Koozali.org: home of the SME Server

SME Security

martinhick

SME Security
« on: September 18, 2004, 08:01:22 AM »
I have searched the archives for firewall and security but can find no references to testing security.

All the articles say that SME is very secure and not to worry.

If I go to grc.com and use Shields-Up to test the results come back that all ports are closed except 110, 25, telnet, and SSH. A couple are stealthed.

I was under the impression that a secure firewall would show everything stealthed.

Martin

meanpenguin
SME Security
« Reply #1 on: September 19, 2004, 09:35:37 AM »
Well if you want to close them, disable remote access (ssh, telnet), and email (port 25, and 110).

You can't expect to have access to them and then also expect to be stealthed...

BTW, you should really disable telnet and POP. They send passwords in the clear.

Ed.

duncan

SME Security
« Reply #2 on: September 19, 2004, 11:35:12 AM »
Whilst the grc site is a useful testing resource, Steve Gibson is a hack who tends to dribble (a real scaremonger). Reminds me a lot of Gary North and the whole Y2K thing.

The ports are open because you opened them and are running in server/gateway mode.

martinhick

SME Security
« Reply #3 on: September 19, 2004, 02:07:22 PM »
Yes I appreciate that, but why are the closed ports not stealthed?

Martin

duncan

SME Security
« Reply #4 on: September 20, 2004, 01:31:47 AM »
Quote from: "martinhick"
Yes I appreciate that, but why are the closed ports not stealthed?

Martin

A default Server/Gateway install will show 25, 80, 113 and 443 as open, and everything else as stealthed. Are you sure you are reading it correctly and that the correct IP address is being tested?

funkusmunkus
SME Security
« Reply #5 on: September 20, 2004, 02:04:51 AM »
hi martinhick,

I agree with duncan, Steve Gibson is a hack; he claims to be the god of security, and he's far from it. The Shields-Up test is useful, but I wouldn't use it as a guideline.
You should, however, disable external telnet access and POP3, and make sure your root password is a nice and complex one. You can allow public access to FTP, but don't access it remotely as admin, again because passwords are sent in clear text. Apart from that you should be fine.
You will have a few logon attempts via SSH, but as long as the password is a hard one you have nothing to worry about.

hope that helps
cheers

arne
SME Security
« Reply #6 on: September 20, 2004, 03:25:39 AM »
I think that the firewall is just a part of the security problem.

I also think that the greatest overall security risk is incorrect configuration. So if you install a modern and complex Linux like Fedora, there is a rather big risk that you will make one or more mistakes.

It is also not so easy to make proper backup routines for such an installation.

(I have one Fedora Core 2 and one SME 6.0.1 running at the moment.)

The Fedora is the newest software, but I have no doubt that the SME is the safest and most secure installation because:

1. It has a well proven configuration made via a web based configuration panel.

2. I can easily make backups of all data files via an automated procedure.

By the way, I don't use the default firewall on the SME. It's perfectly possible to design your own firewall via a firewall script if you want to, like any other Linux. (I use a hardware firewall in front and a self-designed script on the SME server.)

My only experience with the SME server is that you set it up and it runs and runs for years without a problem. That gives time to make all the necessary reconfigurations of the Fedora, and still I have not been able to finish the backup system for the Fedora.

I think "security" is not the firewall or one factor; it's the sum of all factors. In such a view I think the SME server is not the less secure alternative. (Even though I think you can make it even better or "safer" by setting up a hardware firewall in front. All Linux installations will be safer with a double firewall, as I see it.)

gobdob

SME Security
« Reply #7 on: September 20, 2004, 06:36:41 AM »
Quote

By the way, I don't use the default firewall on the SME. It's perfectly possible to design your own firewall via a firewall script if you want to, like any other Linux. (I use a hardware firewall in front and a self-designed script on the SME server.)

My only experience with the SME server is that you set it up and it runs and runs for years without a problem. That gives time to make all the necessary reconfigurations of the Fedora, and still I have not been able to finish the backup system for the Fedora.

I think "security" is not the firewall or one factor; it's the sum of all factors. In such a view I think the SME server is not the less secure alternative. (Even though I think you can make it even better or "safer" by setting up a hardware firewall in front. All Linux installations will be safer with a double firewall, as I see it.)

I totally agree with you about the double firewall. The h/w firewall/routers are now super cheap, and the layering technique for security is a very easy way to be 'safer'.

I was told once that to be absolute in your security, just turn off your server, store it in a safe and throw away the key. If that's not a solution, then just take measures to be an unlikely target.

flee

martinhick

SME Security
« Reply #8 on: September 20, 2004, 08:12:56 PM »
I have checked my SME firewall at http://scan.sygate.com and this gives similar results to grc.com.

The only ports that appear to be open are FTP and Telnet.

I have used the firewall panel in SME to deny port 23 but this still shows as open.

22(SSH), 25(SMTP), 80(HTTP) and 110(POP3) are all stealthed. All remaining ports are closed except 245 and 255.

How do I set SME to stealth the remaining ports?

Am I confusing things here and the port scan is producing results from the router (which I know has ports 254 and 255 open), or am I missing the point altogether?

I have read quite a bit about firewalls and appreciate that it is not a simple subject.

As I am about to sign up to a new ISP offering static IPs, I need to know that my system is reasonably secure.

I tried to change the root password for SME and was promptly locked out of my own box. Do I need to have root and admin the same, or did I do something wrong?

Martin
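As an added example (not from the thread or the SME project), the Python below parses a constructed scan report in the shape Shields-Up or the Sygate scanner present, and separates "closed" ports (something replied with a TCP RST, so a host is visible there) from "stealth" ports (no reply at all), while flagging the cleartext services the replies above recommend closing. The report format, port list and states are constructed to resemble Reply #8, not real scanner output.

```python
from collections import defaultdict

# Protocols named in the thread that carry passwords in the clear.
CLEARTEXT = {21: "ftp", 23: "telnet", 110: "pop3"}

# Constructed sample report ("port state" per line), modelled on Reply #8; not real output.
SAMPLE_REPORT = """\
21 open
22 stealth
23 open
25 stealth
80 stealth
110 stealth
245 closed
254 open
255 open
443 closed
"""

def parse_report(text):
    """Return {port: state} from 'port state' lines; other lines are skipped."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].isdigit():
            ports[int(fields[0])] = fields[1].lower()
    return ports

def assess(ports):
    """Group scanner states and derive what a defender should act on.

    open    - something completed the TCP handshake (a service, or a router's
              own management port in front of the server).
    closed  - something replied with RST: no listener, but a host is reachable
              there, so the port is NOT stealthed.
    stealth - no reply at all; the probe was silently dropped.
    """
    by_state = defaultdict(list)
    for port, state in sorted(ports.items()):
        by_state[state].append(port)
    return {
        "open": by_state["open"],
        "closed": by_state["closed"],
        "stealth": by_state["stealth"],
        # Open ports whose protocol sends credentials unencrypted.
        "cleartext_exposed": {p: CLEARTEXT[p] for p in by_state["open"] if p in CLEARTEXT},
        # A RST proves some device answered; behind a router that may be the
        # router rather than the server being tested.
        "responds_with_rst": bool(by_state["closed"]),
    }
```

Running `assess(parse_report(SAMPLE_REPORT))` on the constructed report lists 21 and 23 as open cleartext services and shows that the "closed" ports still gave the scanner an answer, which is why they are not reported as stealthed.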

funkusmunkus
SME Security
« Reply #9 on: September 21, 2004, 03:21:13 AM »
Hi martinhick,

I used that Sygate scan and the only services it found were the web server and SMTP; all the other tests showed up as blocked. Not even ports 80 or 25 came up as open; the Shields-Up test showed them as open, along with ports 443 and 113.
I'm really surprised that you have telnet enabled remotely. Get rid of it remotely and use SSH, and unless you need FTP access, get rid of that remotely as well.

martinhick

SME Security
« Reply #10 on: September 21, 2004, 07:12:31 AM »
I do not want Telnet, and when I get my static IP, if I can get VPN working I will not need FTP.

The problem I am having is that even when I use the SME panel to deny ports 21 and 23, they refuse to close.

Should I be looking elsewhere to close those ports?

Martin

funkusmunkus
SME Security
« Reply #11 on: September 21, 2004, 07:32:00 AM »
Yes, the way to close telnet is by selecting remote access under security in the server-manager; there should be a telnet access setting, so set it to no access or at the very least private.
And if you have a dynamic IP that shouldn't be a problem: just register with www.dyndns.org or something like that, and then go through "configure this server" using the admin login via SSH and select the dyndns option.

hope that helps
cheers

jdarrough

Port 113 open is seen as a Korgo Virus
« Reply #12 on: September 22, 2004, 01:55:25 AM »
My ISP recently told me that his dialup provider indicated that my computer was infected with Korgo. I use the current version of SME 6 and it is set up as a gateway/server. According to the provider, the Korgo virus uses port 113 for its reporting, and that is how they decided I might be infected. Once I told the provider that I had a Linux box, he knew immediately that it was NOT KORGO but the Linux box.

My question is whether or not I can close port 113, and how to do so. Anyone have any ideas?

Thanks, Jim Darrough

martinhick

SME Security
« Reply #13 on: September 22, 2004, 07:21:39 AM »
I have closed the remote access except for 22 (SSH), which is stealthed anyway.

I have removed all port forwarding.

I have set deny access on 21 and 23 but both are still reported open.

Until my static IP arrives I cannot investigate further.

Does anybody have any ideas?

Martin

briank
SME Security
« Reply #14 on: September 22, 2004, 09:51:14 AM »