Security under Puppy: remote access

[goncal]

Hi All

I have been giving security issues a thought. Puppy boots as root without any password (although it can be added by using passwd).

My question is: whenever Puppy is up and running under xwindows, is it possible to access the computer remotely in any way under normal or specific circumstances?

I assume that all ports are closed unless specifically opened, but... e.g. imagine I have used Ctrl+Alt+Backspace to go back to the prompt; Ctrl+Alt+F2 to open a second prompt window; started an ftp download on that window; then gone back to the first window and back to xwindows with xwin. Thus, whenever ftp port is open because something is being downloaded from the Net, can anyone access that port, supposing no software or hardware firewall is active?

In case the answer to this long question is no, then does it mean that basically a Linux system would not be vulnerable by default?

The only thing I have been able to try is, telnet'ing my Puppy from a Windows98 system with telnet on its prompt, and it just said the machine was not available. Of course I could not try wget from Windoze.

Really looking forward to solving this issue which would mean peace of mind for security on a machine that is not actively visiting harmful sites.

I assume that if that was the case then no Trojans could get into the machine and noone could gain access to the information on it or take over the machine... or else...

Thanks and Greetings

Gon

[puppian]

Hi goncal,
I don't know the answer to your question but perhaps you'll be interested in these pages

http://www.goosee.com/puppy/wikka/Security
(you can do the security tests, http://bcheck.scanit.be/bcheck/ and
http://www.grc.com as suggested)

http://www.goosee.com/puppy/wikka/StealthMode
http://www.goosee.com/puppy/wikka/MorizotFirewall

Xportscan.pup & hosts_file.pup

hosts file in /etc

http://www.goosee.com/puppy/wikka/DotPups
Look for Quicktables, Monmotha Firewall, Privoxy and Tor in the Internet session and F-Prot Antivirus in the AntiVirus session

[GuestToo]

Of course I could not try wget from Windoze

when i use Windows, i usually use wget to download large files (actually, it's been months since i last booted Windows, but anyway)

for example:

http://xoomer.virgilio.it/hherold/
http://millweed.com/projects/wackget/
http://unxutils.sourceforge.net/
http://gnuwin32.sourceforge.net/

[Guest]

Hi there

Thanks for your posts, the links proved to be very interesting. I will try wget for Windows, I find it so hassle-free - and am so happy to go back to prompt commands on Linux as XP does not like users opening command windows.

I read somewhere that a telnetd and an ftpd are daemons that might be running under Linux, but as when I invoked them from the prompt I was left with a 'file not found' message I infer they are not shipped with, and are not running as standard under, our beloved Puppies. Which is good.

Also I discovered that Morizot firewall appears to work quite well as I started the FTP server on Puppy and could not get access to it even from within the home LAN (another computer connected to it directly). Uninstalling Morizot gained me access to the FTP server.

I also tried doing all this from the command line xwinless i.e. ctrl alt backspace, and when Morizot was running some messages came up on the screen letting me know that the firewall was blocking access, for telnet and ftp. Without Morizot telnet did not work anyway (absence of telnetd?) but blocking messages did not come up.

Is there any way I can start - stop Morizot from the prompt?

Thanks - Greetings -

Gon

[GuestToo]

I started the FTP server on Puppy and could not get access to it

i think the firewall is /etc/rc.d/rc.firewall-morizot
if it's setup, you can type /etc/rc.d/rc.firewall-morizot stop to stop it
to start it, type /etc/rc.d/rc.firewall-morizot
you can allow incoming ports by editing it
for example, for ftp:
pupTCP_ALLOW_PORTS="21"

you could symlink it to the cli PATH, for example, /root/my-applications/bin

i copy the rc.firewall-morizot file to /root/my-applications/bin and rename it fw ... then i can start the firewll by typing fw or stop it by typing fw stop

you can have more than one copy with different ports enabled ... for example, i have a copy that allows bit torrent ports, that starts from the script that starts Azureus

i find the firewall logging annoying when i shut down X and use console mode, so i changed the firewall script slightly to turn off logging

[rarsa]

There are several things that need to happen for someone to access your puppy computer.

- You need to have the port Open. If you close the port with a firewall, either in the router or in puppy noone will get in (Of course assuming there are no bugs in the firewall).

- You need to have a program listening in that port. Puppy does not start any of those programs by default.

- For SSH, or FTP, or VNC, etc, the 'atacker' must know or crack your password. If you initiate one of those services, make sure you choose a good password (Leters, numbers, and long enough e.g. kabo0dle).

Regarding Telnet: Puppy does not have a telnet server, but there is a sshd server DotPup. Again, you need to install sshd, activete it, assign a good root password, assign a good password to any other user you have created, open the port.

At home here is the routine that even my kids follow:
- Open the port in the firewall
- Do whatever you have to do in that port (p2p, or ssh, ot vnc, or whatever)
- Close the port.

We never leave ports open for longer than necessary.

