On passwords, security and real -sweat, blood and tears- life

A.J. Bonnema abonnema at xs4all.nl
Sun Apr 30 06:30:17 UTC 2006


Bruno Wolff III wrote:
> On Sat, Apr 29, 2006 at 05:45:10 +0200,
>   "A.J. Bonnema" <abonnema at xs4all.nl> wrote:
>> What I wonder about is the following:
>>
>> * given that all ports are closed to external contact through a physical 
>> albeit consumer oriented firewall, just means I am safe from 
>> port-scanners. But does it mean that I am safe from cracker systems / 
>> programs? Is there a way to break in, without allowing external contact 
>> through one of the ports? (not including trojans and the like).
> 
> Since the firewall lets some packets through, there is a vector to
> compromise your system using the network connection. Blocking inbound
> connections reduces the risk a lot. You don't say what the firewall does
> for UDP (which is connectionless). If it passes any UDP packets through
> (or ICMP packets), then if there were bugs in your network stack or if
> you have processes listening for UDP requests with bugs, you could be attacked
> that way.
> 

AFAIK my firewall has all ports closed for both TCP and UDP. However, I 
have no means of checking that this is true. Through the site "Shields 
Up" (www.grc.com) I have been able to check that *some* UDP ports are 
closed (windows related), but that is no surprise as I run FC5 and the 
Windows machines are currently not connected.


>> * A second issue is: suppose I would force my family to use really 
>> random passwords (like characters picked from a one-time pad). And now 
>> suppose I lose my root-password: would I be able to rectify this, 
>> without destroying the data?
> 
> You have physical access to the machine right? Unless you have encrypted
> file systems, you can boot in single user mode and change the password.
> Have a boot loader password? Boot off a rescue/live CD.
> Have the BIOS set only to boot off the first disk drive, password protected
> and you forgot the password? Pull the battery and the BIOS will reset to
> a state where you can change boot device settings.
> 

Thanks, that is what I needed. So actually I *can* use a strong password 
and if I lose it, no sweat, I can use the rescue disk to change the 
password file.

> If your firewall is blocking inbound connections, it sounds like you aren't
> expecting your family members to connect to your machine remotely. If that
> is the case then they don't need particularly strong passwords (since they
> have physical access, there isn't a lot of point of having them even to
> protect against each other). If you go this route, you should take some
> extra steps to prevent remote connections on your box in case something
> happens to the firewall.
> 

Yes, currently I have no external connections. However, I would very 
much like to be able to ssh into my computer, remotely. Because of the 
security implications and my current lack of knowledge I have chosen to 
keep it closed for the moment.
I was checking out some kind of door-knocking protocol, but that is 
where the commercial firewall gets in the way: there doesn't seem to be 
a way to implement this, short of replacing the firewall completely (by 
opening all ports and sending them through to one of my PCs).


Guus.
-- 
A.J. Bonnema, Leiden The Netherlands,
user #328198 (Linux Counter http://counter.li.org)
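Bruno's advice to "take some extra steps to prevent remote connections on your box in case something happens to the firewall", and Guus's remark that he has no means of checking which ports are really closed, both come down to one host-side check: what is actually listening on the machine, and on which addresses. The script below is an added example, not code from the thread or from Fedora; it parses output in the layout printed by `ss -tuln` (a constructed sample is embedded so it runs offline) and reports every socket bound to a non-loopback address that is not on an explicit allowlist. The allowlist (`ALLOWED_EXPOSED`, here just TCP/22 for the ssh access Guus wants later) is an assumption for the demo. Anything it reports is reachable the moment the external firewall fails or is misconfigured, so it complements an outside-in scan such as Shields Up rather than replacing it.

```python
"""Host-side audit of listening sockets (added example, not from the thread).

Parses text in the layout printed by `ss -tuln` and lists every UDP/TCP
socket that is bound to an address other than loopback and is not on an
explicit allowlist.  On a live box, replace SAMPLE_SS_OUTPUT with
    subprocess.run(["ss", "-tuln"], capture_output=True, text=True).stdout
"""
import ipaddress

# Constructed sample in the `ss -tuln` layout: header, then one socket per line.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
udp   UNCONN 0      0      [::1]:323           [::]:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.10:25     0.0.0.0:*
tcp   LISTEN 0      128    [fe80::1%eth0]:546  [::]:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

# Services the owner has decided may be reachable from the network.
# Assumption for the demo: only sshd on TCP/22 is intended to be exposed.
ALLOWED_EXPOSED = {("tcp", 22)}


def split_addr_port(local):
    """'[::]:22' -> ('::', 22); '0.0.0.0:22' -> ('0.0.0.0', 22); '*:22' -> ('*', 22)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    # Drop an IPv6 scope id such as '%eth0' so ipaddress can parse the address.
    host = host.split("%", 1)[0]
    return host, int(port)


def parse_ss(text):
    """Yield (proto, state, host, port) for each socket line, skipping the header."""
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        host, port = split_addr_port(local)
        yield proto, state, host, port


def is_exposed(host):
    """True if a socket bound to `host` can be reached from another machine.

    Wildcards ('*', 0.0.0.0, ::) and any real interface address count as
    exposed; only loopback (127.0.0.0/8, ::1) is considered local-only.
    """
    if host in ("*", ""):
        return True
    return not ipaddress.ip_address(host).is_loopback


def audit(text, allowed=ALLOWED_EXPOSED):
    """Return a sorted list of (proto, port, host) that are exposed and not allowed."""
    findings = set()
    for proto, _state, host, port in parse_ss(text):
        if is_exposed(host) and (proto, port) not in allowed:
            findings.add((proto, port, host))
    return sorted(findings)


def main():
    for proto, port, host in audit(SAMPLE_SS_OUTPUT):
        print(f"exposed and not allowlisted: {proto}/{port} bound to {host}")


if __name__ == "__main__":
    main()
```

On the sample this flags portmap on UDP/111 and an SMTP listener bound to the LAN address, and stays quiet about CUPS and the time daemon because they only listen on loopback. The fix for each finding is to stop the service, bind it to 127.0.0.1, or add a host firewall rule, so that the box no longer depends on the consumer router being the only thing between those sockets and the Internet.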