Very Computer

Hi, all -

I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
being constantly probed from the net, and thought one measure I should
implemnet in case they succeed is to turn off promiscuous mode on the
NIC's.  Is there a way to do this from Linux, or am I going to have to
boot DOS, use the floppy that comes with the NIC to configure it?  Is
this going to affect use of the machine as a DHCP server?

TIA -

Regards,
jh

ifconfig interface -promisc

interface refers to the NIC eg eth0
- refers to switchinf off promiscous

check the man page for ifconfig

Quote:>Hi, all -

>I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
>being constantly probed from the net, and thought one measure I should
>implemnet in case they succeed is to turn off promiscuous mode on the
>NIC's.  Is there a way to do this from Linux, or am I going to have to
>boot DOS, use the floppy that comes with the NIC to configure it?  Is
>this going to affect use of the machine as a DHCP server?

>TIA -

>Regards,
>jh

Quote:

> I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
> being constantly probed from the net, and thought one measure I should
> implemnet in case they succeed is to turn off promiscuous mode on the
> NIC's.  Is there a way to do this from Linux, or am I going to have to
> boot DOS, use the floppy that comes with the NIC to configure it?  Is
> this going to affect use of the machine as a DHCP server?

No, but neither will it achieve what it sounds like you want. Nothing
about promiscuous mode will stop 'probes'. That is what firewalls are
for. If your NIC is now in promiscuous mode, then somebody or something
has put it there.

--
Hal Burgiss

I think what he actually wants is some way to prevent people who hack
into his firewall from putting the NIC into promiscuous mode and
grabbing all his passwords off the (trusted) LAN.

I think he's worrying needlessly about that.  Putting the NIC into
promiscuous mode and listening on it requires root privileges, and if
someone hacks into his firewall and becomes root... Suffice it to say
that there are plenty of other things an attacker could do.  So just
make sure that nobody can get into your firewall.

--

"I woke up this morning and realized what the game needed: pirates,
pimps, and gay furries."  - Rich "Lowtax" Kyanka

Hi!,

Sometimes ntop won't release the promisc mode which can be a problem, but Hal
is right.  Taking your network card off promisc mode won't stop probes, it
will only stop your network card from processing and passing up packets which
are not destined for your machine.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

This is all for my fw machine (MDK 8.1 running Bastille scripts).

Fair enough, I am worrying needlessly about promiscuous mode once I
shut it off.  According to nmap I'm in pretty good shape in terms of
overall exposure. One thing I am not happy with (though I don't know
if it can be improved) is the reporting on intrusion attempts.  Pretty
much all that I get from the log is a timestamp, the alleged source IP
and port info on what is being probed.  Looking at prelude, it doesn't
seem like much of an improvement if reverse DNS is blocked.  I am
running chkrootkit regularly to hopefully catch a successful
intrusion, but wish there were something I could give sysops that
would better assist those inclined to nail the miscreant customer (or
find the errant machine to harden up).  Is snort any better?  Any
other packages well reputed, or is it time to read all the hits on
freshmeat and sourceforge?

I am loathe to poke holes in the firewall for ssh, Apache, etc. until
I am comfortable with the reporting, I guess.  Even being as diligent
in applying security patches as possible, one is by definition behind
the cracker curve.

<sigh> Now to read the chroot docs.  Are there recipes out there for
postfix, qpopper, Apache, VNC server and OpenSSH?  Never mind, I'll
browse the how-to lists.

TIA -

Kind regards,
jh

Hi!,

Quote:> This is all for my fw machine (MDK 8.1 running Bastille scripts).

> Fair enough, I am worrying needlessly about promiscuous mode once I
> shut it off.  According to nmap I'm in pretty good shape in terms of
> overall exposure. One thing I am not happy with (though I don't know
> if it can be improved) is the reporting on intrusion attempts.  Pretty
> much all that I get from the log is a timestamp, the alleged source IP
> and port info on what is being probed.  Looking at prelude, it doesn't
> seem like much of an improvement if reverse DNS is blocked.  I am
> running chkrootkit regularly to hopefully catch a successful
> intrusion, but wish there were something I could give sysops that
> would better assist those inclined to nail the miscreant customer (or
> find the errant machine to harden up).  Is snort any better?  Any
> other packages well reputed, or is it time to read all the hits on
> freshmeat and sourceforge?

Personally, I use snort as the back-end looking for signatures and the DANTE
program which provides a web-interface to the front of snort.  This allows for
the automated reporting of attempts and provides a nice graphical overview of
the system.  You might like to check those options out.

Quote:

> I am loathe to poke holes in the firewall for ssh, Apache, etc. until
> I am comfortable with the reporting, I guess.  Even being as diligent
> in applying security patches as possible, one is by definition behind
> the cracker curve.

> <sigh> Now to read the chroot docs.  Are there recipes out there for
> postfix, qpopper, Apache, VNC server and OpenSSH?  Never mind, I'll
> browse the how-to lists.

What do you want to do, most of these just require one port to be opened up to
work correctly, but the VNCserver could be more of a problem if you want to
get into internal machines through port redirection.

postfix (port 25)
qpopper (port 110)
apahce (port 80)
vnc server (you will have to check those ports 5900:5910)
openssh (port 22)

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+