Active Topics
-
[HOWTO] Comprehensive Firmware Flashing Guide for N9 (1,580)
to Nokia N9 / N950 by aspergerguy - 4 hrs, 19 mins ago -
Nokia N9-00 Prototype Build S1.12 (RM-680 codename "Dali") (250)
to Nokia N9 / N950 by en0s - 3 days ago -
[Announce] Maebble - Pebble support for Maemo (118)
to Applications by glo-worm - 3 days, 13 hrs ago -
Possible to flash Leste to eMMC? (6)
to Maemo 7 / Leste by Eri - 4 days, 3 hrs ago - more...
|
2009-09-08
, 13:43
|
|
Posts: 20 |
Thanked: 1 time |
Joined on Jan 2008
@ Toronto, Ontario
|
#22
|
Originally Posted by mbassett
the product is called an 'internet tablet'. so by that name, one assumes one will use this device to connect to other devices and browse the 'internet'. if you are using ssh, nfs, cifs, samba, bluetooth, e.t..c -- you will have ports open. if you don't use them -- turn them off. (check the linux, ubuntu, debian, and other UNIX sites of how you disable services and tweak inetd -- it's pretty straight forward)
Why on earth would an internet tablet (or a pure desktop machine for that matter) have any open ports or any services listening on such ports?!?!
if you start disabling services, installing firewall s/f and hardening -- you have to configure them properly (they have no intelligence of their own and they are usually completely unaware of changes done to the network after they are configured - so you have to remember to maintain them) and you should not expect that you device will work flawlessly 100% of the time. you will probably run into connectivity issues and will have to micro-manage it a bit.
but once again, ask yourself, what is your goal? to make sure you don't show up on scans or to have a device that does what you expect it to.
in a previous life, i used to be a network IT guy. the general rule of thumb is -- if you start to lie to the network (proxy, NAT, port blocking, filtering, e.t.c.) the network will start to kick you in the ***.
regarding security on an internet tablet. common sense dictates that you probably dont want to do your online baking and leave important information such as banking, credit card, mortgate on it. it's small and easily stealable. it usues wifi which is easily snoopable and easily trickable.
__________________
cheers,
darkog
cheers,
darkog
Last edited by darkog; 2009-09-08 at 13:51.
 |
|
2009-09-08
, 14:00
|
|
Posts: 415 |
Thanked: 182 times |
Joined on Nov 2007
@ Leeds UK
|
#23
|
Originally Posted by darkog
This depends if you are using it as a client or a server....
the product is called an 'internet tablet'. so by that name, one assumes one will use this device to connect to other devices and browse the 'internet'. if you are using ssh, nfs, cifs, samba, bluetooth, e.t..c -- you will have ports open. if you don't use them -- turn them off. (check the linux, ubuntu, debian, and other UNIX sites of how you disable services and tweak inetd -- it's pretty straight forward)
using ssh doesn't mean you have port 22 open, using sshd does.
if you start disabling services, installing firewall s/f and hardening -- you have to configure them properly (they have no intelligence of their own and they are usually completely unaware of changes done to the network after they are configured - so you have to remember to maintain them) and you should not expect that you device will work flawlessly 100% of the time. you will probably run into connectivity issues and will have to micro-manage it a bit.
but once again, ask yourself, what is your goal? to make sure you don't show up on scans or to have a device that does what you expect it to.
in a previous life, i used to be a network IT guy. the general rule of thumb is -- if you start to lie to the network (proxy, NAT, port blocking, filtering, e.t.c.) the network will start to kick you in the ***.
regarding security on an internet tablet. common sense dictates that you probably dont want to do your online baking and leave important information such as banking, credit card, mortgate on it. it's small and easily stealable. it usues wifi which is easily snoopable and easily trickable.
Any website processing those kinds of details needs at least 128 bit encryption, and you shouldn't store credit card information anywhere, except in your head and on your credit card.
