
View Full Version : Knoppix & Security : Ongoing Issue



John Doe
05-24-2003, 09:30 AM
Hello All,

First of all, let me thank all of you who have contributed your time and effort into this project. Personally, I am one of the few who must say that this is worth all the sweat and hours. I would like to thank everyone who contributed for providing the public with a beautiful method to bring Linux onto the top of the ladder. You deserve more than this little paragraph, thank you.

Now, I must be frank with you and I will be. I am a beginner at Linux, in the sense that, compared to my knowledge of DOS/Windows, I practically know very little about Linux. Yes, of course I know the basic commands and how to get around, and I have successfully used RedHat/Mandrake/Slackware before, but because of some hardware incompatibilities (and other issues), I never kept my eyes on any of the Linux distributions for too long.

Knoppix has changed that, and I thank you. Once booted into the system, I was very surprised with the ease with which it found most of my 'incompatible' hardware, the wide variety of software it presented (although I'm pretty sure a lot of packages could be removed, and a lot could be added), and altogether the idea of having a Live-CD Linux running gave me an intellectual orgasm :lol:

Nevertheless, to cut to the chase, I am very concerned with the security issue of Knoppix. I am well aware that Linux outperforms the Windows platform, but the fact that I am not familiar with the whole system (just yet) gives me a feeling of unease while I am physically connected to the net (yes, it is called physical; wires still are physical).

Take a look at this thread :

http://www.knoppix.net/forum/viewtopic.php?t=2234

It offered basic opinions on the 'security' of Knoppix. Very well, but I hope you don't mind if I am the first to ask a few more questions and clarify some information myself.

Knoppix Security :

1) Linux itself is somewhat of a better security 'tool' than Windows, but most of the time that's the case only if one knows their facts and maintains the operating system.

2) Knoppix has a very big advantage: it's booted off a CD (it can't do live writing onto the CD), and loads itself into memory (reboot, and everything unsaved is gone, literally).

3) Knoppix (hopefully) is pre-installed with updated software patches, fixes and packs as a whole. It includes (hopefully) the most secure configurations available.

Now, onto a few (or not) of my questions.

1) Compared to other distributions/setups/configurations, is the default Knoppix (3.2 at this time) secure, in that it is patched and configured to run without any major hassles, protecting the machine against beginner and intermediate attacks / hacker attempts from the net?

2) Although Knoppix is a Live-CD, if one has a Hard Drive connected and mounted, whoever gains access to the system can ultimately access the Hard Drive too and perform malicious tasks which can result in damage to the files.
Specific question: NTFS is the standard file system for some of the Windows platforms, and although it is recognized for reading by Linux, the writing algorithms/code is very shaky, thus it is not enabled by default. If one (such as myself) has NTFS drives mounted (for data access) in Knoppix, is there less of a chance of an intruder breaking into the HD and attempting to destroy data, since NTFS is 'read-only'? What are the tools that allow Knoppix to write data in NTFS format, and can they be disabled? Any other suggestions?

3) I have various tools running on my Windows platform. Now, surely the first thing to do is to set up a firewall on Linux. Can anyone direct me to the most beginner / quickest way for me to setup a basic firewall until the time I can read up and do a detailed configuration ? I have attempted to lookup information on this, and found two packages that were a bit advanced for me, thus I came here.

4) Generally, please present your worst security concerns with Knoppix and Linux. Please refrain from overstatements such as that any working box is vulnerable, for this is a given fact. Let's keep it to the level of the vulnerability and not whether it is or not. Also, please explain what issues there are with Knoppix separately from other Linuxes, and with Linux as a whole. Feel free to get as technical as you can, but without any specific details (such as a denial of service of some irrelevant protocol).

Thank you very much for the attention. I hope that everyone can input in this, for this thread might be read by many newcomers, since Linux these days literally stands for 'security, stability (and hopefully later) comfort (?)'. Please refrain from useless posts. I apologize for any misunderstandings, overstatements or improper use of language / terms. Please no flame :wink: but I am eager to read your detailed opinion and views on the subject.

garyng
05-24-2003, 11:51 AM
I think your questions boil down to 2:

1. Boot KNOPPIX to play around with the local HD (and its data). This is unfortunately true and it should not be a concern, as allowing someone to boot something from floppy/CD already opens the door; this is not just a KNOPPIX issue. There are some single-floppy rescue Linux images on the internet which, in the proper (improper) hands, can do anything to a hard disk.

2. Attack from the net. This should not be a problem for KNOPPIX as it doesn't start any server, so all TCP ports are closed (the equivalent of being behind a firewall).

So KNOPPIX by default is safe. The biggest security issue with it is that it has an unlocked root, so anyone with enough Linux knowledge can use it to gain access to whatever machine and start servers, which can invite trouble. If you want to distribute it in a typical environment like a school, I would advise you to remaster it to lock the root access (through a password). If you use it at home, the biggest security concern is the person in front of the machine (you have the choice to wipe out the hard disk or start servers, or not), not KNOPPIX :-)

Stephen
05-24-2003, 05:15 PM
For an easy firewall, apt-get install guarddog; nice graphic interface. For just a plain text file, Arno's firewall (http://www.rocky.molphys.leidenuniv.nl/) works great: simple instructions and easy NAT if you want to share the internet.

eadz
05-24-2003, 05:37 PM
> For an easy firewall, apt-get install guarddog; nice graphic interface. For just a plain text file, Arno's firewall (http://www.rocky.molphys.leidenuniv.nl/) works great: simple instructions and easy NAT if you want to share the internet.

I like shorewall. It's reasonably easy to set up, and very powerful.

John -
Regarding your question 1 - pretty much yes. It doesn't run any services, and usually includes the latest security updates. There was a stage when it didn't include the latest KDE update, but that was because there wasn't a Debian package for it.

q 2 - it doesn't matter what filesystem is on the disk or whether it is mounted or not, because if they had root they would have access to the raw disk and could do anything, e.g. repartition it.

q 3 - You don't need a firewall unless you are running services on your external interface and don't want them accessible publicly.
You can see what services are running by doing a
nmap 192.168.1.1 - where that IP address is your ethernet address

q 4 - Running off a cd, I couldn't hack knoppix remotely afaik. I guess the biggest concern with running off the cd, is that if someone gains any access, they gain root access.

Hmm. I have an idea - How bout a cheatcode - rootpassword

So boot up knoppix with rootpassword=MyPassword and instead of the sudo, you have a root password, that is only used for that session, this way, if someone does get user level access, they don't have root access.

And John Doe, Please change the email address in your profile or your account will be deleted.
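A local complement to the nmap check eadz suggests above, and to garyng's point that Knoppix starts no servers, added here as an example (it is not code from the thread or from the Knoppix project): it parses netstat-style output and lists only the sockets bound to non-loopback addresses, i.e. the ones a remote scan could see. The netstat output it starts from is constructed.

```shell
#!/bin/sh
# Audit which sockets a Knoppix box is actually listening on.
# SAMPLE_NETSTAT is a constructed stand-in for `netstat -tlnu` output
# (not real Knoppix output): a loopback-only CUPS socket, sshd on all
# IPv4 addresses, a database bound to one LAN address, an IPv6 loopback
# and an IPv6 web server, and a DHCP client UDP socket.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:3306        0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# exposed_listeners NETSTAT_OUTPUT
# Prints "proto port" for every socket bound to something other than a
# loopback address.  The port is the text after the last ':' so IPv6
# forms like ":::80" are handled; header lines are skipped by protocol.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^(tcp|udp)/ { next }               # header / banner lines
        {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, port
        }'
}

# exposed_count NETSTAT_OUTPUT: number of externally reachable sockets.
exposed_count() {
    exposed_listeners "$1" | awk 'END { print NR }'
}

# Run the audit on the live machine when netstat is available.  On a stock
# Knoppix session this should print nothing, matching garyng's point that
# no servers are started.
if command -v netstat >/dev/null 2>&1; then
    exposed_listeners "$(netstat -tlnu 2>/dev/null)"
fi
```

Unlike nmap from another host, this also shows UDP sockets and which address each service is bound to, which is what decides whether a firewall rule is needed at all.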

John Doe
05-24-2003, 06:23 PM
Hello All and thank you for your input,

I have read your answers and came down with the following ideas:

I) As of the moment, Knoppix is patched and somewhat secure to the known attacks/exploits from the net. Thus as long as one keeps the physical access to the computer safe/restricted, the outside (to the internet) can be considered to be safe.

2) Firewall is needed only if one runs a service or keeps TCP port open.

3) The largest problem with Knoppix is the root access (which by default has no password ? I have tried 'su' and gained root level without any password). I very much appreciate the 'rootpassword' parameter at the bootup, it probably saved me hours of work of figuring out how I would make sure that the root password would be something of my choice.

Thank you, I will look into this tonight and update the thread with any additional questions that may arise. If anyone else who is reading this thread wishes to add key points about Knoppix's default security and security issues that may arise with a fresh bootup of Knoppix on any random machine, please don't be shy and contribute.

PS: The email is changed temporarily.

aay
05-24-2003, 07:47 PM
Another nice firewall is Firestarter. I'm currently using 0.9.1 (in unstable). It has to be the easiest firewall available for Linux, but it's still powerful. It also lets you easily set up internet connection sharing if you have two NICs.

The only downside is that it is a GUI-only program. That makes it fine in the case of the laptop I'm using right now, but I'd like to explore some CLI firewalls. Shorewall looks interesting. Maybe I'll give that a try sometime.

Henk Poley
05-24-2003, 07:57 PM
> Hmm. I have an idea - How bout a cheatcode - rootpassword
>
> So boot up knoppix with rootpassword=MyPassword and instead of the sudo, you have a root password, that is only used for that session, this way, if someone does get user level access, they don't have root access.
Hehe, you probably want to change that to "rootpassword", and then *interactively* ask a new root password while booting. Unless you like entering a password in plaintext... :shock:

Dave_Bechtel
05-24-2003, 09:36 PM
--Good point, as I believe the kernel parms are accessible via either dmesg or other means... ;-)

--Seriously, thanks for all the firewall tips. I'll be investigating them and passing them on to a friend.

> > Hmm. I have an idea - How bout a cheatcode - rootpassword
> >
> > So boot up knoppix with rootpassword=MyPassword and instead of the sudo, you have a root password, that is only used for that session, this way, if someone does get user level access, they don't have root access.
> Hehe, you probably want to change that to "rootpassword", and then *interactively* ask a new root password while booting. Unless you like entering a password in plaintext... :shock:

aay
05-24-2003, 11:01 PM
> Hehe, you probably want to change that to "rootpassword", and then *interactively* ask a new root password while booting. Unless you like entering a password in plaintext... :shock:

This will enter your root password in plain text? Yikes. Thanks.
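The plaintext problem Henk Poley and Dave_Bechtel raise, worked through as an added example (not code from the thread or from Knoppix): the functions below scan a kernel command line the way a boot script would, tell a bare `rootpassword` (ask interactively) apart from `rootpassword=...` (value left in /proc/cmdline for every local user to read, and in the kernel log), and flag any parameter whose name looks like a credential. The `rootpassword` cheatcode is eadz's hypothetical proposal, not a real Knoppix option, and both command lines are constructed.

```shell
#!/bin/sh
# Inspect a kernel command line the way an init script would.  The
# "rootpassword" cheatcode is the hypothetical one proposed in this thread;
# both command lines below are constructed samples of /proc/cmdline.
CMDLINE_PLAINTEXT='ramdisk_size=100000 init=/etc/init lang=us rootpassword=MyPassword BOOT_IMAGE=knoppix'
CMDLINE_PROMPT='ramdisk_size=100000 init=/etc/init lang=us rootpassword BOOT_IMAGE=knoppix'

# param_value NAME CMDLINE
# Prints the value of NAME=VALUE, prints an empty line for a bare NAME,
# and returns 1 when NAME is not present at all.
param_value() {
    name=$1
    for word in $2; do
        case $word in
            "$name")   printf '\n'; return 0 ;;
            "$name="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# rootpassword_mode CMDLINE
# "plaintext": a value was typed at the boot prompt, so it now sits in
#              /proc/cmdline (world-readable) and in dmesg;
# "prompt":    bare flag, the init script should ask interactively instead;
# "none":      cheatcode not used.
rootpassword_mode() {
    v=$(param_value rootpassword "$1") || { echo none; return 0; }
    if [ -n "$v" ]; then echo plaintext; else echo prompt; fi
}

# secret_params CMDLINE
# Lists every NAME=VALUE parameter whose name looks like a credential.
# Heuristic on the name only; the values themselves are never printed.
secret_params() {
    for word in $1; do
        case $word in *=*) ;; *) continue ;; esac
        key=${word%%=*}
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            *passw*|*secret*|*token*) printf '%s\n' "$key" ;;
        esac
    done
}

# Check the running kernel: anything printed here is a credential that every
# local user of this session can read with `cat /proc/cmdline`.
if [ -r /proc/cmdline ]; then
    secret_params "$(cat /proc/cmdline)"
fi
```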

rickenbacherus
05-25-2003, 04:11 AM
Your concerns John Doe are why I choose to run a Linux router. If you want cute and fuzzy blinky blinky lights- get netgear or dlink or whomever's toothpick and duct-tape fortress and wait until some software engineering geeks decide it's time for a firmware update because bloody hell- somebody is causing stack overflows on their poorly tested products again. If they had safety inspections for routers like they do for most consumer products then those companies would be out of business.

If you want real security build your own router. Boot the OS from a removable disc, either a floppy or cdrom. If your router OS is installed on a hard drive then it can be written to- period.

As has already been pointed out, anything on a ramdisk will never survive a reboot. Assuming you don't leave the floppy in the drive or turn the write protection on you're in good shape.

Security is a matter of what it takes to make you feel secure. How do you fare in a port scan- a thorough port scan, not just the most commonly used ports from a site that wants to sell you wimpdoze security fixes? If you run a windows machine I would be extremely nervous about security- it has more holes than swiss cheese.

Think about this: I firmly believe that it is not an option to be secure but rather, it is your responsibility. After all, what thrill is there in creating viri? You can't take credit for it so you need to hear about how many machines it affected. What if everyone was doing all that they could to be secure? Surely then hackers would lose much of their motivation and satisfaction.

I almost never install anything with a cute GUI based installer-why? They can't be trusted. If it's not open source it isn't on my box. If you're a windoze user you already know more than you ever wanted to about freeware apps and the extra *cough* features they sometimes bring along.

Build a router, make it small, make it cool looking- install Linux on your network machines, put each user's /home directory on a separate partition, don't get lazy with permissions and you will likely never reinstall an OS again.

Well ok that's not entirely true. You see... Linux in and of itself is highly addictive and you will soon find yourself saying "so many distros, so little time". :D

Dave_Bechtel
05-25-2003, 05:36 AM
--With a sufficient number of users, you will eventually run out of available separate partitions, even with Extended/Logical in effect. Somewhere around 16, 20 or mebbe 24 I think. (Altho I've never had to have that many myself. I think the most I've gone up to is around 12 or 13, and that's on an 80-gig HD.) However, you might get around this limitation with multiple HD's and multiple "home-only" server boxes with NFS.

--Putting /home itself on a separate partition is a good idea though, as it can last through various flavors of Linux as well as being a bit more secure.

--Which flavor do you run on your Linux router? Have you used LRP*, and do you recommend it?

--The part that I'm most interested in, having never done a software router myself (tried the Linksys hardware DSL sharing solution, but since it only uses class C (192.168...) it didn't work with my Class A setup {10.0...}) is the actual rules that people use in RL. Rickenbacherus, if you or anyone else could post an example of what specific rules you use and why, it would be a great help to me.

( * LRP:
http://freshmeat.net/projects/linuxrouterproject/?topic_id=864,
http://www.linuxrouter.org/ )


> Your concerns John Doe are why I choose to run a Linux router....(snip)
>
> If you want real security build your own router. Boot the OS from a removable disc, either a floppy or cdrom. If your router OS is installed on a hard drive then it can be written to- period.
>
> (snip)
> Build a router, make it small, make it cool looking- install Linux on your network machines, put each user's /home directory on a separate partition, don't get lazy with permissions and you will likely never reinstall an OS again.
>
> Well ok that's not entirely true. You see... Linux in and of itself is highly addictive and you will soon find yourself saying "so many distros, so little time". :D

rickenbacherus
05-25-2003, 04:16 PM
> --With a sufficient number of users, you will eventually run out of available separate partitions, even with Extended/Logical in effect. Somewhere around 16, 20 or mebbe 24 I think. (Altho I've never had to have that many myself. I think the most I've gone up to is around 12 or 13, and that's on an 80-gig HD.) However, you might get around this limitation with multiple HD's and multiple "home-only" server boxes with NFS.

True....I have never had that many either but certainly it would be possible to run out.

Here is Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) which just scans some common ports- note the hilarious dialogue about windows network machines....
----------------------------------------------------------------------------------------------------------

Shields UP! is checking YOUR computer's Internet
connection security . . . currently located at IP:

xx.xx.xx.xx

Please Stand By. . .

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!


Preliminary Internet connection refused!
This is extremely favorable for your system's overall Windows File and Printer Sharing security. Most Windows systems, with the Network Neighborhood installed, hold the NetBIOS port 139 wide open to solicit connections from all passing traffic. Either this system has closed this usually-open port, or some equipment or software such as a "firewall" is preventing external connection and has firmly closed the dangerous port 139 to all passersby. (Congratulations!)


Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
----------------------------------------------------------------------------------------------------------

Now- just for the fun of it let's add these rules to the ipchains:

/sbin/ipmasqadm autofw -A -r tcp 1 65535 -h 192.168.0.99
/sbin/ipmasqadm autofw -A -r udp 1 65535 -h 192.168.0.99
These rules will stealth all ports by forwarding them to a non-existent machine on my network.

Ok let's do the port scan at shieldsup again:
---------------------------------------------------------------------------------------------------------
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
----------------------------------------------------------------------------------------------------------

Here's Sygate's (http://scan.sygatetech.com/) results:

Service               Port   Result
FTP DATA              20     BLOCKED
FTP                   21     BLOCKED
SSH                   22     BLOCKED
TELNET                23     BLOCKED
SMTP                  25     BLOCKED
DNS                   53     BLOCKED
DCC                   59     BLOCKED
FINGER                79     BLOCKED
WEB                   80     BLOCKED
POP3                  110    BLOCKED
IDENT                 113    BLOCKED
NetBIOS               139    BLOCKED
HTTPS                 443    BLOCKED
Server Message Block  445    BLOCKED
SOCKS PROXY           1080   BLOCKED
WEB PROXY             8080   BLOCKED
SOURCE PORT           61897  BLOCKED

For every port from 20 through 8080 the scanner reported: "This port has not responded to any of our probes. It appears to be completely stealthed."

For SOURCE PORT 61897 it reported: "This is the port you are using to communicate to our Web Server. A firewall that uses Stateful Packet Inspection will show a 'BLOCKED' result for this port."


I think that this should quash any doubts about how secure a Linux router can be. I'd love to see some dlink and netgear results.

I use Coyote Linux which borrows heavily from LRP. In fact some of the LRP add-on packages have been converted for use in Coyote. I can access my router via web browser, make backup copies of my router floppy, ssh, restart firewall rules with a simple command of firewall-r and a host of other features.
Of course I'll need to unstealth a port for ssh to work again.