Some Security concerns i have over network access

English Network/Internet
#1

First off How do you disable IPV6 access on all connections used on the pc-is there a way to test for ipv6 connectivity?

Secondly how secure is a default opensuse 11.04 machine out of the box? should i be making some changes to the default configuration?

Thirdly what does the default firewall settings do? on my network i use my wpa2 psk aes connection via my local wireless network-in the event that some can hack into my wireless would the opensuse firewall prevent direct access to my pc from a attacker on the same wireless subnet?

Fourthly when does opensuse 11.04 go out of date? in a year from now?

#2

On Thu, 19 May 2011 16:36:04 +0000, linux ftw1 wrote:

> First off How do you disable IPV6 access on all connections used on the
> pc-is there a way to test for ipv6 connectivity?

Go to a terminal prompt and type “/sbin/ifconfig”. If you don’t see ipv6
information listed on your external interfaces (you may see it on the
loopback, I don’t recall offhand and I haven’t disabled it yet). There’s
a setting in the network configuration to disable it; a reboot is
recommended after disabling it to remove the kernel module IIRC (though
that can probably be done without a reboot).

> Secondly how secure is a default opensuse 11.04 machine out of the box?
> should i be making some changes to the default configuration?

By default, all inbound connections are blocked with a few exceptions.
Go into YaST and select the firewall configuration to see what ports are
open. It’s pretty straightforward.

BTW, I’m assuming you mean 11.4 - there is no version “11.04” for
openSUSE - the version numbers are all xx.x in format.

> Thirdly what does the default firewall settings do? on my network i use
> my wpa2 psk aes connection via my local wireless network-in the event
> that some can hack into my wireless would the opensuse firewall prevent
> direct access to my pc from a attacker on the same wireless subnet?

Any inbound connection is blocked other than for the ports that are
opened.

If someone hacked into your wpa2-encrypted network, I’d be concerned that
the key isn’t strong enough. IIRC, wpa2 is not yet broken, or if it is,
it’s brute-force and generally a brute-force attack will succeed quickly
if you haven’t chosen a strong enough key.

> Fourthly when does opensuse 11.04 go out of date? in a year from now?

http://en.opensuse.org/Lifetime

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

#3

Fourthly when does opensuse 11.04 go out of date? in a year from now?

The “stable” openSUSE is as per hendersj’s link, 18 months.
There is one openSUSE variant that doesn’t go out of date; viz Tumbleweed. This is still being developed ATM, so probably not for inexperienced users at this stage.
And there’s Evergreen too, which will last a long time. I don’t know what stage of development Evergreen has reached.

#4

Ok for the ipv6 there was no mention of ipv6 in the terminal command so i thinks that turned off.
Went to a website to test ipv6 and it seems im using only ipv4

For the firewall i have the following configuration
-Firewall Starting

• Enable firewall automatic starting

• Firewall starts after the configuration gets written

Internal Zone

• No interfaces assigned to this zone.

Demilitarized Zone

• No interfaces assigned to this zone.

External Zone

Interfaces

• eth0

• Broadcom WLAN controller / wlan0

Open Services, Ports, and Protocols

• Zone has no open ports.

So im guesing that in the event someone accessed my wireless since wlan0 has no open ports then a attacker shouldn’t be able to access my pc directly. For the network data im using a vpn to protect against sniffing.

Yes i meant 11.4 according to that link usable till December 2012.

#5

Forgot to say i also ticked a box under firewall settings called ‘protect firewall from internal zone’. Before i unticked this box there were a lot of ports greyed out in the background for the internal zone-now that ive ticked this box the internal zone has no entries. Does this mean that the internal zone (my local wireless subnet i think) has no open ports for a attacker on the same wireless to connect to my pc?

#6

bump bump bump

#7

There is a global tab setting in yast-network devices-network settings that has an enable ipv6 tick box. I’m not entirely convinced it works completely but I haven’t fully checked yet.

As to security I too have had my doubts basically because actually getting into the suse filewall and understanding it is not an easy task for many people even many competent ones. I’m not sure how this stands at the moment but I have used this utility in the past following a couple of rather spooky experiences via the web.

Guarddog

There was talk of including it in kde a long time ago but kde people were not too keen on getting into that sort of thing. I mentioned it on the kde mailing list some time ago and I believe there was a fair amount of interest. This one works in a sensible manner. All ports are disabled by default. It also helps in respect to which ports do what in as much as suggesting what to open for what. Installation was easy and if the suse one was started it just stated that there appeared to be a firewall already running.

If security is a real concern some linux mags in the past have included code to set up a simple linux box as a router that provides internet access. This could obviously include a local zone as well. The idea behind the code was to strip it to the essentials to make it easier to pick up and do further work on. Similar code may be available elsewhere.

From private correspondence it seems my spooky experiences were down to a back door that has long since been closed. No other details but I would be suspicious of any seldom used or unused network protocols especially older ones. Problem here is it seems to be difficult to get a list of what is supported and what ports they use and even if the are really needed.

#8

That shows that there are no interfaces for the internal zone. Everything is in the external zone.

I’m pretty sure that is the default.

If there are no interfaces in the internal zone, then it doesn’t matter whether the firewall is on for the internal zone.

You can reconfigure some of your interfaces to be in the internal zone, if you want that.

At present, I also have everything in the external zone. But, at one time, I did put my eth0 in the internal zone. It is behind a router, so part of the home network. The idea was to have no firewall for that, so I left the firewall off for internal zone. But you could have different firewall settings for internal zone if you wanted.

On my laptop, I have always kept everything in the external zone and fully firewalled.

The above comments were to help illustrate the use of the different zones. Unless you have special needs, simplest is to keep everything in the external zone.

#9

On 05/21/2011 12:36 PM, linux ftw1 wrote:
>
> bump bump bump

heh! you must have bought three support contracts…

this forum is a volunteer effort where users try to help other users…

personally, i try real hard to help those who have shown a willingness
to both help themselves and others…so far you have done neither…

in the hopes you are the kind who will hang around and be as helpful as
you are demanding i offer:

(examples of helping yourself) questions one and four in your initial
post are easily found by a couple of smartly worded google searches:

http://tinyurl.com/3v2utzl
http://tinyurl.com/3ud9tb7

and your second (how secure out of the box) is impossible to answer
unless you state your needs…that is, it is either not secure enough or
far more secure than you need…my experience is that an out of the box
openSUSE is far more secure than i need if behind a NAT router and
with STRONG passwords…one for me and another for root…

third Q i can’t help with…


dd CAVEAT: http://is.gd/bpoMD
[NNTP via openSUSE 11.4 [2.6.37.6-0.5] + KDE 4.6.0 + Thunderbird 3.1.10]
Dual booting with Sluggish Loser7 on Acer Aspire One D255

#10

linux ftw1 wrote:
> Does this mean that the internal zone (my local wireless subnet i think)
> has no open ports for a attacker on the same wireless to connect to my pc?
>
That is what it means and if you are so concerned about your security you
should never trust anything you can see, but you have to do tests with
appropriate tools to simulate an intrusion.


PC: oS 11.3 64 bit | Intel Core2 Quad Q8300@2.50GHz | KDE 4.6.3 | GeForce
9600 GT | 4GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.6.0 | nVidia
ION | 3GB Ram