[ale] How to test your public internet connection for open ports
Ron Frazier
atllinuxenthinfo at c3energy.com
Fri Feb 11 03:21:16 EST 2011
Hi Michael T,
See my reply to David, which covers most of this. Other replies in
line. I've snipped out the parts I want.
On 02/11/2011 02:13 AM, Michael B. Trausch wrote:
>
> The average consumer doesn't configure _anything_ manually. At least,
> not in my own personal experience. Hell, they don't even set passwords,
> or if they do, they're taped to the keyboard or the monitor. Hardly
> shining beacons of security, humans.
>
>
You're right. But the context of our discussion was those average or
above average consumers who listen to Mr. Gibson's podcast, so they're
already in tune to the need for security.
>
> The default configuration of any NAT appliance is going to be absolutely
> all that the average consumer requires. By default, all consumer
> devices that I am aware of do not forward incoming connections on any
> port to any system on the LAN side of the device, thereby raising the
> bar sufficiently high enough that your typical script kiddie isn't going
> to bother with it. IOW, unsolicited connections aren't allowed.
>
>
That's partly incorrect. The default settings generally do silently
drop, or stealth, unsolicited packets, which is exactly what Steve is
recommending. However, there are usually other defaults which must be
checked and sometimes changed.
* They usually have no active wireless encryption. That definitely
needs to be on.
* They usually have a stupid well published default password. That
definitely needs to be changed.
* They frequently have UPNP on. That should be turned off.
* They sometimes have remote internet side administration on. That
should be turned off.
* The NAT and firewall settings should be on. I've seen at least one
example where they weren't.
* It may be appropriate to change the SSID and DHCP settings.
In short, I would NEVER just take a home router out of the box and wire
it up and assume I'm done. Nor would I recommend it.
> If someone other than a script kiddie is interested in your data, there
> is more likely than not a reason for that (and you're probably aware of
> that and enhancing your security in really useful and meaningful ways,
> such as employing encryption, running any services that are run in a
> manner so as to be private, and so forth). If someone who has serious
> skills (probably both in programming and in social engineering) wants to
> get at your data, I assure you, they'll get there. It won't matter what
> you have in place in terms of port filtering; the one thing I can say
> for sure is that they won't come through a TCP or a UDP port. At least,
> not via a normal connection.
>
>
Not a concern inside my house.
> I could say a lot more. It'd only be repeating things that either
> myself or Mike W. or others on the list have said, pointed to,
> referenced, or whatever. It comes down to this: The things you
> advocate make you feel better and perceive an increase in your security.
> That's what the United States Federal Government does with its DHS, as
> well. I'm going to guess that you like that. I don't. I am concerned
> with real security, not façades that make it appear as if we have more
> security than we do.
>
>
I KNOW the things I advocate increase my security. The only question is
how much. I want the network to be as safe as it can, with the
equipment I have available.
> Regardless of the topic or problem domain, security requires one thing
> above all else: intimate knowledge of what it is that you are attempting
> to secure. That's why we have consultants to secure our cars against
> early failure. And contractors who do our electrical wiring for us, to
> secure ourselves against early deadedness. We pay consultants and
> contractors for their knowledge and ability to apply it. Or at least,
> that's the hope.
>
> --- Mike
>
>
The best we can hope for from the afore mentioned consumers is to have a
passing knowledge of security, and they probably won't have the money to
pay us for it.
Sincerely,
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
More information about the Ale
mailing list