[ale] How to test your public internet connection for open ports
Ron Frazier
atllinuxenthinfo at c3energy.com
Fri Feb 11 16:51:03 EST 2011
Michael T.,
For what it's worth, I just responded to Wolf's post and publicly
acknowledged your and Michael W's, and others' expertise.
I too agree that we've beaten the horse pretty good. So, I will be
winding down the discussion. You chose to make these long replies,
which I will review, and selectively reply if I think the reply is
relevant and hasn't been addressed.
However, having said that, many of the things which you said in the
message I snipped below either border on, or are outright personal
attacks on me. I resent that, and I feel it's not appropriate. I'm
politely asking you to stop that.
You seem to take comments I've made about the internet, or the
standards, as a personal attack. They are not a personal attack.
You don't know me. You don't know anything about me, other than what
I've written. I am not trolling. I am posting my opinion on the
subject under discussion, right or wrong, and I am attempting to learn.
As far as my being qualified to give advice on security, the only
qualifications I need are to be more knowledgeable than my family and
friends, which I am; and to know that the advice I give will help them
be more secure, which I do.
The experiences I'm relating go back 5 years or so. The older routers
in particular, could not be trusted to be adequately set up, either by
default, or by wizard, to be as secure as they could be. If they've
changed in the past few years for the better, that's great. I'm fine
with that.
As far as my advice to others regarding security, the following are rock
solid, good pieces of advice for consumers, and I stand by them:
1) Get a router and put it between your PC and the cable modem.
Either by wizard or by manually checking, check and / or change:
2) WPA/WPA2 wireless encryption on with long random password - 20+ digits.
(WEP will not do. It is badly broken and can be cracked in a
matter of minutes. There have been examples of WPA with shorter
passwords being cracked as well.)
3) Default password change
(Yes, it's only available from the LAN. If a virus gets loose in
the network, it may try to access the router's configuration and change
it through the setup screen, using the default password. Not to mention
children and other people that might be accessing the LAN.)
4) NAT on
(Not security specific but needed for IPv4 setups with multiple
computers. Probably already on. Check anyway.)
5) Firewall on
(Yes, it's probably on already. Check anyway.)
6) Remote WAN side admin off
(Yes, it's probably already off. Check anyway.)
7) UPNP off
(Yes, that breaks some automated setups of games and things. But
in terms of security, it's a risk. If a virus gets loose in the network,
many of them will specifically try to exploit UPNP to open holes in the
firewall. Not only that, sometimes, you never know it's been done. A
security conscious user would be better off to manually open the ports
he needs for his game. The friends and family members I advise are not
gamers.)
8) SSID change to something besides Linksys, etc.
(Not security specific. Helps you connect to your router rather
than your neighbor's when picking from a list. Helps your neighbor
connect to his. I've seen more of this in the past, less now.)
There is absolutely NO reason to advise a consumer any way other than
this, with the possible exception of UPNP, depending on the
circumstances. These settings work. And they are entirely appropriate.
In terms of packet rejection or stealthing, the router is going to do
what it's going to do, by design. The user has no control over it. I'm
pretty sure the ones I've encountered DROP the packets. Michael W. and
Greg and I are having a discussion about that, and doing some testing.
The only even remotely questionable things I have advocated are:
A) Test your public IP with GRC Shields Up.
(Certainly not harmful. I think it's helpful.)
B) Turn Ping response off.
(There COULD be some negatives, although I've never observed any.)
C) Change the DHCP server settings for the LAN.
(Not security related. A matter of personal taste. I don't
mention it to most people unless I think there's a reason, or unless I
administer their routers, then I set it myself. The 3rd octet on my
routers and my Dad's respectively are numbered in a pattern, are all
unique, and are not the default. Makes it very easy to know what
address to use if I want to access the config screen. It also makes it
easy to tell which router I'm attached to. Also, it pretty much
eliminates any possibility that I'll plug in another device and have an
IP collision. Season to taste.)
Sincerely,
Ron
On 02/11/2011 11:40 AM, Michael B. Trausch wrote:
> Ron,
>
> No offense, but frankly: you are absolutely not qualified to relay any
> sort of advice on security. Being that you've continued on and on and
> on, it seems to me that one of two things are the case here. Either:
>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
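
The distinction the message draws between a router that rejects unsolicited packets and one that silently drops ("stealths") them can be observed with a plain TCP connect test. The sketch below is an added example, not part of the original post; the function names are hypothetical, and it assumes it is run from a host outside the LAN against your own public IP, since a test from inside does not show what the internet sees.

```python
import errno
import socket

# A probe answered with a TCP RST or an ICMP "unreachable" typically surfaces
# as one of these errno values: something replied instead of staying silent.
REJECT_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}


def interpret(exc):
    """Map the outcome of one TCP connect attempt to a port state."""
    if exc is None:
        return "open"        # handshake completed: a service is exposed
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # no answer at all: the packet was DROPped
    if isinstance(exc, OSError) and exc.errno in REJECT_ERRNOS:
        return "closed"      # REJECTed, or nothing is listening
    return "error"           # local problem (bad address, DNS failure, ...)


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return interpret(None)
    except OSError as exc:   # socket.timeout is a subclass of OSError
        return interpret(exc)


def audit(host, ports, timeout=2.0):
    """Return {port: state}; any 'open' entry deserves a second look."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Constructed demo on loopback: one listening port and one freed port.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    print(audit("127.0.0.1", [open_port, closed_port]))
    listener.close()
```

A router that drops packets shows every unforwarded port as `filtered`; one that rejects them shows `closed`. Either way, the result to act on is an unexpected `open`.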