I just published an article on TidBITS on this very issue.

Basically, I don’t think the average Mac user needs it yet. AV comes at a performance cost that isn’t justified by the risks it addresses. It isn’t that Macs are more secure than Windows- it’s that they aren’t as big a target yet, and I’m not convinced that desktop antivirus will help much once Mac malware really starts proliferating.

If you are a lone Mac in a Windows environment you might need to install it to protect your Windows brethren (don’t be the vector that infects them — sending viruses you don’t even notice is not nice), and if you go to a lot of risky places you should consider it.

For the record, I don’t use AV on Mac or Vista, but I do use it on XP.

And if Apple is smart, they can finish off the Leopard security features and harden the platform enough that it won’t be as easy a target even as market share rises.

(I was amused reading the Slashdot comments, which I usually ignore. I don’t mind the criticism, but at least read the fricking article, guys).

Technorati Tags: Apple, Mac, antivirus

Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.)

Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live.

Bruce breaks the potential security risks down into two categories:

1. Somebody abusing his network for illegal activity- spam, file sharing, attacking other systems, and so on.
2. Connecting to his network and attacking his home systems.

He evaluates these risks as acceptable:

1. Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks.
2. In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.”

While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself.

1. Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration- for most of the time I lived in a particular condo in Boulder the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past.
2. Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply.

I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it.

He also mentions the risk of violating his ISP’s terms of service:

Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP.

To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid.
I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it.

Don’t follow Bruce’s example- he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk).

Oh, and the Chuck Norris thing?

Our first question comes from Tom, who is security minded but not a full-on security geek:

“In my Dlink 4300 there is functionality to log fire wall rules to a
outside logging server (I’ve seen this functionality in my old WRT54G’s
as well). At the same time Linux has logging functionality that you can
setup to receive outside log messages. How do I get my
dlink/linksys/brand X router to talk to my Linux at server and log all
of the messages?

Looking at firewall logs is a great way to get your feet wet with security. For the home user I’m not convinced it adds a lot of security, but it will be extremely educational. It won’t take long before you drop Wireshark onto your network and really start digging into traffic.

The D-Link outputs logs using syslog to any compatible syslog server. The exact configuration will vary depending on your internal network structure and which version of Linux you are using, but here’s a general overview to get it running. A number of home routers/wireless access points support this functionality.

1. Set up your Linux server
2. Start syslogd, and make sure it’s configured to run on startup (”chkconfig --list syslog“?).
3. You will probably need to adjust your syslogd configuration file before it will work properly- this varies based on which version you’re running, but a quick Google search should give you what you need; likely you need to add “-r” somewhere (/etc/sysconfig/syslog on Red Hat based systems). Wikipedia is a good place to start.
4. If you have a firewall on your Linux box, make sure UDP port 514 is open to your home network (/etc/sysconfig/iptables on Red Hat based systems).
5. On your D-Link router, go into DHCP settings and assign a permanent address to your Linux server. Otherwise, its IP address will probably change when it reboots. You’ll probably need the MAC address of your Linux server, which you can get by running ifconfig from a shell. Some D-Links make this really easy and you can lift the address right from the screen where you assign permanent addresses. If it’s not feasible, you might just want to configure your Linux server with a static address — if you do, make sure it’s not in the DHCP scope assigned by your router.
6. Now, on your router go start logging, and enter the IP address of your Linux box.
7. Give it a little while, then see if you have any log entries (depending on how your configured things in syslog.conf).

And that should be it! I know this isn’t totally detailed, but it really can vary a lot depending on what you’re running, and I don’t have everything on my end to test it. The most common mistakes are leaving the syslog server on a dynamic IP address, filtering the traffic, and bad syslog configurations.

Pepper adds: You can do all this with a Mac too — I send Linksys WRT54G & AirPort Extreme logs to mine.

Credit monitoring services, especially those from the credit agencies themselves, leave a bad taste in my mouth. I find it unconscionable that I need to pay to gain access to personal information on me that affects my life at the deepest levels. In our modern society, a good credit rating is as important for our future safety and stability (and sex, to be honest) as a sharp spear and 20/10 vision were to early man. It sucks, but money makes the world go round and we can’t feed Maslow without it (nor can most of us afford homes without good credit).

