Hello,

From my point you should first disable everything which is not needed. If you don't use Wifi, just stop it.

What kind of router are you using? A Linux distribution on some PC or dedicated hardware (as modem/router sold by DLink or some other vendors)? If your router is a GNU/Linux distribution it is possible to build a strong enough firewall with it using iptables (and ip6tables if you also have IPv6 activated through Internet).

Regarding your possibly attacked systems, as it was already explained, the best you could do is to re-install them from scratch.

Kind regards,
mathias

-----Original Message-----
From: Linux User [mailto:[email protected]]
Sent: Wednesday, 3 March 2010 06:08
To: [email protected]; Linux User
Subject: Re: Desperate for good firewall: ARP and DNS attacks

On Wed, Mar 3, 2010 at 12:35 AM, Stephan Balmer <[email protected]> wrote:
> What sort of Internet connection do you use? What hosts are connected?
> Wifi present?

I have an ADSL PPPoE connection, although normally it's PPPoA. Doesn't matter with my ISP. What do you mean by hosts connected? On my LAN? If that's what you mean, only one at the moment. Wifi present but not in use. I did use Wifi a while back and that seemed to be the beginning along with other issues. On my father's laptop I was astonished to see that he had 27 tunnelling adapters by looking at ipconfig. Lots of weird stuff went on there, and others who knew about this particular Wifi modem I had at the time told me it was junk and to throw it away.

> What operating system are you using?

Lenny 5.0.4 with updates.

> How do you detect malware on your system?

By using rootkit tools, and by simple inspection and observing the behaviour of my system. For example, on my iMac, the malware resides on a partition I can't get rid of. Apple tech support said there should only be one partition for my system and I could use the disk tool to zero it out, but the malware partition won't let itself get wiped and it tries to take over the install (and does, I've tried many times.) I'm going to have to send my iMac to the service centre and ask them to send me back the bad disk and put in a new one for me. Lots of ways I detect it. Plus the kernel is not supposed to resume from a swap partition at boot time, is it? Seems odd to me. Also I found through looking at my traffic use uploads of data that did not come from me or my father.

> What do you mean by 'on multicast'? From where did you boot whom off how?

I saw a lot of stuff about traffic going to a multicast address, and a professor took a look at it, and it was a multicast address traffic was going to. Also something like "snmp-trap" and IGMP stuff. To be honest I only have a small knowledge of networking. Enough to get up and going and create a very simple firewall.

> Your router got taken over? Did you replace it? What/who is 'it'?

Yes, I replaced several modem/routers. I don't know what/who is "it", otherwise I'd be gunning for who/it and making it stop. I have some suspicions and I'm investigating those. I've got lots of good packet captures and weird partitions not supposed to be partitioned which I ripped out with the dd command.

> Just a warning: I'm no expert.

That's okay, thank you for taking the time to respond. I appreciate it.

> As long as these reside on ramdisks, the security issues are slight.
> Attackers would have to exploit vulnerabilities in the install system over
> the network. This is unlikely.

Thanks for that information. So I can look elsewhere instead of being overly worried about it and focus on what's more likely.

> You can download official Debian images from http://www.debian.org. An
> attacker would have to go to great lengths to provide malicious ones.
> So unless you have something of great value (or have annoyed somebody
> a great deal) it is extremely unlikely anybody would do this. You can also
> download Debian testing images, those are generated daily and even harder to
> fake.
>
> If you want to be extra sure, take the SHA1 hash of an image and compare
> out-of-band with a trusted person. You would
>
> 1. Download an image from debian.org
> 2. take its SHA1 hash
> 3. Phone a trusted person to do the same
> 4. compare SHA1 hashes
>
> If they are different, first verify you both downloaded the same image.
> If the images really are different, publish both somewhere for people to
> have a look at them.

Thanks very much for that. I will do that and see what happens.

> Also in this case you should consider contacting your
> friendly law enforcement agency, it is likely that there is a law against
> this, though I don't know where you live.

Oh I will be doing that, but I would like to try and gather something that can stand up in a court of law. Otherwise I'm not sure anything could be done. As for the laws, I assumed there was, and I contacted the free legal advice line and got some help there. There are several ways I can get this done legally that I'm aware of at the moment. But I do need something that can likely result in conviction(s) and/or a Supreme Court writ for damages. Standards of proof are different obviously for those roads.

Thanks very much for taking the time to reply.

--
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
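The out-of-band SHA1 check Stephan describes above (hash the downloaded image, have a trusted person hash their copy, compare the two values), written out as a small POSIX shell script. This is an added example, not code from the thread or from Debian; the image file name is a constructed stand-in, and the script assumes only that sha1sum and awk are available.

```shell
#!/bin/sh
# Added example (not from the thread): compare a downloaded image's SHA1 with a
# value obtained out-of-band, e.g. read over the phone by a trusted person.

# sha1_of FILE -> prints the lowercase hex SHA1 of FILE
sha1_of() {
    sha1sum "$1" | awk '{print $1}'
}

# normalize_hash HASH -> lowercase, no spaces/colons, so a value read aloud as
# "A9 99 3E ..." compares equal to the sha1sum output
normalize_hash() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' :\n\t'
}

# verify_image FILE EXPECTED_SHA1
#   returns 0 if the local hash matches the trusted one,
#           1 if they differ (step "if they are different..." applies),
#           2 if EXPECTED_SHA1 is not a 40-hex-digit value (mistyped/misheard)
verify_image() {
    file=$1
    expected=$(normalize_hash "$2")
    case $expected in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the out-of-band SHA1"
        return 0
    fi
    echo "MISMATCH: $file"
    echo "  local  : $actual"
    echo "  trusted: $expected"
    return 1
}

# Demo on a constructed file standing in for the ISO image.
demo() {
    tmp=$(mktemp)
    printf 'constructed stand-in for a debian netinst image\n' > "$tmp"
    good=$(sha1_of "$tmp")
    verify_image "$tmp" "$good"                                      # OK
    verify_image "$tmp" "0000000000000000000000000000000000000000"   # MISMATCH
    rm -f "$tmp"
}
demo
```

Debian also publishes SHA256SUMS and SHA512SUMS files with detached signatures next to its images, so the same comparison can be done against a signed checksum list as well as against a person on the phone.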

