On Mon, Jul 7, 2008 at 6:29 PM, Vetrivel Arumugham <[address removed]> wrote:
> Please let me know the available tools (preferably OpenSource; also
> commercial) for Internet Security, Firewall & AntiVirus / AntiSpyware /
> Anti-RootKit Tools for a personal LINUX system (Debian based or Ubuntu).
> I am NOT an advanced user of OpenSource security tools!
> I use iptables - customized it using online documents & arno-iptables.
> Only my PC is present in the (wired) home-network; since it's the only PC I
> didn't use any router (Linksys router which has a h/w firewall). My PC is
> directly connected to the cable modem through a LAN cable.
> But still, sometimes my PC seems hacked.
> Some bookmarks I made in Firefox DISAPPEARED yesterday within 20 minutes -
> when I was away from the PC and the modem was online and connected to the PC - I
> didn't set the modem to standby; I didn't update Firefox / didn't apply any
> Firefox or OS patches / I didn't install any other application!!!!!!!
> Using StarHub Maxonline .
> I checked my PC (LINUX) using www.GRC.com - Shields Up online port
> scanning service.
> https://www.grc.co... ; and it displays all ports are in
> Stealth mode.

If you have access to another Linux computer, you could run your own
port-scanning. Online port-scanners aren't that great. Install nmap and
run it this way:
$ nmap -A -T4 -p[masked] <your_ip_address>
That will do a complete scan. If you see any open ports, you can
research it online and see whether it is reasonable for it to be
opened (you can put it up here too for others to comment). You should
have most/all ports closed/filtered if you've set your iptables

For iptables, make sure you have a strict default policy, i.e. drop
INPUT and FORWARD, and allow OUTPUT and ESTABLISHED. After that you
might need to provide some allowances if you're using services like
bittorrent or if your computer serves as an HTTP/FTP/... server; but
these are exceptions, your default policy should always be the
> How can I close a particular port using iptables?
> I installed the Firestarter GUI client; but due to some problem it was NOT
> working, hence I uninstalled it.

You could set the default policy to DROP, that will leave the port as
closed; otherwise, you could also use REJECT (which leaves the port as
> What are the different remote access methods apart from the below?
> telnet, ftp, sftp, ssh, ping ...

Lots more. http, https, ftps to mention a few (there are more if
you're using stuff like VPN or remote access software). And ping is
not used for remote access; it's more of a diagnostic tool (obviously,
it can also be used by bad guys to detect whether your computer is
> Even if the respective daemons are shut down (in a personal LINUX system),
> is it possible to access data in my
> system using the Firefox browser (ports 80 & 443)? If someone knows the IP
> assigned to my system by the StarHub DHCP server?

Nope. Unless your computer is infected by rootkits/worms/trojans. If
you're sure your system is clean, nobody can access your computer when
you leave all ports closed. The best way to detect
rootkits/worms/trojans IMHO is using a sniffer like wireshark
(previously ethereal), but it's pretty difficult for a novice to do. You
can use the sniffer to detect outgoing connections made from your
> Last week I was unable to access Yahoo-eMail; got error "Error 999 -
> ....... check your system for any viruses / spyware....
> ; There might be unknown activity coming from your ISP; Yahoo
> recommends to report this
> issue to your ISP".

It's a Yahoo catch-all error code. They use it to rate-limit IP
addresses (preventing DoS attacks). So either your IP was used to
attack Yahoo servers before (by other people), or your computer has
been infected by rootkits, or you simply access Yahoo servers too
rapidly. If the error does not occur again, it should be safe to
> ISSUE-4) IGMP Query attack from StarHub servers and unknown servers:
> When I boot my PC in Windows mode (I have ZoneAlarm Internet Security -
> which is set on medium protection level)
> I used to get a lot of security alerts from the ZoneAlarm Internet firewall,
> "The firewall has blocked an Internet Multicast (IGMP Query) to your
> computer from cm1.zeta134.maxonline.com.sg [masked])"
> Same such IGMP queries from many of StarHub Maxonline servers (at least 10
> to 20 servers).
> But this happens not regularly but randomly.
> What's the port number for this IGMP Query and how can it be blocked when
> using LINUX using iptables? And why are they sending such queries to a
> civilian's computer? Or are they arising from outside their network?
> Have sent an eMail from them. Yet to receive a response.

Not sure about this. It could be for your cable TV. But I'm not too
sure how StarHub does this. Btw, it may not be a StarHub server; IMHO,
ISPs usually give a name to all IP addresses that belong to them
(including the ones they assign to customers), so this makes diagnosis
pretty hard unless we have better info.
> There are NO commercial firewalls (software based) / Internet security
> tools available - as far as my Google & Yahoo searches show.

For Linux? Not sure, but I love iptables, it has superb control. There
was one piece of software that I used quite some time ago. It was pretty easy
to use but I can't remember the name. If you're on a Debian-based
system, you could find some choices of firewall using the package
manager (synaptic for the GUI).
> Thanks in Advance! & Hope to attend the next SLMG group !
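
The strict default policy recommended in the reply above (DROP for INPUT and FORWARD, ACCEPT for OUTPUT, ESTABLISHED traffic allowed back in, explicit exceptions for any service you really run), written out as a complete iptables-restore ruleset. This is an added example, not code from the thread or from any of its participants; it only generates the ruleset so it can be reviewed before being loaded, and the TCP port list it takes is a hypothetical input, not something the thread specifies. It also shows the DROP-versus-REJECT choice from the reply: with DROP the ports show as "stealth"/filtered to a scanner, with REJECT they show as closed.

```shell
#!/bin/sh
# Added example, not part of the original thread: generate (do not apply) an
# iptables-restore ruleset implementing a strict default policy: INPUT and
# FORWARD default to DROP, OUTPUT is ACCEPT, replies to connections this host
# opened are allowed back in, and every service you run is an explicit
# exception. The port list is a hypothetical example input.

# port_is_valid PORT -> 0 if PORT is an integer in 1..65535, 1 otherwise
port_is_valid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset MODE [PORT...] -> prints the ruleset on stdout
# MODE is "drop" (unsolicited packets are silently discarded; ports look
# filtered/"stealth") or "reject" (the kernel answers with an ICMP error;
# ports look closed). Remaining arguments are TCP ports to accept.
gen_ruleset() {
  mode="$1"; shift
  case "$mode" in
    drop|reject) ;;
    *) echo "bad mode: $mode" >&2; return 1 ;;
  esac
  for p in "$@"; do
    port_is_valid "$p" || { echo "bad port: $p" >&2; return 1; }
  done
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # loopback traffic is local and must keep working
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # packets belonging to connections this machine opened (browsing, updates)
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # explicit exceptions, one rule per service you actually run
  for p in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # in reject mode, answer everything else with an ICMP port-unreachable
  if [ "$mode" = reject ]; then
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
  fi
  printf '%s\n' 'COMMIT'
}

# count_accept_exceptions MODE [PORT...] -> number of per-port ACCEPT rules
count_accept_exceptions() {
  gen_ruleset "$@" | grep -c -- '--dport' || true
}

# Usage as a script:  sh strict-rules.sh drop 22 > /tmp/strict.rules
# Review the file, then load it as root:  iptables-restore < /tmp/strict.rules
if [ "$#" -gt 0 ]; then
  gen_ruleset "$@"
fi
```

Because the default policy is DROP, anything not explicitly allowed is discarded, which also covers the IGMP queries asked about in the thread: IGMP is IP protocol 2 and has no port number, so there is no port to "close"; the DROP policy on INPUT already discards those packets unless a rule accepts them. Add a `-p tcp --dport` exception only for a service you deliberately run on the machine.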