I started using credit monitoring services long before identity theft was a big issue. Back then, reports were never free and credit scores weren’t in as wide use. I wasn’t paranoid or prescient, I’d just managed to screw my credit up so badly in college that I wanted to know exactly what I needed to clean up. It would probably still be screwed up if it weren’t for online banking; I’m really bad about using the mail.

When free reports were mandated by the government I kept with the monitoring service for two reasons- to gain access to my credit score, and for identity theft monitoring.

And monitoring is not protection- I may be able to detect new activity on my credit report within 1-3 days, but by that time the damage might be done.

Along comes Debix. The government has mandated that credit services allow consumers to place “locks” on their reports. No, this won’t stop the bank from reporting you as late, but it does mean they can’t open a new account tied to your record without explicit permission. Being a bunch of wimps beholden to big money, the government only mandated they lock (place a “fraud alert” on) your record for 90 days.

For the same price (or less) as credit monitoring, Debix will place a lock on your record and renew it automatically every 90 days. They link the lock to their call center, and when a creditor calls to verify that you really want to open the account the call center routes it to up to three numbers you provide. This has the added advantage of keeping your phone number off your record.

(Full disclosure: I was given a free preview, so I didn’t pay for the service. But it’s cheaper than the credit monitoring service I’m dropping).

Pretty cool- kind of like anti-exploitation for identity theft.

They also insure you and provide a few other features. They are a direct competitor of LifeLock, but LifeLock’s been in the news a bunch here in Phoenix for some… irregularities… that make me uncomfortable with the company.

I do like seeing inquiries on my credit report, but I can get that for free on a quarterly basis rather than needing it instantly. Debix is $4/month cheaper than my monitoring was, and blocks unwanted activity.

I like that.

If you read this blog, odds are today and tomorrow you’ll be responsible for “fixing” the computers of your extended family. It’s also a great excuse to get you some much-needed web browsing time if the family conversations get boring. Here’s my (very short) checklist:

1. Make sure they’re behind some sort of NAT firewall/home router. Anything that keeps them from being directly connected to the Internet. Do a quick check to make sure it isn’t forwarding any ports to internal addresses. A cheap $50 router/wireless access point alone will stop most worm/network attacks. If they don’t have one, you now have a convenient excuse to visit Fry’s Electronics or your local Circuit Buy.
2. Back up their photos onto an external hard drive or CD/DVD. For many people, nothing else really matters. This should get you out of any idle chit-chat, and no one needs to know you’re reading Slashdot and drinking a beer in the back room. You can milk this one for as long as needed, and it comes across as being more helpful than just watching sports.
3. Check to see if Windows is updated. If it isn’t, assume they are infected. If they don’t have SP2, buy them a new computer.
4. Run a quick scan for any obvious spyware/malware. I ask if the computer’s been running slow lately; that’s a good indicator. Otherwise just download one of the free tools and give it a run. If their AV suite is out of date, and they use the computer for more than the most simple of tasks, assume it’s infected. At this point I will usually load up a free suite of tools (AVG Free, whatever anti-spyware is handy, and activate the Windows firewall). This is your time to work on blog entries and maybe Twitter a bit, although if the computer is infected you won’t want to log into any of your accounts. If you need more alone time, stare at the screen and curse occasionally as people walk past. They’ll leave you alone.
5. If you’re pretty sure it’s infected you have a choice. If the computer is old, tell them to buy a new one (preferably a Mac). If it’s current but blasted, tell them to back up important files and nuke it from orbit. If it’s your parents, back up and nuke it yourself. Send someone to buy you better beer (Stone Arrogant Bastard should do) so you can “concentrate” better.
6. Tell your father/uncle/father-in-law/whoever to stop going to “those” sites. When they deny it, show them their cookie files. When they still deny it, close the door to the room and open up the web cache. If they still deny it, blame your 4 year-old nephew and suggest a good child psychologist. If they don’t cave at this point, tell them Crazy Uncle Bobby touched you as a kid; maybe it’s his fault.
7. Turn on their antispam, preferably at the ISP level. This will stop a lot of email viruses.
8. No matter what, tell them you found terrorist child pornography from gambling sites on their system, and inform them to never click on anything in email. This should keep them out of trouble.

If you just backup the files, do a quick check, and figure out if you need to nuke it or keep it, that’s enough and only takes a few minutes. Feel free to extend as long as needed based on your particular family dynamics.

