This list does not make much sense to me. You should work on that.
• All repos have the same priority.
• The KDE4-Playground repo contains mainly untested packages; they’re aimed at testers and developers, not end users.
• You use quite a lot of ‘home:’-repositories, my experience says that at least 90% of them contain sheer trash (I don’t mean “alpha” or “unstable” but simply “trash”). Especially when compiling from source, one should take care that dependencies and devel-packages are set up right.
• “server”, “security” & “monitor” are mainly aimed at server systems, not home desktops.
I never said I am an end user only or anything like that. I test stuff/security for clients in the SOX age. I need server, security and nmap for various reasons.
It boots fast and without any conflicts. I may not be able to document what I did but I did it right. The system is now like a rock. I scanned open ports, fixed them and did a lot of stuff with VMware server.
Firewalls keep ports open; scan yourself and close the ports. It won't mess up your web activity if you initiate from your desktop, but hack stuff won't work against you.
This time I will try to give some serious remarks.
First, you should enable only the famous four repos (OSS, non-OSS, Update and Packman) and when you need a package from another repo (where you should assess its reliability very carefully when you are after a very stable and secure system), you disable that repo immediately after you have installed the package. Thus your zypper lr -d list gives me the shivers (and you dependency problems).
Second. I have not much remarks about “hardening the desktop” (why the desktop and not the rest of the system?), because that includes a long list of varying subjects (where the trustable repos are part of and not a separate thing). I assume those lists are to be found on the Internet also.
Third. It is simple to see what ports are open with
netstat -atu
No need to scan the ports. And when you have switched off everything you do not need there, I doubt if you really need a so called “personal firewall” on the system. You better have a well managed firewall on the periphery of your network.
Have installed smoothwall on second machine, @ suse firewall; i have no comments to make. The tools that I use offer me ease. I do not have dependency issues any more. I have checked the repos and find them authentic.
The sysadmin/manager uses netstat because it is an easily available tool to tell him what is going on and if stopping services worked as intended. He does not need a second system with port scanning software, which might not even be available.
When the sysadmin is satisfied with this and the rest of the hardening, he reports so.
Then the security department can test with port scans, password crackers, etc. (preferably when the sysadmin is at home and asleep).
It may be true that the roles of sysadmin and security admin reside in the same person, but seeing the difference between roles is always important.
Below please find outputs from various port scanning utilities and compare those at your convenience. I will give my reasons for choosing specific apps at the bottom of the post.
Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-25 20:11 SGT
NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 20:11
Scanning 64.13.134.52 [4 ports]
Completed Ping Scan at 20:11, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:11
Completed Parallel DNS resolution of 1 host. at 20:11, 8.02s elapsed
Initiating SYN Stealth Scan at 20:11
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
Completed SYN Stealth Scan at 20:12, 28.24s elapsed (1000 total ports)
Initiating Service scan at 20:12
Scanning 3 services on scanme.nmap.org (64.13.134.52)
Completed Service scan at 20:12, 12.19s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (64.13.134.52)
Initiating Traceroute at 20:12
64.13.134.52: guessing hop distance at 11
Completed Traceroute at 20:12, 2.32s elapsed
Initiating Parallel DNS resolution of 17 hosts. at 20:12
Completed Parallel DNS resolution of 17 hosts. at 20:12, 11.70s elapsed
NSE: Script scanning 64.13.134.52.
NSE: Starting runlevel 1 scan
Initiating NSE at 20:12
Completed NSE at 20:12, 5.70s elapsed
NSE: Script Scanning completed.
Host scanme.nmap.org (64.13.134.52) is up (0.39s latency).
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_ 2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http Apache httpd 2.2.3 ((CentOS))
|_ html-title: Go ahead and ScanMe!
113/tcp closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.27, Linux 2.6.18
Uptime guess: 0.458 days (since Fri Jun 25 09:12:44 2010)
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.76 seconds
Raw packets sent: 2050 (91.790KB) | Rcvd: 71 (3634B)
I guess you can interpret the outcome or I will do a PM and explain it there. In a normal sense many daemons run on a Linux desktop and to take appropriate measures you need efficient tools. If you scan from localhost (the way you suggested) the firewall will read it and allow it to go through. In order to understand your risks you should check your firewall against untrusted hosts that can scan you while your firewall is fully functional. When you get hacked the people on the other side of the fence discover your open ports and apps and mess with you when ready.
As per my experience and practice I never accept default settings of any operating system. Users should ensure that their operating system (especially Linux) is very secure and efficient.
As per your suggestion regarding repos, I know what I am doing. I freaked out at first over kde, now comfortable with it. As of now I have managed all updates and have not had any conflicts pending. I believe one should choose the road less traveled.
Yes, I can read it, but with difficulty. I assume that the computer output was formatted to be easier to read (I know that for sure for netstat), but you spoiled that by not putting the computer text between CODE tags. There is the # button in the toolbar above the text input field for that.
It would also have been easier when you had used the n option with netstat (I suppose you studied the man page before executing something I, as an untrusted outsider, tried to lure you into), because Nmap gives you the ports in numbers.
(And a | grep LISTEN also makes it more concise and to the point, but again I only pointed you to netstat, leaving it to you if you want to use it and how.)
As long as you know what you are doing and are satisfied with that, I am fine with that also.
Well, I can still do that. Give me a moment. I won't paste my IP, I am not allowed to do that from my workplace. You will get other things the way you want.
@ Henk - I tried netstat --all, it listed all ports but it still isn't mature; tried to paste the code here but it declined saying ‘The text that you have entered is too long (47669 characters). Please shorten it to 15000 characters long’.
The --all will also show the internal (Unix domain) sockets. As they are only about program to program communications internally to your system, they have nothing to do with listening ports on the network. That is why I gave the t (TCP) and u (UDP) options. Also the l option is nice, then you do not have to grep for LISTEN. And do not forget the p option if you want to know which program does the listening.
And do not try to publish that long list here. Nobody will be interested. I gave you the notion of the existence of netstat. Use it as you like. When you have a problem that must be illustrated with it, start a thread and post that part of the netstat output that is of interest.
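The two views argued over in this thread (the sysadmin's inside view from netstat with the t, u, l and p options, and the security tester's outside view from an Nmap scan) are worth putting side by side, because the interesting question is which listening daemons actually survive the perimeter firewall. The script below is an added example, not something posted in the thread or shipped with openSUSE; the netstat listing and the Nmap grepable output (the -oG format) it parses are constructed samples, and the address 192.0.2.10 and the PIDs in them are made up.

```shell
#!/bin/sh
# Added example (not from the thread): join the host's own socket listing
# (netstat -tulpn) with an external scanner's result (nmap -oG) to see which
# listening services are reachable through the firewall, which are blocked,
# and which only bind to loopback and so are never exposed at all.

# Constructed sample of `netstat -tulpn` output; PIDs are invented.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1300/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      900/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           800/dhclient
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1350/named'

# Constructed sample of `nmap -sS -oG -` output against a made-up address.
# Fields on the Host line are tab separated; each port entry is
# port/state/protocol//service///.
NMAP_SAMPLE=$(printf '# Nmap 5.00 scan initiated as: nmap -sS -oG - 192.0.2.10\nHost: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///\tIgnored State: 997 filtered ports\n# Nmap done -- 1 IP address (1 host up) scanned\n')

# Inside view: print "proto port bind-address program" for every TCP socket
# in LISTEN state and every UDP socket (UDP has no State column, so the
# program name is simply the last field).
listening_sockets() {
  awk '
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }
    $1 ~ /^(tcp|udp)/ {
      n = split($4, a, ":")
      port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)  # works for ":::22" too
      prog = $NF
      sub(/^[0-9]+\//, "", prog)                           # strip "pid/"
      proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
      print proto, port, addr, prog
    }'
}

# Outside view: print "proto port" for each entry the scanner reports as open.
reachable_ports() {
  awk -F '\t' '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          n = split(substr($i, 8), entries, ", ")
          for (j = 1; j <= n; j++) {
            split(entries[j], f, "/")
            if (f[2] == "open") print f[3], f[1]
          }
        }
      }
    }'
}

# Join the two views: $1 is netstat text, $2 is nmap grepable text.
exposed_services() {
  open_ports=$(printf '%s\n' "$2" | reachable_ports)
  printf '%s\n' "$1" | listening_sockets |
  while read -r proto port addr prog; do
    case $addr in
      127.*|::1) echo "$proto/$port $prog ($addr) loopback only" ;;
      *)
        if printf '%s\n' "$open_ports" | grep -qx "$proto $port"; then
          echo "$proto/$port $prog ($addr) reachable from outside"
        else
          echo "$proto/$port $prog ($addr) not reachable (filtered or not scanned)"
        fi ;;
    esac
  done
}

exposed_services "$NETSTAT_SAMPLE" "$NMAP_SAMPLE"
```

On a real host you would feed it `netstat -tulpn` (or `ss -tulpn` on systems that no longer ship net-tools) and an `nmap -oG` run taken from a machine outside the firewall, as the thread suggests. Note the caveat visible in the sample: named on udp/53 shows up as "not reachable" only because a SYN scan never touches UDP; a UDP scan (-sU) is needed before that line means anything.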
Thanks a bunch. As of now I got all I needed, I may or may not use all the software bundle or I may install something that meets my requirements. For recording packages and communications I have snort that logs to file.