how do I turn off promiscuous mode?


Post by Jare » Sun, 23 Dec 2001 01:58:42



Hi, all -

I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
being constantly probed from the net, and thought one measure I should
implement in case they succeed is to turn off promiscuous mode on the
NIC's.  Is there a way to do this from Linux, or am I going to have to
boot DOS, use the floppy that comes with the NIC to configure it?  Is
this going to affect use of the machine as a DHCP server?

TIA -

Regards,
jh

 
 
 


Post by ny_ » Sun, 23 Dec 2001 05:51:22


ifconfig interface -promisc

interface refers to the NIC, e.g. eth0
- refers to switching off promiscuous

check the man page for ifconfig


Quote:

>Hi, all -

>I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
>being constantly probed from the net, and thought one measure I should
>implement in case they succeed is to turn off promiscuous mode on the
>NIC's.  Is there a way to do this from Linux, or am I going to have to
>boot DOS, use the floppy that comes with the NIC to configure it?  Is
>this going to affect use of the machine as a DHCP server?

>TIA -

>Regards,
>jh


 
 
 


Post by Hal Burgis » Sun, 23 Dec 2001 07:38:10



Quote:

> I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
> being constantly probed from the net, and thought one measure I should
> implement in case they succeed is to turn off promiscuous mode on the
> NIC's.  Is there a way to do this from Linux, or am I going to have to
> boot DOS, use the floppy that comes with the NIC to configure it?  Is
> this going to affect use of the machine as a DHCP server?

No, but neither will it achieve what it sounds like you want. Nothing
about promiscuous mode will stop 'probes'. That is what firewalls are
for. If your NIC is now in promiscuous mode, then somebody or something
has put it there.

--
Hal Burgiss
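
Added example, not part of any post in this thread: a shell function that lists interfaces currently in promiscuous mode by testing the IFF_PROMISC bit (0x100) in each interface's sysfs `flags` file. The function name `promisc_ifaces` and its optional directory argument are assumptions made for this sketch; `/sys/class/net` is the standard Linux sysfs location.

```shell
#!/bin/sh
# Added example: report network interfaces that have IFF_PROMISC set.
# IFF_PROMISC is 0x100 in <linux/if.h>.

# promisc_ifaces [SYSFS_NET_DIR]
# Prints one interface name per line for every interface whose flags
# word has the promiscuous bit set. SYSFS_NET_DIR defaults to
# /sys/class/net; the argument exists so the function can be pointed
# at a constructed directory tree.
promisc_ifaces() {
    netdir=${1:-/sys/class/net}
    for dir in "$netdir"/*; do
        [ -r "$dir/flags" ] || continue
        flags=
        read -r flags < "$dir/flags" || [ -n "$flags" ] || continue

        # Accept only a 0x-prefixed hex word; skip anything else so
        # unexpected file content never reaches shell arithmetic.
        case $flags in
            0x*) hex=${flags#0x} ;;
            *)   continue ;;
        esac
        case $hex in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac

        if [ $(( 0x$hex & 0x100 )) -ne 0 ]; then
            printf '%s\n' "${dir##*/}"
        fi
    done
}

# Check the live system; prints nothing when no interface is promiscuous.
promisc_ifaces
```

An interface reported here can be switched back with the `ifconfig interface -promisc` command given earlier in the thread, or with `ip link set dev eth0 promisc off` from iproute2. `ip -d link show` also prints a per-interface promiscuity counter.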

 
 
 


Post by Eric P. McC » Sun, 23 Dec 2001 16:49:48



> No, but neither will it achieve what it sounds like you want. Nothing
> about promiscuous mode will stop 'probes'. That is what firewalls are
> for. If your NIC is now in promiscuous mode, then somebody or something
> has put it there.

I think what he actually wants is some way to prevent people who hack
into his firewall from putting the NIC into promiscuous mode and
grabbing all his passwords off the (trusted) LAN.

I think he's worrying needlessly about that.  Putting the NIC into
promiscuous mode and listening on it requires root privileges, and if
someone hacks into his firewall and becomes root... Suffice it to say
that there are plenty of other things an attacker could do.  So just
make sure that nobody can get into your firewall.

--

"I woke up this morning and realized what the game needed: pirates,
pimps, and gay furries."  - Rich "Lowtax" Kyanka

 
 
 


Post by Dean Thompso » Sun, 23 Dec 2001 16:52:24


Hi!,


> > I have Realtek 8139 NIC's.  They work great.  However,  I am tired of
> > being constantly probed from the net, and thought one measure I should
> > implement in case they succeed is to turn off promiscuous mode on the
> > NIC's.  Is there a way to do this from Linux, or am I going to have to
> > boot DOS, use the floppy that comes with the NIC to configure it?  Is
> > this going to affect use of the machine as a DHCP server?

> No, but neither will it achieve what it sounds like you want. Nothing
> about promiscuous mode will stop 'probes'. That is what firewalls are
> for. If your NIC is now in promiscuous mode, then somebody or something
> has put it there.

Sometimes ntop won't release the promisc mode which can be a problem, but Hal
is right.  Taking your network card off promisc mode won't stop probes, it
will only stop your network card from processing and passing up packets which
are not destined for your machine.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 


Post by Jare » Fri, 28 Dec 2001 05:22:39


This is all for my fw machine (MDK 8.1 running Bastille scripts).

Fair enough, I am worrying needlessly about promiscuous mode once I
shut it off.  According to nmap I'm in pretty good shape in terms of
overall exposure. One thing I am not happy with (though I don't know
if it can be improved) is the reporting on intrusion attempts.  Pretty
much all that I get from the log is a timestamp, the alleged source IP
and port info on what is being probed.  Looking at prelude, it doesn't
seem like much of an improvement if reverse DNS is blocked.  I am
running chkrootkit regularly to hopefully catch a successful
intrusion, but wish there were something I could give sysops that
would better assist those inclined to nail the miscreant customer (or
find the errant machine to harden up).  Is snort any better?  Any
other packages well reputed, or is it time to read all the hits on
freshmeat and sourceforge?

I am loath to poke holes in the firewall for ssh, Apache, etc. until
I am comfortable with the reporting, I guess.  Even being as diligent
in applying security patches as possible, one is by definition behind
the cracker curve.

<sigh> Now to read the chroot docs.  Are there recipes out there for
postfix, qpopper, Apache, VNC server and OpenSSH?  Never mind, I'll
browse the how-to lists.

TIA -

Kind regards,
jh


> Sometimes ntop won't release the promisc mode which can be a problem, but Hal
> is right.  Taking your network card off promisc mode won't stop probes, it
> will only stop your network card from processing and passing up packets which
> are not destined for your machine.

 
 
 


Post by Dean Thompso » Fri, 28 Dec 2001 20:21:49


Hi!,

Quote:

> This is all for my fw machine (MDK 8.1 running Bastille scripts).

> Fair enough, I am worrying needlessly about promiscuous mode once I
> shut it off.  According to nmap I'm in pretty good shape in terms of
> overall exposure. One thing I am not happy with (though I don't know
> if it can be improved) is the reporting on intrusion attempts.  Pretty
> much all that I get from the log is a timestamp, the alleged source IP
> and port info on what is being probed.  Looking at prelude, it doesn't
> seem like much of an improvement if reverse DNS is blocked.  I am
> running chkrootkit regularly to hopefully catch a successful
> intrusion, but wish there were something I could give sysops that
> would better assist those inclined to nail the miscreant customer (or
> find the errant machine to harden up).  Is snort any better?  Any
> other packages well reputed, or is it time to read all the hits on
> freshmeat and sourceforge?

Personally, I use snort as the back-end looking for signatures and the DANTE
program which provides a web-interface to the front of snort.  This allows for
the automated reporting of attempts and provides a nice graphical overview of
the system.  You might like to check those options out.

Quote:

> I am loath to poke holes in the firewall for ssh, Apache, etc. until
> I am comfortable with the reporting, I guess.  Even being as diligent
> in applying security patches as possible, one is by definition behind
> the cracker curve.

> <sigh> Now to read the chroot docs.  Are there recipes out there for
> postfix, qpopper, Apache, VNC server and OpenSSH?  Never mind, I'll
> browse the how-to lists.

What do you want to do?  Most of these just require one port to be opened up to
work correctly, but the VNC server could be more of a problem if you want to
get into internal machines through port redirection.

postfix (port 25)
qpopper (port 110)
apache (port 80)
vnc server (you will have to check those ports 5900:5910)
openssh (port 22)

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 

1. promiscuous mode - turn off

I am running RedHat Linux 5.0 and would like to make it virtually impossible for a hacker to get in
and set up a packet sniffer.  As I understand it, if the ethernet card is put in promiscuous mode then
it listens to every packet on the network and can then pick up passwords etc.  I was told that under
BSD, you can tell it to compile the kernel and not allow promiscuous mode, is this possible under
Linux (kernel 2.0.32)?  -- Even on Linux the hacker would have to have root access on a machine to
set up a packet sniffer .. and if he has root access he could recompile the kernel anyway ... but I
would still like to simply have promiscuous mode not be a possibility (or extremely difficult)

Thanks

--

Jon Church