If your family has Macs, you might need to fake it. They’ll probably catch you.

Me? My immediate family has Macs and my wife’s side is local and I fix things as they happen. The good beer is in the fridge and I intend to fully enjoy a couple days of watching sports and making Lego robots with my nieces and nephew.

Happy Holidays- see ya in a few days.

Looks like the ipfw rules project that Chris is leading is pretty popular. We’ve set up a permanent link that we’ll redirect to the latest version as we keep refining this thing.

You can find it here.

Thanks again to everyone who has helped on this project:

windexh8er: http://www.slash32.com/
Rob
Lee: http://thnetos.wordpress.com/
Josh
Chris Pepper http://www.extrapepperoni.com/

Based on extensive feedback, these rules are now much improved over the initial draft. Thanks, all!

All the versions of this post are getting out of hand, so Rich has provided a permanent URL for the current Leopard ipfw post for future reference. Please use that link, so future visitors get the latest and greatest.

Chris

# DO NOT USE THESE RULES without customizing them first!
# Version: 2007/12/12

# For more information, see http://securosis.com/2007/11/15/ipfw-rules/
# & http://securosis.com/2007/11/16/ipfw-rules-20071116-revision/#comments

# These rules *MUST* be customized to your requirements.
# In particular, if you have a private home network (behind an AirPort
# Base Station, Linksys WRT54G, etc.), change “10.42.24.0/24″ below to
# your private network range; duplicate rules with different ranges, if use use this computer on multiple networks.
# Additionally, allow only ports you actually use; block unused ports.

# Thanks to:
# Rich Mogull http://securosis.com
# windexh8er: http://www.slash32.com/
# Rob
# Lee: http://thnetos.wordpress.com/
# Josh
# Chris Pepper http://www.extrapepperoni.com/
# Apple (Server Admin is a good way to create an ipfw ruleset)
# http://www.apple.com/server/macosx/
# FreeBSD (where Apple got ipfw) http://www.freebsd.org/

# We don’t really want this, but it’s unavoidable on Mac OS X Server, so
# document it here (serialnumberd).
# 100 allow udp from any 626 to any dst-port 626

# Let me talk to myself over the loopback.
add 200 allow ip from any to any via lo0

# Loopback traffic on a ‘real’ interface is bogus.
add 300 deny log logamount 1000 ip from any to 127.0.0.0/8

# Block multicast unless you need it.
# add 400 deny log logamount 1000 ip from 224.0.0.0/4 to any in

# If we let a conversation begin, let it continue.
# Let my clients go!
add 500 allow tcp from any to any out keep-state
add 510 allow udp from any to any out keep-state
# Block replies, if we don’t recall initiating the conversation.
add 520 deny log tcp from any to any established in

# Allow DHCP responses (keep-state can’t handle DHCP broadcasts).
add 600 allow udp from any to any src-port 67 dst-port 68 in

# Do you never need fragmented packets?
# add 700 deny udp from any to any in frag

# Let yourself ping.
# add 1000 allow icmp from 10.42.24.0/24 to any icmptypes 8

# Server Admin provides these by default.
add 1100 allow icmp from any to any icmptypes 0
add 1110 allow igmp from any to any

# mDNS (Bonjour) from trusted local networks (fill in your own,
# preferably non-standard, networks after ‘from’).
# For Back to My Mac, you might need this from ‘any’.
# add 5000 allow udp from 10.42.24.0/24 to any dst-port 5353
# add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in

# ssh — should be restricted to trusted networks if at all possible; if
# open to the Internet, make sure you don’t have “PermitRootLogin yes”
# in sshd_config (at least use
# PermitRootLogin without-password“, please!)
add 5200 allow tcp from any to any dst-port 22

# iTunes music sharing
# add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689

# AFP
# add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548

# HTTP (Apache); HTTPS
# add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443

# L2TP VPN — is this complete?
# add 5600 allow udp from any to any dst-port 1701
# add 5610 allow esp from any to any
# add 5620 allow udp from any to any dst-port 500
# add 5630 allow udp from any to any dst-port 4500

# iChat: local
# add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298
# add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298
# add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678

