Come and be a PC doctor! No platform without fundamental IT security!
Many reports in the press may still recall emergency-like situations, catastrophes and recurring payments, so welcome to this two-step scientific excursion at http://www.gooken.de or http://web239.serverdrome.eu! The Green LED is a meeting place for IT security, because a computer can run securely. The excursion introduces its scientific concept for 10 Euro only, without the accumulation of costs for consultation, training, migration and licences. It does so with a standardized company-management database and a universal, standardized IT security concept for your computer system that is meant to last as long as possible, built on standards, the determination of security levels, checklists and prototypes. The aim is to reduce hard-disk scans, and the number of updates and upgrades the file system requires, as close to zero as possible. Unlike many projects, the projects of The Green LED are not only meant to last; they also reach a conclusion right at the beginning. All this direct online help is offered so that you keep a stable position before the law and towards your fellow men. It is realized through adjustments and downloads: SQL for company management, PDFs such as the computer manual with its checklist, and security software for prevention, diagnosis and repair, so that the survival question of the computer age is answered completely, together with its central rating for computers. In this way The Green LED tries to contribute to a calm, trouble-free enterprise!
In this two-step excursion, important techniques for developing web-design code are taught; the continuing web-design service can be ordered.
Together with the checklist it is shown that computer technology need not be nonsense, even if it is often meant that way, and even if nothing in this world is really secure, because of the race between those who endanger safety and those who secure it, and a certain kind of human behind the scene. Computer history and the constitution of software as opaque, "black" binary machine code, together with unmanageable numbers of versions and distributions, have revealed further (and attributable) difficulties in satisfying the demand for real protection. MG Chip: "The combination of raster-electron, raster-Auger and raster-plammet microscopes cracks any kind of chip, however much it is signed as secure against manipulation." But resignation does not help. The general aim of this excursion remains to provide computer systems with almost no security gaps at all.
For this demand a lot of security software is on the market, and its number increases day by day. In general, only software that performs its main functionality without security gaps is acceptable, software by software: no bugs, no updates, but stability! The excursion therefore refrains from such market software and prefers a complete UNIX/Linux distribution from CD/DVD. Following the right strategies and concepts, and answering questions such as "what do (not only) UNIX users really need, and need to know, to achieve sufficient protection for their systems independent of time?", good reports should concentrate on what is really needed, that is, on covering prototypes.
In security matters we do not speak of what can never be reached, such as absolute security, but of security levels.
Aspects such as additional filtering, more about prevention, data encryption and rescue, ergonomics and many single points and items are treated in step 2 and in the checklist.
Starting with the basics: it is not sufficient, but fundamental, on the one hand to prevent strangers (hackers) from passing from the outside to the inside to intrude into the system, and on the other hand to prevent camouflaged enemies (rootkits, trojans, spyware, ...) from passing ("outgoing") sensitive information from the inside to the outside.
After the activated services in the system configuration of the operating system have been restricted, this is realized by the concepts access control, file sharing for the LAN and a packet filter consisting of the firewall and additional filters.
I found that a firewall finds its intuition in models like "The Wall" by Christo at the Gasometer Oberhausen in 1999 (with nothing but internet-connected computers in the area above it, as if marking the point of view of a computer user in the round). It can be defined as a packet filter against intrusion by hackers and against the outflow of most data, and more generally as an instrument for regulating online traffic, where the "fire" is that intrusions are blocked only by percentages and dropped packets do not burst away at once. Is there really any need for such walls? You can certainly imagine a need for regulation when thinking of the dense traffic on the known data highways crashing and therefore trying to "break" in and "steal" out. In this way an OS can be infected by both hackers and trojans: logs in both directions, IN(coming) AND OUT(going), have shown how many entries a system can get into conflict with within a relatively short time. What you see there are many pages full of log entries for such inputs and outputs, including the IP addresses, so that a real, fundamental demand for good packet filters can indeed be recorded. Some OS kernels generally offer the possibility to build transparent rules, but you have to find the correct or effective iptables/ipchains rules among a lot of ineffective, badly structured or simply false ones. Although the file systems implemented in a few OSs may prevent intrusions by encryption, file sharing and access control, and sandboxes in small environments, especially around browsers, help where the file system is less powerful, it is even more possible not only to block but also to log the attempts that crack the access control at the very beginning and to keep files from being read. Access control guarantees read/write protection within a LAN and, in important cases, even more local freedom from viruses, through commands like chmod 755 on files owned by root, optionally combined with chattr +i for the integrity of files.
Partitions can be encrypted with a modern partition manager as well as through loop devices for virtual partitions on regular files. Note the reports about the weakness of methods like XOR encryption. Nevertheless, processes like those of the browser should always be stopped, especially right before a USB stick is plugged in! At least all temporary directories, the user's home directory and even the partition with the swap file should be encrypted with methods like AES, Serpent, Twofish or Blowfish. For single files the popular gpg, or kgpg, freeware is a good addition. For the internet choose SSL with 128-bit encryption or stronger. Tunnel concepts are also still interesting for the online case. See the checklist for more details.
All in all, against backdoors and hackers a firewall like the iptables-based linfw3 is needed (on other OSs, note the referential character of linfw3). Its basis, the iptables code including logging, has been certified by ICSA and tested by generations of large communities such as universities, banks and industry, as well as private investigators from all over the world. With linfw3 the construction time should become nearly zero, while the transparency of the computer age increases to a maximum. Proof of its correct, reliable operation is supported by its many test opportunities for the modules and by its strategy-conditioned scientific completeness, accompanied by transparent and easily understandable code. The ports of each connection are distinguished, as in iptables, into source and destination ports; not all firewalls support this concept. While other firewalls depend heavily on version and distribution, linfw3 remains stable independent of (almost) all of them. The higher flexibility: any increasing number of iptables modules can be integrated. Even if your kernel or iptables version does not support all iptables modules, linfw3 does not lose much of its effectiveness, because all fundamental blocks are always included, so the system always reacts in a basically secure way.
So linfw3 puts an end to naivety in basic IT security matters, for more than six main reasons:
1 Like Klean, it is written in UNIX sh (UNIX being the mother of operating systems). This provides unbeatable transparency of the code for everyone. Rules that can be implemented in many wrong ways are described in full detail, instead of somehow but nowhere.
2 It is based on the built-in, open-source filter set iptables/ipchains, tested over years.
3 It can be modified and extended to whatever standard you like.
4 It blocks ALL HACKERS, HACKER REQUESTS AND ALL TROJANS in an easily understandable and one of the best ways on INPUT (client/server) and FORWARD (router) through state NEW, as well as by a broad prefilter on NEW and by match OWNER.
5 Each intrusion attempt can optionally be logged in detail, with limits where desired.
6 Online speed increases to a maximum, higher than without a firewall or with many other firewalls.
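As an added illustration (this is not linfw3's own code, which the page does not show), here is a minimal ruleset in the spirit of reasons 4 to 6: DROP policies on all chains, NEW connections from outside logged with a rate limit and then dropped on INPUT, a RECENT trap on port 139 of the kind listed further down, and TCP flag protection. The interface name eth0, the log rate, the trap timeout and the allowed-port list are assumptions. With DRY_RUN=1 (the default) the script prints the iptables commands instead of executing them, so the rule order can be read and checked without root; run it as root with the argument apply to install the rules.

```shell
#!/bin/sh
# Added example, not linfw3's code: "forbidden is what is not explicitly allowed" with iptables.
# With DRY_RUN=1 (default) every iptables command is printed instead of executed.
WAN_IF="${WAN_IF:-eth0}"                 # assumption: name of the internet-facing interface
ALLOWED_TCP_IN="${ALLOWED_TCP_IN:-}"     # e.g. "22 80" on a server; empty on a pure client
LOG_LIMIT="${LOG_LIMIT:-3/min}"          # how many dropped NEW packets per minute get logged
LOG_BURST="${LOG_BURST:-5}"
TRAP_PORT="${TRAP_PORT:-139}"            # whoever touches this port is ignored for TRAP_SECONDS
TRAP_SECONDS="${TRAP_SECONDS:-600}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_ruleset() {
    # 1. Clean slate and DROP policies on all three chains: nothing passes unless a rule allows it.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # 2. Loopback is needed by local services (X11, sound server, proxies like privoxy).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. TCP flag protection: flag combinations that never occur in legitimate traffic.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # 4. Replies to connections opened from the inside are the only inbound traffic accepted by default.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Trap port: a host that probes TRAP_PORT is remembered by the recent module and all of
    #    its packets are dropped for TRAP_SECONDS, whatever port it tries next.
    ipt -A INPUT -i "$WAN_IF" -m recent --name TRAP --rcheck --seconds "$TRAP_SECONDS" -j DROP
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$TRAP_PORT" -m recent --name TRAP --set -j DROP

    # 6. Explicitly published services only (server role); every other port stays closed.
    for port in $ALLOWED_TCP_IN; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 7. Any other attempt to open a NEW connection from outside is logged (rate-limited, so a
    #    flood cannot fill the disk) and then dropped; the policy above catches whatever remains.
    ipt -A INPUT -i "$WAN_IF" -m state --state NEW -m limit --limit "$LOG_LIMIT" \
        --limit-burst "$LOG_BURST" -j LOG --log-prefix "FW-NEW-IN: " --log-level warning
    ipt -A INPUT -i "$WAN_IF" -m state --state NEW -j DROP

    # 8. Connections opened from the inside may go out; owner matching can narrow this further.
    ipt -A OUTPUT -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    build_ruleset
fi
```

The order matters: the LOG rule must precede the DROP rule for the same match, and the RECENT check must sit before the generic NEW drop, otherwise the trapped host's packets never reach it.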
Which interface (ppp0, ippp0, eth0, ...) you use does not matter. Certainly I cannot guarantee that this firewall solves all of the security tasks you dream of. Also remember that in security matters firewalls in general cannot be blamed for all gaps in IT security. We will see this in the second step of the excursion, where the question of concrete analysis of the data carried in the payload is supported in a more user-friendly way by the concept of what we like to call "a d d i t i o n a l (REFINING) p a c k e t - f i l t e r s" than by iptables' module string. This helps to reach a sufficient security level (for any system), especially after the two steps of this excursion have been performed.
Now we dare to compare linfw3 with other firewalls more concretely:
GUIs are not extensible, or misunderstandings cause difficulties; with dialog everything can be explained while software transparency is preserved. You can choose and modify dialog widgets to get an easy-to-handle, OSD-like appearance. Help items guarantee that users give the right answers to the different questions instead of not knowing what to enter.
With many firewalls hackers still have chances to intrude; they have none (!) through the consistent integration of iptables' state NEW.
Installation and configuration take several minutes up to more than an hour; with linfw3 installation takes one to five seconds (e.g. with krpm) and configuration only one to ten minutes.
Samba handling may be wrong, so that Samba does not work; with linfw3 Samba works within seconds.
The quality of the firewall's socket cannot be tested; linfw3 presents statistics for different iptables versions that quickly separate the secure ones from the flawed ones that need patching.
Logging never ends; linfw3 can limit the number of log entries by time or by packets per time, by general restrictions and by many log levels.
Many firewalls suffer from one update or upgrade to the next, while linfw3 keeps the highest possible transparency for self-correction: by its users instead of its authors.
The same applies to extending the filter rules: for many firewalls this is very difficult; with linfw3 it is almost child's play and without limits.
ICMP traffic is not blocked by many firewalls; linfw3 can block all ICMP, type by type.
Many firewalls forget to block trojans (risky outgoing traffic). linfw3 blocks trojans and programs port range by port range, by match OWNER command by command or user ID by user ID (for example configured to the daemon group of privoxy, which makes it possible to block scripts like special Firefox add-ons and ad filters, or any new group as long as it does not belong to root), process by process and session by session ID; it works in all ftp modes (especially by opening ports such as ftp-data and ftp); it changes character from single- or multi-user, client or server up to router; it allows special hardening of the rules by choosing the right firewall strategy (DROP policy); and it changes log levels from simple info(rmation) over warn(ing), the default, up to alert, crit(ical) or even emerg(ency), where each intrusion is indicated by its own window together with beeps. Here is the overview:
Most features of the dynamic firewall linfw3:
TESTED ON LAN/WAN/GAN. MOST SECURE, TRANSPARENT AND EASY, for beginners and advanced users looking for the really secure solution, up to the expert looking for the high-end one.
The referential firewall, which you can even present in detail ... without risking hacks after configuration.
Besides viruses you can get rid of hackers, trojans (except for the risk within the browser itself), dialers and connection breakdowns! Therefore this firewall closes ENTIRELY ALL PORTS from the outside to the inside in its main part and through infinite "beams", while only those ports from the inside to the outside that your own connections need are opened. This is made possible in at least one of three main ways:
1) kernel > 2.6.12: by PID, or by the reliable, automated PID agent of LINFW3 (please note that we did not test kernels >= 3.x.x)
2) kernel <= 2.6.12: as in 1) and/or by CMD owner, especially for browsers, e.g. mozilla-firefox for Firefox and kio-http resp. kdeinit for Konqueror
3) independent of the kernel version (almost, but not 100% secure): by using a separate net filter like privoxy, pre- or reconfigured for user daemon and group daemon, where the user and the group have to be set to daemon only through the GUI dialog (although we do not recommend this way!)
All methods also profit from the distinction between incoming and outgoing ports, so that many connections cannot be established at all. Hackers also have no chance because of target DROP for THE STATE NEW on chain INPUT; if you want, add specifications for the iptables module STRING and script filters like the net filter privoxy, Firefox add-ons like Adblock Plus and NoScript as well as the ad blocker of Konqueror, and for servers additional specifications such as those within httpd.conf (Apache).
PID agent for all kernel versions:
The PID agent of linfw3 periodically checks (every 25 seconds by default) whether any of the allowed processes (CMD section with acceptedprograms) is active, i.e. has a PID, in order to allow their access from the inside to the outside only while they are running. The only drawback is that after each browser restart you have to wait up to 25 seconds before web pages can be loaded for the first time.
Special programs with many ports to open, named in a separate list (called processeswithoutportcheck), like those for internet telephony (Skype, kphone, ...), can be trusted by the PID agent in the same way, but without the port check!
Process names to resolve for the owner concept can be found with the process audit.
fast checks of the modules of the "firewall language" iptables in relation to different kernel versions
secure receipt of e-mail (POP3, POP3S), news (NNTP), up-/downloads of files, name resolution and WHOIS queries from resp. to specifiable servers, independent of the configured modules and concepts
layered blocking from the outside to the inside: by state NEW at the beginning, over ports in the middle and again complete blocking at the end, hardened by the rules for the POLICY
certified norms from universities, ICSA and the international press
support for internet telephony (for the configuration see the checklist)
multi-layered firewall through the native GUI of the kernel configuration, dialog: rules in dialog mode with explicit help items and a transparent mode
extensible protection through dialog-supported settings of kernel flags like ECN (Explicit Congestion Notification), bootp relay, TCP keep-alive time, IP fragment time, protection against redirects and source routing, IP fragment high and low thresholds, martians, ...
for kernel 2.4.x or higher, for all UNIX variants (please mail if not)
for all protocols within the address spaces IPv4 and IPv6
support for all interfaces: DSL and analogue modems (ppp), ethernet cards (eth) and ISDN (ippp)
desktop firewall or addition to a router firewall
the strong referential (universal and optimized) firewall character presents the right configuration for all firewalls
among several strategies, linfw3 mainly follows the more efficient (and for everyone easier to handle) firewall strategy "forbidden is what is not (explicitly) allowed" (and not "allowed is what is not forbidden")
UNIX fundamental usability, also as one shell script only
hardened UNIX core; highest orientation on UNIX through UNIX sh
iptables rules in an effective order and structure
protection from the first connection built up during system start
prevention, for health and time reasons, of always typing "iptables"
martian option, free from false alarms
living support by the authors of iptables; for (if ever necessary) extension you can find plenty of sources on the internet
auto-configuration through its own boot resp. runlevel init script for quick autostarts, with statistics for quick tests on different iptables versions/sets
ready for Samba (NetBIOS) within seconds; each iptables module can be activated or not and therefore tested
extensible, dialog-styled GUI in the look of iptraf, one of the best for firewalls and well known from kernel configuration
dialog-based, scaled, percentage indication of the estimated firewall security level reached by each configuration, with details about underlying security gaps, with the opportunity to make all evaluation factors precise and information about single gaps within the configuration up to any desired exactness
stability through TCP FLAG PROTECTION against sudden connection breakdowns, shoot-ups (of processes like the browser or the firewall itself), unexpected system restarts, annoying application closures, system and application hangs and halts
for installation all one needs is any secure, not necessarily the newest, but reasonably tested and patched iptables, possibly patch-o-matic from netfilter.org, dialog version 0.9b-20030316 or later (because of INPUTMENU with several text fields) and an editor like pico or nano; see the download section
transparent: without any black or complicated source code
easy configuration through almost simple "yes"/"no" settings
reliability: linfw3 is never the cause of any network problems, neither during ftp transfers nor for tunneling, use of a proxy server or anything else
works on all protocols and ICMP types, e.g. to reach stealth mode
"just surf" concept: preconfigured for single-user mode
detailed logging of all kinds of attacks, if wanted, even martians
many different test opportunities: a debugger for the syntax, a comparison base for "SHOULD versus IS" log analyses
fully compatible with the other "additional" filters mentioned in step 2
CMD audit for the easy prevention and uninstallation of all trojans
speed optimization: data transfer rates increase by up to 30% by maximizing TCP throughput, minimizing UDP (DNS) delays through choosing the right TOS (Type Of Service) and through prefiltering by the broad state NEW
address and packet-type filter, address verification, filter for blackholes
internet telephony with simple activation and deactivation
with an example of modern HTB filtering to widen bottlenecks between different networks (LAN to WAN)
during modifications: fast station-wise checks for syntax errors
for nearly all kinds of client/server architectures (router, single user, samba and ftp client, samba and ftp server, ...)
fast overview of services through an integrated port list
internet lock for breakdown situations
blacklists for single IPs, IP ranges, HTTPS, router and LAN
prevention of smurf, TCP SYN flood, IP spoofing, land and large-packet attacks as well as all attacks based on oversized packets
support for active and the more secure passive ftp mode
rules can be limited, disabled, exchanged and/or reconfigured by time
all filter effects take effect with 128-bit decryption; the files belonging to linfw3 can be secured with one mouse click, so there is no chance of manipulating them from the outside
log statistics over arbitrary time periods
the integrated alarm system also indicates each unwelcome local visit
dialog support for module TIME matching
module STRING to filter any strings in the packet's data payload (the field with the main part of the information). Please note that a script blocker resp. ad filter is strongly recommended!
filtering of malformed or unusual packets with module UNCLEAN, and by MAC addresses
additional filtering with program/process control: CMD, user, group, process and session ID through module OWNER
adjustable blocking rates of packets in percentages from 0 to 100% (continuous), 50 by default, through module RANDOM
with CONNection LIMITation and XOR encryption of packets and connections
indication of slow, bad connections by TTL
optional QUOTA for volume tariffs, TARPIT instead of DROP
IP CONNection TRACKing for further traffic analyses
use of CONNBYTES for download restriction and
traffic ACCOUNT for counting visitors
RECENT to trap single IPs by (trap) ports like 139, for unlimited time or restricted by time
many other modules, a right place for all
IPs can be entered directly with subnet mask
Linfw3, ... conceived (and normed) to leave the word firewall behind you forever within a short time
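The outbound side, covered by the three ways 1) to 3), the PID agent and the OWNER item above, as an added example that is not linfw3's code (the page does not show the agent's internals). It uses the owner match options that current iptables still has, --uid-owner and --gid-owner; the --cmd-owner, --pid-owner and --sid-owner options were removed from the kernel after 2.6.13, which is why the page ties CMD owner to kernels up to 2.6.12. Part (a) lets only the proxy's group open HTTP/HTTPS directly; part (b) is my own reading of the PID agent description (open a program's outbound ports only while a process of that name is running, close them when it exits), not the real implementation. The interface eth0, the group daemon, the program list, the state file and the 25-second poll are assumptions; with DRY_RUN=1 (default) the iptables commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not linfw3's code. Two ways to control outgoing traffic with iptables:
#  (a) static owner rules: direct web access only for the proxy's group (privoxy as daemon),
#      everyone else is logged and dropped, so normal users pass through the script/ad filter;
#  (b) a polling "agent": per-program exceptions inserted in front of (a) only while the
#      program is running (my reading of the PID-agent description, not its real code).
# DRY_RUN=1 (default) prints the iptables commands instead of executing them.
WAN_IF="${WAN_IF:-eth0}"                      # assumption
PROXY_GROUP="${PROXY_GROUP:-daemon}"          # assumption: group privoxy runs as
# "name:ports" pairs, constructed for this example (not the page's acceptedprograms list)
ALLOWED_PROGRAMS="${ALLOWED_PROGRAMS:-firefox:80,443 kphone:5060,5061}"
POLL_INTERVAL="${POLL_INTERVAL:-25}"
STATE_FILE="${STATE_FILE:-/tmp/pid-agent.state}"  # rules installed by the last poll
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# (a) Only members of PROXY_GROUP may open HTTP/HTTPS connections directly; any other
#     process trying it is logged (rate-limited) and dropped.
owner_rules() {
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW \
        -m owner --gid-owner "$PROXY_GROUP" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW \
        -m limit --limit 3/min -j LOG --log-prefix "FW-OUT-BYPASS: "
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW -j DROP
}

# (b) Command names of running processes, one per line. Kept separate so tests can replace it.
running_commands() { ps -eo comm=; }

# Rules that should be installed right now: one per allowed program that is running.
# The comment match tags each rule so that the later deletion is unambiguous.
desired_rules() {
    running=$(running_commands)
    for entry in $ALLOWED_PROGRAMS; do
        name=${entry%%:*}
        ports=${entry#*:}
        if printf '%s\n' "$running" | grep -qxF "$name"; then
            echo "OUTPUT -o $WAN_IF -p tcp -m multiport --dports $ports -m state --state NEW -m comment --comment agent:$name -j ACCEPT"
        fi
    done
}

# One poll: insert (-I, i.e. in front of the static rules) the rules of programs that
# appeared, delete (-D) the rules of programs that exited, remember the result.
agent_poll() {
    touch "$STATE_FILE"
    desired=$(desired_rules)
    previous=$(cat "$STATE_FILE")
    printf '%s\n' "$desired" | while read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$previous" | grep -qxF "$rule" || ipt -I $rule
    done
    printf '%s\n' "$previous" | while read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$desired" | grep -qxF "$rule" || ipt -D $rule
    done
    printf '%s\n' "$desired" > "$STATE_FILE"
}

# The agent proper: poll every POLL_INTERVAL seconds (this is the 25-second delay a
# freshly started browser sees before its first page loads).
agent_loop() {
    while :; do agent_poll; sleep "$POLL_INTERVAL"; done
}
```

The weakness the page admits for method 3) applies here too: a trojan that names its process firefox, or that runs inside the browser, gets the same opening. Process-name checks narrow the window for careless malware; they are not an authentication of the program.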
For using not only GID owner but also CMD owner, a kernel up to 2.6.12 is recommended; in this respect, watch all future kernel versions! For the firewall to take effect, some points of The Green LED's checklist also have to be checked. The start of the iptables process itself is delayed, so connections should be built up (manually) only after the restart, with the command "ifup device" for a device such as eth0; and since some routines that open or keep connections may remain in RAM during system shutdown, it is recommended to tear down all connections completely beforehand with "ifdown device". Because of the remaining weakness of netfilter and the firewall with regard to connections opened on the user's side, all connection-managing processes like the browser and the ftp client should be ended resp. deactivated when sensitive data is involved.
In general, all points of this list contribute to a higher IT security level. Therefore The Green LED still asks for your contributions to complete it!
You can use an Intrusion Detection System (IDS) with rules similar to those of iptables, like
lids (PDF), to verify the work of LINFW3. An IDS like Samhain scans the hard disk automatically at configurable, but several and mostly longer, intervals, at the cost of increased access time and power consumption, while one like aide registers attacks only from the point in time of its scan, run manually or from the crontab. Both IDSs can be configured to scan only some directories and files, such as those for configuration, especially /etc and /boot of UNIX/Linux.
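What such a host IDS does at its core, as an added example that is not the code of aide, Samhain or lids: take_baseline hashes every file below the watched directories (by default /etc and /boot, as suggested above), and a later check_integrity reports files that were modified, removed or added since the baseline was taken, which is exactly what a dropped-in cron job, init script or altered configuration looks like. The baseline path and the use of sha256sum are assumptions. seal_baseline applies the chattr +i from the access-control paragraph above to the baseline; it needs root and an ext2/3/4-style file system and is not exercised by the test.

```shell
#!/bin/sh
# Added example, not aide/Samhain/lids code: a minimal file-integrity check.
WATCH_DIRS="${WATCH_DIRS:-/etc /boot}"                 # directories to watch (page's suggestion)
BASELINE="${BASELINE:-/var/lib/fim/baseline.sha256}"   # assumption: where the baseline is kept

# Hash every regular file below WATCH_DIRS in a fixed order and store "hash  path" lines.
take_baseline() {
    mkdir -p "$(dirname "$BASELINE")"
    find $WATCH_DIRS -type f 2>/dev/null | LC_ALL=C sort | while read -r path; do
        sha256sum "$path"
    done > "$BASELINE"
}

# Does the baseline contain exactly this path? (sha256sum lines are 64 hex chars + 2 spaces + path,
# so the path starts at column 67; an exact compare avoids prefix matches like /etc/a vs /etc/ab.)
in_baseline() {
    awk -v p="$1" 'substr($0, 67) == p { found = 1 } END { exit !found }' "$BASELINE"
}

# Print one line per deviation from the baseline: MODIFIED, MISSING or NEW <path>.
# Empty output means everything is as recorded.
check_integrity() {
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$BASELINE"
    find $WATCH_DIRS -type f 2>/dev/null | LC_ALL=C sort | while read -r path; do
        in_baseline "$path" || echo "NEW $path"
    done
}

# Make the baseline immutable (needs root and chattr support in the file system), so that an
# intruder cannot quietly regenerate it to match the files he changed.
seal_baseline() {
    chmod 644 "$BASELINE" && chattr +i "$BASELINE"
}
```

Run take_baseline once on a known-good system and check_integrity from the crontab (the aide style) or from a loop (the Samhain style); the baseline should additionally be copied off the host, because an attacker with root can remove the immutable flag again.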
A risk still remains on the way from the inside, by booting another OS from USB or CD/DVD to obtain root rights, bypassing even the password protection of a boot loader like lilo; this is enabled by a simple reset of the BIOS or by exchanging the mainboard, which further offers the opportunity for password hacks. Partition managers indicate the existence of tools that "spear" access through partitions independent of the file system. Therefore only system administrators should be allowed to install new software!
To be really sure, if you ask me personally which computer system to take, I recommend a fairly old one, but manufactured after 2001, with low energy costs; good would be S-ATA support for hard drives of at least 60 GB and USB 2.0 or higher, while still fulfilling ergonomic requirements, especially regarding access times and capacities. The operating system could be Microsoft Windows XP with SP1 to SP3 and Internet Explorer 7 or higher, Vista, 7 or higher, or mdv 2007 in 32 and 64 bit with binary and source packages, a very stable and securely behaving distribution from Poland and France with many applications such as 3ddesktop, and even all the versions before it (quite independent of many other distributions!), with the kernel downgraded by exactly one version to 2.6.12, which supports the mentioned iptables module OWNER; the mentioned PID agent works fine as well, so that you can use both owner concepts. Note that Windows XP, Internet Explorer 7 and Firefox 2 no longer receive security updates from their vendors, so such a setup relies entirely on the firewall, the access-control measures and the checklist. Such an operating system runs stably, on my computer since 2007 (one reason why I still refrain from the 64-bit version), and, as the errata list shows, it does not need to be updated at all except for the ekiga softphone (if you do not use kphone), alacarte for GNOME (if you ever need it ...) and Firefox 1.5, up to a secure Firefox 2, refraining from any higher Firefox version! At the very beginning OpenOffice starts with some delay. Even the sound server (alsa) seldom reports errors like "fatal error: sound server overloaded, CPU aborted!", although everything still worked fine. I remember an older Linux ad with its tongue out: "problems missing - problems creating!". We have chosen ReiserFS as the file system, which can recover itself after data loss. Such points are explained, among many others, in the next step resp. the checklist of our excursion.
Now I have been waiting for years for the first system breakdown, virus, update and so on, but, luckily, what an almost impossible case!
Thanks to rpm (resp. deb) packages delivered by the manufacturers over the internet, all drivers on mdv 2007.0 work fine too, even for my new multifunction device from 2012 consisting of printer, scanner and copier (a driver for my graphics card is not needed, and the network came up within a few minutes without configuration), and the same for my previous printer.
All in all, this must be quite a good sign for UNIX systems in the future. To complete our computer care I would prefer a modern WLED TFT monitor with 18 Watt power consumption, like a single energy-saving lamp, for less than 100 € in conjunction with Advanced Power Management; the same aspect applies to the older one from about 2004, but with modern S-ATA and USB 3.0 devices. Please note that The Green LED still cannot give you any guarantees!