Message boards : Number crunching : What ports does BOINC use for network access?

Nuadormrac

Joined: 26 Sep 05
Posts: 85
Credit: 421,130
RAC: 0
Message 10586 - Posted: 4 Oct 2005, 22:40:40 UTC
Last modified: 4 Oct 2005, 22:51:17 UTC

OK, a little background on what I'm doing with these computers here. I've got a Linux apps class where we have several projects throughout the semester. Right now I'm doing a project where I have 2 computers (they're only on during class and stuff, but do have OK crunch time anyhow, as they're Pentium 4s).

Anyhow both boxes are running Slackware 10.2, and I grabbed the Linux BOINC client to setup on one of them so far, and am still building the other. It's running LHC@home. The box it is on is a bit of a tarpit (or sticky honey pot) I setup, which is my current project.

The other box is to test it, which I'm setting up as a hack box (have some vulnerability testing tools loaded up, and am installing others).

Given the nature of honey pots and the sort of activity they're set out there to capture, I'm setting 2 routers around it to serve as firewalls. The setup is to have them as firewalls sorta in reverse (allow all traffic in, restrict what goes out). It would be like

internal network --- > firewall --- > DMZ of sorts holding the honey pot --- > firewall --- > classroom net (which provides Internet access).

The rationale is basically to allow the hackers (which is being simulated for this project) in (so they can be monitored and all), but to prevent the honey pot from being turned into a launch point from which a man in the middle attack could be launched either on the internal network, or against the Internet (obviously bad).

I've got the honey pot setup, and also some vulnerability testing tools installed (though going to load some others), and am almost ready to setup the routers, cut this network off (except for allowed traffic) and start crafting the access control lists.

But I would like BOINC to still be able to get out. So what ports does it use, and which ports should I open up to allow BOINC to continue to run without issue once I get my firewalls in place?
ID: 10586
John McLeod VII

Joined: 2 Sep 04
Posts: 165
Credit: 146,925
RAC: 0
Message 10587 - Posted: 4 Oct 2005, 22:50:19 UTC

BOINC.exe uses http (port 80) and with 5.1 https (port ?) as well outbound only to the project servers. BOINCcli.exe and BOINCmgr.exe use either 1043 or 31416 depending on availability to call BOINC.exe for control.


BOINC WIKI
ID: 10587
FZB

Joined: 17 Sep 04
Posts: 23
Credit: 6,871,909
RAC: 1
Message 10589 - Posted: 5 Oct 2005, 1:16:55 UTC

https should be port 443
ID: 10589
Nuadormrac

Joined: 26 Sep 05
Posts: 85
Credit: 421,130
RAC: 0
Message 10597 - Posted: 5 Oct 2005, 22:09:43 UTC
Last modified: 5 Oct 2005, 22:11:15 UTC

thx Assuming all goes well, BOINC should still get out along with basic web browsing and stuff after I complete this thing.

So I'm gathering for now I just need to add these ports, DNS (aka port 53), and will probably add the SSH port also, and then the rest I can deny all, and all should go well.
ID: 10597
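An added example, not from the thread and not BOINC's own code, of the policy sketched in the post above (let attackers in, let only DNS, BOINC's HTTP/HTTPS and SSH out, deny the rest), written for iptables on a Linux box sitting between the honey pot DMZ and the classroom net. The honey pot address 192.0.2.10, the outside interface eth1 and the port list are placeholders; the conntrack match module is assumed to be available. With IPT left at its default of echo the script only prints the rules it would install, so it can be reviewed before IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not BOINC's own code: egress allow-list for a honey pot DMZ.
# Inbound to the honey pot is open (that is its purpose); outbound from it is
# limited to what BOINC, DNS and SSH need, and everything else is logged and
# dropped.  IPT defaults to "echo" so the script prints instead of applying.
IPT=${IPT:-echo}

# honeypot_egress_rules HONEYPOT_IP OUTSIDE_IF [TCP_PORTS]
# 192.0.2.10 and eth1 used below are assumed placeholders, not real hosts.
honeypot_egress_rules() {
    hp=$1
    out=$2
    tcp_ports=${3:-"80 443 22"}    # BOINC http, BOINC https, ssh admin

    $IPT -P FORWARD DROP                                   # default deny
    $IPT -F FORWARD
    # Replies to connections already accepted in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from outside INTO the honey pot: allow (the lure).
    $IPT -A FORWARD -i "$out" -d "$hp" -m conntrack --ctstate NEW -j ACCEPT
    # New connections FROM the honey pot: only the allow-list.
    for p in $tcp_ports; do
        $IPT -A FORWARD -s "$hp" -o "$out" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -s "$hp" -o "$out" -p udp --dport 53 -j ACCEPT   # DNS
    # Anything else leaving the honey pot is evidence: log it, then drop it.
    $IPT -A FORWARD -s "$hp" -j LOG --log-prefix "HONEYPOT-EGRESS-DROP "
    $IPT -A FORWARD -s "$hp" -j DROP
}

# count_rules_for_port PORT: how many generated rules open that TCP port
# outbound (a quick self-check of the policy text before applying it).
count_rules_for_port() {
    honeypot_egress_rules 192.0.2.10 eth1 | grep -c -- "-p tcp --dport $1 " || true
}

honeypot_egress_rules 192.0.2.10 eth1
```

Two things worth noticing about the allow-list: outbound 443 and outbound 22 are exactly the ports an intruder would use to tunnel traffic back out of the DMZ, so on a real honey pot you would want to restrict those rules to the project servers' addresses and to your own admin host rather than to "anywhere", and the LOG line is what turns the drops into data for the monitoring side of the project.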
Travis DJ

Joined: 29 Sep 04
Posts: 196
Credit: 207,040
RAC: 0
Message 10598 - Posted: 6 Oct 2005, 3:28:51 UTC
Last modified: 6 Oct 2005, 3:34:29 UTC

If you'd like to accurately know what ports BOINC is using at any time (assuming you're on NT/2K/XP/2K3):

1) open a command prompt (Start -> Run -> cmd [enter])
2) type "netstat -a -b > ports.txt" at the prompt
3) type "start ports.txt" at the prompt
4) look for boinc.exe, boincmgr.exe .. the incoming ports to your pc are under "local address" and outgoing port(s) will be listed under the column "foreign address"

It looks like:
Proto  Local Address        Foreign Address               State      PID
TCP    [Your PC Name]:1043  [Destination Name/IP]:xxxxx   LISTENING  1044
[boinc.exe]
Enjoy!

ID: 10598
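The Linux counterpart of the check above, as an added example that is not part of the thread: the output of netstat -tunap (the sample below is constructed, with addresses from the documentation ranges 192.0.2.x and 198.51.100.x rather than real BOINC servers) is filtered to show which ports the boinc process listens on locally and which remote ports it connects out to. Those two lists are what the firewall has to permit: the listening port only matters to whatever runs the GUI/manager, the outbound ports are the egress rules.

```shell
#!/bin/sh
# Added example, not from the thread: pull the ports one process uses out of
# "netstat -tunap" output on Linux.  The sample below is constructed; the
# addresses are documentation ranges (192.0.2.x, 198.51.100.x), not real hosts.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:31416         0.0.0.0:*               LISTEN      2031/boinc
tcp        0      0 192.0.2.10:52844        198.51.100.7:80         ESTABLISHED 2031/boinc
tcp        0      0 192.0.2.10:52851        198.51.100.7:443        ESTABLISHED 2031/boinc
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd
udp        0      0 192.0.2.10:38012        192.0.2.1:53            ESTABLISHED 2031/boinc'

# proc_ports NAME: read netstat -tunap text on stdin and print, for every
# socket owned by program NAME, "proto local_port foreign_port state".
proc_ports() {
    awk -v want="$1" '
        $1 !~ /^(tcp|udp)/ { next }             # skip banner and header lines
        {
            split($NF, prog, "/")               # "2031/boinc" -> prog[2]
            if (prog[2] != want) next
            state = (NF >= 7) ? $6 : "-"        # udp lines may have no State
            nl = split($4, l, ":"); nf = split($5, f, ":")
            print $1, l[nl], f[nf], state
        }'
}

# Ports the process accepts connections on (inbound to this host).
listening_ports() { proc_ports "$1" | awk '$4 == "LISTEN" { print $1, $2 }'; }

# Remote ports the process connects out to (what an egress filter must allow).
egress_ports() {
    proc_ports "$1" | awk '$4 != "LISTEN" { print $1, $3 }' | sort -u -k1,1 -k2,2n
}

echo "listening:"; printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports boinc
echo "outbound:";  printf '%s\n' "$SAMPLE_NETSTAT" | egress_ports boinc
```

Run it against the live system with `netstat -tunap | egress_ports boinc` (as root, since -p only shows other users' processes to root), and keep in mind that a snapshot only shows connections open at that instant; BOINC contacts the scheduler and download servers intermittently, so sample a few times or watch the firewall's drop log for the ports you missed.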
Nuadormrac

Joined: 26 Sep 05
Posts: 85
Credit: 421,130
RAC: 0
Message 10599 - Posted: 6 Oct 2005, 4:25:07 UTC

I could check that at home. I assume they would be the same. Albeit at school, it's all installed under Slackware 10.2.

I do believe there is a netstat utility under Linux, though some of the settings might be a bit different...

thx
ID: 10599
Paul D. Buck

Joined: 2 Sep 04
Posts: 545
Credit: 148,912
RAC: 0
Message 10602 - Posted: 6 Oct 2005, 5:29:35 UTC

Ok, faithful documentor that I am, what are we trying to establish here ... I did as you suggested, and it looks interesting ... but, what is the utility?

I am not averse to discussing what this may be useful for here, or in e-mail till we can get something worth writing down ... I mean, we started the network trouble shooting guide but, not a network guy this is strange territory to me ...
ID: 10602
Nuadormrac

Joined: 26 Sep 05
Posts: 85
Credit: 421,130
RAC: 0
Message 10604 - Posted: 6 Oct 2005, 5:56:27 UTC
Last modified: 6 Oct 2005, 6:01:42 UTC

Oh, thx. Was just inquiring about the ports used so as to figure out what ports I need to open up to allow BOINC through. The actual project I'm doing with honey pots, a hacking box with actual intrusion detection software to test it is a bit OT from BOINC, though I do want to run BOINC on these boxes, even with the actual box I'm running this stuff from properly isolated. As I have the hard drives dedicated to me for the semester however to setup whatever I chose on, I also decided "oh, extra crunch time", for which the teacher was also interested and plans on looking into BOINC himself now... Hence this thread.

A little info if you're curious

http://en.wikipedia.org/wiki/Honeypot
http://www.sans.org/resources/idfaq/honeypot3.php

Obviously outside the BOINC related question, I want to keep the specifics on what I'm doing and how I'm testing this to a minimum, as it is NOT my goal to construct a hackers guide of any sort. I'm close to graduating however (this semester) and before finishing up, this is something which was mentioned in some of my classes in passing which I'm interested in looking into, getting some experience on how it works/how to setup.

Obviously also, with such boxes placed on a network, people want to tightly control what a would be hacker could do, once they're in the box designed to lure them, aka what can get out of the box.

I think I've got what I need for now, though I've got class tomorrow and if I get the routers I can setup the ACLs and the internal network for this, and test from there. With luck, LHC will still be able to return results and get WU, even while man in the middle attacks won't be able to leave the "honey net" area I'll be isolating off. I should know more tomorrow, assuming the teacher is able to procure the extra needed equipment by then...

Course outside my project, this would probably be of use for a network administrator that has a corporate network behind a firewall and is also security conscious (but would like to use BOINC as well), in that they don't want to open any more ports than absolutely needed by the software.
ID: 10604
Travis DJ

Joined: 29 Sep 04
Posts: 196
Credit: 207,040
RAC: 0
Message 10611 - Posted: 6 Oct 2005, 17:16:51 UTC - in response to Message 10602.  
Last modified: 6 Oct 2005, 17:25:04 UTC

<blockquote>Ok, faithful documentor that I am, what are we trying to establish here ... I did as you suggested, and it looks interesting ... but, what is the utility?
I am not averse to discussing what this may be useful for here, or in e-mail till we can get something worth writing down ... I mean, we started the network trouble shooting guide but, not a network guy this is strange territory to me ...</blockquote>Paul,

Netstat is a built-in network statistical analysis program common to the Windows platform (NT4, Win9x/Me, Win2000, WinXP, Win2003). It is installed by default and should be run within a command prompt window (cmd or command on older 9x systems). If you need the command-line switches explained just run "netstat -?". It can tell a user a lot about what connections (read: ports) are opened on a host and its destinations. Drop me a line at ttmcmurry@yahoo.com if you want to talk more about it.

Travis
ID: 10611
Tigher

Joined: 13 Jul 05
Posts: 40
Credit: 9,434
RAC: 0
Message 10645 - Posted: 8 Oct 2005, 19:03:53 UTC - in response to Message 10587.  

<blockquote>BOINC.exe uses http (port 80) and with 5.1 https (port ?) as well outbound only to the project servers..... </blockquote>

This is a definite *and* 443 and not an *or* ???? Some commercial installations won't let 443 out you know so if it is an *and* then you might lose some users here. 443 quite often gets firewalled out.

ID: 10645
Travis DJ

Joined: 29 Sep 04
Posts: 196
Credit: 207,040
RAC: 0
Message 10648 - Posted: 8 Oct 2005, 21:31:16 UTC - in response to Message 10645.  

Port 443 is 100% reserved for HTTPS (HTTP with SSL encryption) communication.

http://grc.com/port_443.htm

John McLeod VII was saying the 5.x clients use SSL for client-server communications and it's a fantastic idea, IMHO. Firewalls should not block port 443 by default but if for some god-forsaken reason it would, then open it. If closed, you'd never be able to do online banking, sign into your yahoo/netscape/google/aol web based email, or purchase items online from major vendors. And let me know the name of that particular firewall so I can never recommend it to any of my customers. :)

Travis
ID: 10648
Nuadormrac

Joined: 26 Sep 05
Posts: 85
Credit: 421,130
RAC: 0
Message 10654 - Posted: 9 Oct 2005, 0:47:42 UTC - in response to Message 10648.  
Last modified: 9 Oct 2005, 0:51:21 UTC

<blockquote>Port 443 is 100% reserved for HTTPS (HTTP with SSL encryption) communication.

http://grc.com/port_443.htm

John McLeod VII was saying the 5.x clients use SSL for client-server communications and it's a fantastic idea, IMHO. Firewalls should not block port 443 by default but if for some god-forsaken reason it would, then open it. If closed, you'd never be able to do online banking, sign into your yahoo/netscape/google/aol web based email, or purchase items online from major vendors. And let me know the name of that particular firewall so I can never recommend it to any of my customers. :)

Travis</blockquote>

One can open it up (and luckily for me, the thing is being built on some routers (OK they didn't have spare PIX's sitting around or something) and as such there won't be any hidden surprises. It also means I have to build it all from scratch...

However some places of business likely wouldn't let it through then. I'm not sure about BOINC, but I happen to have had several teachers who had a job at Sandia (National Labs) which is located here in Albuq, at Edwards Air Force Base. Needless to say, being a military installation security is tight. However, they won't allow any encryption in there that they themselves don't control.

Let me put it this way. One professor who worked there (I guess as part of their IT staff) mentioned that he couldn't order any hardware online because of this, so sure enough it does interfere with this. Then again his employer was clear "thou shalt not..." Another student jokingly suggested "well I could send you a PGP encrypted email at work." The teacher looked horrified and was like "no, please don't!!!"

They also monitor their network rather thoroughly, as when one of the teachers was called in to teach networking to some of the employees at Sandia (on the base), he without thinking brought his laptop with an IP sniffer installed to teach his class there about these. Next thing he knew, everyone's beeper was going off at once, and the class told him "turn that thing off now. You're going to get us all in trouble."

Most places of employment wouldn't enforce all the same policies as a military installation however...
ID: 10654
Tigher

Joined: 13 Jul 05
Posts: 40
Credit: 9,434
RAC: 0
Message 10661 - Posted: 9 Oct 2005, 17:01:50 UTC - in response to Message 10648.  

<blockquote>Port 443 is 100% reserved for HTTPS (HTTP with SSL encryption) communication.

http://grc.com/port_443.htm

John McLeod VII was saying the 5.x clients use SSL for client-server communications and it's a fantastic idea, IMHO. Firewalls should not block port 443 by default but if for some god-forsaken reason it would, then open it. If closed, you'd never be able to do online banking, sign into your yahoo/netscape/google/aol web based email, or purchase items online from major vendors. And let me know the name of that particular firewall so I can never recommend it to any of my customers. :)

Travis</blockquote>

Well thanks for that; I understand the technology so I know what 443 is for. Like I said 443 is blocked by many organisations to prevent the very thing you talk about: online banking, spending their time buying on ebay/paypal whatever whatever when they should be at work. They do not want an employee claim against them in anyway so they block it so it can only be done at home / away from work equipment. They don't want employees doing private stuff in work time. Lots of reasons for an outfit to block it off.

So if there is a move to SSL I think you may see a drop off in users. I thought SSL was going to be an option which is why I asked about *and* or *or* - quite frankly I don't see the need. Who wants to hack a result going back to UCB. I can see people sitting around monitoring and waiting for bank transactions to hack details from but LOL why would anyone do that for a seti WU. Nice to have a choice I would say but it cannot be mandatory surely.

Oh and there is no particular firewall being talked about here - I was talking about configuration.

ID: 10661
Travis DJ

Joined: 29 Sep 04
Posts: 196
Credit: 207,040
RAC: 0
Message 10664 - Posted: 9 Oct 2005, 20:41:47 UTC - in response to Message 10661.  
Last modified: 9 Oct 2005, 20:46:31 UTC

One would think it would be more effective for an organization to block access to particular domains versus blocking the https:// port. A good number of client/server apps even within an organization these days are using web based apps which are secure. That doesn't sound like a "best security practice" in my book. A great example is GE Capital who uses a single sign on "SSO" amongst all their connected companies. All apps which require a form of security clearance go through it and it makes their lives easier. If internally they blocked port 449 their corporation breaks down to a halt. Another example is Microsoft Exchange server 2003.. block 449 either internally or externally and web-based email breaks and is useless. :/

T
ID: 10664
Travis DJ

Joined: 29 Sep 04
Posts: 196
Credit: 207,040
RAC: 0
Message 10686 - Posted: 10 Oct 2005, 23:49:14 UTC
Last modified: 11 Oct 2005, 0:28:08 UTC

While bored in class tonight, I found the following information:

The IANA (Internet Assigned Numbers Authority) has a list of all ports which are well-known (0-1023), private/registered (1024-49151), or public (49152-65535).

BOINC is registered

Boinc-client port 1043/tcp client control
Boinc-client port 1043/udp client control

If you'd like the complete list (which was updated 10 Oct 2005) visit the IANA site.

[edit.. removed comment on what I thought was port 1044, it was PID 1044.. OY!]
ID: 10686
Henry Nebrensky

Joined: 13 Jul 05
Posts: 167
Credit: 14,938,551
RAC: 191
Message 10702 - Posted: 12 Oct 2005, 0:09:19 UTC - in response to Message 10661.  

<blockquote>I thought SSL was going to be an option which is why I asked about *and* or *or* - quite frankly I don't see the need.</blockquote>

Surely the encryption is secondary to the *authentication*.

<blockquote>Who wants to hack a result going back to UCB.</blockquote>

Depends if they can insert a malformed result into your reply to break into UCB...

But there's a lot more people out there who would love for you to download and run software from them. How do you know if your SETI app/WU is from UCB, and not from EvilTrojans.com?

ID: 10702
John McLeod VII

Joined: 2 Sep 04
Posts: 165
Credit: 146,925
RAC: 0
Message 10703 - Posted: 12 Oct 2005, 1:08:35 UTC

In 5.x HTTPS is used for passing the user ID and password to the web site for attaching to the project. HTTP is used by most projects for the normal work unit stuff.

There are other ways of attaching to a project. You can either create a properly formed XML file, or you can bring one from a machine that is outside of the organization.


BOINC WIKI
ID: 10703

©2024 CERN