# Server Admin SSL (Mac OS X Server only)
# add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311
# add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427
# add 5820 allow udp from 10.42.24.0/24 to any dst-port 427

# syslog — uncommon
# add 5900 allow udp from 10.42.24.0/24 to any dst-port 514

# ipp (CUPS printing)
# add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631

# MTU discovery
add 10000 allow icmp from any to any icmptypes 3

# Source quench
add 10100 allow icmp from any to any icmptypes 4

# Ping out; accept ping answers.
add 10200 allow icmp from any to any icmptypes 8 out
add 10210 allow icmp from any to any icmptypes 0 in

# Allow outbound traceroute.
add 10300 allow icmp from any to any icmptypes 11 in

# My default policy: log and drop anything that hasn’t matched an allow
# rule above
add 65534 deny log logamount 1000 ip from any to any

# Hard-coded default allow rule (compiled into Darwin kernel)
add 65535 allow ip from any to any

Thanks to the feedback, I’ve tweaked these rules a bit. I realized I was blocking DHCP, so I added that as well.

Get the latest rule set.

Chris

# DO NOT USE THESE RULES without customizing them first!
# Version: 2007/11/16

# For more information, see http://securosis.com/2007/11/15/ipfw-rules/

# These rules *MUST* be customized to your requirements.
# In particular, if you have a private home network (behind an AirPort
# Base Station, Linksys WRT54G, etc.), change “10.42.24.0/24″ below to
# your private network range.
# Additionally, allow only ports you actually use; other ports should be
# blocked by the ipfw firewall.

# Thanks to:
# Rich Mogull http://securosis.com
# windexh8er: http://www.slash32.com/
# Lee: http://thnetos.wordpress.com/
# Chris Pepper http://www.extrapepperoni.com/
# Apple (Server Admin is a good way to create an ipfw ruleset)
# http://www.apple.com/server/macosx/
# FreeBSD (where Apple got ipfw) http://www.freebsd.org/

# We don’t really want this, but it’s unavoidable on Mac OS X Server, so
# document it here (serialnumberd).
# 100 allow udp from any 626 to any dst-port 626

# Let me talk to myself over the loopback.
add 200 allow ip from any to any via lo0

# Loopback addresses on non-loopback interfaces are bogus.
add 300 deny log logamount 1000 ip from any to 127.0.0.0/8
add 310 deny log logamount 1000 ip from 224.0.0.0/4 to any in

# Block multicast if you don’t use it.
# add 400 deny log ip from 224.0.0.0/4 to any in

# Accept responses to my client programs.
add 500 check-state

# If we let the conversation begin, let it continue.
add 600 allow tcp from any to any established
# Let my programs go!
add 610 allow tcp from any to any out keep-state
add 620 allow udp from any to any out keep-state
# Block bogus inbounds that claim they were established.
# add 630 deny log tcp from any to any established in

# Change this to DENY fragments if you don’t need them.
add 700 allow udp from any to any in frag

# Allow DHCP responses (DHCP broadcasts, which seems to defeat
# keep-state).
add 800 allow udp from any to any src-port 67 dst-port 68 in

# add 1000 allow icmp from 10.9.7.0/24 to any icmptypes 8

# Server Admin provides these by default.
add 1100 allow icmp from any to any icmptypes 0
add 1110 allow igmp from any to any

# mDNS (Bonjour) from trusted local networks (fill in your own,
# preferably non-standard, networks after ‘from’).
# For Back to My Mac, you might need this from ‘any’.
# add 5000 allow udp from 10.42.24.0/24 to any dst-port 5353
# add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in

# DNS (note TCP is required, but this one should scare you — much
# better to only allow packets from your trusted nameservers, if you
# always use the same ones).
add 5100 allow tcp from any to any dst-port 53
add 5110 allow udp from any to any dst-port 53
add 5120 allow tcp from any to any dst-port 53 out keep-state
add 5130 allow udp from any to any dst-port 53 out keep-state

# ssh
add 5200 allow tcp from any to any dst-port 22

# iTunes music sharing
# add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689

# AFP
# add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548

# HTTP (Apache); HTTPS
# add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443

# L2TP VPN
# add 5600 allow udp from any to any dst-port 1701
# add 5610 allow esp from any to any
# add 5620 allow udp from any to any dst-port 500
# add 5630 allow udp from any to any dst-port 4500

