538
tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN      2366/gdomap
udp        0      0 0.0.0.0:538             0.0.0.0:*                           2366/gdomap

Thanks,

Pascal Hambourg | 22 Jul 2012 11:14

Re: is it rational to close the 139 port

Hello,

lina wrote:
> root <at> debian:/etc/iptables# dpkg --get-selections | grep gdomap
> 
> no gdomap installed,
> # dpkg -L gdomap
> Package `gdomap' is not installed.
> Use dpkg --info (= dpkg-deb --info) to examine archive files,
> and dpkg --contents (= dpkg-deb --contents) to list their contents.
> 
> But # which gdomap
> /usr/bin/gdomap

To find which package a file belongs to:
$ dpkg -S /usr/bin/gdomap
will find the package gnustep-base-runtime.
$ man gdomap
will tell you what this program does. Don't ask me, I have never heard
of it before.
Maybe /etc/default/gdomap has options to tune it.

A port listening on 127.x.y.z or ::1 is fine: such addresses are
reachable only from the host itself.

-- 
To UNSUBSCRIBE, email to debian-user-REQUEST <at> lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster <at> lists.debian.org
Archive: http://lists.debian.org/500BC474.7050702 <at> plouf.fr.eu.org

lina | 22 Jul 2012 12:15

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 5:14 PM, Pascal Hambourg <pascal <at> plouf.fr.eu.org> wrote:
> Hello,
>
> lina wrote:
>> root <at> debian:/etc/iptables# dpkg --get-selections | grep gdomap
>>
>> no gdomap installed,
>> # dpkg -L gdomap
>> Package `gdomap' is not installed.
>> Use dpkg --info (= dpkg-deb --info) to examine archive files,
>> and dpkg --contents (= dpkg-deb --contents) to list their contents.
>>
>> But # which gdomap
>> /usr/bin/gdomap
>
> To find which package a file belongs to:
> $ dpkg -S /usr/bin/gdomap
> will find the package gnustep-base-runtime.
> $ man gdomap
> will tell you what this program does. Don't ask me, I have never heard
> of it before.
> Maybe /etc/default/gdomap has options to tune it.

Thanks,

Shall I keep or purge the gdomap?

Best regards,


Stan Hoeppner | 22 Jul 2012 11:31

Re: is it rational to close the 139 port

On 7/22/2012 3:37 AM, lina wrote:

> P.S I also found
> 
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN

Instead of doing this piecemeal, post the output of:

~$ netstat -ant|grep LISTEN

and we'll go through the list together, trimming the fat.

-- 
Stan

lina | 22 Jul 2012 12:08

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 5:31 PM, Stan Hoeppner <stan <at> hardwarefreak.com> wrote:
> On 7/22/2012 3:37 AM, lina wrote:
>
>> P.S I also found
>>
>> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
>
> Instead of doing this piecemeal, post the output of:
>
> ~$ netstat -ant|grep LISTEN
>
> and we'll go through the list together, trimming the fat.

# netstat -ant|grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN

Thanks, I only know 22, 25, 631 and 80, for ssh, email, cups and http respectively.

Best regards,

P.S I will be glad to know more.

Lars Noodén | 22 Jul 2012 12:10

Re: is it rational to close the 139 port

On 07/22/2012 01:08 PM, lina wrote:
> Thanks, I only know 22, 25, 631 and 80, for ssh, email, cups and http respectively.
> 
> Best regards,
> 
> P.S I will be glad to know more.

You can get the official list of what goes where from the file /etc/services

Regards
/Lars
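Pascal's rule (a listener on 127.x.y.z or ::1 is reachable only from the host itself) and Lars's pointer to /etc/services, applied to the listing lina posted, as an added example that is not from the thread. The services table is a constructed excerpt in /etc/services format so the script runs offline; on a real host you would feed it the contents of /etc/services and the live output of netstat.

```shell
#!/bin/sh
# Added example (not from the thread): classify the LISTEN lines of
# `netstat -ant | grep LISTEN` as loopback-only or reachable from the network,
# and name each port from an /etc/services-style table.

# Constructed sample: the listing lina posted, reproduced verbatim.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# Constructed excerpt in /etc/services format (name  port/proto  aliases).
# On a real host pass the contents of /etc/services instead.
SAMPLE_SERVICES='ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www
imap2           143/tcp         imap
gdomap          538/tcp
ipp             631/tcp'

# service_name PORT TABLE: print the tcp service name for PORT, or "unknown".
service_name() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $2 == (p "/tcp") { print $1; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# scope_of ADDR: "local" for loopback (127.x.y.z, ::1), "network" for anything
# else, including the wildcards 0.0.0.0 and :: that bind every interface.
scope_of() {
  case "$1" in
    127.*|::1) echo local ;;
    *)         echo network ;;
  esac
}

# classify_listeners TABLE: read netstat LISTEN lines on stdin and print
# "port proto scope service" for each socket.
classify_listeners() {
  while read -r proto recvq sendq local_addr rest; do
    [ -n "$proto" ] || continue
    addr=${local_addr%:*}   # drop the last ":port" (":::80" -> "::", "::1:631" -> "::1")
    port=${local_addr##*:}
    printf '%s %s %s %s\n' "$port" "$proto" "$(scope_of "$addr")" "$(service_name "$port" "$1")"
  done
}

# network_exposed TABLE: the distinct ports other hosts can reach, ascending,
# space-separated. This is the list worth reviewing one entry at a time.
network_exposed() {
  classify_listeners "$1" | awk '$3 == "network" { print $1 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

main() {
  echo "port proto scope service"
  printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners "$SAMPLE_SERVICES"
  echo
  echo "Reachable from the network: $(printf '%s\n' "$SAMPLE_NETSTAT" | network_exposed "$SAMPLE_SERVICES")"
}

main
```

For the sample listing the network-reachable set is 22, 80, 143 and 538; 25 and 631 only appear on loopback, which is what Brian and Pascal point out.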

Brian | 22 Jul 2012 13:32

Re: is it rational to close the 139 port

On Sun 22 Jul 2012 at 18:08:25 +0800, lina wrote:

> On Sun, Jul 22, 2012 at 5:31 PM, Stan Hoeppner <stan <at> hardwarefreak.com> wrote:
> > On 7/22/2012 3:37 AM, lina wrote:
> >
> >> P.S I also found
> >>
> >> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
> >> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
> >> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
> >
> > Instead of doing this piecemeal, post the output of:
> >
> > ~$ netstat -ant|grep LISTEN
> >
> > and we'll go through the list together, trimming the fat.
> 
> # netstat -ant|grep LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
> tcp6       0      0 :::143                  :::*                    LISTEN
> tcp6       0      0 :::80                   :::*                    LISTEN
> tcp6       0      0 :::22                   :::*                    LISTEN
> tcp6       0      0 ::1:631                 :::*                    LISTEN
> 
> Thanks, I only know 22, 25, 631 and 80, for ssh, email, cups and http respectively.

CUPS and the mailserver only listen for connections from localhost. This

lina | 22 Jul 2012 16:01

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 7:32 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
> On Sun 22 Jul 2012 at 18:08:25 +0800, lina wrote:
>
>> On Sun, Jul 22, 2012 at 5:31 PM, Stan Hoeppner <stan <at> hardwarefreak.com> wrote:
>> > On 7/22/2012 3:37 AM, lina wrote:
>> >
>> >> P.S I also found
>> >>
>> >> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> >> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
>> >> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
>> >
>> > Instead of doing this piecemeal, post the output of:
>> >
>> > ~$ netstat -ant|grep LISTEN
>> >
>> > and we'll go through the list together, trimming the fat.
>>
>> # netstat -ant|grep LISTEN
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:538             0.0.0.0:*               LISTEN
>> tcp6       0      0 :::143                  :::*                    LISTEN
>> tcp6       0      0 :::80                   :::*                    LISTEN
>> tcp6       0      0 :::22                   :::*                    LISTEN
>> tcp6       0      0 ::1:631                 :::*                    LISTEN
>>
>> Thanks, I only know 22, 25, 631 and 80, for ssh, email, cups and http respectively.

Brian | 22 Jul 2012 17:53

Re: is it rational to close the 139 port

On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:

> On Sun, Jul 22, 2012 at 7:32 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
> >
> > Heaven above knows why you need a firewall. These services are quite
> > capable of getting on with life without iptables being involved. So are
> > you.
>
> Just today one website I cared about failed to open, certainly it's
> under attack.
> I don't know what other people are capable of, I feel they are capable
> of doing lots of things.
> Frankly speaking I don't have much energy/channel to arm myself some
> intense knowledge to meet some potential defense requirement
> (sometimes I read something, but mainly to forget later.).
> so the only way I can do now is to understand something very
> basic.gradually and patiently, perhaps 10 years later,
> and I don't have some strong security feelings, if something wrong
> with the laptop, I guess I will unavoidably freak out and at that time
> definitely some days will waste.

Let's take a look at what you are doing. I'll simplify it a bit, but
hopefully not so much as to distort your intentions.

1. You have two tcp services which you offer on the network, ssh and a
   webserver. Other services are available to localhost only. So the
   only way the outside can communicate with your machine is through
   ports 22 and 80.

2. You use iptables to reject all connections. This effectively means

lina | 22 Jul 2012 18:09

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 11:53 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
> On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:
>
>> On Sun, Jul 22, 2012 at 7:32 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
>> >
>> > Heaven above knows why you need a firewall. These services are quite
>> > capable of getting on with life without iptables being involved. So are
>> > you.
>>
>> Just today one website I cared about failed to open, certainly it's
>> under attack.
>> I don't know what other people are capable of, I feel they are capable
>> of doing lots of things.
>> Frankly speaking I don't have much energy/channel to arm myself some
>> intense knowledge to meet some potential defense requirement
>> (sometimes I read something, but mainly to forget later.).
>> so the only way I can do now is to understand something very
>> basic.gradually and patiently, perhaps 10 years later,
>> and I don't have some strong security feelings, if something wrong
>> with the laptop, I guess I will unavoidably freak out and at that time
>> definitely some days will waste.
>
> Let's take a look at what you are doing. I'll simplify it a bit but
> hopefully not too much as to distort your intentions.
>
> 1. You have two tcp services which you offer on the network, ssh and a
>    webserver. Other services are available to localhost only. So the
>    only way the outside can communicate with your machine is through
>    ports 22 and 80.

Mark Allums | 22 Jul 2012 18:44

Re: is it rational to close the 139 port

On 7/22/2012 11:09 AM, lina wrote:
> On Sun, Jul 22, 2012 at 11:53 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
>> On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:
>>
>>> On Sun, Jul 22, 2012 at 7:32 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
>>>> Heaven above knows why you need a firewall. These services are quite
>>>> capable of getting on with life without iptables being involved. So are
>>>> you.
>>> Just today one website I cared about failed to open, certainly it's
>>> under attack.
>>> I don't know what other people are capable of, I feel they are capable
>>> of doing lots of things.
>>> Frankly speaking I don't have much energy/channel to arm myself some
>>> intense knowledge to meet some potential defense requirement
>>> (sometimes I read something, but mainly to forget later.).
>>> so the only way I can do now is to understand something very
>>> basic.gradually and patiently, perhaps 10 years later,
>>> and I don't have some strong security feelings, if something wrong
>>> with the laptop, I guess I will unavoidably freak out and at that time
>>> definitely some days will waste.
>> Let's take a look at what you are doing. I'll simplify it a bit but
>> hopefully not too much as to distort your intentions.
>>
>> 1. You have two tcp services which you offer on the network, ssh and a
>>     webserver. Other services are available to localhost only. So the
>>     only way the outside can communicate with your machine is through
>>     ports 22 and 80.
>>
>> 2. You use iptables to reject all connections. This effectively means
>>     the services on ports 22 and 80 become unavailable, which does not

Erwan David | 22 Jul 2012 18:58

Re: is it rational to close the 139 port


> However, I have noticed a tendency for things to be installed or
> started that open new ports, and it's easy to overlook them. Aptitude
> in particular will install extra packages that you don't need or want.
For this, the first thing is to disable automatic installation of
recommended packages; it is much easier to manage then.

Andrei POPESCU | 22 Jul 2012 19:29

Disabling Recommends [was: Re: is it rational to close the 139 port]

On Sun, 22 Jul 12, 18:58:36, Erwan David wrote:
> 
> > However, I have noticed a tendency for things to be installed or
> > started that open new ports, and it's easy to overlook them. Aptitude
> > in particular will install extra packages that you don't need or want.
> For this, first thing is to disable automatic installation of
> recommended packages, it is much more easy to manage then.

I would not hurry to do this unless the machine in question is really
space constrained (e.g. I have an install on a 2 GB USB stick). Since
apt-get installs Recommends by default as well, maintainers have started
moving stuff from Depends to Recommends (to allow special use cases and
so on).

If you disable Recommends you should understand that it is your
responsibility to deal with any missing functionality that may be
important to you.

Kind regards,
Andrei
Erwan David | 22 Jul 2012 19:51

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On 22/07/12 19:29, Andrei POPESCU wrote:
> On Sun, 22 Jul 12, 18:58:36, Erwan David wrote:
>>> However, I have noticed a tendency for things to be installed or
>>> started that open new ports, and it's easy to overlook them. Aptitude
>>> in particular will install extra packages that you don't need or want.
>> For this, first thing is to disable automatic installation of
>> recommended packages, it is much more easy to manage then.
> I would not hurry to do this unless the machine in question is really 
> space constrained (e.g. I have an install on a 2 GB USB stick). Since 
> apt-get installs recommends by default as well Maintainers have started 
> moving stuff from Depends to Recommends (to allow special use cases and 
> so).
>
> If you disable Recommends you should understand that is your 
> responsibility for any missing functionality that may be important for 
> you.
>
Yes, indeed. But I've seen too many packages where Recommends leads to
installing full gnome where I do not want it, so I prefer having more
control (and thus more responsibility).

Andrei POPESCU | 22 Jul 2012 20:07

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On Sun, 22 Jul 12, 19:51:33, Erwan David wrote:
> >
> Yes, indeed. But I've seen too many packages where Recommends leads to
> installing full gnome where I do not want it, so I prefer having more
> control (and thus more responsibility).

Please do file bugs where appropriate.

Kind regards,
Andrei
Erwan David | 22 Jul 2012 20:15

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On 22/07/12 20:07, Andrei POPESCU wrote:
> On Sun, 22 Jul 12, 19:51:33, Erwan David wrote:
>> Yes, indeed. But I've seen too many packages where Recommends leads to
>> installing full gnome where I do not want it, so I prefer having more
>> control (and thus more responsibility).
> Please do file bugs where appropriate.
>
>
In the past I was too often attacked or mocked when filing such bug
reports, so I stopped.

Andrei POPESCU | 22 Jul 2012 20:29

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On Sun, 22 Jul 12, 20:15:33, Erwan David wrote:
> On 22/07/12 20:07, Andrei POPESCU wrote:
> > Please do file bugs where appropriate.
> >
> In the past I was too often attacked or mocked when filing such bug
> reports, so I stopped.

Would you care to provide some examples?

Kind regards,
Andrei
Erwan David | 22 Jul 2012 20:51

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On 22/07/12 20:29, Andrei POPESCU wrote:
> On Sun, 22 Jul 12, 20:15:33, Erwan David wrote:
>> On 22/07/12 20:07, Andrei POPESCU wrote:
>>> Please do file bugs where appropriate.
>>>
>> In the past I was too often attacked or mocked when filing such bug
>> reports, so I stopped.
> Would you care to provide some examples?
>
Bug 375500, but you do not have the whole discussion.
Note that rephrasing it in 505662 leads to silence.

Some others, but I cannot find them anymore since they are old: I now
prefer directly installing non-packaged programs when I encounter such
behaviour.
And the first thing I do is disable automatic installation of recommended packages.

Andrei POPESCU | 23 Jul 2012 08:24

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On Sun, 22 Jul 12, 20:51:04, Erwan David wrote:
> >
> Bug 375500, but you do not have the whole discussion.
> Note that rephrasing it in 505662 leads to silence.
> 
> Some others, but I cannot find them anymore since they are old: I now
> prefer directly installing non-packaged programs when I encounter such
> behaviour.
> And the first thing I do is disable automatic installation of recommended packages.

You could:

- provide patches (after testing that the dependency on gconf2 is really 
  not needed)
- if still no answer/reaction bring the issue to -devel or Technical 
  Committee

You probably already know the Gnome team is chronically understaffed...

Kind regards,
Andrei
Erwan David | 23 Jul 2012 09:45

Re: Disabling Recommends [was: Re: is it rational to close the 139 port]

On Mon, Jul 23, 2012 at 08:24:45AM CEST, Andrei POPESCU <andreimpopescu <at> gmail.com> said:
> On Sun, 22 Jul 12, 20:51:04, Erwan David wrote:
> > >
> > Bug 375500, but you do not have the whole discussion.
> > Note that rephrasing it in 505662 leads to silence.
> > 
> > Some others, but I cannot find them anymore since they are old: I now
> > prefer directly installing non-packaged programs when I encounter such
> > behaviour.
> > And the first thing I do is disable automatic installation of recommended packages.
> 
> You could:
> 
> - provide patches (after testing that the dependency on gconf2 is really 
>   not needed)
> - if still no answer/reaction bring the issue to -devel or Technical 
>   Committee
> 
> You probably already know the Gnome team is chronically understaffed...

I do not want gnome, I do not use it, and I think that gnome was from the beginning a very bad idea.
So my place is *not* in the gnome team.

Celejar | 23 Jul 2012 06:19

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012 18:58:36 +0200
Erwan David <erwan <at> rail.eu.org> wrote:

> 
> > However, I have noticed a tendency for things to be installed or
> > started that open new ports, and it's easy to overlook them. Aptitude
> > in particular will install extra packages that you don't need or want.
> For this, first thing is to disable automatic installation of
> recommended packages, it is much more easy to manage then.

True, but the downside is that you're going to experience random,
confusing absences of functionality in various applications, and it can
sometimes be difficult to figure out why ...

-- 
Celejar <celejar <at> gmail.com>

Mark Allums | 23 Jul 2012 19:00

Re: is it rational to close the 139 port

On 7/22/2012 11:19 PM, Celejar wrote:
> On Sun, 22 Jul 2012 18:58:36 +0200
> Erwan David <erwan <at> rail.eu.org> wrote:
>
>>
>>> However, I have noticed a tendency for things to be installed or
>>> started that open new ports, and it's easy to overlook them. Aptitude
>>> in particular will install extra packages that you don't need or want.
>> For this, first thing is to disable automatic installation of
>> recommended packages, it is much more easy to manage then.
>
> True, but the downside is that you're going to experience random,
> confusing absences of functionality in various applications, and it can
> sometimes be difficult to figure out why ...

It's dependency hell.  Removing one highly useless package will very 
often remove 98% of GNOME and another 120 packages.  I think this idea 
of recommended packages should be restricted to dialog box advisories 
only, and with good explanations as to why they are recommended.

Mark

Andrei POPESCU | 25 Jul 2012 13:35

Re: is it rational to close the 139 port

On Mon, 23 Jul 12, 12:00:37, Mark Allums wrote:
> >
> >True, but the downside is that you're going to experience random,
> >confusing absences of functionality in various applications, and it can
> >sometimes be difficult to figure out why ...
> 
> It's dependency hell.  Removing one highly useless package will very
> often remove 98% of GNOME and another 120 packages.  I think this
> idea of recommended packages should be restricted to dialog box
> advisories only, and with good explanations as to why they are
> recommended.

I think you are missing the point: if a package is only recommended
removing it would not remove 98% of Gnome.

Kind regards,
Andrei
lina | 22 Jul 2012 22:14

Re: is it rational to close the 139 port

On 23 Jul, 2012, at 0:44, Mark Allums <mark <at> allums.com> wrote:

> On 7/22/2012 11:09 AM, lina wrote:
>> On Sun, Jul 22, 2012 at 11:53 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
>>> On Sun 22 Jul 2012 at 22:01:50 +0800, lina wrote:
>>> 
>>>> On Sun, Jul 22, 2012 at 7:32 PM, Brian <ad44 <at> cityscape.co.uk> wrote:
>>>>> Heaven above knows why you need a firewall. These services are quite
>>>>> capable of getting on with life without iptables being involved. So are
>>>>> you.
>>>> Just today one website I cared about failed to open, certainly it's
>>>> under attack.
>>>> I don't know what other people are capable of, I feel they are capable
>>>> of doing lots of things.
>>>> Frankly speaking I don't have much energy/channel to arm myself some
>>>> intense knowledge to meet some potential defense requirement
>>>> (sometimes I read something, but mainly to forget later.).
>>>> so the only way I can do now is to understand something very
>>>> basic.gradually and patiently, perhaps 10 years later,
>>>> and I don't have some strong security feelings, if something wrong
>>>> with the laptop, I guess I will unavoidably freak out and at that time
>>>> definitely some days will waste.
>>> Let's take a look at what you are doing. I'll simplify it a bit but
>>> hopefully not too much as to distort your intentions.
>>> 
>>> 1. You have two tcp services which you offer on the network, ssh and a
>>>    webserver. Other services are available to localhost only. So the
>>>    only way the outside can communicate with your machine is through
>>>    ports 22 and 80.

Andrei POPESCU | 23 Jul 2012 08:29

Re: is it rational to close the 139 port

On Mon, 23 Jul 12, 04:14:10, lina wrote:
> 
> Thanks for your suggestions.  I didn't realize aptitude would install 
> something else, and sometimes I treated the recommended as something 
> complimentary.  Many times I left the laptop to install and myself run 
> outside to take a break. 

I don't watch it downloading and installing packages either, but I do 
have a good look at what it plans to do before confirming ;)
When in doubt I look at package descriptions and even go up the 
dependency chain and then, on occasion, choose to not install specific 
Recommends.

All of this is very easy to do with aptitude in interactive mode.

Kind regards,
Andrei
--

-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Chris Bannister | 22 Jul 2012 22:27

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 10:01:50PM +0800, lina wrote:
> Just today one website I cared about failed to open, certainly it's
> under attack.

And how does a firewall help in that case?

If you don't want your intranet web server being accessed 
from outside, then that's what a firewall is for. 
It doesn't make any sense having a firewall on a standalone 
machine, like a laptop, if you see what I mean.

Well, that's my understanding of it. 

> P.S. In the past, if some books/webpages/blogs or anything else
> inspired you a lot in this area, I'd appreciate it if you shared them.
> I don't have a CS background.

http://www.debian-administration.org/articles/552

--

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X

Henrique de Moraes Holschuh | 22 Jul 2012 16:09

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012, Brian wrote:
> The ssh and webserver daemons are available on the network. Presumably
> this is what you want. Their security will depend on how you have
> configured them. Debian sshd can be run safely with the default install.

Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
is to have it refuse any sort of password-based authentication, and accept
only key-based authentication (and token-based if you use kerberos or MS
AD), *restricted* to the set of users that indeed are allowed to ssh to the
box[1] and no root logins.  Depending on the situation, you also have to
restrict port forwarding and agents forwarding even for authorized users.

Unfortunately, that's not something easy to automate in the general case,
and any compromise we take will generate a lot of complaints, so we ship a
*reasonably safe* default... but last I checked, they're safe only if you
don't ever set any easily brute-forceable passwords, etc.

If you never need to SSH into the box, remove openssh-server.

[1] AllowUsers foo bar.  And root must never be one of them :p

--

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

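The baseline Henrique describes, as an added shell example that is not from the thread or from Debian: a POSIX sh/awk audit that reads an sshd_config and reports which of those settings are still permissive, following sshd's first-value-wins rule and stopping at any Match block. The sample configs and the upstream defaults it assumes for unset keywords are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian: audit an sshd_config
# against the baseline described above (key-only auth, no root login,
# AllowUsers, forwarding restricted).  Assumes POSIX sh + awk.  Two sshd
# rules matter: for each keyword the FIRST value in the file wins, and
# directives after a "Match" line are conditional, so the scan stops there.

# sshd_setting FILE KEYWORD -> the effective value, or nothing if unset
sshd_setting() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }                    # comments, blanks
        tolower($1) == "match" { exit }                 # conditional block
        tolower($1) == tolower(key) { print $2; exit }  # first value wins
    ' "$1"
}

# check_setting FILE KEYWORD WANT DEFAULT MESSAGE -> prints a finding and
# returns 1 when the effective value (explicit, else DEFAULT, which is the
# upstream OpenSSH default assumed here) is not WANT
check_setting() {
    v=$(sshd_setting "$1" "$2"); shown="$v"
    if [ -z "$v" ]; then v="$4"; shown="$4 (default)"; fi
    if [ "$(printf %s "$v" | tr A-Z a-z)" != "$3" ]; then
        printf '%s = %s: %s\n' "$2" "$shown" "$5"
        return 1
    fi
    return 0
}

# audit_sshd_config FILE -> one finding per line; returns 0 only if none
audit_sshd_config() {
    n=0
    check_setting "$1" PermitRootLogin no yes "disable remote root logins" || n=$((n + 1))
    check_setting "$1" PasswordAuthentication no yes "accept keys only" || n=$((n + 1))
    check_setting "$1" ChallengeResponseAuthentication no yes \
        "keyboard-interactive via PAM can still prompt for a password" || n=$((n + 1))
    check_setting "$1" AllowAgentForwarding no yes "restrict agent forwarding" || n=$((n + 1))
    check_setting "$1" AllowTcpForwarding no yes "restrict port forwarding" || n=$((n + 1))
    check_setting "$1" X11Forwarding no no "restrict X11 forwarding" || n=$((n + 1))
    if [ -z "$(sshd_setting "$1" AllowUsers)" ]; then
        echo "AllowUsers unset: restrict logins to named users"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples (not real Debian files): a permissive config and one
# that follows the recommendation, including a duplicate sshd will ignore
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers foo bar
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
# duplicate keyword: sshd keeps the first value, so this one is ignored
PermitRootLogin yes
EOF
}

cfgdir=$(mktemp -d)
write_sample_configs "$cfgdir"
for c in weak hardened; do
    echo "== $c.conf"
    audit_sshd_config "$cfgdir/$c.conf" && echo "no findings"
done
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; on a live host `sshd -T` shows the effective values including Match blocks, which this scan deliberately stops at.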
lina | 22 Jul 2012 16:33

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 10:09 PM, Henrique de Moraes Holschuh
<hmh <at> debian.org> wrote:
> On Sun, 22 Jul 2012, Brian wrote:
>> The ssh and webserver daemons are available on the network. Presumably
>> this is what you want. Their security will depend on how you have
>> configured them. Debian sshd can be run safely with the default install.
>
> Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based authentication, and accept
> only key-based authentication (and token-based if you use kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins.  Depending on the situation, you also have to
> restrict port forwarding and agents forwarding even for authorized users.

Thank you, this is very helpful, I have never realized that.

On all my servers ForwardAgent was set to yes.

Another thing I am a little concerned about:

I can ssh from remote server back to laptop without password.

but on the remote server, actually someone who has root privilege can
easily su lina and ssh to my laptop (sorry to assume like that, we
have great system administrators on those servers).

My concern is whether it's a good idea to put the public keys from remote
servers into my authorized_keys, just for scp convenience?
Thanks with best regards,
>

Andrei POPESCU | 22 Jul 2012 19:37

Re: is it rational to close the 139 port

On Sun, 22 Jul 12, 22:33:49, lina wrote:
> 
> Another thing I am a little concerned about:
> 
> I can ssh from remote server back to laptop without password.

Passphraseless keys?

> but on the remote server, actually someone who has root privilege can
> easily su lina and ssh to my laptop (sorry to assume like that, we
> have great system administrators on those servers).

Sounds like it from your description.

> My concern is whether it's a good idea to put the public keys from remote
> servers into my authorized_keys, just for scp convenience?

I think you are mixing things up. The client (in the case above the remote 
server) needs a private key accepted by the "server" (in your case above 
the laptop), that is, the keys are listed in the authorized_keys on the 
"server".

Back to your question, a general recommendation is to not put or use 
sensitive material (and SSH private keys and their passphrase do count 
as such) on machines where you don't trust root.

Hope this explains,
Andrei
--

-- 
Offtopic discussions among Debian users and developers:

Erwan David | 22 Jul 2012 16:45

Re: is it rational to close the 139 port

On 22/07/12 16:09, Henrique de Moraes Holschuh wrote:
> On Sun, 22 Jul 2012, Brian wrote:
>> The ssh and webserver daemons are available on the network. Presumably
>> this is what you want. Their security will depend on how you have
>> configured them. Debian sshd can be run safely with the default install.
> Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based authentication, and accept
> only key-based authentication (and token-based if you use kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins.  Depending on the situation, you also have to
> restrict port forwarding and agents forwarding even for authorized users.
>
> Unfortunately, that's not something easy to automate in the general case,
> and any compromise we take will generate a lot of complaints, so we ship a
> *reasonably safe* default... but last I checked, they're safe only if you
> don't ever set any easily brute-forceable passwords, etc.
>
> If you never need to SSH into the box, remove openssh-server.
>
> [1] AllowUsers foo bar.  And root must never be one of them :p
>
Beware: you must be sure to keep access to the machine before applying
the restrictions, i.e. if you're dealing with a rented server (be it
physical or virtual) in a datacenter far away...

This access might be through an out of band management connection (KVM,
Idrac, ILO, or something else), but you'd better check it works before
restraining ssh access.


Brian | 22 Jul 2012 17:31

Re: is it rational to close the 139 port

On Sun 22 Jul 2012 at 11:09:26 -0300, Henrique de Moraes Holschuh wrote:

> On Sun, 22 Jul 2012, Brian wrote:
> > The ssh and webserver daemons are available on the network. Presumably
> > this is what you want. Their security will depend on how you have
> > configured them. Debian sshd can be run safely with the default install.
> 
> Sort of.  The recommended "almost worry-free" configuration for SSH nowadays
> is to have it refuse any sort of password-based authentication, and accept
> only key-based authentication (and token-based if you use kerberos or MS
> AD), *restricted* to the set of users that indeed are allowed to ssh to the
> box[1] and no root logins.  Depending on the situation, you also have to
> restrict port forwarding and agents forwarding even for authorized users.
> 
> Unfortunately, that's not something easy to automate in the general case,
> and any compromise we take will generate a lot of complaints, so we ship a
> *reasonably safe* default... but last I checked, they're safe only if you
> don't ever set any easily brute-forceable passwords, etc.

No default configuration file will ever suit everyone or fit their
needs, but the Debian sshd_config doesn't seem to me to have any
insecure aspects to it. A strong password goes without saying, as does a
strong passphrase for key-based authentication, but there may be extra
considerations which influence the choice of one method over the other.

I'm with the Debian maintainer regarding logging in as root and have
never grasped why if a key is good enough for a user it should be less
secure for root.


Tom H | 29 Jul 2012 19:12

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 11:31 AM, Brian <ad44 <at> cityscape.co.uk> wrote:
>
> No default configuration file will ever suit everyone or fit their
> needs, but the Debian sshd_config doesn't seem to me to have any
> insecure aspects to it.

Some might say that "PermitRootLogin yes" default is insecure...

Brian | 29 Jul 2012 19:30

Re: is it rational to close the 139 port

On Sun 29 Jul 2012 at 13:12:31 -0400, Tom H wrote:

> On Sun, Jul 22, 2012 at 11:31 AM, Brian <ad44 <at> cityscape.co.uk> wrote:
> >
> > No default configuration file will ever suit everyone or fit their
> > needs, but the Debian sshd_config doesn't seem to me to have any
> > insecure aspects to it.
> 
> Some might say that "PermitRootLogin yes" default is insecure...

Some might and indeed they do say it, often vociferously. But I've yet
to see a sound reason advanced for the opinion. 

Henrique de Moraes Holschuh | 29 Jul 2012 20:00

Re: is it rational to close the 139 port

On Sun, 29 Jul 2012, Brian wrote:
> On Sun 29 Jul 2012 at 13:12:31 -0400, Tom H wrote:
> > On Sun, Jul 22, 2012 at 11:31 AM, Brian <ad44 <at> cityscape.co.uk> wrote:
> > > No default configuration file will ever suit everyone or fit their
> > > needs, but the Debian sshd_config doesn't seem to me to have any
> > > insecure aspects to it.
> > 
> > Some might say that "PermitRootLogin yes" default is insecure...
> 
> Some might and indeed they do say it, often vociferously. But I've yet
> to see a sound reason advanced for the opinion. 

Well, it is the one account that will accept remote logins (in Debian) that
exists everywhere.  It is indeed an insecure default, mostly because by
default we also allow password-based logins.

Check your logs, and verify the frequency of brute-force attempts per
username.

--

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Brian | 29 Jul 2012 21:32

Re: is it rational to close the 139 port

On Sun 29 Jul 2012 at 15:00:04 -0300, Henrique de Moraes Holschuh wrote:

> Well, it is the one account that will accept remote logins (in Debian) that
> exists everywhere.

True. But the security of an account doesn't depend on whether the
username is known or unknown. If it does, you have problems. However,
seeing attempts to log in with admin, user, bob, cora, crystal, opened,
etc, etc (just a selection from today's auth.log) is amusing. Yes, root
is there too - but I am still unperturbed.

>                     It is indeed an insecure default, mostly because by
> default we also allow password-based logins.

I am not going to argue that password-based logins are better than
key-based logins, or vice-versa. Site policy will determine which is
used. But if it can be demonstrated that a twenty character password can
be forced in a time-frame which makes sense I'll stop doing it and most
likely be grateful for the hole in my reasoning being exposed.

> Check your logs, and verify the frequency of brute-force attempts per
> username.

I stopped doing this a year or two back when it got up to a couple of
million a year. Frightening, eh? Not if you realise the idiocy of the
attempts and the futility involved. Even the ones which were
purposefully targeted and which had an actual username had no chance of
succeeding. What do they do?  Guess at ten characters and work up? 10,
11, 12, etc. Time and statistics are on my side.


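Henrique's "check your logs" suggestion and Brian's auth.log sample, as an added shell example that is not from the thread: it tallies sshd "Failed password" lines per username (separating accounts that exist, such as root, from invalid ones) and per source address, over a constructed auth.log that uses documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread: tally sshd brute-force attempts from
# an auth.log.  Assumes POSIX sh, sed, awk, sort, uniq and the classic
# syslog line format "... sshd[PID]: Failed password for [invalid user] NAME
# from ADDR port N ssh2".  Lines for accounts that do not exist say
# "invalid user"; the rest (root, real users) are the ones a password
# guess could actually succeed against if password auth is enabled.

# failed_attempts LOG -> one "user source kind" line per failed password
failed_attempts() {
    sed -n \
      -e 's/.*sshd\[[0-9]*\]: Failed password for invalid user \([^ ]*\) from \([^ ]*\).*/\1 \2 invalid/p' \
      -e 's/.*sshd\[[0-9]*\]: Failed password for \([^ ]*\) from \([^ ]*\).*/\1 \2 valid/p' \
      "$1"
}

# attempts_per_user LOG -> "count user kind", most-targeted username first
attempts_per_user() {
    failed_attempts "$1" |
        awk '{ c[$1 " " $3]++ } END { for (k in c) print c[k], k }' |
        sort -rn
}

# attempts_per_source LOG -> "count source", noisiest address first
attempts_per_source() {
    failed_attempts "$1" | awk '{ print $2 }' | sort | uniq -c |
        sort -rn | awk '{ print $1, $2 }'
}

# sources_over LOG N -> addresses with more than N failures: the set a
# rate limiter or denyhosts-style tool would act on
sources_over() {
    attempts_per_source "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# Constructed sample log (documentation addresses, not real traffic)
write_sample_log() {
    cat > "$1" <<'EOF'
Jul 29 10:12:33 box sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 29 10:12:35 box sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 29 10:12:38 box sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 29 10:12:40 box sshd[1203]: Invalid user admin from 203.0.113.5
Jul 29 10:12:40 box sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jul 29 10:12:43 box sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jul 29 10:13:01 box sshd[1210]: Failed password for invalid user bob from 203.0.113.9 port 40210 ssh2
Jul 29 10:13:04 box sshd[1211]: Failed password for root from 203.0.113.9 port 40211 ssh2
Jul 29 10:13:09 box sshd[1212]: Accepted publickey for lina from 198.51.100.7 port 40001 ssh2
Jul 29 10:14:15 box sshd[1215]: Failed password for lina from 198.51.100.7 port 40003 ssh2
EOF
}

logdir=$(mktemp -d)
write_sample_log "$logdir/auth.log"
echo "== attempts per username"; attempts_per_user "$logdir/auth.log"
echo "== attempts per source";   attempts_per_source "$logdir/auth.log"
echo "== sources over 3 failures"; sources_over "$logdir/auth.log" 3
```

On a Debian host the same functions can be pointed at /var/log/auth.log; the "valid" rows are the ones worth reading closely, since those usernames exist.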
Henrique de Moraes Holschuh | 30 Jul 2012 03:27

Re: is it rational to close the 139 port

On Sun, 29 Jul 2012, Brian wrote:
> used. But if it can be demonstrated that a twenty character password can
> be forced in a time-frame which makes sense I'll stop doing it and most

That depends.  Are you using any dictionary words or easy character
permutations thereof to make a pass-phrase?  If so, your 20-char password is
a lot weaker than what one might expect at first glance.

> And this is without enlisting any further help from rate-limiting with
> iptables, denyhosts, port knocking etc, all of which reduce worry but do
> not increase security.

Hmm, they do increase security against on-line brute-force attacks, although
it is a marginal increase.  And they're not part of the default, therefore
uninteresting: you can already tighten ssh up properly if you're not going
to go with the defaults.

> not because there are brute-force attempts on the account being made. If
> keys or a strong password are employed the root account is no more
> susceptible to be broken into than any other account.

Too many "ifs" when dealing with a default configuration.  As far as I'm
concerned, Debian should ship with root logins disabled, denying logins to
anyone not in the users group, x11 and agent forwarding disabled, and only
RSA-based and GSSAPI/kerberos auth enabled.

But this IS a very beaten old horse, and I am not going to bother with it.

--

-- 
  "One disk to rule them all, One disk to find them. One disk to bring

Mark Allums | 30 Jul 2012 06:18

Re: is it rational to close the 139 port

On 7/29/2012 8:27 PM, Henrique de Moraes Holschuh wrote:
> On Sun, 29 Jul 2012, Brian wrote:
>> used. But if it can be demonstrated that a twenty character password can
>> be forced in a time-frame which makes sense I'll stop doing it and most

On (exceedingly) rare occasions, it does happen that the twenty-char 
password is guessed in twelve minutes.  On average, it might be 
100-million years, but there is no guarantee.

Or there is a previously undiscovered backdoor, or a previously unknown 
flaw or exploit.  It happens.

Enable it if you need it, disable it if you don't.  Or even limit 
availability to 8am-to-5pm five days a week.  Every little bit you can 
do helps a little bit.

Minimal attackable surface, and all that...

Be paranoid.

Andrei POPESCU | 30 Jul 2012 11:21

Re: is it rational to close the 139 port

On Sun, 29 Jul 12, 22:27:08, Henrique de Moraes Holschuh wrote:
> On Sun, 29 Jul 2012, Brian wrote:
> > used. But if it can be demonstrated that a twenty character password can
> > be forced in a time-frame which makes sense I'll stop doing it and most
> 
> That depends.  Are you using any dictionary words or easy character
> permutations thereof to make a pass-phrase?  If so, your 20-char password is
> a lot weaker than what one might expect at first glance.

http://xkcd.com/936/

(I wonder how much truth there is behind this comic...)

Kind regards,
Andrei
--

-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Henrique de Moraes Holschuh | 30 Jul 2012 12:14

Re: is it rational to close the 139 port

On Mon, 30 Jul 2012, Andrei POPESCU wrote:
> On Sun, 29 Jul 12, 22:27:08, Henrique de Moraes Holschuh wrote:
> > On Sun, 29 Jul 2012, Brian wrote:
> > > used. But if it can be demonstrated that a twenty character password can
> > > be forced in a time-frame which makes sense I'll stop doing it and most
> > 
> > That depends.  Are you using any dictionary words or easy character
> > permutations thereof to make a pass-phrase?  If so, your 20-char password is
> > a lot weaker than what one might expect at first glance.
> 
> http://xkcd.com/936/
> 
> (I wonder how much truth there is behind this comic...)

Don't bother wondering.  Read the paper.

http://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/
http://www.readwriteweb.com/enterprise/2012/03/passphrases-maybe-not-as-secur.php

You need to have gibberish passphrases if you want it to be secure...

--

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Brad Rogers | 30 Jul 2012 12:30

Re: is it rational to close the 139 port

On Mon, 30 Jul 2012 07:14:06 -0300
Henrique de Moraes Holschuh <hmh <at> debian.org> wrote:

Hello Henrique,

>You need to have gibberish passphrases if you want it to be secure...

On one web site I use that requires a login, even pass phrases are
impossible to use as at least one character has to be 'punctuation' plus
the more usual 'at least one character needs to be a numeral'.

Which would put me back to "Now, which I was a 1?" and "Was it a or @?"

Ah, well.......

--

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
He looked the wrong way at a policeman
I Predict A Riot - Kaiser Chiefs
Stan Hoeppner | 30 Jul 2012 15:57

Re: is it rational to close the 139 port

On 7/30/2012 5:14 AM, Henrique de Moraes Holschuh wrote:

> You need to have gibberish passphrases if you want it to be secure...

Gibberish implies one wouldn't be able to remember the password/phrase.
 What you want is something recognizable to you but gibberish to all
others.  I've been using such passwords for years.  The creation
methodology is simple.

Take a couple or few short acronyms familiar to you but obscure to the
general population.  Inject numbers associated with the things the
acronyms identify.  Use case variation on the alpha portions.  Then add
a special character to the front and rear, and some padding characters
to increase length, as length is ultimately the key to unguessable
passwords.  For example:

...@AsCi6144Bm#---

That's 18 characters, not unwieldy, nor hard to remember, if you know
what the component parts are and the special character and padding
policies.  Looks like complete gibberish yes?

According to https://www.grc.com/haystack.htm it will take *1.28
trillion centuries* at one hundred trillion guesses/second to brute
force guess this password.

At http://www.passwordmeter.com/ it gets a 100% score and very strong
complexity rating, although you can achieve this with this tool using a
much less complex password.


John Hasler | 30 Jul 2012 16:28

Re: is it rational to close the 139 port

Stan Hoeppner writes:
> Gibberish implies one wouldn't be able to remember the
> password/phrase.

Which is why, as Bruce Schneier recommends, you _write it down_.
--

-- 
John Hasler

Brad Rogers | 30 Jul 2012 17:19

Re: is it rational to close the 139 port

On Mon, 30 Jul 2012 09:28:51 -0500
John Hasler <jhasler <at> newsguy.com> wrote:

Hello John,

>Which is why, as Bruce Schneier recommends, you _write it down_.

Yeah, on a Post-It note.  Stuck to the monitor.   :-))

--

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
That's what I call you
Heaven Sent - INXS
John Hasler | 30 Jul 2012 18:54

Re: is it rational to close the 139 port

I wrote:
> Which is why, as Bruce Schneier recommends, you _write it down_.

Brad Rogers writes:
> Yeah, on a Post-It note.  Stuck to the monitor.

That's what people do when you tell them not to write it down.  _Tell_
them to write it down and tell them _how_.  They keep their credit cards
and cash safe: they can keep a little black book of passwords safe.
Yes, it's a risk.  It's a smaller one than the other choices, which are
either memorable but weak passwords or strong ones that they will write
down improperly no matter what they are told.

If someone's little black book of passwords is lost or stolen, they will
know it and will promptly change the passwords, most likely before the
book falls into the hands of anyone who can actually use it.  That is,
if they were _authorized_ to create that book.  If they weren't they
won't want to admit having violated policy and so will say nothing and
hope the passwords never get used.
--

-- 
John Hasler

Brad Rogers | 30 Jul 2012 19:15

Re: is it rational to close the 139 port

On Mon, 30 Jul 2012 11:54:14 -0500
John Hasler <jhasler <at> newsguy.com> wrote:

Hello John,

>Brad Rogers writes:
>> Yeah, on a Post-It note.  Stuck to the monitor.  
>That's what people do when you tell them not to write it down.  _Tell_
>them to write it down and tell them _how_.

As it happens, I agree with you; write 'em down, and keep 'em safe.

--

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Go away, come back, go away, come back
Leave Me Alone (I'm Lonely) - P!nk
Chris Bannister | 31 Jul 2012 10:31

Re: is it rational to close the 139 port

On Mon, Jul 30, 2012 at 06:15:26PM +0100, Brad Rogers wrote:
> On Mon, 30 Jul 2012 11:54:14 -0500
> John Hasler <jhasler <at> newsguy.com> wrote:
> 
> Hello John,
> 
> >Brad Rogers writes:
> >> Yeah, on a Post-It note.  Stuck to the monitor.  
> >That's what people do when you tell them not to write it down.  _Tell_
> >them to write it down and tell them _how_.
> 
> As it happens, I agree with you; write 'em down, and keep 'em safe.

Or just have one, but make it a good 'un, and never tell anyone.

Reasons: 1) If someone can brute force guess it, you've got other
            problems, i.e. you're targeted!
         2) Clothes, possessions, etc. can be searched. You may never
            know until it's too late!
         3) If someone wants it, at least you'll know about it¹

Well, actually 2 - one for really important stuff, the other for unimportant
stuff; I can trust my bank to keep it safe, but the local supermarket is
another story.

¹ I consider this an advantage. See reason 2)

--

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 

Mike McClain | 31 Jul 2012 17:51

[OT] secure passwords (was Re: is it rational to close the 139 port)

On Tue, Jul 31, 2012 at 08:31:56PM +1200, Chris Bannister wrote:
> On Mon, Jul 30, 2012 at 06:15:26PM +0100, Brad Rogers wrote:
> > On Mon, 30 Jul 2012 11:54:14 -0500
> > John Hasler <jhasler <at> newsguy.com> wrote:
> > 
> > Hello John,
> > 
> > >Brad Rogers writes:
> > >> Yeah, on a Post-It note.  Stuck to the monitor.  
> > >That's what people do when you tell them not to write it down.  _Tell_
> > >them to write it down and tell them _how_.
> > 
> > As it happens, I agree with you; write 'em down, and keep 'em safe.
> 
> Or just have one, but make it a good 'un, and never tell anyone.
<snip> 

    If a password is any place but in your head I question its
security but here's a scheme for secure passwords that are not 
subject to dictionary lookups and are easy to remember.

    Take a name and a number out of your childhood that you'll
remember forever like your first pet and the first phone number
you memorized, scrambled together. For instance: Spottie and 765-4321, 
becomes S7p6o5t4t3i2e1. Now throw in a little punctuation:
..S7p6o5t4t3i2e1!! and you have a password that's personal, easy to 
remember and quite difficult to crack. Don't take my word for it,
take your password to GRC.com or another password checker on the web
and see for yourself.


Stan Hoeppner | 1 Aug 2012 00:57

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

On 7/31/2012 10:51 AM, Mike McClain wrote:

>     If a password is any place but in your head I question its
> security 

Agreed.

>     Take a name and a number out of your childhood that you'll
> remember forever like your first pet and the first phone number
> you memorized, scrambled together. For instance: Spottie and 765-4321, 
> becomes S7p6o5t4t3i2e1. Now throw in a little punctuation:
> ..S7p6o5t4t3i2e1!! and you have a password that's personal, easy to 
> remember and quite difficult to crack. Don't take my word for it,
> take your password to GRC.com or another password checker on the web
> and see for yourself.

Disagreed.  Too complicated.  E.g.

*******dash*******

GRC says: 2.43 billion centuries to crack @ 100 trillion guesses/sec.
Length is the key to strong passwords, not complication.  The Sun will
turn into a Red Giant and destroy the solar system in ~4 billion years,
so this pwd will survive the end of the world, and possibly the end of
the universe.  And yet it's so simple to create and remember.

Always practice the K.I.S.S. principle.

--

-- 
Stan

Glenn English | 1 Aug 2012 02:03

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)


On Jul 31, 2012, at 4:57 PM, Stan Hoeppner wrote:

> On 7/31/2012 10:51 AM, Mike McClain wrote:
> 
>>    If a password is any place but in your head I question its
>> security 
> 
> Agreed.

Dud'n work, guys. I fell off my bike a couple years ago and completely 
lost all my passwords. Rebuilding my servers (and laptops and iPads) was 
no fun at all. Write 'em down and put the paper in a safe-deposit box.

>>    Take a name and a number out of your childhood that you'll
>> remember forever like your first pet and the first phone number
>> you memorized, scrambled together.

That's pretty much what mine were: first letters and punctuation of 
a well known line from a song or poem. When your brain is hit real hard 
by a sharp rock, they're gone. 

--

-- 
Glenn English
hand-wrapped from my Apple Mail

Stan Hoeppner | 1 Aug 2012 04:45

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

On 7/31/2012 7:03 PM, Glenn English wrote:

> Dud'n work, guys. I fell off my bike a couple years ago and completely 
> lost all my passwords. Rebuilding my servers (and laptops and iPads) was 
> no fun at all. Write 'em down and put the paper in a safe-deposit box.

If you can't remember the passwords due to injury, it seems pretty clear
you wouldn't remember renting the box at the bank either.

--

-- 
Stan

Bob Proulx | 1 Aug 2012 05:00

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

Stan Hoeppner wrote:
> Glenn English wrote:
> > Dud'n work, guys. I fell off my bike a couple years ago and completely 
> > lost all my passwords. Rebuilding my servers (and laptops and iPads) was 
> > no fun at all. Write 'em down and put the paper in a safe-deposit box.
> 
> If you can't remember the passwords due to injury, it seems pretty clear
> you wouldn't remember renting the box at the bank either.

Fortunately for most of us there is the support group of family.  They
know these things and would help me with them.  If I become
incapacitated there is an envelope of instructions that I keep updated
with current information on my accounts.  Mostly it tells how to get
into particular computer files where I keep my current account
information stored.  If I had amnesia this would be sufficient for me
to recover.  If I do not recover then it would facilitate the transfer
of my estate.  Of course not everyone is fortunate enough to have a
supportive family to draw upon for help.

Bob
Glenn English | 1 Aug 2012 05:23

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)


On Jul 31, 2012, at 9:00 PM, Bob Proulx wrote:

> Fortunately for most of us there is the support group of family.  They
> know these things and would help me with them.

I was 67 years old when it happened, and the family I have left 
is 1000 miles away. Fortunately, my sister flew here to take care 
of me. She dealt with the bank and the lawyers, and would have 
brought me the passwords so I could do my rootly duties from the 
hospital.

> If I become
> incapacitated there is an envelope of instructions that I keep updated
> with current information on my accounts.  Mostly it tells how to get
> into particular computer files where I keep my current account
> information stored.  

I didn't have that at the time. I do now -- that and a lot more.

> Of course not everyone is fortunate enough to have a
> supportive family to draw upon for help.

My friends were a lot of help, too. 

Stay away from bicycles. Get a recumbent trike -- it won't toss your 
brain into a pile of rocks...

--

-- 
Glenn English

lina | 1 Aug 2012 04:48

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

On Wed, Aug 1, 2012 at 8:03 AM, Glenn English <ghe <at> slsware.com> wrote:
>
> On Jul 31, 2012, at 4:57 PM, Stan Hoeppner wrote:
>
>> On 7/31/2012 10:51 AM, Mike McClain wrote:
>>
>>>    If a password is any place but in your head I question its
>>> security
>>
>> Agreed.
>
> Dud'n work, guys. I fell off my bike a couple years ago and completely
> lost all my passwords. Rebuilding my servers (and laptops and iPads) was
> no fun at all. Write 'em down and put the paper in a safe-deposit box.
I back up my passwords in a notebook, but in a very ancient encrypted way;
even if people read it, it is not easy to guess.
So here I avoid the safe-deposit box.
>
>>>    Take a name and a number out of your childhood that you'll
>>> remember forever like your first pet and the first phone number
>>> you memorized, scrambled together.
>
> That's pretty much what mine were: first letters and punctuation of
> a well known line from a song or poem. When your brain is hit real hard
> by a sharp rock, they're gone.
>
> --
> Glenn English
> hand-wrapped from my Apple Mail
>

lina | 1 Aug 2012 04:44

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

On Wed, Aug 1, 2012 at 6:57 AM, Stan Hoeppner <stan <at> hardwarefreak.com> wrote:
> On 7/31/2012 10:51 AM, Mike McClain wrote:
>
>>     If a password is any place but in your head I question its
>> security
>
> Agreed.
>
>>     Take a name and a number out of your childhood that you'll
>> remember forever like your first pet and the first phone number
>> you memorized, scrambled together. For instance: Spottie and 765-4321,
>> becomes S7p6o5t4t3i2e1. Now throw in a little punctuation:
>> ..S7p6o5t4t3i2e1!! and you have a password that's personal, easy to
>> remember and quite difficult to crack. Don't take my word for it,
>> take your password to GRC.com or another password checker on the web
>> and see for yourself.
>
> Disagreed.  Too complicated.  E.g.
>
> *******dash*******
>
> GRC says: 2.43 billion centuries to crack @ 100 trillion guesses/sec.
> Length is the key to strong passwords, not complication.  The Sun will
> turn into a Red Giant and destroy the solar system in ~4 billion years,
> so this pwd will survive the end of the world, and possibly the end of
> the universe.  And yet it's so simple to create and remember.
Computation speed is also evolving;
it's hard to imagine the speed after 100~200 years.
So I guess that password may be extinguished before the end of the universe.
>

Bob Proulx | 1 Aug 2012 01:57

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

Mike McClain wrote:
>     If a password is any place but in your head I question its
> security but here's a scheme for secure passwords that are not 
> subject to dictionary lookups and are easy to remember.
> 
>     Take a name and a number out of your childhood that you'll
> remember forever like your first pet and the first phone number
> you memorized, scrambled together. For instance: Spottie and 765-4321, 
> becomes S7p6o5t4t3i2e1. Now throw in a little punctuation:
> ..S7p6o5t4t3i2e1!! and you have a password that's personal, easy to 
> remember and quite difficult to crack. Don't take my word for it,
> take your password to GRC.com or another password checker on the web
> and see for yourself.

The problem is how many of those can you keep straight in your head?
How many web sites and systems all need one of those unique passwords?
And you aren't reusing those passwords on multiple unrelated sites are
you?

As with all things xkcd has already addressed this problem.

  http://xkcd.com/792/

Reusing passwords is a problem.  Which means that trying to remember
the unique password for that site is going to be a burden.  If you
have some scheme of encoding the site into the password using some
algorithm unique and secure to you then great.

I generate truly random passwords and write them down.

(Continue reading)

John Hasler | 1 Aug 2012 02:25

Re: [OT] secure passwords

Bob writes:
> If you have some scheme of encoding the site into the password using
> some algorithm unique and secure to you then great.

> I generate truly random passwords and write them down.

So do I.  The problem is that the _general public_ is constantly being
told "Never, ever, ever write down a password!".  This leads directly to
widespread re-use of trivial passwords.  Most people would be better off
with a list of random passwords taped to the monitor than with what they
use now.
-- 
John Hasler

Andrei POPESCU | 1 Aug 2012 18:59

Re: [OT] secure passwords (was Re: is it rational to close the 139 port)

On Tue, 31 Jul 12, 17:57:38, Bob Proulx wrote:
> 
> The problem is how many of those can you keep straight in your head?
> How many web sites and systems all need one of those unique passwords?
> And you aren't reusing those passwords on multiple unrelated sites are
> you?
> 
> As with all things xkcd has already addressed this problem.
> 
>   http://xkcd.com/792/

Thanks!

> Reusing passwords is a problem.  Which means that trying to remember
> the unique password for that site is going to be a burden.  If you
> have some scheme of encoding the site into the password using some
> algorithm unique and secure to you then great.

There is a password manager that does exactly this... (searching), well 
it's not exactly a manager...

http://passwordmaker.org

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
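
The scheme Bob describes and Andrei points to (a master secret plus the site name run through an algorithm, so that every site gets a unique password without anyone having to remember it) as an added example; this is not PasswordMaker's algorithm and not code from anyone in the thread. The alphabet, the salt label, the iteration count and the host normalisation are choices made here for illustration:

```python
import hashlib
import hmac
import string
from urllib.parse import urlparse

# 64 symbols so that "one byte & 0x3F" selects a character with no modulo bias.
# Alphabet, salt label and iteration count are assumptions of this example.
ALPHABET = string.ascii_letters + string.digits + "-_"   # 52 + 10 + 2 = 64
SALT = b"site-password-derivation-v1"
ITERATIONS = 100_000


def normalize_site(site):
    """Reduce a URL or bare hostname to a canonical host, so that
    https://Example.COM/login and example.com derive the same password."""
    s = site.strip()
    if "://" not in s:
        s = "//" + s                       # lets urlparse treat it as a netloc
    host = (urlparse(s).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host in {site!r}")
    return host


def stretch_master(master):
    """Slow the master secret down with PBKDF2, so that someone who captures
    one derived password cannot cheaply test candidate masters offline."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), SALT, ITERATIONS)


def derive_site_password(master, site, length=16, revision=0):
    """Deterministic per-site password: HMAC(stretched master, host|revision|counter).
    Bump `revision` to rotate one site's password without changing the master."""
    key = stretch_master(master)
    host = normalize_site(site)
    chars, counter = [], 0
    while len(chars) < length:                 # one HMAC block yields 32 characters
        msg = f"{host}|{revision}|{counter}".encode("utf-8")
        block = hmac.new(key, msg, hashlib.sha256).digest()
        chars.extend(ALPHABET[b & 0x3F] for b in block)
        counter += 1
    return "".join(chars[:length])


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master secret
    for site in ("https://Example.COM/login", "example.com", "other.example"):
        print(f"{site:28s} {derive_site_password(master, site)}")
```

The trade-off Bob hints at still applies: the master secret is the single point of failure, so it has to be long and never reused, and a derived password can only be changed by bumping its revision, which you then have to remember per site.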
Celejar | 1 Aug 2012 16:22

Re: is it rational to close the 139 port

On Tue, 31 Jul 2012 20:31:56 +1200
Chris Bannister <cbannister <at> slingshot.co.nz> wrote:

> On Mon, Jul 30, 2012 at 06:15:26PM +0100, Brad Rogers wrote:
> > On Mon, 30 Jul 2012 11:54:14 -0500
> > John Hasler <jhasler <at> newsguy.com> wrote:
> > 
> > Hello John,
> > 
> > >Brad Rogers writes:
> > >> Yeah, on a Post-It note.  Stuck to the monitor.  
> > >That's what people do when you tell them not to write it down.  _Tell_
> > >them to write it down and tell them _how_.
> > 
> > As it happens, I agree with you; write 'em down, and keep 'em safe.
> 
> Or just have one, but make it a good 'un, and never tell anyone.
> 
> Reasons: 1) If someone can brute force guess it, you've got other
>             problems. i.e. -- you're targeted!
>          2) Clothes, possessions, etc. can be searched. You may never
>             know until it's too late!
>          3) If someone wants it, at least you'll know about it¹
> 
> Well, actually 2 - one for really important stuff, other for unimportant
> stuff; I can trust my bank to keep it safe, but local supermarket is
> another story.

There have been numerous well-publicized breaches at banks, major
retailers, etc. (and doubtless even more unpublicized ones). If / when
(Continue reading)

Chris Bannister | 3 Aug 2012 09:26

Re: is it rational to close the 139 port

On Wed, Aug 01, 2012 at 10:22:09AM -0400, Celejar wrote:
> There have been numerous well-publicized breaches at banks, major
> retailers, etc. (and doubtless even more unpublicized ones). If / when
> hackers get your credentials to one institution, do you really want
> them to have the keys to all your accounts?

OK, I downloaded pwgen, issued "pwgen -s 15 3" and changed my chosen password.
All I have to worry about now is someone getting hold of that piece of
paper. IOW, http://xkcd.com/792/, and Glenn's post tipped my thinking.

Perhaps it is misleading for pwgen to state:

[...]
-s, --secure  These should only be used for machine passwords, since
otherwise it's almost guaranteed that users will simply write the
password on a piece of paper taped  to the monitor...

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X

Celejar | 3 Aug 2012 16:28

Re: is it rational to close the 139 port

On Fri, 3 Aug 2012 19:26:56 +1200
Chris Bannister <cbannister <at> slingshot.co.nz> wrote:

> On Wed, Aug 01, 2012 at 10:22:09AM -0400, Celejar wrote:
> > There have been numerous well-publicized breaches at banks, major
> > retailers, etc. (and doubtless even more unpublicized ones). If / when
> > hackers get your credentials to one institution, do you really want
> > them to have the keys to all your accounts?
> 
> OK, I downloaded pwgen, issued "pwgen -s 15 3" and changed my chosen password.
> All I have to worry about now is someone getting hold of that piece of
> paper. IOW, http://xkcd.com/792/, and Glenn's post tipped my thinking.
> 
> Perhaps it is misleading for pwgen to state:
> 
> [...]
> -s, --secure  These should only be used for machine passwords, since
> otherwise it's almost guaranteed that users will simply write the
> password on a piece of paper taped  to the monitor...

I use the '-s' switch for all my passwords, and I store them in a
master file on my machine (which uses full disk encryption).

Celejar

Bonno Bloksma | 31 Jul 2012 12:08

RE: is it rational to close the 139 port

Hi,

>> Gibberish implies one wouldn't be able to remember the 
>> password/phrase.

> Which is why, as Bruce Schneier recommends, you _write it down_.

Which is what I do. Whenever I need a new password I open my editor,
close my eyes, randomly hit several keys on my keyboard and Bingo, new
random password. I store it securely on my computer and that's it.
Oh, and to make sure it is indeed hard enough to guess: if I do not see
enough capitals, numbers and punctuation marks in there I will insert a
few extra.

Bonno Bloksma

Celejar | 1 Aug 2012 16:23

Re: is it rational to close the 139 port

On Tue, 31 Jul 2012 10:08:28 +0000
Bonno Bloksma <b.bloksma <at> tio.nl> wrote:

> Hi,
> 
> >> Gibberish implies one wouldn't be able to remember the 
> >> password/phrase.
> 
> > Which is why, as Bruce Schneier recommends, you _write it down_.
> 
> Which is what I do. Whenever I need a new password I open my editor,
> close my eyes, randomly hit several keys on my keyboard and Bingo, new
> random password. I store it securely on my computer and that's it.
> Oh, and to make sure it is indeed hard enough to guess: if I do not see
> enough capitals, numbers and punctuation marks in there I will insert a
> few extra.

Just use something like pwgen or apg.

> Bonno Bloksma

Celejar
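
What "something like pwgen or apg" does, in the spirit of Chris's "pwgen -s 15 3", as an added example (not pwgen's or apg's code, and not from anyone in the thread): draw every character from the operating system's CSPRNG and keep only candidates that contain each required class. The symbol set and the default class requirement are choices of this example.

```python
import math
import secrets
import string

# Character classes; the symbol set is a choice of this example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}

DEFAULT_REQUIRED = ("lower", "upper", "digit")   # letters and digits only, as in the thread's pwgen -s output


def has_all_classes(password, required=DEFAULT_REQUIRED):
    """True when every required class contributes at least one character."""
    return all(any(c in CLASSES[name] for c in password) for name in required)


def generate(length=15, required=DEFAULT_REQUIRED):
    """Password drawn uniformly from all strings over the alphabet that contain
    every required class. Rejection sampling keeps the distribution uniform;
    "pick one of each class, then shuffle" or inserting extra capitals by hand
    does not."""
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, required):
            return candidate


def entropy_bits(length, required=DEFAULT_REQUIRED):
    """Upper bound on entropy: length * log2(alphabet size). The class
    requirement rejects only a small fraction of strings at these lengths."""
    alphabet_size = sum(len(CLASSES[name]) for name in required)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for _ in range(3):                                # like "pwgen -s 15 3"
        print(generate())
    print(f"about {entropy_bits(15):.1f} bits per password")
```

Fifteen characters over 62 symbols is roughly 89 bits, which is why such a password has to be written down or stored rather than remembered, exactly the point Bob, John and Celejar make above.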

Chris Bannister | 31 Jul 2012 09:56

strong passwords (was ... Re: is it rational to close the 139 port)

On Mon, Jul 30, 2012 at 07:14:06AM -0300, Henrique de Moraes Holschuh wrote:
> On Mon, 30 Jul 2012, Andrei POPESCU wrote:
> > 
> > http://xkcd.com/936/
> > 
> > (I wonder how much truth there is behind this comic...)
> 
> Don't bother wondering.  Read the paper.
> 
> http://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/
> http://www.readwriteweb.com/enterprise/2012/03/passphrases-maybe-not-as-secur.php
> 
> You need to have gibberish passphrases if you want it to be secure...

Right! So people write it down on the side of the monitor because they
can't remember it. Yeah, I've seen it.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X

Brian | 30 Jul 2012 22:17

Re: is it rational to close the 139 port

On Sun 29 Jul 2012 at 22:27:08 -0300, Henrique de Moraes Holschuh wrote:

> On Sun, 29 Jul 2012, Brian wrote:
> > used. But if it can be demonstrated that a twenty character password can
> > be forced in a time-frame which makes sense I'll stop doing it and most
> 
> That depends.  Are you using any dictionary words or easy character
> permutations thereof to make a pass-phrase?  If so, your 20-char password is
> a lot weaker than what one might expect at first glance.

There are four dictionary words in this passphrase

   Allow*12Root(Logins)NOW!

but it doesn't matter because you either get the whole thing or nothing.
The password checkers referenced elsewhere in this thread give it 10/10.
Attacking an sshd password is an online activity so, while I suppose it
could be in a dictionary, this is a brilliant password; suitable for a
user or for root. Even if it got guessed after a couple of hundred years
you would be past caring!

Debian's default of enabling root logins is sensible. How hard is it to
change it should an administrator want to? What damage does it do if
left as it is?

Bob Proulx | 31 Jul 2012 00:13

Re: is it rational to close the 139 port

Brian wrote:
> Henrique de Moraes Holschuh wrote:
> > Brian wrote:
> > > used. But if it can be demonstrated that a twenty character password can
> > > be forced in a time-frame which makes sense I'll stop doing it and most
> > 
> > That depends.  Are you using any dictionary words or easy character
> > permutations thereof to make a pass-phrase?  If so, your 20-char password is
> > a lot weaker than what one might expect at first glance.
> 
> There are four dictionary words in this passphrase
> 
>    Allow*12Root(Logins)NOW!
> 
> but it doesn't matter because you either get the whole thing or nothing.
> The password checkers referenced elsewhere in this thread give it 10/10.
> Attacking an sshd password is an online activity so, while I suppose it
> could be in a dictionary, this is a brilliant password; suitable for a
> user or for root. Even if it got guessed after a couple of hundred years
> you would be past caring!

I completely agree with you.

I am going to drift a little by complaining about some password
plugins that will complain about the *plaintext* of the password at
the time you create it.  I have seen a number of them that look at the
plaintext of the password and complain about dictionary words in it.
I once tried to use a password similar to "a1Sith4x" (a completely
randomly generated password, see "pwgen") but a password strength
checking plugin on that system complained about it containing a
(Continue reading)
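
The strength argument that runs through this thread (Stan's "length is the key, not complication" with GRC's 100 trillion guesses/sec, Henrique's caveat that dictionary words make a 20-character passphrase weaker than it looks, and Bob's complaint about checkers that only look for dictionary substrings) as an added example, not from any poster and not GRC's calculator: the same passwords scored under two attacker models, character-by-character brute force versus a word-list attacker. The class sizes and the 7776-word (Diceware-sized) list are assumptions of this example.

```python
import math
import string

# Model 1: the attacker brute-forces every string over the character classes the
# password is seen to use. Class sizes follow printable ASCII:
# 26 + 26 + 10 + 33 (punctuation plus space) = 95. Assumption of this example.
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}

GUESSES_PER_SECOND = 100e12            # 100 trillion guesses/sec, the rate quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_classes(password):
    """Names of the character classes a password draws from."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def brute_force_space(password):
    """Worst-case guesses for a character-by-character attacker: alphabet ** length."""
    alphabet = sum(CLASSES[name][1] for name in char_classes(password))
    return alphabet ** len(password)


def wordlist_space(n_words, list_size):
    """Model 2: worst-case guesses for an attacker who knows the password is
    n_words words drawn from a list of list_size entries (the xkcd 936 setting)."""
    return list_size ** n_words


def bits(space):
    """Search space expressed as bits of entropy."""
    return math.log2(space)


def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Years to try every candidate at the given rate (an offline-attack figure;
    an online sshd guess rate is many orders of magnitude lower)."""
    return space / rate / SECONDS_PER_YEAR


def compare():
    """Score the thread's candidate passwords under both models."""
    rows = [
        ("S7p6o5t4t3i2e1 (pet + phone, scrambled)", brute_force_space("S7p6o5t4t3i2e1")),
        ("..S7p6o5t4t3i2e1!! (plus punctuation)", brute_force_space("..S7p6o5t4t3i2e1!!")),
        ("correcthorsebatterystaple, char by char", brute_force_space("correcthorsebatterystaple")),
        ("correcthorsebatterystaple, 4 words of 7776", wordlist_space(4, 7776)),
    ]
    return [(label, round(bits(space), 1), years_to_exhaust(space)) for label, space in rows]


if __name__ == "__main__":
    for label, b, years in compare():
        print(f"{label:45s} {b:6.1f} bits  {years:10.3e} years")
```

The last two rows are Henrique's point in numbers: the 25-letter passphrase looks stronger than the 14-character scramble until the attacker models it as four dictionary words, at which point it drops well below it. A strength checker that matched dictionary substrings would also flag "sith" inside Bob's random "a1Sith4x", which is why scoring a password by the smallest plausible search space, as here, is more useful than scanning its plaintext for words.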

Richard Hector | 23 Jul 2012 07:23

Re: is it rational to close the 139 port

On 22/07/12 21:31, Stan Hoeppner wrote:
> ~$ netstat -ant|grep LISTEN

... or

~$ netstat -lnt

:-)

Richard

Joe | 22 Jul 2012 10:35

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012 15:59:29 +0800
lina <lina.lastname <at> gmail.com> wrote:

> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
> <andreimpopescu <at> gmail.com> wrote:
> > On Sun, 22 Jul 12, 15:41:16, lina wrote:
> >>
> >> Thanks, I don't have some basic understanding about samba,
> >> will read something about it.
> >> just a short quick question, is it necessary to keep it?
> >
> > Only you can tell since we don't know what you use/need.
> I felt a bit silly to ask, and a bit annoyed about myself for knowing
> so little.
> seems no need to share files with outside.
> have rejected all inbound towards the port 139 and 445.
> 

These ports should never be open to the Net, or any potentially hostile
computers, as there is a great deal of activity by bots looking for open
Windows shares.

If this machine is part of a network which shares files using the
Windows SMB protocol, and this machine hosts shares, then the ports
need to be open to the other network machines. If it's a standalone
computer, or doesn't host any shares, you don't need samba running at
all, or even installed. If you need to access SMB shares on other
machines, the client programs to do this do not need the main samba
program to be installed.

(Continue reading)

lina | 22 Jul 2012 10:44

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 4:35 PM, Joe <joe <at> jretrading.com> wrote:
> On Sun, 22 Jul 2012 15:59:29 +0800
> lina <lina.lastname <at> gmail.com> wrote:
>
>> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
>> <andreimpopescu <at> gmail.com> wrote:
>> > On Sun, 22 Jul 12, 15:41:16, lina wrote:
>> >>
>> >> Thanks, I don't have some basic understanding about samba,
>> >> will read something about it.
>> >> just a short quick question, is it necessary to keep it?
>> >
>> > Only you can tell since we don't know what you use/need.
>> I felt a bit silly to ask, and a bit annoyed about myself for knowing
>> so little.
>> seems no need to share files with outside.
>> have rejected all inbound towards the port 139 and 445.
>>
>
> These ports should never be open to the Net, or any potentially hostile
> computers, as there is a great deal of activity by bots looking for open
> Windows shares.
>
> If this machine is part of a network which shares files using the
> Windows SMB protocol, and this machine hosts shares, then the ports
> need to be open to the other network machines. If it's a standalone
> computer, or doesn't host any shares, you don't need samba running at
> all, or even installed. If you need to access SMB shares on other
> machines, the client programs to do this do not need the main samba
> program to be installed.
(Continue reading)

Joe | 22 Jul 2012 11:18

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012 16:44:13 +0800
lina <lina.lastname <at> gmail.com> wrote:

> 
> Checked, now only 22 80 open with 443 closed.
> another thing is that the nmap can scan my MAC address correctly.
> is it bad? (I guess I will feel comfortable if the MAC address is
> hidden)
> 

All network communication is actually based on MAC addresses; if it
can't be seen, you can't talk.

Try arp -a as root to see what other computers yours has recently
talked to. A cache is kept to speed things up, but only for a few
minutes, otherwise your computer has to broadcast to look up a link
between IP address and MAC.

If you have a rainy afternoon to while away, install Wireshark and have
a play with it. Try various network connections while a capture is
running, and play with the filtering. One day you will need to use it
in anger.

Here is a fragment of a capture showing my workstation trying to find
the server using the ARP protocol. It hasn't connected for a time, so
the server isn't in its cache:

No.  Time  Source  Destination Protocol Length Info 

5 5.007111000    Giga-Byt_xx:xx:xx Hewlett-_xx:xx:xx ARP 42
(Continue reading)

Pascal Hambourg | 22 Jul 2012 11:32

Re: is it rational to close the 139 port

Joe wrote:
> 
> All network communication is actually based on MAC addresses

No. Communication over an ethernet network is, but not all network
communication is.

-- 
To UNSUBSCRIBE, email to debian-user-REQUEST <at> lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster <at> lists.debian.org
Archive: http://lists.debian.org/500BC8CA.9010608 <at> plouf.fr.eu.org

Joe | 22 Jul 2012 12:30

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012 11:32:58 +0200
Pascal Hambourg <pascal <at> plouf.fr.eu.org> wrote:

> Joe wrote:
> > 
> > All network communication is actually based on MAC addresses
> 
> No. Communication over an ethernet network is, but not all network
> communication is.
> 
> 

I realise that, but there are only so many levels of complexity which
are worth introducing at once. The more 'buts' and 'excepts' in an
explanation, the harder it is to follow.

The point being made was that MAC addresses cannot be concealed, which
is valid wherever MAC addresses exist. The issue does not arise in
those interfaces which don't use Ethernet at the PC, such as DSL modems
and cellphone dongles and virtual interfaces like VPNs, nor away from
the PC across routers into other broadcast domains. But a computer
within a local network will communicate entirely by Ethernet, either
wired or wireless.

-- 
Joe

lina | 22 Jul 2012 12:44

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 5:18 PM, Joe <joe <at> jretrading.com> wrote:
> On Sun, 22 Jul 2012 16:44:13 +0800
> lina <lina.lastname <at> gmail.com> wrote:
>
>>
>> Checked, now only 22 80 open with 443 closed.
>> another thing is that the nmap can scan my MAC address correctly.
>> is it bad? (I guess I will feel comfortable if the MAC address is
>> hidden)
>>
>
> All network communication is actually based on MAC addresses, if it
> can't be seen, you can't talk.
>
> Try arp -a as root to see what other computers yours has recently
> talked to. A cache is kept to speed things up, but only for a few
> minutes, otherwise your computer has to broadcast to look up a link
> between IP address and MAC.
Thanks. Does a packet look for the IP address first or the MAC address first?
(It seems I read something about this before, in a book/document written in
2001, kind of aged? I still don't understand.)
>
> If you have a rainy afternoon to while away, install Wireshark and have
> a play with it. Try various network connections while a capture is
> running, and play with the filtering. One day you will need to use it
> in anger.
(Here by "in anger", you implied that Wireshark was not so much fun
to play with?
Just curious...
I installed it but never saw how it can be useful, or mainly I don't know
(Continue reading)

Stephan Seitz | 22 Jul 2012 15:54

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 06:44:04PM +0800, lina wrote:
>Thanks. Does a packet look for the IP address first or the MAC address first?
>(It seems I read something about this before, in a book/document written in
>2001, kind of aged? I still don't understand.)

IPv4 hasn’t changed since then, and IPv6 works quite similarly.
But this is a question about ethernet networks and routing, so let me try 
to explain it a little.

IPv4:
You probably have already seen IPv4 addresses. They are 32-bit addresses, 
normally written with a separating dot after every 8 bits, e.g. 192.168.1.20 or 
193.99.144.85. If you see a .1., it should be .001.

The netmask has the same length. It is used together with the IP address 
to separate the network part of the address from the host part.
Examples:
IP: 192.168.0.1, netmask: 255.255.255.0 means 192.168.0 is the network 
part, .1 is the host part (short form 192.168.0.1/24).
IP: 10.20.4.3, netmask: 255.255.0.0 means 10.20 is the network part, 4.3 
is the host part (short form 10.20.4.3/16).

You can reach any host within the network part without needing a router 
or gateway. 10.20.4.3/16 can reach directly 10.20.120.75, but not 
10.10.4.6.

The program subnetcalc will help you to understand network and hosts:
stse <at> minas-ithil:~$ subnetcalc 192.168.1.1 255.255.255.0
Address       = 192.168.1.1
                    11000000 . 10101000 . 00000001 . 00000001
(Continue reading)
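
Stephan's netmask arithmetic, Joe's ARP explanation and lina's "IP first or MAC first?" question, worked through as an added example (not subnetcalc and not code from anyone in the thread): the host ANDs its own and the destination address with the netmask; if the network parts agree it ARPs for the destination itself, otherwise it ARPs for the gateway and the frame carries the gateway's MAC while the IP header still names the destination. The gateway address 10.20.0.1 is a constructed assumption.

```python
import ipaddress   # standard library; used only to cross-check the hand-rolled arithmetic


def ip_to_int(ip):
    """'192.168.0.1' -> 0xC0A80001, validating each octet."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary(ip):
    """Dotted binary rendering in the style of subnetcalc's output."""
    return " . ".join(f"{int(o):08b}" for o in ip.split("."))


def mask_to_prefix(mask):
    """'255.255.0.0' -> 16; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask!r}")
    return prefix


def network_part(ip, mask):
    """Address AND mask: the part all hosts on the link share."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def host_part(ip, mask):
    """Address AND NOT mask: the part that names this host within the network."""
    return ip_to_int(ip) & ~ip_to_int(mask) & 0xFFFFFFFF


def same_subnet(ip_a, ip_b, mask):
    return network_part(ip_a, mask) == network_part(ip_b, mask)


def arp_target(my_ip, mask, gateway, dst):
    """Which address the host resolves with ARP before sending to dst: the
    destination itself when it is on the local network, otherwise the gateway."""
    return dst if same_subnet(my_ip, dst, mask) else gateway


def cross_check(ip, mask):
    """Agree with the ipaddress module on network address and prefix length?"""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (str(net.network_address) == network_part(ip, mask)
            and net.prefixlen == mask_to_prefix(mask))


if __name__ == "__main__":
    me, mask, gw = "10.20.4.3", "255.255.0.0", "10.20.0.1"   # constructed host
    print("Address  =", me, "\n          ", binary(me))
    print("Netmask  =", mask, f"(/{mask_to_prefix(mask)})")
    print("Network  =", network_part(me, mask), " host part =", host_part(me, mask))
    for dst in ("10.20.120.75", "10.10.4.6"):
        print(f"to {dst:13s}: on-link={same_subnet(me, dst, mask)!s:5s} ARP for {arp_target(me, mask, gw, dst)}")
```

So the answer to lina's question is "IP first": routing decides on the IP address whether the destination is on-link, and only then does ARP turn the chosen next-hop IP into a MAC; the MAC of anything beyond the gateway is never seen.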

Lisi | 23 Jul 2012 15:30

Re: is it rational to close the 139 port

On Sunday 22 July 2012 11:44:04 lina wrote:
> > If you have a rainy afternoon to while away, install Wireshark and have
> > a play with it. Try various network connections while a capture is
> > running, and play with the filtering. One day you will need to use it
> > in anger.
> (Here "in anger", you implied that the wireshark was not so much fun
> to play with?

No, "in anger" in this context means that you are just playing now, but one 
day you may actually need to use it in earnest to solve an immediate, 
possibly urgent, problem.

Lisi

Claudius Hubig | 22 Jul 2012 11:56

Re: is it rational to close the 139 port

Hello lina,

this is a rather strange name :)

lina <lina.lastname <at> gmail.com> wrote:
> BTW, why need allow ping? from outside?
>  59 # Allow ping
>  60 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

It doesn’t help to block ICMP echo requests:

- if you block them by dropping them, the other party knows that
  you are (most likely) there, since otherwise the last-but-one hop
  would return ‘No route to host’.
- if you block them by rejecting them, the other party knows that you
  are there.
- if you accept them, the other party knows that you are there and is
  able to link no replies to network problems (see first point).

While it is technically possible to block these requests for IPv4,
you should never block ICMPv6, since it is necessary to do SLAAC.

Best regards,

Claudius
-- 
              A board is the planck unit of boredom.                
http://chubig.net                          telnet nightfall.org 4242
Pascal Hambourg | 22 Jul 2012 14:54

Re: is it rational to close the 139 port

Claudius Hubig wrote:
> 
> While it is technically possible to block these requests for IPv4,
> you should never block ICMPv6, since it is necessary to do SLAAC.

Not only SLAAC (which is optional) but also neighbour discovery, which
is mandatory in most cases on a shared medium such as ethernet as it
plays a similar role as ARP does for IPv4. However only a few ICMPv6
types are used by neighbour discovery, and echo request/reply are not
part of them. Namely:
neighbour solicitation
neighbour advertisement
router solicitation
router advertisement


Henrique de Moraes Holschuh | 22 Jul 2012 15:49

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012, lina wrote:
> strangely my netstat showed my 139 and 445 ports are open.
> 
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
> 
> Do I need specify
> 
> -A INPUT -p tcp --dport 139 -j REJECT
> 
> in iptables?

It is good practice to not let ports 135, 137, 138, 139 and 445 get through
the interface to *EXTERNAL* networks/Internet.  They're used for services
that ought to stay restricted to your internal network and VPNs.  And
they're required only if you use Windows-style network shares in your
internal network.

The same goes to port 631 (CUPS/IPP printing) and a few other ports that are
used by services that nobody in an external network has any business messing
with in the general case.

If you don't need Windows-style networking at all, it is best to
disable/remove/purge package "samba", which provides these services.  This
ought to close the 445 and 139 ports.

> BTW, why need allow ping? from outside?

It is useful for diagnostics initiated from the outside, and that's it. If
you don't need it (i.e. you never ping your box from an outside network),
(Continue reading)

Camaleón | 22 Jul 2012 16:01

Re: is it rational to close the 139 port

On Sun, 22 Jul 2012 15:25:03 +0800, lina wrote:

> strangely my netstat showed my 139 and 445 ports are open.
> 
> tcp        0      0 0.0.0.0:445             0.0.0.0:*            LISTEN 
> tcp        0      0 0.0.0.0:139             0.0.0.0:*            LISTEN
> 
> Do I need specify
> 
> -A INPUT -p tcp --dport 139 -j REJECT
> 
> in iptables?

(...)

That makes no sense.

If you have both ports open it is because you have a running service that 
has opened them.

If you have such a service it is because you need it; otherwise it should be 
stopped.

If you need that service you will break it if you add a rule to your 
iptables.

The question is, what do you want to do?

Greetings,

(Continue reading)

Mike McClain | 22 Jul 2012 17:24

Re: is it rational to close the 139 port

Hi Lina,

On Sun, Jul 22, 2012 at 03:25:03PM +0800, lina wrote:
<snip> 
> 
> BTW, why need allow ping? from outside?
>  59 # Allow ping
>  60 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> 
> I know so little, thanks very much for your explanation,
> 

I've found www/grc.com/ and his 'ShieldsUp' scan to be very helpful
in securing my system and he's posted some good reading material there.

Keep grinnin',
Mike
-- 
Satisfied user of Linux since 1997.
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

Tom H | 29 Jul 2012 19:04

Re: is it rational to close the 139 port

On Sun, Jul 22, 2012 at 3:25 AM, lina <lina.lastname <at> gmail.com> wrote:
>
> strangely my netstat showed my 139 and 445 ports are open.
>
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
>
> Do I need specify
>
> -A INPUT -p tcp --dport 139 -j REJECT
>
> in iptables?
>
> For all INPUT has already set -P INPUT DROP, except open for  80, 443, 22,

If you're DROPping everything except 22/80/443, then the 139/445
LISTENs are useless because nothing can access them remotely; so you
must not be using them and you may as well disable/uninstall samba.

If I've misunderstood and you want to disable 139 and enable 445, you
can. You'll then be accessing samba shares via smb-over-tcp rather
than smb-over-netbios-over-tcp. You'll also have to use ip addresses
to access samba shares unless you're running a dns server (or *if* - I
have no idea whether this is feasible or logical - you run wins on 137
or 138, I've forgotten which it is).
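
Tom H's point (with "-P INPUT DROP" and only 22/80/443 accepted, the 139/445 listeners are already unreachable, so the extra REJECT line changes only what the sender sees) as an added example, not code from the thread: a parser for the small iptables-save subset these rules use and a first-match evaluator run over constructed inbound packets. The ruleset is assembled from the rules lina quoted plus the proposed REJECT; the evaluator understands only the options that appear in it and ignores connection tracking.

```python
import shlex

# Constructed iptables-save style INPUT chain built from the rules quoted in the
# thread (policy DROP, accept 22/80/443, accept ICMP echo request) plus the
# proposed "--dport 139 -j REJECT" line.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 139 -j REJECT
COMMIT
"""

# The only options this toy evaluator knows; anything else is rejected loudly.
OPTIONS = {"-p": "proto", "-i": "iface", "--dport": "dport",
           "--icmp-type": "icmp_type", "-j": "target"}


def parse_ruleset(text):
    """Parse the subset above into {chain: {"policy": POLICY, "rules": [dict, ...]}}."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                     # ":INPUT DROP [0:0]"
            name, policy, _counters = line[1:].split()
            chains[name] = {"policy": policy, "rules": []}
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule, i = {}, 2
        while i < len(toks):
            if toks[i] == "-m":                      # match-extension loader, e.g. "-m icmp"
                i += 2
                continue
            key = OPTIONS.get(toks[i])
            if key is None:
                raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
            rule[key] = toks[i + 1]
            i += 2
        if "target" not in rule:
            raise ValueError(f"rule without -j: {line}")
        chains[toks[1]]["rules"].append(rule)
    return chains


def matches(rule, pkt):
    """A rule matches when every option it names agrees with the packet."""
    for key in ("proto", "iface"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("dport", "icmp_type"):
        if key in rule and int(rule[key]) != pkt.get(key):
            return False
    return True


def verdict(chains, pkt, chain="INPUT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chains[chain]["rules"]:
        if matches(rule, pkt):
            return rule["target"]
    return chains[chain]["policy"]


def verdict_without_port(chains, dport, pkt, chain="INPUT"):
    """Same evaluation with every rule naming `dport` removed: what the
    default policy alone does to that port."""
    kept = [r for r in chains[chain]["rules"] if r.get("dport") != str(dport)]
    trimmed = {chain: {"policy": chains[chain]["policy"], "rules": kept}}
    return verdict(trimmed, pkt, chain)


if __name__ == "__main__":
    chains = parse_ruleset(RULESET)
    samples = [                                      # constructed inbound packets
        {"proto": "tcp", "dport": 139},
        {"proto": "tcp", "dport": 445},
        {"proto": "tcp", "dport": 80},
        {"proto": "icmp", "icmp_type": 8},
        {"proto": "icmp", "icmp_type": 0},
    ]
    for pkt in samples:
        print(pkt, "->", verdict(chains, pkt))
    print("port 139 without the REJECT rule ->", verdict_without_port(chains, 139, samples[0]))
```

Port 139 ends in REJECT with the extra rule and in DROP without it; 445 is dropped either way, which is Tom H's argument that the listeners are dead weight. Two caveats the evaluator makes visible: a filtered port still shows LISTEN in netstat, so stopping samba, as Stan and Henrique advise, is what actually closes it; and an echo reply (type 0) is dropped here because there is no state rule, so outbound pings from this box would go unanswered unless an ESTABLISHED,RELATED rule is added.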
