AnimeSuki Forums

SeijiSensei · 2007-05-10, 21:20

I'm not sure I understand what your qualms are here, Vexx.

Are you saying that to do outbound nmap scanning would violate the scanner's TOS, or that it would violate the target's TOS? Either way, I'm not sure I understand why.

I can't imagine Comcast (in my case) caring an iota about what packets I send to some random machine. Are you saying that they'd consider my actions a TOS violation because it looks like I'm trying to break into that machine? I can imagine them blocking certain outbound traffic, say connections to remote ports 25, 137-139, or perhaps the MS RPC ports like 1025-1030. But why should they care if I'm trying to connect to port 55555 on some random remote machine?

I also can't really imagine them complaining about inbound traffic either. We all get scanned all the time by machines out on the net. They don't seem to be blocking that stuff coming in here either.

Maybe Comcast is really permissive, but what kind of Internet service do you have if random ports are blocked in either direction? I actually run an SMTP server on my port 25 (my clients' backup MX) and have done so for years. Comcast has either not noticed or not cared. Now I suppose if I had a web server on port 80 they might care or at least might discover it.

I know that some people would like to claim that port scanning constitutes an intrusion, but I think that's pushing things pretty far. Sometimes I get phishing scams from some remote machine, or the scam points to some other random IP address. I have no qualms about scanning those addresses to see what's they've got there. I also don't have any qualms about telnetting to some random open port on those machines if they exist, either. I've found all sorts of "bad stuff" this way like proxies to phishing web sites. I guess I'm still in the old, pre-9/11, Internet tradition that says that machines out there are fair game for portscanning. I don't make connections with the intent of exploiting what I see, and I don't portscan machines in .mil.

Oh, and if AT&T complained about my portscanning over the business service I have with them, it'd be time for a new provider. I expect bidrectional access from ports 1-65535 if I'm paying business rates.

Epyon9283 · 2007-05-10, 21:27

Quote:

Originally Posted by Ledgem

What I'm terrified for is Mac OS X. It's a hell of a lot easier to use than Linux, in part because there's a huge lack of information about what's going on. I hate to say it, but I had more access in Windows. I may have missed something incredibly obvious, but I couldn't even open a configuration file to examine it: I can't find a notepad-equivalent in this operating system.

If you want half-way decent documentation from Apple, look at their OS X server stuff.

Most of the preference files in OS X are plist files. Double clicking on them should bring up the property list editor. This allows you to, unsurprisingly, change properties within the file. Plist files come in two varieties. An XML based variety and a binary variety. You can convert from one to the other using the plutil command. A plist file in the xml format can be edited using any text editor.

Speaking of text editors, the notepad equivalent (which is actually nicer than notepad) is textedit.app. Theres also the old favorites vim and emacs. If you crave more graphical editors and textedit doesn't do it for you, try smultron, jedit, or if you feel like ploping down some cash, textmate (what I use).

Ledgem · 2007-05-11, 00:43

Quote:

Originally Posted by Epyon9283

Speaking of text editors, the notepad equivalent (which is actually nicer than notepad) is textedit.app. Theres also the old favorites vim and emacs. If you crave more graphical editors and textedit doesn't do it for you, try smultron, jedit, or if you feel like ploping down some cash, textmate (what I use).

My experience was actually with preference files for Opera, which were in .dat and other formats. I tried using TextEdit to open the files, but for some reason it said that it couldn't. I tried it just before posting this so that I could tell you what the error was, but it works now. Fancy that.

Thanks for the recommendations and advice.

Epyon9283 · 2007-05-12, 09:38

Quote:

Originally Posted by Ledgem

My experience was actually with preference files for Opera, which were in .dat and other formats. I tried using TextEdit to open the files, but for some reason it said that it couldn't. I tried it just before posting this so that I could tell you what the error was, but it works now. Fancy that.

Thanks for the recommendations and advice.

Does opera use human readable config files on other operating systems? I'v never had to go in and mess with opera config files before.

Ledgem · 2007-05-12, 15:25

Yep, it does. Not hard to work with at all, actually. Opera scatters its directories around on the Mac OS (and probably Linux) so tracking down the proper files could be a bit more difficult compared with Windows. Otherwise, it's a wonderful browser/mail solution - I just copied over select folders straight from my Windows system and I have everything here on the Mac end.