# iChat: local
# add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298
# add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298
# add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678

# Server Admin SSL (Mac OS X Server only)
# add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311
# add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427
# add 5820 allow udp from 10.42.24.0/24 to any dst-port 427

# syslog
# add 5900 allow udp from 10.42.24.0/24 to any dst-port 514

# ipp (CUPS printing)
# add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631

# MTU discovery
add 10000 allow icmp from any to any icmptypes 3

# Source quench
add 10100 allow icmp from any to any icmptypes 4

# Ping out; accept ping answers.
add 10200 allow icmp from any to any icmptypes 8 out
add 10210 allow icmp from any to any icmptypes 0 in

# Allow me to traceroute.
add 10300 allow icmp from any to any icmptypes 11 in

# My default policy: log and drop anything that hasn’t matched an allow
# rule above
add 65534 deny log logamount 1000 ip from any to any

# Hard-coded default allow rule (compiled into Darwin kernel)
add 65535 allow ip from any to any

Rules revised.

As suggested by windexh8er, here’s a set of ipfw rules to customize for your own Macs or FreeBSD systems. Note that your private home network should have a non-standard IP range, both to support VPN across standard IP ranges, and for improved security, so your personal allow rules don’t match other networks you may find yourself wandering through.

The rules are below, but you’ll probably have an easier time if you download the rule file from http://securosis.com/wp-content/uploads/2007/11/ipfw-securosis.txt.

In WaterRoof, you can import these rules with “Tools > Rules Configuration > Import rules from file..”. To check your ipfw rules, use “sudo ipfw list“. When you’re satisfied with your rules, install them for future reboots with “Tools > Rules Configuration > Save to startup configuration” and “Tools > Startup Script > Install Startup Script”.

# DO NOT USE THESE RULES without customizing them first!
# Version: 2007/11/15

# For more information, see http://securosis.com/2007/11/15/ipfw-rules/

# These rules *MUST* be customized to your requirements.
# In particular, if you have a private home network (behind an AirPort
# Base Station, Linksys WRT54G, etc.), change "10.42.24.0/24" below to
# your private network range.
# Additionally, allow only ports you actually use; other ports should be
# blocked by the ipfw firewall.

# Thanks to:
# Rich Mogull http://securosis.com
# windexh8er: http://www.slash32.com/
# Lee: http://thnetos.wordpress.com/
# Chris Pepper http://www.extrapepperoni.com/
# Apple (Server Admin is a good way to create an ipfw ruleset)
#   http://www.apple.com/server/macosx/
# FreeBSD (where Apple got ipfw) http://www.freebsd.org/

# We don't really want this, but it's unavoidable on Mac OS X Server, so
# document it here (serialnumberd)
# 100 allow udp from any 626 to any dst-port 626 

# Let me talk to myself over the loopback
add 200 allow ip from any to any via lo0 

# Loopback addresses on non-loopback interfaces are bogus
add 300 deny log logamount 1000 ip from any to 127.0.0.0/8
add 310 deny log logamount 1000 ip from 224.0.0.0/4 to any in 

# Block multicast if you don't use it
# add 400 deny log ip from 224.0.0.0/4 to any in 

# Accept responses to my client programs
add 500 check-state 

# If we let the conversation begin, let it continue
add 600 allow tcp from any to any established 

# Let my programs get out.
add 700 allow tcp from any to any out keep-state
add 710 allow udp from any to any out keep-state 

# Change this to DENY fragments if you don't need them.
add 800 allow udp from any to any in frag 

# Block bogus inbounds that claim they were established
# add 900 deny log tcp from any to any established in 

# add 1000 allow icmp from 10.9.7.0/24 to any icmptypes 8 

# Server Admin provides these by default
add 1100 allow icmp from any to any icmptypes 0
add 1110 allow igmp from any to any 

# mDNS (Bonjour) from trusted local networks (fill in your own,
# preferably non-standard, networks after 'from')
# For Back to My Mac, you might need this from 'any'
# add 5000 allow udp from 10.42.24.0/24 to any dst-port 5353
# add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in

# DNS (note TCP is required, but this one should scare you -- much
# better to only allow packets from your trusted nameservers, if you
# always use the same ones)
add 5100 allow tcp from any to any dst-port 53
add 5110 allow udp from any to any dst-port 53
add 5120 allow tcp from any to any dst-port 53 out keep-state
add 5130 allow udp from any to any dst-port 53 out keep-state 

