Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-20 Thread Rich Freeman
On Mon, Jul 20, 2015 at 10:37 AM, Nikos Chantziaras  wrote:
> On 18/07/2015 08:43 μμ, Andrew Savchenko wrote:
>>
>> Yes and no. If a user has enabled a network interface and has no network
>> daemons running, the kernel still listens on that interface (ARP, ICMP
>> and so on) and may be hacked using vulnerabilities in the network
>> stack, protocol handlers or even network device drivers.
>
> Which is not a realistic scenario. We can assume that for all intents and
> purposes, the OP is safe.
>

It is a completely realistic scenario and has in fact happened in the
past (ping of death and so on).  That said, all you can do to protect
against it is update your kernel when a vulnerability is discovered,
unless you want to go funding your own kernel audit.  This scenario
applies to virtually any router in existence to some degree - at least
with a linux router you build yourself you know for sure what is
running on it and it is easy to update if a vulnerability does get
discovered.

Just run a supported kernel and you should be fine.  You'll probably
want a longterm kernel on something like a router.

So, it isn't a reason to panic, but you could conceivably have a linux
router whose only userspace process is an init that sets up
iptables/iproute/etc and then just does an idle loop, and it could
still have a vulnerability.  The kernel is software like anything
else, and it can contain bugs.  That shouldn't make you afraid to use
linux, but as with any networked device you should understand security
and ensure that if there is a problem you'll find out about it and be
able to fix it.  That is true of linux, any embedded OS, or of almost
any device that contains RAM.

-- 
Rich



[gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-20 Thread Nikos Chantziaras

On 18/07/2015 08:43 μμ, Andrew Savchenko wrote:
> On Sat, 18 Jul 2015 06:47:21 +0300 Nikos Chantziaras wrote:
> > > The problem I (possibly needless) see is: While I am tinkering and
> > > testing the configuration I may setup an open Wifi access point
> > > without noticing it in first glance and
> > > BANG! get hacked ... in the worst case: unrecognized...
> > 
> > If you don't have any daemons running that provide network services
> > (have opened listen ports), you can't get hacked.
> 
> Yes and no. If a user has enabled a network interface and has no network
> daemons running, the kernel still listens on that interface (ARP, ICMP
> and so on) and may be hacked using vulnerabilities in the network
> stack, protocol handlers or even network device drivers.

Which is not a realistic scenario. We can assume that for all intents
and purposes, the OP is safe.





[gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-19 Thread James
J.Rutkowski  pancakebungalow.com> writes:

> I'm in the process of doing this with a beaglebone black[1] I had lying
> around. I wanted to have a minimal wireless access point and firewall
> for my home office. It's cheap, low maintenance (after install), and
> completely configurable. Tying embedded systems into the
> Project:Installer would be amazing! It would be awesome to see an
> installer handle distcc.

> -Josh 
> [1] http://beagleboard.org/BLACK

Ah:: Excellent move there Josh!
I have an older Pandaboard:: will it work too?

Will it support multiple ethernet interfaces, even if you have
to use USB-2-RJ45 converters? Also, please make your
iptables ruleset modular so folks can test/deploy on other devices.

Do not forget to leverage the existing gentoo home router page in
your design, if possible? [1]

James

[1] https://wiki.gentoo.org/wiki/Home_Router






Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-19 Thread J.Rutkowski


On Sun, Jul 19, 2015, at 02:13 PM, James wrote:
> The number of 'gadgets' with wireless ethernet is currently exploding
> on many markets. Inclusion of connecting, routing and securing wireless
> devices via a gentoo centric firewall is definitely an opportunity for the
> greater gentoo community. I think leveraging such a project on
> top of the new Project::Installer offering is something that happens.
> 
> I'd be most curious to see a gentoo-embedded-firewall, that runs on a
> variety of gentoo-embedded arch's such as PPC, arm7v, arm8v specifically.
> That way low cost (low power consumption embedded boards) could be
> purchased, set up and deployed for our userbase and to attract new gentoo
> members.
>

I'm in the process of doing this with a beaglebone black[1] I had lying
around. I wanted to have a minimal wireless access point and firewall
for my home office. It's cheap, low maintenance (after install), and
completely configurable. Tying embedded systems into the
Project:Installer would be amazing! It would be awesome to see an
installer handle distcc.

-Josh

[1] http://beagleboard.org/BLACK



[gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-19 Thread James
Mick  gmail.com> writes:


> > > > BANG! get hacked ... in the worst case: unrecognized...

> > thank you very much for all tips and tricks on this topic. The only
> > router/dsl-modem I own is the one I got from my first DSL provider
> > in times when the DSL modem/router was not controlled by the
> > provider ;)
> > So the chain has only one link.

Perhaps you need to convert an old pc to a firewall? If you look at several
of the associated threads lately, you can see that useful gentoo based
appliances, such as a robust firewall, are strictly the domain of (gentoo)
experts. But it does not have to be that way. A secure firewall could be
available on the gentoo platform. However, atm, we struggle with offering a
simple if not guided installation procedure for gentoo linux. Let us hope
that the Project::Installer will result in an offering where somebody could
then define how to build a gentoo-centric firewall for our user base. Until
then I'd suggest using a linux distro specifically tuned to building a
firewall with wireless interface support [1].

> > Maybe I get my tablet rooted and will be able to convince the kernel
> > to accept a USB/Ethernet USB-gadget (or how it is called). Wifi/WLAN
> > is a weird thing. I don't trust it that far, as I trust a good ole
> > cable going from 'A' to 'B'... ;)
> > 
> > A little old school, but who cares. Better safe than sorry...
> > 
> > Thanks a lot again!
> > Best regards,
> > Meino
> 
> I didn't answer immediately, because I am not entirely clear what is the 
> attack vector that you are worried about.

True. But we could offer a generic gentoo firewall, from which folks build
additional features for their needs beyond the basics.


> If you are going to use your PC to create a wireless access point, so 
> that the tablet can wirelessly connect to the Internet through this, 
> then using WPA2-CCMP encryption of your wireless connection should be 
> enough for most  practical purposes.

The number of 'gadgets' with wireless ethernet is currently exploding
on many markets. Inclusion of connecting, routing and securing wireless
devices via a gentoo centric firewall is definitely an opportunity for the
greater gentoo community. I think leveraging such a project on
top of the new Project::Installer offering is something that happens.

I'd be most curious to see a gentoo-embedded-firewall, that runs on a
variety of gentoo-embedded arch's such as PPC, arm7v, arm8v specifically.
That way low cost (low power consumption embedded boards) could be
purchased, set up and deployed for our userbase and to attract new gentoo members.


James
[1] http://www.tecmint.com/install-ipfire-firewall-distribution/




Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-19 Thread Mick
On Sunday 19 Jul 2015 11:18:45 meino.cra...@gmx.de wrote:
> walt  [15-07-19 04:08]:
> > On Sat, 18 Jul 2015 05:34:53 +0200
> > 
> > meino.cra...@gmx.de wrote:
> > > Hi,
> > > 
> > > in order to connect my ASUS Memo Pad 7 ME176CX to the internet I need
> > > a working WLAN (my DSL router/modem is of the copper era - no
> > > Wifi/WLAN). The hardware (a USB dongle) is already there...it needs
> > > "only" be configured and setup.
> > > 
> > > The problem I (possibly needless) see is: While I am tinkering and
> > > testing the configuration I may setup an open Wifi access point
> > > without noticing it in first glance and
> > > BANG! get hacked ... in the worst case: unrecognized...
> > 
> > I heard this on a podcast about security from someone (Steve Gibson)
> > who knows a lot about the subject.  He suggested using all those old
> > home routers (you have sitting around collecting dust) in a new way.
> > 
> > Apparently we can't trust any individual black-box home router to be
> > secure any more, but maybe we can combine them to make hackers work
> > harder:
> > 
> > The idea is to chain all those home routers in series (instead of using
> > them as the manufacturers intended) and then, as the last step, to plug
> > your (new) wireless router into the end of the chain of old routers.
> > 
> > I have no idea if this idea is good or bad, I'm just passing it along.
> 
> Hi all,
> 
> thank you very much for all tips and tricks on this topic. The only
> router/dsl-modem I own is the one I got from my first DSL provider
> in times when the DSL modem/router was not controlled by the
> provider ;)
> So the chain has only one link.
> 
> Maybe I get my tablet rooted and will be able to convince the kernel
> to accept a USB/Ethernet USB-gadget (or how it is called). Wifi/WLAN
> is a weird thing. I don't trust it that far, as I trust a good ole
> cable going from 'A' to 'B'... ;)
> 
> A little old school, but who cares. Better safe than sorry...
> 
> Thanks a lot again!
> Best regards,
> Meino

I didn't answer immediately, because I am not entirely clear what is the 
attack vector that you are worried about.

If you are going to use your PC to create a wireless access point, so that the 
tablet can wirelessly connect to the Internet through this, then using WPA2-
CCMP encryption of your wireless connection should be enough for most 
practical purposes.
-- 
Regards,
Mick


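Mick's advice above is to run the access point with WPA2-CCMP. The pre-flight check below is an added example (not from this thread or from hostapd) that refuses a hostapd.conf which would start an open, WEP, WPA1 or TKIP-capable network, so the "open AP while tinkering" case Meino worries about is caught before the interface ever goes up. The sample configs, interface name and ssid are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check for a hostapd.conf before the access point is started.
# Exit status 0 means the file configures WPA2 with CCMP only; anything
# weaker (open network, WEP, WPA1/TKIP, short passphrase) gives 1 and a
# reason on stderr. Hypothetical helper for this thread, not part of hostapd.

conf_get() {   # conf_get FILE KEY -> value of the last "KEY=value" line
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

check_hostapd_conf() {
    f=$1
    wpa=$(conf_get "$f" wpa)
    mgmt=$(conf_get "$f" wpa_key_mgmt)
    pair=$(conf_get "$f" rsn_pairwise)
    pass=$(conf_get "$f" wpa_passphrase)
    psk=$(conf_get "$f" wpa_psk)
    wep=$(conf_get "$f" wep_default_key)
    # wpa is a bitmask: 1 = WPA, 2 = WPA2, 3 = both. Only 2 is acceptable.
    [ "$wpa" = 2 ] || { echo "$f: wpa='$wpa' (want 2, WPA2 only)" >&2; return 1; }
    case " $mgmt " in
        *" WPA-PSK "*|*" SAE "*) ;;
        *) echo "$f: wpa_key_mgmt='$mgmt' enables neither WPA-PSK nor SAE" >&2; return 1 ;;
    esac
    # A TKIP fallback ("CCMP TKIP") would let a client negotiate the weak cipher.
    [ "$pair" = CCMP ] || { echo "$f: rsn_pairwise='$pair' (want CCMP only)" >&2; return 1; }
    [ -z "$wep" ] || { echo "$f: WEP key configured" >&2; return 1; }
    if [ -z "$psk" ] && [ "${#pass}" -lt 8 ]; then
        echo "$f: wpa_passphrase missing or shorter than 8 characters" >&2; return 1
    fi
    return 0
}

# Constructed sample configs; interface and ssid are placeholders.
OPEN_CONF=$(mktemp)
WPA2_CONF=$(mktemp)
cat >"$OPEN_CONF" <<'EOF'
interface=wlan0
ssid=test-ap
EOF
cat >"$WPA2_CONF" <<'EOF'
interface=wlan0
ssid=test-ap
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
EOF

for f in "$OPEN_CONF" "$WPA2_CONF"; do
    if check_hostapd_conf "$f"; then echo "$f: ok, safe to start hostapd"; fi
done
```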


Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-19 Thread Meino . Cramer
walt  [15-07-19 04:08]:
> On Sat, 18 Jul 2015 05:34:53 +0200
> meino.cra...@gmx.de wrote:
> 
> > Hi,
> > 
> > in order to connect my ASUS Memo Pad 7 ME176CX to the internet I need
> > a working WLAN (my DSL router/modem is of the copper era - no
> > Wifi/WLAN). The hardware (a USB dongle) is already there...it needs
> > "only" be configured and setup.
> > 
> > The problem I (possibly needless) see is: While I am tinkering and
> > testing the configuration I may setup an open Wifi access point
> > without noticing it in first glance and
> > BANG! get hacked ... in the worst case: unrecognized...
> 
> I heard this on a podcast about security from someone (Steve Gibson)
> who knows a lot about the subject.  He suggested using all those old
> home routers (you have sitting around collecting dust) in a new way.
> 
> Apparently we can't trust any individual black-box home router to be
> secure any more, but maybe we can combine them to make hackers work
> harder:
> 
> The idea is to chain all those home routers in series (instead of using
> them as the manufacturers intended) and then, as the last step, to plug
> your (new) wireless router into the end of the chain of old routers.
> 
> I have no idea if this idea is good or bad, I'm just passing it along.
> 
> 
> 


Hi all,

thank you very much for all tips and tricks on this topic. The only
router/dsl-modem I own is the one I got from my first DSL provider
in times when the DSL modem/router was not controlled by the
provider ;)
So the chain has only one link.

Maybe I get my tablet rooted and will be able to convince the kernel
to accept a USB/Ethernet USB-gadget (or how it is called). Wifi/WLAN
is a weird thing. I don't trust it that far, as I trust a good ole
cable going from 'A' to 'B'... ;)

A little old school, but who cares. Better safe than sorry...

Thanks a lot again!
Best regards,
Meino




[gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-18 Thread walt
On Sat, 18 Jul 2015 05:34:53 +0200
meino.cra...@gmx.de wrote:

> Hi,
> 
> in order to connect my ASUS Memo Pad 7 ME176CX to the internet I need
> a working WLAN (my DSL router/modem is of the copper era - no
> Wifi/WLAN). The hardware (a USB dongle) is already there...it needs
> "only" be configured and setup.
> 
> The problem I (possibly needless) see is: While I am tinkering and
> testing the configuration I may setup an open Wifi access point
> without noticing it in first glance and
> BANG! get hacked ... in the worst case: unrecognized...

I heard this on a podcast about security from someone (Steve Gibson)
who knows a lot about the subject.  He suggested using all those old
home routers (you have sitting around collecting dust) in a new way.

Apparently we can't trust any individual black-box home router to be
secure any more, but maybe we can combine them to make hackers work
harder:

The idea is to chain all those home routers in series (instead of using
them as the manufacturers intended) and then, as the last step, to plug
your (new) wireless router into the end of the chain of old routers.

I have no idea if this idea is good or bad, I'm just passing it along.





Re: [gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-18 Thread Andrew Savchenko
Hi,

On Sat, 18 Jul 2015 06:47:21 +0300 Nikos Chantziaras wrote:
> > The problem I (possibly needless) see is: While I am tinkering and
> > testing the configuration I may setup an open Wifi access point
> > without noticing it in first glance and
> > BANG! get hacked ... in the worst case: unrecognized...
> >
> > What is the "best practice" here?
> > Is there a certain independent configuration, which I can set,
> > which prevents this scenario?
> >
> > Thank you very much in advance for any help!
> > Best regards,
> > Meino
> >
> > PS: If one knows the ASUS Memo Pad 7 ME176CX and knows a
> > way to locally connect this tablet to the internet...this
> > would be a way to go also. I would appreciate any hint in
> > this case (Using Lollipop 5.0).
> 
> If you don't have any daemons running that provide network services 
> (have opened listen ports), you can't get hacked. This is usually a 
> problem for Windows, which by default has a gazillion of services 
> running (NetBIOS, printer/media/filesystem/everything sharing, 
> messaging, remote desktop, etc.)
> 
> On Gentoo, if *you* didn't set up a service, then nothing is listening 
> on the network.

Yes and no. If a user has enabled a network interface and has no network
daemons running, the kernel still listens on that interface (ARP, ICMP
and so on) and may be hacked using vulnerabilities in the network
stack, protocol handlers or even network device drivers.

By default Gentoo has no interfaces enabled, but usually they are
set up during initial install. And users may be unaware that even
without any network applications they may be vulnerable with
enabled interfaces. Proper configuration of the kernel, especially
iproute2 and iptables, can minimize such risks, of course.

Best regards,
Andrew Savchenko




[gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-17 Thread James
  gmx.de> writes:


> What is the "best practice" here?
> Is there a certain independent configuration, which I can set,
> which prevents this scenario?

Briefly::

'eix -Cc net-wireless' will tell you what the packages in this
category do.

You either have to purchase a wireless router, or build one with
a wireless card, iptables and set up NAT.  You'll need some additional
software packages from net-wireless. Once you get the wireless device set up,
it's a good idea to test your wireless network security.


net-wireless/airsnort  is the grand_daddy
Many others exist::
net-wireless/airtraf
net-wireless/aircrack-ng

is a good start. You can run these from a laptop with a wireless interface.
Google for wiki sites or arch linux sites and how to set up and use them.


hth,
James
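James's build-it-yourself router above (wireless card, iptables, NAT) and Andrew's remark earlier in the thread that iptables can limit what the kernel answers on an enabled interface: the ruleset generator below is an added example, not from this thread, the Gentoo wiki or any project. The interface names eth0/wlan0 and the 192.168.10.0/24 subnet are assumptions; it only loads the rules into the kernel when run as root with --apply and prints them otherwise.

```shell
#!/bin/sh
# Ruleset generator for a home router built the way the thread describes:
# one WAN uplink, one wireless LAN, NAT, and a default-deny INPUT policy so
# the kernel answers nothing on the wireless side beyond the services the
# router deliberately offers. Hypothetical helper for this thread; interface
# names and the LAN subnet are placeholders. Output is iptables-restore format.

gen_router_rules() {   # gen_router_rules WAN_IF LAN_IF LAN_NET
    wan=$1 lan=$2 net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only what this router runs for its clients: DHCP (requests come from 0.0.0.0) and DNS.
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 53 -j ACCEPT
# Rate-limited ping from the LAN only; the WAN side gets no reply at all.
-A INPUT -i $lan -s $net -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Clients may go out; only replies to their own connections come back in.
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-wlan0}
LAN_NET=${LAN_NET:-192.168.10.0/24}

# Print by default; load into the kernel only when asked to and running as root.
if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_router_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
else
    gen_router_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```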




[gentoo-user] Re: In the fear of getting hacked (WLAN setup)

2015-07-17 Thread Nikos Chantziaras

On 18/07/2015 06:34 πμ, meino.cra...@gmx.de wrote:
> Hi,
> 
> in order to connect my ASUS Memo Pad 7 ME176CX to the internet I need
> a working WLAN (my DSL router/modem is of the copper era - no
> Wifi/WLAN). The hardware (a USB dongle) is already there...it needs
> "only" be configured and setup.
> 
> The problem I (possibly needless) see is: While I am tinkering and
> testing the configuration I may setup an open Wifi access point
> without noticing it in first glance and
> BANG! get hacked ... in the worst case: unrecognized...
> 
> What is the "best practice" here?
> Is there a certain independent configuration, which I can set,
> which prevents this scenario?
> 
> Thank you very much in advance for any help!
> Best regards,
> Meino
> 
> PS: If one knows the ASUS Memo Pad 7 ME176CX and knows a
> way to locally connect this tablet to the internet...this
> would be a way to go also. I would appreciate any hint in
> this case (Using Lollipop 5.0).


If you don't have any daemons running that provide network services 
(have opened listen ports), you can't get hacked. This is usually a 
problem for Windows, which by default has a gazillion of services 
running (NetBIOS, printer/media/filesystem/everything sharing, 
messaging, remote desktop, etc.)


On Gentoo, if *you* didn't set up a service, then nothing is listening 
on the network.