LightweightPortableSecurity vs Puppy - Puppy wins

mollo
Posts: 20
Joined: Mon 23 Apr 2012, 00:08
Location: Spain

LPS Firewall???

#61 Post by mollo »

Hi
I didn't want to start a new topic for this LPS related question but where is the firewall in LPS??, I tried to write iptables -L and ipchains -L but the result was nothing or not found, I'm new to Linux written commands but looking at that result makes me think that there's no firewall at all in LPS and I suppose that is a backdoor no matter how many times you reboot your OS, isn't it?, with all ports open, it's not important how secure are your browser settings as anyone can spy what you are doing typing or whatever, is that correct??, I read somewhere that Linux has the firewall built in its kernel, is this correct for the LPS distro too??, if so, is there a way to install iptables or any other GUI for adding or changing firewall settings??.
One last question, I was trying both LPS 1.3.6 and 1.3.5 and found that strangely the 1.3.5 you can still download at the LPS site has a different md5 than the md5 value I found in another site which kept the 1.3.5 hashes data (LPS site doesn't keep an archive of md5 sums), can anybody confirm the correct md5 for LPS 1.3.5 Public iso??
Thanks in advance for any answer and sorry for my poor English.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#62 Post by rcrsn51 »

Open a terminal and type

Code:

lsmod | grep iptable

That may tell you if the firewall is already running.

[Edit] I looked in LPS and it does not appear to have the kernel modules for the firewall, which sounds counter-intuitive for a security Linux.

But if LPS is not running any services and has no open ports, then maybe it's smart enough to know that it doesn't need a firewall.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#63 Post by nooby »

This being for the Military personnel of US Army or Navy or any Military
would it not be logical to expect them to monitor each usage to find out
if anything bad is going on among themselves?

So sure the OS is very safe but maybe also very nosy to find out
who is doing what?

Just me wild guessing.
I use Google Search on Puppy Forum
not an ideal solution though

mollo
Posts: 20
Joined: Mon 23 Apr 2012, 00:08
Location: Spain

#64 Post by mollo »

Thanks rcrsn51 for your fast reply, then I suppose it's impossible or very difficult to install those missing kernel modules for the firewall?
LPS has Java, Flash and others and those are "running services" so a firewall is mandatory, correct?, how do I know if LPS has all ports closed except the one/ones needed for Internet?, is it possible to create a distro with all ports closed without the need for a firewall?, I thought the task for opening or closing ports was done by the firewall.
Is there any online test for checking ports like the acid tests for the browser?
Thanks

nooby:
LPS Public it's just that, a public version just made by the U. S. Air Force, anyways, there's nothing suspicious in its licence agreement, in fact, it's a short and clear licence agreement, but if LPS has no firewall means that anyone can see what you are doing, correct?.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#65 Post by rcrsn51 »

mollo wrote: Is there any online test for checking ports like the acid tests for the browser?
I booted LPS on Machine A and Puppy on Machine B. From B, I ran PeasyPort and scanned all 65535 ports of A. There were no open ports.
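
A local counterpart to the remote scan described above, as an added example that is not part of the original thread: on Linux the kernel lists its own TCP sockets in /proc/net/tcp, and only rows in the LISTEN state are ports a scanner could find open. The sample rows are constructed (they reuse the thread's example address 192.168.2.100 and port 12345), and the decoder assumes a little-endian host such as x86.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from LPS or Puppy).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 6402A8C0:3039 0A00000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

TCP_LISTEN = 0x0A  # kernel state code for a socket waiting for inbound connections


def _decode(addr):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port); assumes a little-endian host."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """Return (ip, port, exposure) for every LISTEN row; other states are skipped."""
    found = []
    for line in table_text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue                              # e.g. 01 = established outbound connection
        ip, port = _decode(fields[1])
        exposure = "loopback only" if ip.startswith("127.") else "reachable from network"
        found.append((ip, port, exposure))
    return found


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for ip, port, exposure in listening_sockets(text):
        print(f"{ip}:{port}  {exposure}")
```

An empty result means no TCP service is waiting for connections; row 2 of the sample, a browser-style outbound connection from port 12345 to a web server's port 80, is deliberately not reported.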

mollo
Posts: 20
Joined: Mon 23 Apr 2012, 00:08
Location: Spain

#66 Post by mollo »

rcrsn51:
Thanks for that test but how is that possible, I mean, don't you need port 80 to be open to access Internet??, if there are no open ports how can you access www or send mails?, thanks again.

Does anybody have the correct md5 value for both public and public deluxe isos of LPS 1.3.5??
Thanks

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#67 Post by rcrsn51 »

It's the web server that has port 80 open, not the client. LPS is not running a web server.

mollo
Posts: 20
Joined: Mon 23 Apr 2012, 00:08
Location: Spain

#68 Post by mollo »

Your desktop or laptop with Puppy, Windows or any other OS is also a client but you need firewalls in all of them to open or close ports, if your pc (client) had all ports closed then you won't be able to access Internet (server), send/receive mails and so on, correct?, then no matter if your pc runs LPS or Puppy, you need a firewall yes or yes so no one can invade your pc through one of its open ports, correct?

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#69 Post by rcrsn51 »

Murga-linux.com runs a web server. It advertises its presence to the rest of the world on Port 80. Knowing that, an attacker could bombard the server with specially-crafted data aimed at Port 80 in hopes of confusing the server and making something bad happen. Hopefully, the software running on the server is smart enough to prevent this, or it is running a firewall that rejects any strange-looking data.

When you run the web browser on LPS, you are NOT opening Port 80. Instead LPS opens a temporary port from a pool of 65535 choices. This is why you can have two different browsers running at the same time - each one gets a temporary port to communicate with a server.

An attacker has no idea that your computer is temporarily using Port 12345. And even if it did, what would your own firewall do? Block Port 12345? Then you would lose your connection to the remote server!

And how would you set up your firewall in advance to block a randomly-chosen port?

Things like Java and Flash are NOT services. They do not advertise their presence on your computer to the rest of the world.
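
The difference between a listening port and a client's temporary port described in the post above, as an added example that is not part of the original thread: one listener and two clients run on the loopback address, then a fresh inbound connection is attempted against a client's temporary port and against the listening port. All names and the use of 127.0.0.1 are choices made for this demonstration.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"


def demo_client_vs_server_ports():
    """Run one listener and two clients on loopback; report who is reachable."""
    # Server role: bind + listen is what makes a port "open" to the outside.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LOOPBACK, 0))        # port 0: OS picks a free port for this demo
    server.listen(2)
    server_port = server.getsockname()[1]

    # Client role (what a browser does): connect out; the OS assigns the
    # temporary source port, a different one per connection.
    clients, accepted = [], []
    for _ in range(2):
        clients.append(socket.create_connection((LOOPBACK, server_port), timeout=2))
        accepted.append(server.accept()[0])
    client_ports = [c.getsockname()[1] for c in clients]

    # Probe the first client's temporary port with a NEW inbound connection.
    # The port is in use, but nothing listens on it, so the kernel refuses.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.settimeout(2)
    probe.bind((LOOPBACK, 0))         # explicit bind so the probe gets its own port
    probe_result = probe.connect_ex((LOOPBACK, client_ports[0]))

    # Control: the same kind of probe against the listening port succeeds.
    control = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    control.settimeout(2)
    control_result = control.connect_ex((LOOPBACK, server_port))

    for s in clients + accepted + [probe, control, server]:
        s.close()
    return {
        "server_port": server_port,
        "client_ports": client_ports,
        "probe_refused": probe_result == errno.ECONNREFUSED,
        "listener_accepts": control_result == 0,
    }


if __name__ == "__main__":
    print(demo_client_vs_server_ports())
```

The refusal comes from the kernel itself, with no firewall rule involved: a port that is only the source of an outbound connection does not accept new connections.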

bob.ca
Posts: 2
Joined: Sun 12 Jul 2015, 17:54
Location: California

LPS firewall

#70 Post by bob.ca »

Hi All,

I enjoyed reading this LPS thread. I booted LPS (today) 1.4.1 (public deluxe) for the first time in a long time (I see LPS is now at version 1.5.7). Also booted Puppy (last weekend) for the first time in a long while too.

Regarding the subject (LPS firewall - Mollo asked about a firewall). GRC.COM has a firewall "checker". I went there today, selected the Services tab, then selected "ShieldsUp!". Appears that other than a ping response, LPS is running a firewall.

I know Puppy runs a firewall, but haven't checked it at GRC yet. I'm not too concerned, suspect it works just fine (smile).

Regarding browser updates: I was happy to see that the firefox browser now updates for puppy (select help, about firefox, then update, if you want (very cool)).

LPS does NOT allow the firefox browser to update. It would be cool if LPS did allow an update.

How/who created the puppy firefox update? What would it take to do the same for LPS? Maybe that function is there in the most recent LPS version?

Bob

mollo
Posts: 20
Joined: Mon 23 Apr 2012, 00:08
Location: Spain

#71 Post by mollo »

Hi Bob

It's fun to remember that after asking for a firewall in LPS here and IIRC in another forum (a military one), the next LPS version included one firewall so it was a nice coincidence.
I know that ShieldsUp site, I know it can be obvious so sorry for that but are you sure the firewall ShieldsUp is detecting is the one built in LPS and not the one built in your router?, I said because that thing happened to me but I didn't try to disable the router firewall to test the software one.
Again IIRC, I think LPS allowed to update the browser pressing Help and then About Firefox but if that was so, it was many versions ago, now you can't do it that way but if you go to Tools and then Options you can mark the feature Install Updates Automatically but I didn't try that so don't know if it works, also don't know if the manual update can be re-enabled through the hidden Firefox config menu.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#72 Post by Lobster »

:D

Thanks guys. This was a fascinating thread to reread and visit. Security I find fascinating but only need so much ...

So for example the CAC direct communication channel used by the military ... might there be an open source dropbox/openleaks where encrypted info can be left for a limited time?

I don't use Puli or even GROWL or even encrypt my data. Just not paranoid enabled.

However from the vulnerability of monitoring by public wifi in coffee shops, libraries etc an idea for open source communication that may already exist?

A push type honeypot.

In other words an unencrypted or minimally secured top channel giving the impression of standard internet usage, whilst one's latest kickstarter recipe for the ideal tin foil hat is sent to Mr Robot ...
Last edited by Lobster on Tue 28 Jul 2015, 15:41, edited 1 time in total.
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#73 Post by rcrsn51 »

mollo wrote: but are you sure the firewall ShieldsUp is detecting is the one built in LPS and not the one built in your router?
Exactly. If you are running LPS or Puppy on a LAN behind a router with an IP address like 192.168.2.100, how could an attacker find your machine among the millions of other computers in the world with that same internal IP address at any given moment?

And suppose that your router has some vulnerability that lets it be compromised. Once an attacker can see inside your network, running a firewall on individual machines won't get you much. Either you have open ports for things like filesharing or you don't.

mollo
Posts: 20
Joined: Mon 23 Apr 2012, 00:08
Location: Spain

#74 Post by mollo »

rcrsn51

I suppose that if that vulnerability isn't found in your software firewall then that second firewall would be able to keep your computer still safe/invisible depending on if it answers or remains silent to questions (or whatever they are called) received from that attacker. I think firewalls can answer open, closed or not to answer at all to questions received depending on firewall AI, am I correct?.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#75 Post by 8Geee »

Lobster...

have you taken a hammer to your Google/android Smartphone yet?
Or did you patch the StageFright?

Or is a smartphone TOO open ? :idea:
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#76 Post by Lobster »

8Geee wrote: Lobster...

have you taken a hammer to your Google/android Smartphone yet?
Or did you patch the StageFright?

Or is a smartphone TOO open ? :idea:
I hammered it, drowned it and prayed to the Buddha for its rebirth in a future pureland for sentient AI.

No smartphone. No ads, no zombified walking. Suits me.
Last edited by Lobster on Tue 04 Aug 2015, 11:32, edited 1 time in total.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#77 Post by 8Geee »

and me too.

bob.ca
Posts: 2
Joined: Sun 12 Jul 2015, 17:54
Location: California

LPS firewall

#78 Post by bob.ca »

Hi Mollo and rcrsn51,

Yep, I'm a little embarrassed ... thank you! I totally forgot that I'm behind a NAT router, and I don't think ShieldsUp at GRC.com can tell the difference between the computer and the router.

Mollo - I'm impressed that you asked for a firewall on LPS and they added it (smile).

Bob
