How safe is my iMac?
How do I test how secure my iMac 800 is from hackers? I use Brickhouse X and the only default I changed was to allow iDisk access. But what sort of security auditing software can I use to test my system? MacAnalysis looks like it's only for servers. I know my iMac is probably safe, I'm just curious.
Comments
www.grc.com
Click on the ShieldsUP! logo.
If BrickHouse is properly configured, you should get "stealth" on all tests.
[ 04-25-2002: Message edited by: starfleetX ]
Check the /etc/inetd.conf file to seen what ports have been uncommented.
I normally have to enable ftp, telnet and ntp by hand.
If you are talking about other ports then ignore this mail.
> I normally have to enable ftp, telnet and ntp by hand.
Why?
If you want to connect to your computer, you really should use SSH, not telnet.
If you protest that "not every computer I want to use has SSH", then go here:
http://www.isnetworks.com/ssh
and download the free Mindterm applet, which is an SSH client that runs in a browser window. Put the applet web pages in your Apache docs folder, and you can access your Mac via SSH from anywhere.
As for FTP: (1) you can turn it on in the Sharing preference pane. (2) As you no doubt know, it also sends cleartext passwords.
So the safer route is to turn on FTP, but have your firewall block the port. Instead of using FTP directly, log in with SSH, and set up an FTP tunnel. (The Mindterm documentation shows how to do this automatically).
As for NTP, I don't know what reason you might have for using it, but be aware that root exploits on NTP do turn up occasionally. Unless you have a special time that you are trying to synchronize your other computers to, why not just set each machine on the LAN to synchronize to the same external NTP server?
My university laboratory's Solaris box was rooted and trashed (this was a number of years ago) thanks to some random service we had turned on unwittingly. Once is enough to experience that!
And besides, leaving your box open to crackers isn't just your problem - it's mine, too, since they can then use your machine to launch new attacks.
[ 04-26-2002: Message edited by: Mithras ]
StarFleet X - I ran the port scanner app you suggested and it listed a couple of ports as "stealth," while the rest were listed as "closed." The app then suggested that being listed as "closed" was not as good as being listed as "stealth," and that I needed to change this. Apparently the knowledge that a particular port is closed may be useful to a hacker.
I'm using the Brickhouse firewall app. Is there any way to get it to list all of my ports as "stealth" rather than "closed." Thanks.
> I'm using the Brickhouse firewall app. Is there any way to get it to list all of my ports as "stealth" rather than "closed." Thanks.
Good question.
ShieldsUP! shows my ports as 'Closed' and not 'Stealth', but I want Stealth! How do I get 'Stealth'?
'Stealthed' ports are, strictly speaking, a violation of proper TCP/IP rules of conduct. Proper conduct requires a closed port to respond with a message indicating that the open request was received, but has been denied. This lets the sending system know that its open request was received so that it doesn't need to keep retrying. But, of course, this "affirmative denial" also lets the sending system know that a system actually exists on the receiving end . . . which is what we want to avoid in the case of malicious hackers attempting to probe our systems.
I coined the term 'Stealth' when I developed this site's port probing technology to describe a closed port that chooses to remain completely hidden by sending nothing back to its attempted opener, preferring instead to appear not to exist at all.
Since 'Stealthing' is non-standard behavior for Internet systems, it is behavior which must be created and enforced by means of a firewall security system of some sort. The native TCP/IP interface software used by personal computers will ALWAYS reply that a port is closed. Therefore, some additional software or hardware, in the form of a 'stealth capable firewall' must be added to the computer system in order to squelch its "closed port" replies.
To get full stealth-mode status from your system, I highly recommend using the completely FREE ZoneAlarm 2 firewall from ZoneLabs, Inc. Visit their website at www.ZoneLabs.com to learn more about this excellent and free firewall, then download the latest version.
> I'm using the Brickhouse firewall app. Is there any way to get it to list all of my ports as "stealth" rather than "closed." Thanks.
As others have pointed out, "stealth" means you are invisible to scans. My guess is that you just have BrickHouse configured for the wrong type of connection. I've spent a lot of time configuring mine and have gone from knowing nothing about firewalls to setting up dozens of rules so nothing would leave or enter my computer without my knowledge. Paranoid? You bet'cha! Though, it was pretty easy to learn by just tinkering with BrickHouse and running those portscans.
Start off by running BrickHouse's setup assistant. Note: it's *very* important to carefully read the first screen. By default, it configures for regular ethernet connections. I forgot that I was using PPPoE for my DSL connection and had everything configured wrong, blocking absolutely nothing. Once I switched over, everything showed up as stealth.
If you have any questions on specifics, feel free to post them.
[ 04-30-2002: Message edited by: starfleetX ]
I ran both options against the port checker app and got the same results. Two ports are in stealth mode and the rest are open.
In BrickHouse, you should have Deny for the default incoming filter. Also, don't forget to hit the Save, Apply, and Install buttons whenever you make changes.
Hmmm... if you are still having trouble, try this. Click "Add Filter" and use these settings:
Action: Deny
Service: Custom Service
Protocol: TCP
Port: 1-65535
Source: other... Host IP: any
Destination: other... Host IP: any
That should block *all* traffic coming in and out of your computer. Apply and try to go somewhere online. You should get error messages saying the host is unavailable. In OmniWeb, I get the message "Unable to connect: Permission denied" when that filter is up.
Now, let's add another filter so you can at least surf the internet. Add a filter with these settings:
Action: Allow
Service: World Wide Web
Source: My Computer
Destination: The Internet
Drag this filter above the first one so it is higher in the list. Apply and try a web browser again. Now, visit one of those portscan sites and let it test you.
[ 04-30-2002: Message edited by: starfleetX ]
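The two filters starfleetX describes above, and the "closed" versus "stealth" distinction quoted from ShieldsUP! earlier in the thread, both come down to how a first-match rule list is evaluated. BrickHouse writes rules for the Mac OS X ipfw packet filter, which walks the list from the top and applies the first rule that matches. The following is an added example written for this page, not code from the thread, from BrickHouse or from ipfw: a toy first-match evaluator with the deny-all and allow-WWW filters encoded as data. The `Packet`/`Rule` classes, the `probe()` model of what a scanner sees, the assumption that "World Wide Web" covers ports 80 and 443, and the `reset` action (ipfw's RST reply, used here only to show where a "closed" result comes from) are all assumptions of the example.

```python
"""Toy first-match packet filter in the style of a BrickHouse/ipfw rule list.
Added example for this thread; not BrickHouse's or ipfw's own code.
Only the first packet of a connection (the TCP SYN) is modelled."""
from dataclasses import dataclass
from typing import Iterable, List

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str         # "me" (this Mac) or "internet"
    dst: str         # "me" or "internet"
    dport: int       # destination port
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    """One BrickHouse-style filter. Actions follow ipfw:
    allow -> pass the packet
    deny  -> drop it silently (a prober sees nothing: "stealth")
    reset -> answer with a TCP RST (a prober sees "closed")"""
    action: str
    proto: str
    src: str
    dst: str
    ports: Iterable[int]        # destination ports, e.g. range(1, 65536) or {80, 443}
    direction: str = ANY

    def matches(self, p: Packet) -> bool:
        return (self.proto in (ANY, p.proto)
                and self.src in (ANY, p.src)
                and self.dst in (ANY, p.dst)
                and self.direction in (ANY, p.direction)
                and p.dport in self.ports)


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins. `default` stands in for BrickHouse's
    'default incoming filter', which the thread says should be Deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def web_request(rules: List[Rule]) -> str:
    """Verdict for this Mac opening a web page (outbound TCP to port 80)."""
    return evaluate(rules, Packet("tcp", "me", "internet", 80, "out"))


def probe(rules: List[Rule], port: int, listening: Iterable[int] = ()) -> str:
    """What a ShieldsUP!-style scanner on the internet sees for one TCP port.
    Assumption: if the firewall passes the SYN, the OS answers SYN-ACK when a
    service listens and RST otherwise, as a standard TCP stack does."""
    verdict = evaluate(rules, Packet("tcp", "internet", "me", port, "in"))
    if verdict == "deny":
        return "stealth"          # nothing is sent back at all
    if verdict == "reset":
        return "closed"           # the "affirmative denial" from the GRC text
    return "open" if port in listening else "closed"


# The two filters from the thread (443 added to "World Wide Web" as an assumption).
DENY_ALL = Rule("deny", "tcp", ANY, ANY, range(1, 65536))
ALLOW_WWW = Rule("allow", "tcp", "me", "internet", {80, 443}, direction="out")
# Same blanket rule but replying with RST, to show where "closed" comes from.
RESET_ALL = Rule("reset", "tcp", ANY, ANY, range(1, 65536))
# Hypothetical extra filter: let the internet reach a web server on this Mac.
ALLOW_HTTP_IN = Rule("allow", "tcp", "internet", "me", {80}, direction="in")

WRONG_ORDER = [DENY_ALL, ALLOW_WWW]   # allow sits below the deny and is never reached
RIGHT_ORDER = [ALLOW_WWW, DENY_ALL]   # allow dragged above the deny, as the thread says

if __name__ == "__main__":
    print("web, allow below deny :", web_request(WRONG_ORDER))            # deny
    print("web, allow above deny :", web_request(RIGHT_ORDER))            # allow
    print("port 22, deny-all     :", probe(RIGHT_ORDER, 22))              # stealth
    print("port 22, reset-all    :", probe([ALLOW_WWW, RESET_ALL], 22))   # closed
    print("port 80, server up    :", probe([ALLOW_HTTP_IN, DENY_ALL], 80, {80}))  # open
    print("port 80, no server    :", probe([ALLOW_HTTP_IN, DENY_ALL], 80))        # closed
```

The evaluator is stateless and deliberately ignores the reply packets a real web session needs, so it shows only why the allow filter has to be dragged above the deny-all one and why a dropped probe reads as "stealth" while a rejected one reads as "closed". The last two lines make a point the thread touches on indirectly: opening a port in the firewall only shows "open" to a scanner if something is actually listening behind it.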
Thanks! I did just that (but you meant "allow" not "deny") and everything worked just fine. Consider this another notch on your bedpost of good deeds. Take care.
GG
p.s. I'm in Virginia in the D.C. suburbs, not too far from you.
[ 04-30-2002: Message edited by: gobble gobble ]
Action: Allow
Service: Custom Service (you can rename it to "StarCraft" if you want)
Protocol: UDP
Port: 6112
Source: any
Destination: any
Action: Allow
Service: Custom Service (you can rename it to "StarCraft" if you want)
Protocol: TCP
Port: 6112
Source: My Computer
Destination: The Internet
[ 04-30-2002: Message edited by: starfleetX ]
[ 04-30-2002: Message edited by: gobble gobble ]