Security

run Miami:MiamiNetStat -a

If you see a *.1559 port someone's got access to your harddrives.

To block it:

go to 'Databases' menu
go to 'Services' sub menu
in that section 'Add' an entry
in this entry type the following:
for Name put in: 'DCHack'
for ID put in '1599'
for protocol type: 'tcp'
then go to the submenu called 'IP Filter'
click on Add'
in Protocol type '*'
in Service type 'DCHack'
in host type '*.*.*.*'
leave Mask blank
in Access type 'n'
in Log type 'y'
save settings

This will open a window, and log the attempts, if someone tries it.

There are some Amiga 'nukers' that attack on ports, 21 and 113, FTP and
AUTH/IDENT respectively.

There are two methods of blocking these, depending on wether or not you use
ftpd (ie, AmFTPd).

1. Deny and Log these services to all users.
Allow and Log entries for specific IPs that you wish to allow to use
these services. (ie: port 113 allow for IRC servers)

2. Allow and Log port 113 and port 21 (if you are running ftpd).
Deny and Log entries of IPs of users who attack you on these ports.

Don't accept files from any users you don't know. Any files you do accept, get
VirusCheckerII </plug>.

Load the file into a hex editor/reader (AZap works well enough), and search start them. This may be pointless as the library name could be encrypted, but
at least you'll catch any lazy would be hackers.

All DCC (Direct Client to Client) activity in IRC will open ports between you
and the Sender/Recipient. Never set your IRC software to automatically accept
DCC chats or filesends, if you get flooded with DCC requests, ports will be
opened which a would be hacker could gain access to before your IRC software
responds.

All Miami users should run MiamiNetStat from time to time. AmiTCP users should
run the "NetStat" script. You'll get an output something like this...

Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 your.domain.1026 irc.vapor.com.6667 ESTABLISHED
tcp 0 0 your.domain.1599 dev.hacker.com.1085 ESTABLISHED

The first line is the connection to irc.vapor.com, an ARCNET IRC server, I
know I am using IRC so we can assume that's safe.

On the second line, I don't know who/where "dev.hacker.com" is. If you're
running IRC, type:

/who *.dev.hacker.com

If that returns a Nick, it's up to you to decide if that person should be
connected to your system. If not, reboot.

How do TCP hacks work?

A trojan program opens a port. It could do this immediately, or 20 minutes
after you started it, so don't expect SnoopDos to start showing you info
straight away.

You don't actually need to be doing anything on the net to open ports. If you
have a static IP, eg. Demon, you should be very careful. If someone has sent
you the trojan, they will know you're IP address, they can simply ping you to
see when you're online, once they get a pong in reply, they'll be connected to
your machine and have access to everything. Your keyfiles, your email program
configs, anything that you have access to, so do they.

The easiest way to envisage this is that they have a shell window open, and
that whatever commands they type run on your machine. So if they type "assign"
in that shell, they'll get a list of all the devices, volumes (assigns are
virtual volumes) and directories on your machine. Try it yourself if you don't
believe me, open a shell and type "assign", this is the same information the
hacker will see.

As you can imagine, if they can run Assign, they can run everything from
"copy and "echo" to "format" and "reset", they can
even open up more ports so their hacker buddies can all access your machine.
The damage they do doesn't stop when they disconnect from you.

Imagine they can copy your YAM/MD config to there machine access all your
mail, send spam/malicious mail from your account and delete all incoming mail
on a regular basis.

If they steal your keyfiles for xyz-program, and they are blacklisted by the
author of xyz-program then you won't be able to update your software.

Ok, so maybe you just ran a program from Aminet which happened to be their
trojan, which is how they gained access the first time. But how do they make
sure they can gain access at a later date?

They could easily edit your startup-sequence or user-startup to run their
trojan everytime you boot, or copy over a modified version of loadwb (or
whatever) which opens a port as well as loading workbench, that way, everytime
you boot and go online, they can access your machine.

It's worth checking your startup-sequence and any other scripts from time to
time to make sure they haven't been altered without your knowledge.

Check NOW to see if you have the following files on your machine

C:LoadWB - ~29 bytes
L:wb.handler - ~382 bytes

If you find these files, and they are the same size, you should replace them
with the files from you're original workbench disks.

in addition if you have

DEVS:workbench.device ~1136 bytes

Do a version on it. More than likely it will be LoadWB 38.9
If you have this file, then open a shell and do the following

copy DEVS:workbench.device C:LoadWB
delete L:wb.handler

This is an old port opener.

Be sure to run a port checker (AScan is on aminet) at least once a week while
you are online.

Nukes,

To stop a nuke attempt on yourself:

Go to the Database section of Miami
Select the Services section
Double click on the two servcies with the name "Chargen" to disable them.
Select the IP Filter
Enter the following lines if you do not have them