Re: Firewall, anti-virus, and port forwarding
From: Gerald Vogt (vogt_at_spamcop.net)
Date: Fri, 25 Feb 2005 16:43:12 +0900
> Everything I've read mentions "intrusions" of one form or another, but
> in very general terms. I hear the word trojan thrown around a lot, and
> I understand that there are trojans that exploit specific ports, but is
No. Trojans, or better, Trojan horses, are, as I remember Greek history,
those who invited some malware in because it was nicely wrapped. A
trojan is something that comes with something else. If you install some
calendar software and it opens a backdoor to your system...
To exploit "a port" you must have a server running on a port which has a
security vulnerability which can be exploited remotely. The attacker
sends, for example, a specially crafted message to the server which causes
a buffer overflow, which in turn allows him to inject code into your machine
which is then executed. Opening a port to a server is per se not dangerous in
this sense. It can however have side effects if the server does not
allow proper authentication. If you run file-sharing like that, then
anyone can access your files. This is technically not an exploit but a
misconfiguration on your side.
The problem with Windows is that in the default installation it has a couple
of servers/services listening on the internet which you have to
explicitly disable to shut them down. Some of the possible exploits of
the past are often probed, which can give you some headache if you
install Windows from CD and it obviously does not have all the newest updates.
A worm tries to exploit ports in your sense, I suppose. They try to find
machines that can be exploited and spread themselves this way (and
> Does allowing certain ports to be forwarded really open up my system to
> attack? Is the attack actually someone who is able to poke around my
> system, accessing and changing files and configurations, or is it
> merely something akin to a trojan; and if so, wouldn't my anti-virus
> (Norton Pro) detect it?
An attack is an attempt to get access to your system or, in the case of
a denial-of-service attack, just an attempt to block your system. An
attacker does not get access to your system unless there is something
exploitable. The only thing you can do to prevent this is either not run
the server or keep it updated with the most current security updates and
pray. The same thing is true for Windows itself.
If something actually gets through, i.e. finds a vulnerability and
exploits it to get access to your computer, then there are two major
kinds of exploits here:
- one exploit allows the attacker to circumvent the built-in
authentication/authorization framework of your server. If your server
has a management functionality which can be used remotely and which
is protected by some password, this kind of exploit could for example
allow the attacker access to this functionality without specifying a
password. This kind of exploit is obviously undetectable for anti-virus
software because technically nothing has been uploaded to your computer.
- the other exploit uses the vulnerability to inject code into the server
to get control. It then tries to download the rest of its code to the
local machine. This has to be stored somewhere on the hard disk. This is
detectable by the anti-virus software if it recognizes the file/virus.
This again is not trivial. Most anti-virus software will properly detect
the common malware. It does not detect all. I doubt it will detect many
of the viruses that target servers like the one you want to use. An anti-virus
will probably give you only very limited protection in your specific area.
> Thanks in advance for your time; I know I'll sleep a lot better knowing
> my downloads of TailSpin or Animaniacs episodes weren't inviting the
> world to read my emails or change my router configurations.
Well, it always has the potential. If you provide a server it is
potentially vulnerable. If you don't really know the source of the
program code and don't know if you can trust it, it could contain a
trojan backdoor, too. You must also take into consideration the quality
of the program code and how many potential flaws it contains. It is a risk.
If I were you and wanted to provide the server at times, I would get a
second computer for this purpose. Set it up the way you like it and
update it. Then make an image of your hard disk. Run the server and then,
let's say, every two weeks (depending on the risk again) reformat the
hard disk and restore the image. This way you have a limited time frame
in which a machine can be infected. Frequently check the machine for any
irregularities and immediately restore the image in case you notice
For your network connection use a router that completely separates the
server from your normal private computer. No traffic is supposed to go
between them. This way an exploited game server cannot be used to access
your computer, which is the case for many standard LAN configurations.
The router itself must be protected so that no one can just come and
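The "specially crafted message causes a buffer overflow" case from the reply above, as an added example that is not part of the original post or of any real server. It models a toy service that reads a length-prefixed message: the vulnerable handler trusts the client's length byte and copies past its receive buffer into the control data that follows it, so the attacker picks what the server does next; the hardened handler adds the one bounds check that was missing. The wire format, the frame layout, the action codes and all function names are assumptions made for this illustration.

```c
/*
 * Added example (not from the original post): a toy length-prefixed
 * message handler, written vulnerable and then hardened.
 *
 * Wire format (constructed for this demo): [len: 1 byte][body: len bytes]
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BODY_MAX 16

/* What the server does once the message is parsed (assumed action codes). */
enum { ACT_REJECT = -1, ACT_LOG = 0, ACT_ADMIN = 1 };

/*
 * Vulnerable handler.  The receive buffer (16 bytes) is followed by one
 * byte of control data, a stand-in for a saved return address or similar.
 * Both live in one array so the overrun is deterministic and observable
 * here; on a real stack the same memcpy clobbers whatever sits past the
 * buffer.  The length check against the buffer size is missing.
 */
int handle_vulnerable(const uint8_t *msg, size_t msg_len)
{
    uint8_t frame[BODY_MAX + 1];
    uint8_t *body = frame;              /* the receive buffer */
    frame[BODY_MAX] = ACT_LOG;          /* control byte: intended next action */

    if (msg_len < 1) return ACT_REJECT;
    uint8_t len = msg[0];
    if (msg_len < (size_t)len + 1) return ACT_REJECT;  /* framing check only */

    memcpy(body, msg + 1, len);         /* BUG: len is never compared to BODY_MAX */
    return frame[BODY_MAX];             /* attacker-controlled if len > BODY_MAX */
}

/* Hardened handler: identical, plus the bounds check the server author owed. */
int handle_hardened(const uint8_t *msg, size_t msg_len)
{
    uint8_t frame[BODY_MAX + 1];
    uint8_t *body = frame;
    frame[BODY_MAX] = ACT_LOG;

    if (msg_len < 1) return ACT_REJECT;
    uint8_t len = msg[0];
    if (msg_len < (size_t)len + 1) return ACT_REJECT;
    if (len > BODY_MAX) return ACT_REJECT;  /* reject oversized body */

    memcpy(body, msg + 1, len);
    return frame[BODY_MAX];
}

/* Constructed attacker message: fills the buffer exactly, then one extra
 * byte that lands on the control byte and flips the action to ACT_ADMIN.
 * Returns the message size in bytes. */
size_t build_crafted(uint8_t *out)
{
    out[0] = BODY_MAX + 1;
    memset(out + 1, 'A', BODY_MAX);
    out[1 + BODY_MAX] = ACT_ADMIN;
    return 1 + BODY_MAX + 1;
}

/* Constructed well-formed message from an honest client. */
size_t build_benign(uint8_t *out)
{
    const char *hello = "hello";
    out[0] = (uint8_t)strlen(hello);
    memcpy(out + 1, hello, strlen(hello));
    return 1 + strlen(hello);
}

int main(void)
{
    uint8_t msg[64];
    size_t n = build_crafted(msg);
    printf("crafted: vulnerable=%d hardened=%d\n",
           handle_vulnerable(msg, n), handle_hardened(msg, n));
    n = build_benign(msg);
    printf("benign:  vulnerable=%d hardened=%d\n",
           handle_vulnerable(msg, n), handle_hardened(msg, n));
    return 0;
}
```

The crafted message makes the vulnerable handler return ACT_ADMIN (the attacker chose the server's next step), while the hardened one returns ACT_REJECT and both handle the benign message normally. This is the whole mechanism behind "opening a port is not per se dangerous": the port is only a path to the parser, and the damage comes from the parser trusting a field the client controls.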