[ale] How to test your public internet connection for open ports
David Tomaschik
david at systemoverlord.com
Fri Feb 11 12:09:09 EST 2011
Not to nitpick, but....
On Fri, Feb 11, 2011 at 11:55 AM, Michael B. Trausch <mike at trausch.us> wrote:
> I lied. *this* is my last post on this thread.
>
>> * They usually have a stupid well published default password. That
>> definitely needs to be changed.
>
> Only accessible on the LAN, unless explicitly enabled by the user on the
> WAN side. If the workstations on the network are secure, this makes
> absolutely zero difference whatsoever.
>
Except for the tiny detail that DNS rebinding attacks
(http://en.wikipedia.org/wiki/DNS_rebinding) are comparatively hard to
defend against. And DNS rebinding attacks have been a headache for
routers for a while, even those with 3rd party firmware like DD-WRT.
But I suspect that most COTS routers allow admin password setting
during the installation. I've seen others that use the MAC address
(or a subset thereof) as the default password.
> There is no reason to change the DHCP settings unless the user is an
> advanced user such as myself, utilizing multiple subnetworks in
> different ranges. For example, I have three routed networks that are
> tied together using a virtual network built over top of the Internet,
> all in RFC 1918 space. I'm phasing that out, however. It's getting
> replaced with public IPv6 addresses and the use of IPsec to secure
> communications between those networks. Two of those networks do that
> right now. The third will happen in the next month.
>
> --- Mike
I'm curious as to what you're doing with those 3 networks tied
together, if you don't mind sharing. I'm also curious as to why you
chose IPSec as opposed to something like OpenVPN. (I know there are
good reasons for both, just curious what yours are.)
--
David Tomaschik, RHCE, LPIC-1
GNU/Linux System Architect
GPG: 0x5DEA789B
david at systemoverlord.com
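
One resolver-side mitigation for the DNS rebinding risk raised in the message above, as an added example that is not part of the original post: drop internal addresses from answers for names that are not local. The `.home.lan` suffix, the hostnames and the addresses are constructed for illustration.

```python
import ipaddress

# Ranges that should never appear in an answer for a public name.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::/128", "::1/128", "fc00::/7", "fe80::/10",      # IPv6 unspecified, loopback, ULA, link-local
)]

# Assumption: suffixes the LAN's own resolver legitimately maps to internal hosts.
LOCAL_SUFFIXES = (".home.lan",)

def is_internal(addr):
    """True if addr falls in a range reachable only from inside the LAN or host."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:192.168.1.1 reaches the same host as 192.168.1.1, so unwrap it first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def filter_answer(name, addrs):
    """Return (kept, dropped) addresses for one DNS answer."""
    if name.lower().rstrip(".").endswith(LOCAL_SUFFIXES):
        return list(addrs), []          # local names may point at local hosts
    kept = [a for a in addrs if not is_internal(a)]
    dropped = [a for a in addrs if is_internal(a)]
    return kept, dropped

# Constructed sample answers: (queried name, addresses returned upstream).
SAMPLE_ANSWERS = [
    ("www.example.org", ["198.51.100.10"]),
    ("rebind.example.net", ["192.168.1.1"]),
    ("mixed.example.net", ["203.0.113.7", "10.0.0.1"]),
    ("mapped.example.net", ["::ffff:192.168.1.1"]),
    ("nas.home.lan", ["192.168.1.20"]),
]

def run_samples():
    return {name: filter_answer(name, addrs) for name, addrs in SAMPLE_ANSWERS}

if __name__ == "__main__":
    for name, (kept, dropped) in run_samples().items():
        status = "REBIND-SUSPECT" if dropped else "ok"
        print(f"{name:22} {status:15} kept={kept} dropped={dropped}")
```

Answer filtering only protects clients that use the filtering resolver, so it complements changing the router's default admin password rather than replacing it.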