OS/2 eZine - The Best OS/2 Reading Anywhere!

May 16, 2002

Do you have an OS/2 product or service you'd like to advertise?

Securing your Internet Connection

If your computer is connected to the internet 24 hours a day, 7 days a week, you might worry that hackers can access it from the outside. With today's systems, this is certainly a valid concern. And for OS/2 users, there's an easy way to determine what kind of trouble they might be able to get into and if you have the right additional software, to prevent it.

Step 1, Get a Firewall

The most important thing you can do if you have an always on connection is to install a firewall. This can be a dedicated gateway/router appliance with a built-in firewall, the firewall built into TCP/IP 4.1 and above for OS/2 (Zampa (http://www.mo.himolde.no/~ltning/os2/)) or an aftermarket product like InJoy Firewall (http://www.fx.dk/). If you don't run a firewall, you're pretty much asking crackers to come in and muck with your computer. My always-on connection has been scanned a couple times a day since day one, from locations from Florida to China, so don't think you're immune.

If you're worried about the arcane nature of firewalls, don't be. A firewall simply enforces a set of rules as to what sort of traffic may pass through the firewall either from you to the internet, or from the internet to you.

If you are using a Windows XP machine as your gateway to the internet (connected to the cable or ADSL modem), I should mention that Microsoft's Internet Connection Firewall (http://www.pcmag.com/article/0,2997,s=1508&a=21992,00.asp) included in Windows XP only protects you from incoming attacks, if you have installed some software that reports your actions back to the mothership then it will still be able to do that, ICF does nothing to prevent outgoing traffic. You might want to consider installing something like ZoneAlarm (http://www.zonealarm.com/) which will prevent outgoing traffic as well.

Assuming you have a firewall and are running an OS/2 machine as your gateway to the internet, you are ready to find out your vulnerabilities. To do this, you need to run a utility on your gateway machine that is just chock-full of interesting information about your TCP/IP stack.

Step 2, netstat

Netstat offers a surprising amount of information about your TCP stack. Enter netstat without any parameters at an OS/2 prompt to see some of its options. The one we're interested in today is the -s option, which displays the status of all the sockets on your machine.

This is the output on my local web/mail/ftp serving machine. For the purpose of securing our machine from intruders, we're most interested in the LOCAL PORT column. This shows which ports are in use on our machine and if possible, lists the services that those ports provide.

Step 3, Identifying the Ports

As expected, we see ftp..21 (the FTP server) www-http..80 (web), smtp..25 and pop3..110 (email) and syslog..514 (UNIX syslog) but there are some other ports there we're not so sure about. A little experimentation with turning various pieces of software off and then rerunning netstat helps us figure out the rest of them. 3306 is MySQL which should definitely NOT be available to the outside world, 1924 is WebMail/2, and 1021 is the firewall's administrative facility. That leaves only 56323 to wonder about. A look in the left column tells us that that is a local connection from the software that uses syslog.

If you have ports you are unsure about, open \mptn\etc\services. This file lists many of the common internet services and the port numbers assigned to them. Three ports to particularly watch out for are 137-139. These are the ports used by NetBios over TCP/IP, and if they are open to the outside world, it is pretty much a wide open door for crackers to muck with your system.

Step 4, Configure the Firewall

Once you have decided which ports need to be accessed from the outside (mail/ftp/web etc.) and which do not (MySQL, Webmail, Firewall) you are ready to do a little work on the firewall configuration to allow outside access to those ports that need it, and to prevent access to those that don't. Then we can sleep a little better at night knowing that our system is a little more secure.

The way I always configure a firewall is to block everything by default, and then specifically allow access only to the ports needed by the applications I am running. This way you are better protected from security leaks when you install new software.

I should also mention that there are two types of ports, UDP and TCP. Firewalls can selectively block either type, and you can see what sort of port a given service uses by looking in the \mptn\etc\services file. Some services use TCP only, some use UDP only, and others use both. You should be sure to only allow access to the port and port type used by the specified service you want to pass through the firewall. If a service only uses one type of port, such as UDP, it is quite likely that the other type of port may be used by another service that you don't want to be able to pass through freely.

Step 5: Check your Firewall

One great way to test your firewall's effectiveness is to go to Gibson Research Corporation (http://grc.com/default.htm) and use ShieldsUP! This will probe your computer via the internet to test a number of common ports your system to see if they are accessible to the outside world. This is not a substitute for running netstat as shown above, but it will tell you if you've made any big mistakes.

Step 6: Securing Other Machines on the LAN

If you are using a firewall like InJoy which supports NAT, or if you are using a router/gateway appliance to allow more than one computer on a LAN to share an internet connection, there are some things to know about securing those machines.

NAT or Network Address Translation is a facility built into most firewalls which causes the firewall to make all the computers on a LAN look like one single computer as far as anyone on the outside is concerned. It is the NAT engine's responsibility to make sure that when a computer on your LAN requests a web page that the resulting web page ends up getting back to the computer that requested it in the first place. This allows you to connect more than one computer to the internet through a single internet IP address.

In general, as long as you are using private network addresses (like 192.168.0.x or 10.x.x.x) on your LAN, you don't have to worry about anyone cracking into your machine (other than the gateway/firewall machine) from the outside world. So even if some cracker fakes up such an address and sends it to your gateway, these addresses are not routable, so they should be stopped by the NAT engine or the firewall.

What you may have to worry about is software that transmits information to the internet, for example reporting your music preferences, the files you have downloaded, the DVD's you've watched, or the websites you prefer. Often these programs misuse standard internet port numbers so that they can sneak past firewalls. Fortunately, these are mainly the domain of Windows computers, but if you're running a family network, chances are good you have at least one of these malware magnets around. If you have a Windows PC, you should look at ZoneAlarm (http://www.zonealarm.com/) for preventing unauthorized outgoing traffic and at AdAware (http://www.lavasoftusa.com/aaw.html) for removing any spyware applications you may have picked up. I am particularly careful about spyware, but a recent AdAware scan on my Windows machine turned up a couple of nasties.

Step 7, Learn More about Computer Security

Want to learn more about internet security and how computers actually work? Read the magazine 2600 - The Hacker Quarterly (http://www.2600.com) which is full of surprising and useful information about the computers around you. Unfortunately, their website doesn't have much in the way of content, so pick up a copy of the magazine at your local bookseller.

Robert Basler is the president of Aurora Systems, Inc. (http://www.aurora-systems.com) and has been a dedicated OS/2 user since he tired of rebooting Windows 3.1 twenty times a day. He spends what free time he can manage travelling the world. Photo was taken at Franz Josef glacier, New Zealand.

This article is courtesy of www.os2ezine.com. You can view it online at http://www.os2ezine.com/20020516/page_6.html.