And if your overly paranoid like me, use vpn and ssl on public connections ;-)
__________________
Life on the edge....always waiting to fall
Life on the edge....always waiting to fall
| The Following User Says Thank You to deadmalc For This Useful Post: | ||
|
|
2010-02-05
, 03:08
|
|
Posts: 99 |
Thanked: 24 times |
Joined on Feb 2010
|
#25
|
is iptables installed by default? mine doesn't have it.
|
|
2010-02-05
, 16:20
|
|
Posts: 287 |
Thanked: 127 times |
Joined on Oct 2009
@ Sweden
|
#26
|
It's not installed and the kernel doesn't have the required hooks enabled either.
|
|
2010-02-22
, 14:06
|
|
Posts: 66 |
Thanked: 30 times |
Joined on Feb 2010
|
#27
|
Originally Posted by lma
How do you find out which process is listening on a port? The fuser command seems broken (c.f. http://talk.maemo.org/showthread.php?t=43912) and the netstat command does not support the -p option in Maemo X Terminal.
Alternatively you can use netstat on the device, if you trust that it hasn't already been compromised and a rootkit installed ;-)
On mine it currently says:
...
From the above list, the scariest one is 7275, since supllistenerd runs as root and it's a closed source component so can't be audited independently. Note that it's not in the default Diablo installation either though (comes from agps-ui).
|
|
2010-02-22
, 20:58
|
|
Posts: 2,802 |
Thanked: 4,491 times |
Joined on Nov 2007
|
#28
|
Originally Posted by fhofer
Try lsof -i
How do you find out which process is listening on a port?
|
|
2010-02-23
, 10:03
|
|
Posts: 66 |
Thanked: 30 times |
Joined on Feb 2010
|
#29
|
Originally Posted by lma
thanks for the hint. but I am not sure if the output of lsof -i is complete. this is what I get:
Try lsof -i
Code:
~/MyDocs/Scripts $ lsof -i COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME browser 1405 user 14u IPv4 7251 UDP *:60211 ~/MyDocs/Scripts $ netstat -tulne Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:28782 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN netstat: no kernel support for AF INET6 (tcp) udp 0 0 0.0.0.0:2948 0.0.0.0:* udp 0 0 0.0.0.0:60211 0.0.0.0:* udp 0 0 127.0.0.1:53 0.0.0.0:* udp 0 0 127.0.0.1:3001 0.0.0.0:* udp 0 0 127.0.0.1:3002 0.0.0.0:* netstat: no kernel support for AF INET6 (udp)
|
|
2011-09-05
, 23:13
|
|
Posts: 21 |
Thanked: 32 times |
Joined on Mar 2010
@ Ridgecrest, California, USA
|
#30
|
Originally Posted by fhofer
You could always nmap your phone. It's actually not a bad idea to do this from another machine to all the machines in your house (including phones, TVs, consoles, appliances, etc). BTW, I tried installing the Debian Bastille hardening package (which sets up the firewall), and got about as far as it asking for libcurses-perl, and got lazy and stopped. It might break a lot of things, but it might also be nice to have a more secure phone. Sure, it might break the UPnP stuff that works pretty nicely out of the box in the Media Player, but that's something I don't think I'd miss too much.
thanks for the hint. but I am not sure if the output of lsof -i is complete. this is what I get:
what about the udp port 2948?Code:~/MyDocs/Scripts $ lsof -i COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME browser 1405 user 14u IPv4 7251 UDP *:60211 ~/MyDocs/Scripts $ netstat -tulne Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:28782 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN netstat: no kernel support for AF INET6 (tcp) udp 0 0 0.0.0.0:2948 0.0.0.0:* udp 0 0 0.0.0.0:60211 0.0.0.0:* udp 0 0 127.0.0.1:53 0.0.0.0:* udp 0 0 127.0.0.1:3001 0.0.0.0:* udp 0 0 127.0.0.1:3002 0.0.0.0:* netstat: no kernel support for AF INET6 (udp)
now run (as root)
Nokia n800
OS 2008
Pharos iGPS 360-BT
ElmScan 5 BlueTooth
BlackBerry Bold (9000)
AT&T Wireless