| 1 |
"Julien Cassette" <hazynrg@×××××.com> posted |
| 2 |
5c4f3a5c0804061351o7ab513d3u3934e26bf11104b8@××××××××××.com, excerpted |
| 3 |
below, on Sun, 06 Apr 2008 22:51:47 +0200: |
| 4 |
|
| 5 |
[reordered this part first] |
| 6 |
> Regards.Hi,<br>I see many lines similar to these ones in my |
| 7 |
> netstat:<br><br>tcp |
| 8 |
> 0 0 |
| 9 |
> localhost:9050 |
| 10 |
|
| 11 |
Please kill the crap HTML. /That/ is a security issue, and folks aware |
| 12 |
of it won't be using a (local at least) client that parses it let alone |
| 13 |
spits it out, for that reason. The raw HTML then looks like crap, as the |
| 14 |
above should demonstrate. |
| 15 |
|
| 16 |
Really, gmail or not, one would expect that someone interested enough in |
| 17 |
security to be running tor would know not to post that HTML crap (altho I |
| 18 |
guess it's easy to have it reset to html, as it's not uncommon even for |
| 19 |
folks that know not to post html). |
| 20 |
|
| 21 |
> I see many lines similar to these ones in my netstat: |
| 22 |
|
| 23 |
[whitespace reformatted for better non-wrap posting] |
| 24 |
|
| 25 |
> tcp 0 0 localhost:9050 localhost:48065 TIME_WAIT - |
| 26 |
> tcp 0 0 localhost:8118 localhost:35457 TIME_WAIT - |
| 27 |
> tcp 0 0 localhost:9050 localhost:48043 TIME_WAIT - |
| 28 |
> tcp 0 0 localhost:48059 localhost:9050 TIME_WAIT - |
| 29 |
> tcp 0 0 localhost:8118 localhost:35521 TIME_WAIT - |
| 30 |
> |
| 31 |
> Is it a security issue? |
| 32 |
|
| 33 |
> The ports are TOR's but this stuff also appear when I use an application |
| 34 |
> like Azureus for example. |
| 35 |
> BTW, my machine is set as DMZ in the router, dunno if this may cause |
| 36 |
> something... |
| 37 |
|
| 38 |
localhost normally indicates connections from your computer to itself on |
| 39 |
the "loopback" (lo) interface. Assuming you trust the stuff running on |
| 40 |
your own computer, it SHOULDN'T be an issue, PROVIDED the localhost isn't |
| 41 |
somehow faked, possible but relatively unlikely. You can double-check by |
| 42 |
using the --numeric (-n) or --numeric-hosts netstat commandline options. |
| 43 |
The reported IPs should then be 127/8, that is, 127.x.y.z, which is |
| 44 |
reserved as localhost. However, of that entire /8 block only 127.0.0.1 |
| 45 |
is normally used, so most likely they'll all be 127.0.0.1. |
| 46 |
|
| 47 |
Kyle already mentioned the --program (-p) option, which is good, but note |
| 48 |
that it'll only report the programs if you own them -- unless you run the |
| 49 |
netstat as root, of course. |
| 50 |
|
| 51 |
Normally you'd not have so many localhost entries, but when you run a |
| 52 |
local proxy (FWIW, I run privoxy here, but not tor, so am used to seeing |
| 53 |
them from that), you do tend to get more as other things run thru it. If |
| 54 |
you run a privoxy/tor chain, you'll have even more as you'll have both the |
| 55 |
app/privoxy and the privoxy/tor connections, all on localhost (with the |
| 56 |
tor/world connections as well, but those aren't localhost and would be |
| 57 |
the same as direct app/world connections where no local proxy is used). |
| 58 |
|
| 59 |
Then there's the connection status. TIME_WAIT indicates a connection |
| 60 |
that has been completed and mostly torn down, except the system has a |
| 61 |
timeout on the final piece of the tear-down to keep anything else from |
| 62 |
trying to use the same socket during the period packets may still be in |
| 63 |
transit, thus keeping any potential new connection from getting mixed up |
| 64 |
by packets arriving for the old one. That's why the sent/received count |
| 65 |
is zero -- the connection is already torn down and the sent/received |
| 66 |
information lost -- it's just waiting for the timeout. (This paragraph |
| 67 |
may not be absolutely correct and definitely lacks detail, but it should |
| 68 |
be sufficient from a security aware sysadmin's point of view, the way I |
| 69 |
and presumably you approach it. If you want technically correct, the |
| 70 |
RFCs are freely available. =8^) |
| 71 |
|
| 72 |
-- |
| 73 |
Duncan - List replies preferred. No HTML msgs. |
| 74 |
"Every nonfree program has a lord, a master -- |
| 75 |
and if you use the program, he is your master." Richard Stallman |
| 76 |
|
| 77 |
-- |
| 78 |
gentoo-amd64@l.g.o mailing list |
Archives