I played with the built-in Mac firewall a bit more, and now I'm happy with it. Turned on logging, and enabled "Stealth mode" (for some reason, it is disabled by default). I also see how to create custom rules... it's still not as interactive as my Windows third-party firewall, but perhaps this is what a better computing experience is like.

grey_moon · 2007-05-20, 07:46

If you want to strengthen you nix security in regards to your firewall, you might want to check out a package called psad. Basically once you have it set up, it parses your logs and then if something (network traffic) matches a pattern it will send you a warning. You can set it to drop packets from that address for a set period too.

The pattern matches are more clever then just x packets dropped from y source, as they also utilise the snort signature set.

Checking your logs is a good thing, but log checking is a absolute nightmare, so many weird message what to they all mean? So grab a utility to parse your logs into a more useful format. I use logwatch (used to use logcheck until they got brought by Cisco), but be ready to search the web for any weird messages. I have heard they are plenty of x based parsers, but I like to mail my logs off to my external mail account, so even if my poor box gets compromised, at least the logs from the reports are untouched.

Good luck with it. Its a wonderful world is security, but remember you ain't paranoid if they are out to get you...

Edit
@ledgem - Stealth mode is actually counted as being a bit rude, network wise. The reason why is when a packet is sent to you, and you are online, the packet will reach your router which knows you are up and send it to you. Then if that is a unauthorised packet, your PC in stealth mode will drop it instead of sending back a response. So then everything has to time out!

Now you can see from that transaction is it actually possible for a dedicated naughty person to discern if a node actually is on the end of an address. Because if the packet reaches the router for an address which really does not have a PC on the end of it, it will immediately send back a destination unreachable (or something like that, been a while since I read up on it). Basically if you scan an address and your packets get timed out, that means they are getting dropped and then the next question is why!

@SeijiSensei - Hee hee nmap is very nice and Trinity may use it, but real pen testers use Nessus (and then rip out all the logo's for nessus and put in theirs for the report :P)

Ledgem · 2007-05-20, 13:06

Quote:

Originally Posted by grey_moon

Edit
@ledgem - Stealth mode is actually counted as being a bit rude, network wise. The reason why is when a packet is sent to you, and you are online, the packet will reach your router which knows you are up and send it to you. Then if that is a unauthorised packet, your PC in stealth mode will drop it instead of sending back a response. So then everything has to time out!

Now you can see from that transaction is it actually possible for a dedicated naughty person to discern if a node actually is on the end of an address. Because if the packet reaches the router for an address which really does not have a PC on the end of it, it will immediately send back a destination unreachable (or something like that, been a while since I read up on it). Basically if you scan an address and your packets get timed out, that means they are getting dropped and then the next question is why!

True enough, but I'd think that this counts more if you're running services for people. If I'm just a regular user on the net, the chances are that those random packets are either scanners or don't really have any business making contact with my system. You're correct in stating that it doesn't 100% cloak your system, but it's better than exposing closed ports. If a person is just scanning in a wide fishnet approach, they wouldn't be likely to scrutinize my system's lack of response. Not when there are plenty of fat, easy Windows systems around

SeijiSensei · 2007-05-20, 21:34

Quote:

Originally Posted by grey_moon

@SeijiSensei - Hee hee nmap is very nice and Trinity may use it, but real pen testers use Nessus (and then rip out all the logo's for nessus and put in theirs for the report :P)

I recall trying out Nessus a year or two back, but it was overkill for my needs. I recommended nmap because it's easy to use and is certainly a whole lot better than the typical scans available from web sites like Steve Gibson's. For most ordinary people, just knowing if there are open ports on their systems is a big step up in security. There are lots of run-of-the-mill Windows machines connected directly to a cable modem with some, or perhaps, no software firewall running on them. Consumer workstations ought not to have any open ports, of in the case of AS folks, perhaps a BT port. Running an nmap scan from another location would certainly be a good start.

Oh, and my reference to Trinity was more a joke than anything else. On the other hand, Fyodor seems like a pretty smart guy, and he deserves a lot of credit for giving the world the excellent tool, nmap.

grey_moon · 2007-05-20, 23:00

Quote:

Originally Posted by SeijiSensei

Oh, and my reference to Trinity was more a joke than anything else. On the other hand, Fyodor seems like a pretty smart guy, and he deserves a lot of credit for giving the world the excellent tool, nmap.

Mine was an acknowledgement to nmap and a dig at pen testers who rebrand Nessus reports (you know who you are and pls don't pen test me!

). But I totally agree with you, I would use nmap for the sweep, and then use nessus for a specific test. Ofc with permisson of all the parties involved!

Oh I should clarify my earlier post about psad... That works in addition to the nix firewall (iptables etc) and it provides the verbose reporting and active blocking that people might miss from the windows counterparts.

