"Julien Cassette" <hazynrg@×××××.com> posted
5c4f3a5c0804061351o7ab513d3u3934e26bf11104b8@××××××××××.com, excerpted
below, on Sun, 06 Apr 2008 22:51:47 +0200:

[reordered this part first]

> Regards.Hi,<br>I see many lines similar to these ones in my
> netstat:<br><br>tcp
> 0 0
> localhost:9050

Please kill the crap HTML. /That/ is a security issue, and folks aware
of it won't be using a (local at least) client that parses it let alone
spits it out, for that reason. The raw HTML then looks like crap, as the
above should demonstrate.

Really, gmail or not, one would expect that someone interested enough in
security to be running tor would know not to post that HTML crap (altho I
guess it's easy to have it reset to html, as it's not uncommon even for
folks that know not to post html).

> I see many lines similar to these ones in my netstat:

[whitespace reformatted for better non-wrap posting]

> tcp 0 0 localhost:9050 localhost:48065 TIME_WAIT -
> tcp 0 0 localhost:8118 localhost:35457 TIME_WAIT -
> tcp 0 0 localhost:9050 localhost:48043 TIME_WAIT -
> tcp 0 0 localhost:48059 localhost:9050 TIME_WAIT -
> tcp 0 0 localhost:8118 localhost:35521 TIME_WAIT -
>
> Is it a security issue?

> The ports are TOR's but this stuff also appears when I use an application
> like Azureus for example.
> BTW, my machine is set as DMZ in the router, dunno if this may cause
> something...

localhost normally indicates connections from your computer to itself on
the "loopback" (lo) interface. Assuming you trust the stuff running on
your own computer, it SHOULDN'T be an issue, PROVIDED the localhost isn't
somehow faked, possible but relatively unlikely. You can double-check by
using the --numeric (-n) or --numeric-hosts netstat command-line options.
The reported IPs should then be 127/8, that is, 127.x.y.z, which is
reserved as localhost. However, of that entire /8 block only 127.0.0.1
is normally used, so most likely they'll all be 127.0.0.1.

Kyle already mentioned the --program (-p) option, which is good, but note
that it'll only report the programs if you own them -- unless you run the
netstat as root, of course.

Normally you'd not have so many localhost entries, but when you run a
local proxy (FWIW, I run privoxy here, but not tor, so am used to seeing
them from that), you do tend to get more as other things run thru it. If
you run a privoxy/tor chain, you'll have even more as you'll have both the
app/privoxy and the privoxy/tor connections, all on localhost (with the
tor/world connections as well, but those aren't localhost and would be
the same as direct app/world connections where no local proxy is used).

Then there's the connection status. TIME_WAIT indicates a connection
that has been completed and mostly torn down, except the system has a
timeout on the final piece of the tear-down to keep anything else from
trying to use the same socket during the period packets may still be in
transit, thus keeping any potential new connection from getting mixed up
by packets arriving for the old one. That's why the sent/received count
is zero -- the connection is already torn down and the sent/received
information lost -- it's just waiting for the timeout. (This paragraph
may not be absolutely correct and definitely lacks detail, but it should
be sufficient from a security aware sysadmin's point of view, the way I
and presumably you approach it. If you want technically correct, the
RFCs are freely available. =8^)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

--
gentoo-amd64@l.g.o mailing list
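The check Duncan describes above, as an added example that is not part of the original thread: parse numeric `netstat -tn` output, verify that both ends of each connection really sit in 127/8 rather than trusting a "localhost" label, and count the loopback entries per service port and state so a privoxy/tor chain (8118 and 9050) stands out from anything talking to the outside. The sample output is constructed here, not taken from the post.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -tn` output (numeric addresses, as the reply
# recommends), modelled on the lines quoted in the post: 9050 is tor's SOCKS
# port, 8118 privoxy's. The last line is a constructed non-loopback entry.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:9050          127.0.0.1:48065         TIME_WAIT
tcp        0      0 127.0.0.1:8118          127.0.0.1:35457         TIME_WAIT
tcp        0      0 127.0.0.1:9050          127.0.0.1:48043         TIME_WAIT
tcp        0      0 127.0.0.1:48059         127.0.0.1:9050          TIME_WAIT
tcp        0      0 127.0.0.1:8118          127.0.0.1:35521         TIME_WAIT
tcp        0      0 192.0.2.10:45120        198.51.100.7:443        ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split an IPv4 'host:port' field into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def parse_netstat(text):
    """Yield one dict per TCP/UDP connection line; header lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, recvq, sendq, local, foreign, state = fields[:6]
        yield {"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
               "local": split_endpoint(local), "foreign": split_endpoint(foreign),
               "state": state}

def is_loopback(conn):
    """True only if BOTH ends are in 127/8; the numeric address is what counts."""
    return conn["local"][0].is_loopback and conn["foreign"][0].is_loopback

def summarize(text):
    """Count loopback connections per (service port, state); return the rest."""
    by_service = Counter()
    external = []
    for conn in parse_netstat(text):
        if not is_loopback(conn):
            external.append(conn)
            continue
        # The lower port is the service (proxy) end; the other is ephemeral.
        service = min(conn["local"][1], conn["foreign"][1])
        by_service[(service, conn["state"])] += 1
    return by_service, external
```

Run `summarize` over real `netstat -tn` output to see the per-proxy TIME_WAIT counts the reply talks about and a short list of whatever is not loopback.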