Silicon Chip, June 1999
Getting started with Linux; Pt.4

In our final article on Linux, we take a look at firewalls and security issues. In particular, we describe the risks and tell you how to protect yourself from some of the “nasties” on the Internet.

By BOB DYBALL

Your local network IP addresses may be “invisible” to the Internet but that doesn’t mean you’re totally protected. There are still some important security issues to consider and this includes filtering both incoming and outgoing communications.

Although your network “packets” are protected to some extent by being non-routable, your network is still connected to the Internet via the router (see Pt.3). When a machine on the network accesses the Internet, packets of information for an outside address are first placed in a wrapper labelled 192.168.1.1 and sent to the gateway/router. The router then forwards the information to the correct address on the Internet.

Conversely, each time a response is received, the router passes it back to the correct machine on the network.

That’s all very well but what if you would like to stop people (staff, children, students, etc) from playing Quake over the Internet and get them back to work? Is there a way of doing this but still allow them to use email or a web browser?

The answer to both these questions is “yes” and here we find that the “firewall” comes into play. Think of a firewall as a super-fast censor. By way of analogy, it looks at the outside label on any envelopes going out or coming in and if they don’t have the correct details, drops them in the bin or records the information in a log file (or both). Do this to IP packets and you have a firewall.

There are two basic ways of running a firewall: (1) either let everything through to begin with and then decide what you don’t want and block it; or (2) let nothing through until you need something specific and then allow only this information to pass.

The first method has the advantage of being easy to set up and is probably the best approach for those implementing their first firewall. On the other hand, if you don’t want to separately specify a block on IRC, Quake, DOOM or any number of other programs, the turn-everything-off-first approach is the best.
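The two approaches, as an added Python example (not from the article and not an ipfwadm or ipchains configuration): a first-match packet filter with a default policy, run over constructed traffic so you can see which packets each approach lets through and what the log records. The Back Orifice (31337) and NetBus (12345) ports are the ones the article gives; the game port 26000 and all addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (from the Internet) or "out" (from the LAN)
    service: int      # well-known port of the service the packet belongs to
    src: str          # source address, recorded in the log line

@dataclass(frozen=True)
class Rule:
    direction: str
    service: Optional[int]   # None matches any service
    action: str              # "accept" or "deny"
    log: bool = False

def filter_packet(rules, default, pkt, log):
    """First matching rule wins, otherwise the default policy applies.
    Denied packets are appended to `log` so peculiar activity shows up."""
    for r in rules:
        if r.direction == pkt.direction and r.service in (None, pkt.service):
            if r.log:
                log.append(f"{r.action} {pkt.direction} {pkt.src} port {pkt.service}")
            return r.action
    if default == "deny":
        log.append(f"deny {pkt.direction} {pkt.src} port {pkt.service}")
    return default

def run_firewall(rules, default, packets):
    """Return (decision per packet, log lines) for a batch of packets."""
    log = []
    return [filter_packet(rules, default, p, log) for p in packets], log

# Approach (1): let everything through, then block what you know you don't want.
# 31337 is Back Orifice's default port; 12345 is a common NetBus port.
ALLOW_FIRST = [Rule("in", 31337, "deny", log=True),
               Rule("in", 12345, "deny", log=True)]

# Approach (2): let nothing through, then allow only email (SMTP, POP3) and the web.
DENY_FIRST = [Rule(d, s, "accept") for s in (25, 110, 80) for d in ("in", "out")]

# Constructed traffic: mail, web, a game on a port no rule names, a Back Orifice
# probe from outside, and a mail-like program on the ordinary SMTP port.
SAMPLE = [Packet("out", 25, "192.168.1.23"), Packet("out", 80, "192.168.1.23"),
          Packet("out", 26000, "192.168.1.23"), Packet("in", 31337, "203.0.113.9"),
          Packet("out", 25, "192.168.1.44")]
```

Calling run_firewall(ALLOW_FIRST, "accept", SAMPLE) refuses only the Back Orifice probe and lets the game through, while run_firewall(DENY_FIRST, "deny", SAMPLE) refuses and logs both; the mail-like program on port 25 passes either way, because the filter sees only the envelope, not which program wrote it.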
The latter approach can get rather complicated. On my own system, a relatively simple configuration file for ipfwadm – a firewall program for Linux – just fits on 20 printed A4 pages. This compares to just 2 or 3 A4 pages for a moderately complex Samba configuration file (/etc/samba.conf)!

By the way, the ipfwadm program, as used on Linux kernels up to 2.0.36, is now being replaced by ipchains under the newer 2.2.x kernel. This shouldn’t prove too much of a problem, since the tried and true 2.0.35 kernel is used in Caldera’s OpenLinux 1.3, while 2.0.36 is also used in the latest RedHat 5.2 or Slackware.

Unless you have a penchant for adventure, stick to the older tested kernels, especially where security is an issue. That’s because you’ll be able to check the net for any patches to fix up security leaks in the older versions, instead of wondering if, or when, they’ll be found on a new release.

If you are using ipfwadm and intend using the “let nothing in” (well, almost nothing) approach, you should check out the following website: http://rlz.ne.mediaone.net/linux/firewall/

This site lets you design your own firewall. The author also offers a “home network” version of this great on-line configuration tool at no charge. You simply enter the details of your firewall requirements and it helps you set up an ipfwadm configuration file – called rc.firewall – to suit.

If you want to use ipchains, check: http://www.rustcorp.com/linux/ipchains

This site includes the release itself, as well as documentation, version information and links to a number of other related firewall and security websites.

IP masquerading

IP Masquerading is another method of letting some packets through while denying access to others. Various preset packages for this are available with many current distributions. Similarly, “binaries” (ie, pre-compiled program files) for ipchains, along with the “how to” files, are available from various sources on the net.

Whichever way you go, be sure to check the version numbers. Some kernels will not work with various versions of ipfwadm or ipchains. If you want to find out how to use IP Masquerading, check for a text file entitled /doc/HOWTO/mini/IP-Masquerade (again, watch the case) on the CD-ROM for your Linux distribution.
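What the router’s masquerading does with the packets described at the start of this article, as an added Python example (not from the article or from any Linux distribution’s masquerading code): the LAN addresses, the router’s public address 198.51.100.7 and all port numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Masquerader:
    """Rewrites outgoing LAN packets to carry the router's own public address,
    remembers each mapping, and un-rewrites the replies that come back."""
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # public port -> (LAN address, LAN port)
        self.reverse = {}    # (LAN address, LAN port) -> public port

    def outbound(self, pkt):
        """Packet from the LAN heading out: replace its source with the
        router's address and a port that is unique to this conversation."""
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:          # first packet of a new conversation
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet arriving from the Internet: hand it to the LAN machine that
        started the conversation, or return None (drop) if nobody did."""
        key = self.table.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None:
            return None
        lan_ip, lan_port = key
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)

def demo():
    """Two LAN machines use the same local port; the router keeps them apart.
    An unsolicited probe at the router's address has no entry and is dropped."""
    router = Masquerader("198.51.100.7")            # constructed public address
    a = router.outbound(Packet("192.168.1.23", 1025, "203.0.113.5", 80))
    b = router.outbound(Packet("192.168.1.44", 1025, "203.0.113.5", 80))
    reply = router.inbound(Packet("203.0.113.5", 80, "198.51.100.7", b.sport))
    probe = router.inbound(Packet("203.0.113.9", 4444, "198.51.100.7", 31337))
    return a, b, reply, probe

if __name__ == "__main__":
    for p in demo():
        print(p)
```

The dropped probe is the “invisibility” the article mentions: nothing outside can address a LAN machine directly, but anything a LAN machine sends out (including a Trojan’s own traffic) still gets a table entry and a path back in.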
Linux is available from a lot more places than it used to be. Once you had to “troll” the net looking for Linux and spend interminable periods downloading the files. Having done that, you would then often find that a later version had already been released and was available somewhere else.

To overcome this problem, a number of software retailers are now selling boxed copies of Linux off-the-shelf, complete with manuals. No, it’s not illegal and yes, you have to pay but the price is usually less than $100.00. The GPL (or GNU Public License) allows for books, support packages and so on to be added to the Linux package and sold together for a reasonable amount.

Note: sometimes the additions can be illegal to copy and distribute, as they are licensed for one person to use only. Many distributions can, however, be quite legally copied and given to your friends, so check the literature that came with your package carefully for copyright information.

This GPL license system allows companies like EverythingLinux to operate. This Australian company exists to sell and support Linux and offers a package called “Bleeding Edge Linux”.

And it really is “bleeding edge” stuff. They burn the CD-ROM for you after you place an order, so that you get all the latest updates and drivers. The CD-ROM is self-booting and costs just $10 plus postage.

EverythingLinux also offers support packages for Linux (24 hours per day, 7 days per week). Check out their website at: www.everythinglinux.com.au for all the details.

NetBus & Back Orifice

Back Orifice (a pun on the Microsoft “Back Office” product range) and NetBus are both “Trojan horse” programs; ie, they appear to be something other than what they really are. Both can seriously compromise the security of your network and can allow a hacker to get up to all sorts of mischief. Usually, they are distributed disguised as a joke program and are often spread via email.

Not long back, it was the “Free Coke Tray” joke. This often appeared as a simple email attachment called runme.exe or some other appealing name. When clicked, it displayed a message asking “Do you want a free Coke tray” and, of course, when you answered yes, out popped the CD-ROM drawer.

The joke might have ended there but for the fact that this program has been used by some people to hide the NetBus or Back Orifice programs. Once your system is “infected”, these programs can be used remotely by a third party connected to the Internet (they can be anywhere in the world) to read, write or delete files from your PC. They also have the ability to allow that person to “see” a screenshot of what you have on-line, to “see” what you type, to type in keyboard entries, to move the mouse pointer and to even display OK/cancel dialog boxes on your screen.

But that’s not all. The person who releases these Trojan horses (and this might not be the person who gave it to you; they too might be a victim) can scan a block of IP addresses, waiting for one of their victims to go on-line. After that, it’s only a short step to learning trade secrets, “borrowing” credit card details, or simply deleting files on the victim’s computer just for the fun of it.

It wouldn’t even matter if you were viewing a web page from a secure site. Another party could still (in theory) see what was happening from a screen grab sent independently of the secure log on.
OK, before you panic and turn off your PCs, you can tell if your system has been “infected” fairly easily (strictly speaking, they’re not really viruses). An up-to-date anti-virus program will detect either of these programs and tell you how to remove them if necessary.

Provided you take some basic precautions, a personal standalone PC should be relatively safe. That means keeping your anti-virus software up-to-date and never executing email attachments unless you’re absolutely certain that it comes from a trusted source and you know what it is.

The situation with networked PCs can be rather different. In this case, it’s all too easy for a disgruntled employee or student to infect a network.

Note that, with NetBus and Back Orifice, the person wishing to remotely control a PC can only do so while there is an active IP connection. If you have a network which only runs either the NetBEUI or IPX/SPX protocols (or both), then you are safe from these particular programs, at least. That’s because they only work with the TCP/IP protocol.

If you are running the TCP/IP protocol internally, then it’s possible for someone within the LAN to access another system on the same LAN using these programs. And, of course, if you are running a dial-up or permanent Internet connection, an external hacker can access you while ever you are on the net.
To prevent access from the outside world, you need a firewall. Back Orifice defaults to port 31337, while NetBus defaults vary from version to version, with ports 12345, 12346 and 12331 being commonly used. Setting up blocks on the ports used by NetBus and Back Orifice will go a long way towards preventing problems but don’t forget that it’s quite possible for a program to use ports that are normally used for something else.

As an example, this technique is used legitimately by DCOM and CORBA on port 80, where you might normally use a web browser.

The Happy99.exe Trojan horse is another recent example of a program that works along these lines. It sends unwanted email with the Happy99.exe attachment through a conventional port but as far as a firewall is concerned, it “looks” the same as your email client. As with NetBus and Back Orifice, Happy99.exe can easily be detected by up-to-date anti-virus programs.

Achieving a happy balance between speed, security and access restrictions is not always that simple. At the very least, a log can alert you to peculiar activity. An early warning of unauthorised access will go a long way towards preventing problem people, either inside or outside your organisation, from causing real damage.

Acknowledgement: to Larry Ewing at lewing<at>isc.tamu.edu for the Linux penguin “Tux”.

Mailbag – continued from page 27

depend on such factors as peak load current, the type of load (inductive, capacitive or resistive) and leakage inductance in T2.

Variations in leakage inductance due to variations in the gaps between core halves can be quite large. That might explain why some units will operate quite happily forever without distress, while others might consistently break down no matter how many times the transistors are replaced.

I would suggest fitting a 15V or 18V, 1W zener diode from gate to source of each Mosfet. A resistor of, say, 47Ω in series with each of D5 and D6 might also be worthwhile (to reduce current surges through the zener diodes).

Sometimes feedback loop instability, due either to inadequate phase margin or to noise pick-up in the loop, can cause adverse effects such as double-pulsing of the main inverter transistors. This, in turn, can increase stresses in the transistors due to overheating or excessive voltage and current spikes.

An unstable loop can often be identified by strange squealing noises from a switching inverter. Placing a capacitor in the feedback loop will usually help, though it can make things worse if inadequate phase margin is the problem. A resistor (eg, 1kΩ) in series with a capacitor (eg, .001µF) from pin 1 to earth may help if instability persists.

H. Nacinovich,
Gulgong, NSW.

Compiler for the PIC microcontroller

After reading with great interest your PIC programmer featured in the March 1999 issue of SILICON CHIP, I have found a compiler for the PIC 16F84 microcontroller that does not require any knowledge of assembly code. It uses a high level language similar to C. The compiler has commands for Delay, LCD displays, RS232 communications and many other commands, making the PIC very simple to program.

The compiler is called JAL (Just Another Language). It comes with a number of examples and a fairly comprehensive manual and, best of all, it is free. The web site can be found at
http://www.xs4all.nl/~wf/wouter/pic/jal/index.html
D. Chinnery,
Tom Price, WA.
Ventilation in cars

I note your comments in the article on the Carbon Monoxide Alarm in the May 1999 issue, where you suggest that car air conditioning be set to recirculation in heavy traffic. Please note that the current Ford Falcon AU model does not have flow-through ventilation. The lack of flow-through ventilation will permit the buildup of carbon dioxide. Mercedes Benz has a sophisticated system which vents the car at predetermined intervals but the system used by Ford is not as good.

I would suggest a dual model to monitor both carbon monoxide and carbon dioxide or, alternatively, a separate carbon dioxide model. The greater the number of vehicle passengers, the faster the carbon dioxide builds up.

I. Deal,
Melbourne, Vic.

Comment: while the suggestion to periodically vent the car is a good one, we do not know of any source for a carbon dioxide sensor.