2007-05-10, 21:20	Link #21
SeijiSensei AS Oji-kun Join Date: Nov 2006 Age: 74	I'm not sure I understand what your qualms are here, Vexx. Are you saying that to do outbound nmap scanning would violate the scanner's TOS, or that it would violate the target's TOS? Either way, I'm not sure I understand why. I can't imagine Comcast (in my case) caring an iota about what packets I send to some random machine. Are you saying that they'd consider my actions a TOS violation because it looks like I'm trying to break into that machine? I can imagine them blocking certain outbound traffic, say connections to remote ports 25, 137-139, or perhaps the MS RPC ports like 1025-1030. But why should they care if I'm trying to connect to port 55555 on some random remote machine? I also can't really imagine them complaining about inbound traffic either. We all get scanned all the time by machines out on the net. They don't seem to be blocking that stuff coming in here either. Maybe Comcast is really permissive, but what kind of Internet service do you have if random ports are blocked in either direction? I actually run an SMTP server on my port 25 (my clients' backup MX) and have done so for years. Comcast has either not noticed or not cared. Now I suppose if I had a web server on port 80 they might care or at least might discover it. I know that some people would like to claim that port scanning constitutes an intrusion, but I think that's pushing things pretty far. Sometimes I get phishing scams from some remote machine, or the scam points to some other random IP address. I have no qualms about scanning those addresses to see what's they've got there. I also don't have any qualms about telnetting to some random open port on those machines if they exist, either. I've found all sorts of "bad stuff" this way like proxies to phishing web sites. I guess I'm still in the old, pre-9/11, Internet tradition that says that machines out there are fair game for portscanning. I don't make connections with the intent of exploiting what I see, and I don't portscan machines in .mil. Oh, and if AT&T complained about my portscanning over the business service I have with them, it'd be time for a new provider. I expect bidrectional access from ports 1-65535 if I'm paying business rates. __________________ Taking Anime Seriously - Politics by the Numbers - Sports by the Numbers - MAL List - Avatars - Images

2007-05-12, 15:25	Link #25
Ledgem Love Yourself Join Date: Mar 2003 Location: Northeast USA Age: 38	Yep, it does. Not hard to work with at all, actually. Opera scatters its directories around on the Mac OS (and probably Linux) so tracking down the proper files could be a bit more difficult compared with Windows. Otherwise, it's a wonderful browser/mail solution - I just copied over select folders straight from my Windows system and I have everything here on the Mac end. I played with the built-in Mac firewall a bit more, and now I'm happy with it. Turned on logging, and enabled "Stealth mode" (for some reason, it is disabled by default). I also see how to create custom rules... it's still not as interactive as my Windows third-party firewall, but perhaps this is what a better computing experience is like. __________________

2007-05-20, 07:46	Link #26
grey_moon Yummy, sweet and unyuu!!! Join Date: Dec 2004	If you want to strengthen you nix security in regards to your firewall, you might want to check out a package called psad. Basically once you have it set up, it parses your logs and then if something (network traffic) matches a pattern it will send you a warning. You can set it to drop packets from that address for a set period too. The pattern matches are more clever then just x packets dropped from y source, as they also utilise the snort signature set. Checking your logs is a good thing, but log checking is a absolute nightmare, so many weird message what to they all mean? So grab a utility to parse your logs into a more useful format. I use logwatch (used to use logcheck until they got brought by Cisco), but be ready to search the web for any weird messages. I have heard they are plenty of x based parsers, but I like to mail my logs off to my external mail account, so even if my poor box gets compromised, at least the logs from the reports are untouched. Good luck with it. Its a wonderful world is security, but remember you ain't paranoid if they are out to get you... Edit @ledgem - Stealth mode is actually counted as being a bit rude, network wise. The reason why is when a packet is sent to you, and you are online, the packet will reach your router which knows you are up and send it to you. Then if that is a unauthorised packet, your PC in stealth mode will drop it instead of sending back a response. So then everything has to time out! Now you can see from that transaction is it actually possible for a dedicated naughty person to discern if a node actually is on the end of an address. Because if the packet reaches the router for an address which really does not have a PC on the end of it, it will immediately send back a destination unreachable (or something like that, been a while since I read up on it). Basically if you scan an address and your packets get timed out, that means they are getting dropped and then the next question is why! @SeijiSensei - Hee hee nmap is very nice and Trinity may use it, but real pen testers use Nessus (and then rip out all the logo's for nessus and put in theirs for the report :P) __________________ Last edited by grey_moon; 2007-05-20 at 08:14.