Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Right now I must use an Intel-based laptop pc, which (they say) has remote management built into its firmware and offers to the outside internet out-of-band management via its built-in Intel e1000 nic.
To avoid that, I had been avoiding using that e1000 nic. For outside internet I have used expresscard ethernet and/or usb wifi, both by Realtek. And disabled the e1000 in the bios setup.
But recently I have started needing to use the e1000 as an inside (lan) ethernet port, connecting to a Raspberry Pi running Raspbian OS.
My laptop pc is configured for usb wifi to the outside internet and NAT'd ethernet between the Raspberry and the laptop.
How safe against remote management is the e1000 nic if it is only connected to a Raspberry on an inside lan connection?
If you are talking about the Intel ME, I've heard this for years but never saw any actual real-life proof of it in use. Years ago I had an e1000 and never had any issues with it. Unless you're an international black market arms trafficker or thereabouts I'd not worry about it.
EVERYTHING I ever had that allowed remote management had to be set up or enabled. If I were to have a piece of hardware that did NOT require that I set it up, I would disable that protocol to that address on my network. I like USING remote management, but refused to be USED BY remote management!
Thank you both for replying. I don't know the answer, and with the two opinions split I decided to err on the side of safety. And got an inexpensive Asix usb ethernet adapter for my inside/lan needs. It is much too simple to have anything like remote management on it, and its task doesn't need high performance.
Does it have a wifi radio? If so then "they" are in from across the street. We can't completely discard viable conspiracy theories of collusion between companies, or between companies and govt. I have personally seen some doors in some places that said "restricted compartmentalized access only".
Then ask yourself, what value does your asset have, or can get at? The effort in will be proportional to the value of the "goods".
As for "setting up the remote access"? Fallacy in some regards. Take heartbleed as example, some say that vuln was in the code for a very long time, and as such it appears to have been well buried (considering how long it took to discover), which leads to viable conspiracies, "was it put there on purpose"? Don't know 100%, but the Inslaw debacle is clear proof something fishy is/was going on.
Unfortunately, like so many other things, "it is an Infernal Choice." If you are dealing with a single machine, or perhaps a very small number, then "it's one thing." But if you are actually dealing with hundreds, "quite another." So, what do you do?
You evaluate the risk and use mitigation strategies to manage the risk and avoid external exploitation.
I would block exploitation to the device as a first cut. The OP replaced the at-risk part with a different piece of hardware, a perfectly acceptable solution.
Some of us do this for a living. Problem solving is not some foreign concept here.
Hmmm, but what if the v4 or v6 tcp-ip stack has a "filter" in it looking for a sequence of some hex values, and then the "ring 0" stack re-enables wol without your knowledge? 100% doable, very hard to detect, and probability of such "in" is unknown.
Maybe it's better to have monitoring tools, like if the system boots you get some sort of message by remote means. Or, I believe wol events are logged, so monitoring logs for that specific event could be a good alarm for something you are not expecting to happen.
Backdoors are becoming harder and harder to detect because more and more functionality is being shoved into IC's, which come from various regions of the world. It's easy to do source code analysis, almost impossible to do transistor/code analysis of an IC that was not engineered and made by you.
I am 100% confident that the US conspires with AMD and Intel to make chips that are sold to domestic and non-domestic places where such chips give US a way to obtain "data". Likely falls under a very secret spy program. I also suspect US can/does make its own chips in a secret place where they modify say a popular Intel chip, they stamp it with Intel logo and then swap out supply chain with the grayware chips. US does it, China does it, etc etc.
If you are not the one engineering it and making it, then you have to stomach some sort of "trust" model with whatever system you have acquired. Do you trust US or China or Taiwan?
If you want total protection, leave unplugged.
If you want strong control, run the system in very isolated environment, multiple layers, lots of in-band and out-band monitoring, etc.
Your protection efforts will vary depending on the value of your assets.
I suspect you seriously overestimate the technical competence available to work for government salaries! Unlike some governments, ours tends to pay like a "lowest bidder". It makes keeping good talent restricted to certain select disciplines (law, for example).
In this context of technology, it's not over-estimating ability. US already runs massive qubit and can decrypt anything. The use of 10THz technology is surfacing.
That UFO object tracked by US mil aircraft, might just have been fancy constructive interference technology, because we know it being a physical object has very low probability.
Why US struggles with hypersonic craft is somewhat puzzling though.
The Thing to many is some monster. The Thing to older folks is a passive device used to spy on US officials. Interference technology is many many decades old, still used today.
Last edited by Linux_Kidd; 03-08-2024 at 05:50 PM.
It's an old quest to have it disabled.
Years and years ago I worked in an HS. I remember snooping (as requested by teaching staff) on a particular student to monitor the activity. No need to say they subsequently had the evidence they wanted to use on the poor kid.
As it happens, I do not have a router (of my own) available to pre-filter outside net traffic. I only have access to xfinity wifi hotspots, with the router(s) controlled by them.
Under my previous situation, I used a DIY router with Slackware running on a customized "Acer Veriton L410" sff pc. Despite being old hardware, it could keep up with everything on practically no system load. And it had adequate iptables firewalling. But despite its small size, it is heavy to carry and needs a separate monitor/kb/mouse.
So now when my dual-boot laptop is in linux mode, it gets a slightly modified version of the iptables firewall from my DIY router.
However, in windows mode it must make do with windows firewall, which makes me worry.
The Raspberry is just there (on its own ethernet) to be a caching DNS server, because if I don't cache then eventually cloudflare stops responding to my frequently repeated DNS requests.
As far as I know, there are not any small off-the-shelf routers with a wifi wan and ethernet lan.
I did see someone proposing a Raspberry project of a "travel router", but they never followed up with publishing their howto.
Either way, whether I use a headless off-the-shelf router or my headless Raspberry, being headless makes wan wifi connections more difficult to manage. Human judgement is needed to pick and choose among the various hotspots. So far the wan wifi is being run/managed from my laptop.
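As an added example (not from this thread or from any poster), here is an nftables ruleset doing what the laptop-side iptables setup above does, narrowed so the e1000 link carries nothing but the laptop's queries to the Pi and the Pi's own upstream DNS. The interface names wlan0 (USB wifi WAN) and eth0 (e1000 to the Pi), the 192.168.7.0/24 addressing and the Pi's address 192.168.7.2 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread author's configuration.
# Assumed layout: wlan0 = USB wifi WAN (hotspot side), eth0 = e1000 link to
# the Pi, laptop = 192.168.7.1/24, Pi = 192.168.7.2 (caching DNS server).
define wan = wlan0
define lan = eth0
define pi  = 192.168.7.2

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        # Replies to the laptop's own DNS queries and SSH sessions to the Pi
        # come back as established traffic, so nothing else is opened for them.
        ct state established,related accept
        # e1000 link: the only unsolicited packets accepted are pings from the
        # Pi (diagnostics); anything else on that port is logged and dropped.
        iif $lan ip saddr $pi icmp type echo-request accept
        iif $lan log prefix "e1000-input-drop: " drop
        # wifi WAN: DHCP lease replies only; everything else unsolicited is
        # counted and dropped.
        iif $wan udp sport 67 udp dport 68 accept
        iif $wan counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # The Pi may reach the internet through the laptop for one purpose:
        # upstream DNS lookups for its cache. No other forwarding is allowed.
        iif $lan oif $wan ip saddr $pi udp dport 53 accept
        iif $lan oif $wan ip saddr $pi tcp dport 53 accept
        log prefix "forward-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # NAT the Pi's permitted DNS traffic behind the wifi address.
        oif $wan masquerade
    }
}
```

Forwarding also needs net.ipv4.ip_forward=1, and the "e1000-input-drop:" and "forward-drop:" log prefixes give you something concrete to watch for unexpected traffic on that link. Rules in the OS only govern what the OS itself accepts and forwards; they say nothing about traffic that firmware handles below the OS, which is the part of the original question a host firewall cannot answer.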
I also use Xfinity. I now own my own modem and separate router and have full control of my end. Before that I used the Xfinity integrated modem and router, but added a smart switch for routing in my home network.
There IS a management interface on the Xfinity device, and you have control over SOME of it using that (web) console. The installation papers should have included detail on how to access the device for changing settings.
The cost up front is higher to get your own equipment, but if you own your equipment you have better control. IF you are trained and/or experienced in network administration it is easier because you already conquered the learning curve. The savings on the Xfinity equipment rental pays for your equipment cost in about two years. Budget and experience are factors that you need to evaluate for yourself.
System and Network Administration and Security have been in my wheelhouse for decades. I would never feel my network even minimally secure if my network security control was in the hands of some company that had no commitment to pay for damages if my network were breached! (Oh heck, I would never trust an ISP that far no matter WHAT the contract terms!)