[Guest]

Smashing really , your answers are perfect and Rarsa, you confirm what I thought was right, but it is good to know that Puppy does NOT start any daemons listening to open ports - now I am quite sure I am safe when running Puppy and will stay so.

I am sure you could probably do that with Knoppix but it is so complete and full of options and software that it feels like there must be something running in the background you would not like it to run - or am I mistaken?

Thanks again, cheers

Gon

[goncal]

Oops - just realized I have been not logging in when posting replies - a newbie really with Forums am I - sorry

Gon

[Guest]

This is one of the last Windows pages I was involved with writing.
You will see there is a security section (may be slightly out of date):
HolyGeeks
30% of my time was occupied with ensuring the computer was safe.

With Puppy, Morizot on . . . and away ya go. There is a lot more to contend with on Windows.

If you are able to use the menu 3 (do not touch the HD)
at Puppy boot up and quickly add your settings,
put on Morizot and connect to the internet.
That would take me, now I am a more experienced Pup, about 2 minutes. Now do your banking, buying or whatever.

Then turn off your computer and the memory is cleared. You can understand how secure this is.

My inclination is towards on line storage of data. I find it convenient.
However some things are best done with a small, fast and light Linux. We call it Puppy. Woof woof.

[goncal]

[quote="Anonymous"] If you are able to use the menu 3 (do not touch the HD) at Puppy boot up and quickly add your settings,
put on Morizot and connect to the internet.
That would take me, now I am a more experienced Pup, about 2 minutes. Now do your banking, buying or whatever.
[/quote]

Very wise words you used in your message, Guest. Now I did not understand about menu 3 as as far as I know it only lets you choose which HD to use and not add my settings. What more could I do with that menu?

Yes Puppy is the way to go after all those horrible Win security holes which you need to fill in with a patch and I must have something like 25 patches installed on my machine. How about that for software efficiency. Not to speak of a complicated and easily corrupted Registry, the horrible collection of prefetch files, all those daemons that remain in memory with which you are unsure what to do as some of them are controlling things you need in your system...

Cheers, Gon

[goncal]

Hello again Guest

I was flabbergasted when I had a look at HolyGeeks and I found a section recommending DOS web browsers for old machines.

Would those actually work on an old 386sx machine with a numeric coprocessor and 2MB of RAM, 80MB HD?

Now that would be an exciting experience.

Cheers Gon

[Lobster]

The guest was me Lobster
(for security reasons logging in as guest)
. . . actually I did not sign in . . .

As long as you have a modem or other connection
a 386sx running Freedos and a browser would work.
I should imagine it would also be rather secure.
People tend to hack windows or unix servers
I should imagine.

One of the strangest experiences in Puppy is one of the command line
browsers (I think available as dot pup)

I used this to get a message onto this forum but it was hard going
using such a tool.

Anyway good luck

[Flash]

...I did not understand about menu 3. As as far as I know it only lets you choose which HD to use and not add my settings. What more could I do with that menu?

Goncal, I assume guest meant boot option 3. If you choose boot option 3 (before the screen times out and defaults you to the standard boot option), the next screen will give you several choices, one of which is to not use a hard drive at all. If you choose that option, Puppy ignores any pup001 file that may be on the computer and loads into RAM. Try it. Of course, you must configure Puppy every time you boot, but for maximum security you can't beat it. If you're really paranoid you could disconnect the hard drive or even remove it entirely before you boot Puppy.

[Lobster]

Here is some more info on logging in as root
http://tinyurl.com/bo6ss

Unlike a closed system Linux is always evaluating and finding solutions. MS approach to bugs and security issues is much like that in the Old Communist Russia "There is no crime in Russia"

Anyway hope the above link will be of interest - not sure if it is relevant to live CD's like Puppy?

[goncal]

Hello Flash and Lobster

Thanks for your replies. Yes, option 3 lets you run Puppy entirely in RAM, but having to add things all the time is a little annoying. I have installed RealPlayer, also Panda free Linux antivirus as a TSR (dates from May 05 though), Morizot firewall is on, am modprob'ing drivers in and out because otherwise my sound system refuses to work... so option 3 is hyper-secure but only for hyper-secure sessions, not everyday work.

As for disconnecting the HD itself the only thing you need to do is go to the BIOS and set HD IDE settings to None everywhere - and off you go, no HD at all. This really must be hyper-secure and in that case just run Puppy in RAM and forget about everything. This is really well worth a thought for total security...

Thanks for the root-related security website. Actually this happened to me once - I kept downloading system files and installing them into root directories - and once I overwrote one of them with either a newer or older version of the same file - I forget which - and then Puppy would not boot xwin any more. They are quite right on that site - running as root does not help you get protected against yourself...

Browsing through the Net using DOS (I have a legal copy of MS 6.22 on that 386sx with 2MB RAM) is something of an experience, I really do not have that much time and energy to devote to have it up and running 100% but if it can be done relatively quickly I really want to give it a try - it must be so exciting to browse using such a simple, old and small machine.

Cheers

Gon