oh also, 1 thing I really dislike about Suricata is the fact that you have the option to configure it via terminal or via web UI :puke:
it's a shame there's no option to disable the web server AND have a quality C++/(Qt, Gtk) local UI to configure it from

that's actually 1 thing that P's me off honestly...
everyone wants to work on a web UI and then turn around and claim "oh yeah it's absolutely secure"
when web technologies are proven to be one of the most hackable things on the planet...
ActiveX died for a good reason, it's a shame electron+node.js had to resurrect it >.<

it's not even convenient to build with electron, python or java is 10x better if that's what you're looking for, and those are just as bad by default.
heck python even runs faster with much less overhead, and that's not even including py_C

but I think I'll stop here or this post will become a book long rant about programming blindness

ok here's an update, this works, but there's a problem:

ip link add link eth0 address 00:11:11:11:11:11 eth0.1 type macvlan
ip netns add ns1
ip link add veth0 type veth peer name veth1
ip link set veth1 netns ns1
ip netns exec ns1 ifconfig veth1 hw ether 00:22:22:22:22:22

the problem is veth0 is, in the words of Dave Jones, flappin in the breeze
or in other words there's no connection...

is it possible to replace veth0 with eth0.1??

would this work??

ip link add eth0.1 type vlan peer name veth1

EDIT: sorry for the lack of context on that last bit...
my friend sent me an example command that used type vlan, so that's where I got that idea from...

but I'm asking because idk how it works, and I want to verify veth1 will still be compatible for use in ns1

ok, new approach

instead of defining the vmac and linking it through a veth to the vns
just assign the vmac directly to the vns, since it's basically what I want anyways:

ip link add link eth0 address 00:11:11:11:11:11 eth0.1 type macvlan
ip netns add ns1
ip link set eth0.1 netns ns1

now when you run:

ip netns exec ns1 ip link

you'll see the vmac adapter eth0.1 in the virtual container

hopefully this means the physical adapter can't be used to access the machine itself
obviously the virtual adapter is now contained, so that shouldn't be possible at all if my thoughts are correct.

now I just need to create an ip on the vmac, which should be easy enough with ifconfig in ns1
then configure Suricata to manage access from the vmac
set up a rat-maze (the floor is made of pressure plates) of dynamics to hopefully slow down an attacker that manages to break through Suricata (so I can catch them myself as they try to solve it)
and then finally set up NAT to other vns connections (possibly with similar securities)

now all I have to ask is what would be the best approach to setting up frontward forwarder servers on the host machine through this??
do I put it through the NAT or obscure it through the maze??
and of course add extra security to harden things further. :P

EDIT:
btw, all this security is not paranoia, it's low faith in "experts"
I'm just sick of hearing "oh yeah this is absolutely secure" and then watching that get taken out by a simple SHA1 issue or something.
I want extra security so I don't end up with egg on my face by relying on Suricata or such, since nobody else cares enough to secure linux by default for everyone else.

everyone else: ... dem themes doh, look how coo day are
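Here is an added example (mine, not the poster's setup) that turns the macvlan-into-namespace idea above into a checkable plan. It assumes the same names as the post (eth0, eth0.1, the 00:11:11:11:11:11 MAC, ns1) plus a constructed 192.0.2.10/24 address; by default it only prints the commands, and the isolation check reads `ip -o link show` output, with a constructed sample included so it runs without root. Beyond the three commands in the post, the plan also brings lo and the macvlan up inside the namespace and gives it an address.

```python
"""Plan the macvlan-in-namespace setup and verify that the namespace
sees only the macvlan child, not the physical NIC.

Added example, not code from the thread. Interface names, MAC, address
and namespace name are assumptions taken from (or constructed for) the post.
"""
import subprocess

PHYS = "eth0"                 # physical uplink (assumption from the post)
VMAC_IF = "eth0.1"            # macvlan child that moves into the namespace
VMAC = "00:11:11:11:11:11"    # MAC from the post
NS = "ns1"
VMAC_ADDR = "192.0.2.10/24"   # constructed documentation-range address

def build_plan(phys=PHYS, child=VMAC_IF, mac=VMAC, ns=NS, addr=VMAC_ADDR):
    """Ordered ip(8) invocations: create child, move it, bring it up in the ns."""
    return [
        ["ip", "link", "add", "link", phys, "name", child, "address", mac, "type", "macvlan"],
        ["ip", "netns", "add", ns],
        ["ip", "link", "set", child, "netns", ns],
        ["ip", "netns", "exec", ns, "ip", "link", "set", "lo", "up"],
        ["ip", "netns", "exec", ns, "ip", "addr", "add", addr, "dev", child],
        ["ip", "netns", "exec", ns, "ip", "link", "set", child, "up"],
    ]

def apply_plan(plan, dry_run=True):
    """Print each command; actually run it only when dry_run is False (needs root)."""
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)

def interfaces_from_ip_link(output):
    """Parse 'ip -o link show' output into the set of interface names."""
    names = set()
    for line in output.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0].strip().isdigit():
            names.add(parts[1].strip().split("@")[0])   # drop the '@ifN' parent suffix
    return names

def namespace_isolation_ok(ns_output, phys=PHYS, child=VMAC_IF):
    """True when the namespace sees the macvlan child but not the physical NIC."""
    names = interfaces_from_ip_link(ns_output)
    return child in names and phys not in names

# Constructed sample of 'ip netns exec ns1 ip -o link show' after the plan ran.
SAMPLE_NS_LINKS = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "3: eth0.1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP"
    " link/ether 00:11:11:11:11:11\n"
)

def check_live_namespace(ns=NS):
    """Run the same check against the real namespace (setup must have been applied)."""
    out = subprocess.run(["ip", "netns", "exec", ns, "ip", "-o", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return namespace_isolation_ok(out)

if __name__ == "__main__":
    apply_plan(build_plan(), dry_run=True)
    print("sample namespace isolated:", namespace_isolation_ok(SAMPLE_NS_LINKS))
```

One point worth keeping in mind when reading the result: a network namespace gives a process its own interfaces, routes, and sockets, so a service inside ns1 only sees eth0.1. It does not separate the filesystem, process list or users, so it is a containment of the network view, not a sandbox by itself; the mount, pid and user namespaces (or a VM) cover the rest.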

I use TAILS and have tried the PARROT distros. These seem secure enough to me. In fact the Tails OS is disliked by USGOV agencies.

https://www.theregister.com/2014/07/03/nsa_xkeyscore_stasi_scandal for example.

I wish I had more to offer here but for decades I've used the method of dropping unsolicited packets to stop attacks in their tracks. Now if you run some Fish Server that has an exploitable bug, my view is you fix the Fish Server.

tails isn't bad :)
but I wouldn't call it good either >_>
the only thing saving it is Tor, but otherwise if hackers can manage to lock on to the source IP, they can still do whatever until you bomb it.
(Tor Browser is less secure compared to Vivaldi, excluding onion domains)

Qubes is also really good for virtualization, buuuut doesn't have as much security as Tails.

and btw, yes, dropping unsolicited packets is my intent, and yes it works 99.9% of the time.
but you have to connect to the internet and port-forward servers somehow
everything open there will be taken advantage of, so what I'm doing is setting up for the potential breakthrough
1 brick wall isn't going to be truly enough when it comes to a willing hacker, that's why cronies are paying anyone who can crack Monero.
I want to know I'm secure and not simply rely on 1 wall of protection on the front lines
IF something breaks through, I want to be able to identify and eradicate it (if software can't do it for me)

now yes if you host a server through that, and that server creates holes, THEN that's on the server
what I've set up isn't the problem there because that's doing its proper job
thing is, I should still be able to detect that unless the traffic is encrypted with something other than HTTPS

also I've played around with my setup...
and no, netns doesn't work as expected... T3T

netns just creates an alternate link to the same machine, there is no "container" like I've been told...
or rather, there is no isolation provided by the container, everything on the host is still accessible within the container...
unless there's a way I can actually HAVE isolation with netns??

or is that just something I should look into setting up with hyper-v through kvm?
is it possible to create a runtime VM that copies what's needed for isolation??
and also is it possible to have it nuke itself like Tails so a restart can rebuild the VM based on configs??
that way if a hacker manages to compromise the system and RAT, botnet, or delete the VM, I can just restart my router, or launch a rebuild command.

it's all just backup solutions, much like how Windows has EFS to restrict file access to only the user.
(which yes, that's also something I'd like to add once Linux can do active file encryption as a 3rd backup for the worst case scenario)

also hey, btw @rprofitt, when I'm ready, could I ask how you've set up that method of dropping unsolicited packets :)
would probably be quicker to get it from you than having to DDG it when the time comes ;)
do you use surricata, or do you just disable everything at that??

"everything open there will be taken advantage of"

I wish you had followed that up with something like " if there is a service listening."

If a packet arrives and there is no service listening, in all the Linux setups I've seen that packet is dropped as it has nowhere to go.
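To make the "drop unsolicited packets" rule from this reply concrete, here is an added example of my own (not the poster's configuration). It is a small Python model of what a stateful firewall does: replies to flows the host started are accepted, new connections are accepted only towards a port with a real listener, and everything else is dropped. The host address, the single forwarded port and the packet sequence are constructed.

```python
"""Simulation of 'drop unsolicited packets' as a stateful firewall applies it:
accept established/related traffic, accept new connections to real listeners,
drop the rest.

Added example, not code from the thread; hosts, ports and packets are constructed.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (arriving from the network) or "out" (sent by this host)
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False # TCP only: True for a connection-opening segment

@dataclass
class StatefulFilter:
    listening: set                                   # (proto, port) pairs with a service bound
    conntrack: set = field(default_factory=set)      # flows the host has opened or accepted
    dropped: list = field(default_factory=list)      # log of unsolicited packets

    @staticmethod
    def _flow(p):
        """Canonical (proto, local, lport, remote, rport) key for either direction."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p):
        flow = self._flow(p)
        if p.direction == "out":
            self.conntrack.add(flow)           # remember what this host asked for
            return "accept"
        if flow in self.conntrack:
            return "accept"                    # reply or continuation of a known flow
        if (p.proto, p.dport) in self.listening and (p.proto == "udp" or p.syn):
            self.conntrack.add(flow)           # new connection to a real service
            return "accept"
        self.dropped.append(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop"                          # no listener, or no handshake: unsolicited

HOST = "192.0.2.10"   # constructed address of the protected host

def run_scenario():
    """Feed a constructed packet sequence through the filter; return verdicts and drop log."""
    fw = StatefulFilter(listening={("tcp", 25565)})   # one port-forwarded game server
    packets = [
        Packet("out", "udp", HOST, 40001, "198.51.100.5", 53),              # our DNS query
        Packet("in",  "udp", "198.51.100.5", 53, HOST, 40001),              # its answer
        Packet("in",  "tcp", "203.0.113.7", 51234, HOST, 22, syn=True),     # probe: nothing listens
        Packet("in",  "tcp", "203.0.113.9", 51235, HOST, 25565, syn=True),  # real client connects
        Packet("in",  "tcp", "203.0.113.9", 51235, HOST, 25565),            # later segment, same flow
        Packet("in",  "tcp", "203.0.113.8", 4444, HOST, 25565),             # stray segment, no handshake
        Packet("in",  "udp", "203.0.113.8", 5353, HOST, 5353),              # unsolicited UDP
    ]
    return [fw.handle(p) for p in packets], fw.dropped

if __name__ == "__main__":
    verdicts, dropped = run_scenario()
    for v, line in zip(verdicts, ["dns out", "dns reply", "ssh probe", "client syn",
                                  "client data", "stray tcp", "stray udp"]):
        print(f"{line:12s} {v}")
    print("dropped:", dropped)
```

The drop log is the part a defender actually wants: in a real ruleset the equivalent is a logging rule just before the final drop, which is what gives you the "identify" half of "identify and eradicate" without opening anything.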

alright so I just did a netstat even though I haven't set up much of anything yet...
I'm actually seeing a bunch of stuff that rather surprised me as I don't think a lot of these should be running (unix domain sockets)

  • X11
  • dbus
  • udev
  • gnupg
  • ssh
  • pulse

some of these I don't think I can remove... like the ssh socket, which probably associates with virtmanager (hyper-v stuff)
and gnupg is probably for some kernel stuff...
but is it possible to disable any of these sockets through configs??

I need X11, dbus, and udev for XFCE, but if I can disable the sockets for them, that would be great.

I'm actually surprised there's even a socket for pulse at all as I always uninstall it
ALSA+QasMixer is soooooo much better and doesn't drop streams on a busy CPU, plus it's more configurable
(yes I have these installed as maybe I could have my router ping audio through my primary speakers if an issue is detected)
so yeah, I'm not sure why that exists... probably for virtmanager if I had to guess

also, from the way you're talking, you sound like you've just never been a target of any real hacks...
real hackers can do some pretty magical things when it comes to breaking into systems...
did you know that just about all Tor exit nodes have been compromised (for tracking a bitcoin-mixer)??

also, Pupy is a RAT that runs entirely in a target's RAM, and all that's needed to infect the target is the target's IP.
I'm not sure how it does the magic to infect the target, but if I had to guess,
it probably uses something like any open port on the system, as I've been told by hackers (now ex-friends I no longer have contact with)

obviously you have to have open ports to actually use the internet, or host a game server, or whatever
but I'm trying to figure out a way I can have those ports open, and not have to worry about attackers
or in other words, have my cake and eat it too.

I wrote my last comment when I was half asleep, as it was around 9PM for me when I looked at this thread...
but yeah, basically, any open socket on your linux system can be compromised by hackers, even if they're root-only access.
it's not hard to do privilege escalation if you have access to the target machine, as there are thousands of ways to do it.
heck, you can even use bash to write a program in the target's home directory that can do some sort of escalation...

now you see why, in my python IPC discussion, I'm against the use of sockets for IPC.
Linux is not as secure as everyone would like to believe, but linux has much more functionality than the much more secure BSD, which I also need.
Void Linux is my balance to allow me to do what I need to.

the dismissive mindset of just using basic TCP/IP setups and dismissing human error for disabling everything is extremely restrictive for what should be allowed to operate within the walled garden created by the bulky hardware at the top level of the network.
(eg: I can't run XFCE on my router like I want to because it adds compromisable sockets I can't disable)

what I want to do with my setup is allow those basic configurations to continue, but have an overseer (HIPS) that can watch open ports for malicious packets.
and if any malicious packets get past that, additional layers of security should take over to add further restrictions, like the rat maze of dynamics I wanted to set up, and also EFS to restrict malicious file access/modification even further.
don't just focus on level-1 security, and leave it at that (oh well, I guess I'm compromised if they get past that)
focus on level-2 and level-3 restrictions as well.
currently Windows is more secure (not really) than Linux if you focus on additional layers of security.
(not really because Windows can be ripped apart by hackers much easier than Linux, and doesn't actually try to protect anything)

Let's define what an open port is.

To me an open port is one that is not blocked by firewall or other means and has a listener.

I'm sure you have followed the back and forth discussions about GRC and similar.
Example: https://www.reddit.com/r/PrivateInternetAccess/comments/8xquqi/why_are_pias_grc_shieldsup_results_complete_crap/

So let's be very defined here. Open ports do not mean "exploitable."
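Since the two posts above disagree mostly over what counts as "open", here is an added example (my own, not from either poster) that applies the definition just given to the kind of list the netstat post produced. It parses the text output of `ss -tulnp` (TCP/UDP listeners) and `ss -xlp` (unix domain sockets) and splits the result into listeners a remote host could reach (bound to a non-loopback address) and sockets only local processes can open. The sample output is constructed, not captured from anyone's system; the process names in it are illustrative.

```python
"""Inventory listening sockets from ss(8) output and separate network-reachable
listeners from local-only ones (loopback binds and unix domain sockets).

Added example, not code from the thread. SAMPLE is constructed output.
"""
import re
import subprocess

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Return listener records from 'ss -tulnp' / 'ss -xlp' text; header lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Netid":
            continue
        netid, state, local = f[0], f[1], f[4]
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        if netid.startswith("u_"):               # unix domain socket: path or @abstract name
            records.append({"proto": netid, "bind": local, "port": None,
                            "proc": proc, "exposure": "local-unix"})
            continue
        if netid == "tcp" and state != "LISTEN":
            continue                             # connected socket, not a listener
        addr, port = local.rsplit(":", 1)
        if addr in LOOPBACK:
            exposure = "loopback-only"
        elif addr in WILDCARD:
            exposure = "all-interfaces"
        else:
            exposure = "one-address"
        records.append({"proto": netid, "bind": addr, "port": int(port),
                        "proc": proc, "exposure": exposure})
    return records

def network_reachable(records):
    """Listeners a remote host can talk to: open in the sense of the post above."""
    return {(r["proc"], r["proto"], r["port"]) for r in records
            if r["exposure"] in ("all-interfaces", "one-address")}

def local_only(records):
    """Sockets that exist but that no packet from the network can reach."""
    return {(r["proc"], r["proto"]) for r in records
            if r["exposure"] in ("loopback-only", "local-unix")}

# Constructed sample: first block in 'ss -tulnp' layout, second in 'ss -xlp' layout.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhcpcd",pid=312,fd=7))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=501,fd=6))
tcp   LISTEN 0      128    0.0.0.0:25565       0.0.0.0:*         users:(("gameserver",pid=777,fd=3))
tcp   LISTEN 0      128    [::]:25565          [::]:*            users:(("gameserver",pid=777,fd=4))
Netid State  Recv-Q Send-Q Local Address:Port                Peer Address:Port Process
u_str LISTEN 0      128    /run/dbus/system_bus_socket 17862 * 0               users:(("dbus-daemon",pid=390,fd=3))
u_str LISTEN 0      128    @/tmp/.X11-unix/X0 21000           * 0               users:(("Xorg",pid=455,fd=5))
u_str LISTEN 0      128    /run/user/1000/pulse/native 23456  * 0               users:(("pulseaudio",pid=600,fd=9))
"""

def live_inventory():
    """Same analysis against the running system (needs ss from iproute2)."""
    out = subprocess.run(["ss", "-tulnp"], capture_output=True, text=True, check=True).stdout
    out += subprocess.run(["ss", "-xlp"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)

if __name__ == "__main__":
    recs = parse_ss(SAMPLE)
    print("reachable from the network:", sorted(network_reachable(recs)))
    print("local only:", sorted(local_only(recs)))
```

Read against the list in the netstat post: X11, dbus, udev, gnupg, ssh-agent style and pulse entries that show up as unix domain sockets fall entirely in the local-only bucket. No packet from the network can be delivered to them; they only matter once an attacker already runs code on the box, and there the usual controls are socket file permissions and not running the daemon at all. The loopback-bound cupsd in the sample is in the same position. If a socket is unwanted, the clean fix is to stop the service that creates it rather than to firewall it: on Void Linux that means removing its symlink from /var/service, on systemd systems `systemctl disable --now` on the service or its .socket unit.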

oh I see, open to public access, not open in general... my mistake. x.x
even still, I can't exactly be comfortable with them just being there... it's not enough for me...
especially in the case of SSH, where I've removed sshd completely (I don't need it, nor want it)
sure I can just block everything with iptables, but can I do better and disable some of these sockets entirely??

also, no, I haven't followed too many things there and such, I actually haven't even heard about GRC, though it looks really interesting! ;)

main reason I haven't is because I haven't been directed towards such research... (been focused on other things)
I've mainly been going off my own intuition about security, which I've picked up from many various experiences...
I know it's not everything though, so any resource helps, big thanks :)

but anyways, getting back to netns
I take it it's not possible to isolate a namespace without resorting to a hyper-v kvm solution... right??
(morale: better to have and not need than need and not have)
I wonder if I can do away with virt-manager to where I can get rid of the vbridge interfaces and ssh/pulse sockets :)

oh hey, maybe I CAN do what I want
I completely forgot about sandboxing which should provide the isolation I'm looking for:
https://shubham0d.github.io/sandboxing-and-program-isolation-in-linux-using-many-approaches/index.html

this'll help because hyper-v/kvm is a B to set up as well as inefficient when it comes to system resources
I doubt I can really do too much with only 2GB of DDR
sure I have a board that can do 4GB dual-channel, but I'm currently trying to replace the caps on that
I also have a board that can do 3GB single-channel with 5 PCI slots, unlike the 3 I'm working with on both previous boards

actually...
if I can get 1 of those other 2 boards working again, which would you recommend I use??
more power, or more devices?? (I need both, but I have a 2nd sub-router I can use for the 3-slot option)

and no, the garbage is not an option XD
life is forcing me to make do with what I got :)

Sorry for the delay. DW has been slammed with spam recently and I only get so much time here.

You write "open to public access" in regard to ports (I assume.) I maintain that open ports are a non-issue when there is no listener and you have a good stack.

Bad stack you ask? Going back to Microsoft's old stacks in Windows 3.1x, NT and 95 those were exploitable. https://en.wikipedia.org/wiki/WinNuke for example.

Today you won't find that or rather should never see that again. But hey, new programmers creating their own or borrowing ancient codes could bring these horrors back.

-> Can you define what "open to public access" means? To me that would mean there's a server or service responding.

don't worry, it's fine, I'm pretty aware you're busy when you're not responding ;)

"To me that would mean there's a server or service responding."

yes exactly, that's what I want to have Suricata examine and protect
and yes Suricata would be sandboxed which would achieve that isolation I wanted

and no I'm not worried about the network stack
I'm pretty sure that's more robust than windows ;)