# ssh
add 5200 allow tcp from any to any dst-port 22 

# iTunes music sharing
#add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689 

# AFP
#add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548 

# HTTP (Apache); HTTPS
# add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443 

# L2TP VPN
# add 5600 allow udp from any to any dst-port 1701
# add 5610 allow esp from any to any
# add 5620 allow udp from any to any dst-port 500
# add 5630 allow udp from any to any dst-port 4500 

# iChat: local
#add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298
#add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298
#add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678 

# Server Admin SSL (Mac OS X Server only)
# add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311
# add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427
# add 5820 allow udp from 10.42.24.0/24 to any dst-port 427 

# syslog
# add 5900 allow udp from 10.42.24.0/24 to any dst-port 514 

# ipp (CUPS printing) 

# add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631 

# MTU discovery
add 10000 allow icmp from any to any icmptypes 3 

# Source quench
add 10100 allow icmp from any to any icmptypes 4 

# Ping out; accept ping answers
add 10200 allow icmp from any to any icmptypes 8 out
add 10210 allow icmp from any to any icmptypes 0 in 

# Allow me to traceroute
add 10300 allow icmp from any to any icmptypes 11 in 

# My default policy: log and drop anything that hasn't matched an allow
# rule above
add 65534 deny log logamount 1000 ip from any to any

# Hard-coded default allow rule (compiled into Darwin kernel)
add 65535 allow ip from any to any

I say we take off and nuke the entire site from orbit. It’s the only way to be sure.

-Ripley (Sigourney Weaver) in Aliens

While working at home has some definite advantages, like the Executive Washroom, Executive Kitchen, and Executive HDTV, all this working at home alone can get a little isolating. I realized the other month that I spend more hours every day with my cats than any other human being, including my wife.

Thus I tend to work out of the local coffee shop a day or two a week. Nice place, free WiFi (that I help secure on occasion), and a friendly staff. Today I was talking with one of the employees about her home computer. A while ago I referred her to AVG Free antivirus and had her turn on her Windows firewall. AVG quickly found all sorts of nasties- including, as she put it, “47 things in that quarantine thing called Trojans. What’s that?”

Uh oh. That’s bad.

I warned her that her system, even with AV on it, was probably so compromised that it would be nearly impossible to recover. She asked me how much it would cost to go over and fix it, and I didn’t have the heart to tell her.

Truth is, as most of you professional IT types know, it might be impossible to clean out all the traces of malware from a system compromised like that. I’m damn good at this kind of stuff, yet if it were my computer I’d just nuke it from orbit- wipe the system and start from scratch.

While I have pretty good backups, this can be a bit of a problem for friends and family. Here’s how I go about it on a home system for friends and family:

1. Copy off all important files to an external drive- USB or hard drive, depending on how much they have.
2. Wipe the system and reinstall Windows from behind a firewall (a home wireless router is usually good enough, a cable or DSL modem isn’t).
3. Install all the Windows updates. Read a book or two, especially if you need to install Service Pack 2 on XP.
4. Install Office (hey, maybe try OpenOffice) and any other applications.
5. Double check that you have SP2, IE7, and the latest Firefox installed. Install any free security software you want, and enable the Microsoft Malicious Software removal tool and Windows firewall. See Security Mike for more, even though he hasn’t shown me his stuff yet.
6. Set up their email and such.
7. Take the drive with all their data on it, and scan it from another computer. Say a Mac with ClamAV installed? I usually scan with two different AV engines, and even then I might warn them not to recover those files.
8. Restore their files.

This isn’t perfect, but I haven’t had anyone get re-infected yet using this process. Some of the really nasty stuff will hide in data files, but especially if you hold onto the files for a few weeks at least one AV engine will usually catch it. It’s a risk analysis; if they don’t need the files I recommend they trash them. If they really need the stuff we can restore it as carefully as possible and keep an eye on things. If it’s a REALLY bad infection I’ll take the files on my Mac, convert them to plain text or a different file format, then restore them. You do the best you can, and can always nuke it again if needed. In her case, I also recommended she change any bank account passwords and her credit card numbers.

It’s the only way to be sure…