[ale] How to test your public internet connection for open ports

Michael H. Warfield mhw at WittsEnd.com
Fri Feb 11 18:38:02 EST 2011


Hey Ron,

Yeah, I know you addressed this to Michael T.  Sometimes I type before I
look and I've done that more than once in this thread.  Still,
some things are just as applicable to me.

On Fri, 2011-02-11 at 16:51 -0500, Ron Frazier wrote: 
> Michael T.,

> For what it's worth, I just responded to Wolf's post and publicly 
> acknowledged your and Michael W's, and others' expertise.

> I too agree that we've beaten the horse pretty good.  So, I will be 
> winding down the discussion.  You chose to make these long replies, 
> which I will review, and selectively reply if I think the reply is 
> relevant and hasn't been addressed.

> However, having said that, many of the things which you said in the 
> message I snipped below either border on, or are outright personal 
> attacks on me.  I resent that, and I feel it's not appropriate.  I'm 
> politely asking you to stop that.

I can't speak for Michael T.  I can only speak for myself.  Don't take
any of what's been said personally.  Some of us (me especially) can get
pretty intense over subjects we're passionate about.  It happens that
Michael T. and I share a passion for security and that really takes a
different way of thinking that can sometimes be hard to explain.  Like
Bruce Schneier likes to say, "we don't think like other people".  And I
know I certainly have a reputation for being rather brusk and abrasive
at times.  [Nobody start piling in on that, ok?]

Over the years many of us have developed pretty thick hides and I've
been flamed plenty of times and made plenty of mistakes myself.  Stuck
my foot in my mouth often enough that "fillet de sole" becomes a
familiar taste.  And I even made more than a couple of mistakes in this
thread by typing without thinking, not the least of which was forgetting
the whole thing with TCP defaulting to RESETs and not ICMP UNREACH.
DoH!  I know better.  There were a couple of others.  Suffice it to say,
even if you return ALL the right error codes, you really can never be
"invisible" on the net.  Some of us are advanced enough to see through
even that (exercise left to the readers).  It's certain that if the bad
guys want you bad enough they can too.

If I said anything you felt was too personal or too ad hominem, my
apologies, no offense was intended.

Regards,
Mike

> You seem to take comments I've made about the internet, or the 
> standards, as a personal attack.  They are not a personal attack.
> 
> You don't know me.  You don't know anything about me, other than what 
> I've written.  I am not trolling.  I am posting my opinion on the 
> subject under discussion, right or wrong, and I am attempting to learn.
> 
> As far as my being qualified to give advice on security, the only 
> qualifications I need are to be more knowledgeable than my family and 
> friends, which I am; and to know that the advice I give will help them 
> be more secure, which I do.
> 
> The experiences I'm relating go back 5 years or so.  The older routers 
> in particular, could not be trusted to be adequately set up, either by 
> default, or by wizard, to be as secure as they could be.  If they've 
> changed in the past few years for the better, that's great.  I'm fine 
> with that.
> 
> As far as my advice to others regarding security, the following are rock 
> solid, good pieces of advice for consumers, and I stand by them:
> 
> 1) Get a router and put it between your PC and the cable modem.
> 
> Either by wizard or by manually checking, check and / or change:
> 
> 2) WPA/WPA2 wireless encryption on with long random password - 20+ digits.
>       (WEP will not do.  It is badly broken and can be cracked in a 
> matter of minutes.  There have been examples of WPA with shorter 
> passwords being cracked as well.)
> 3) Default password change
>       (Yes, it's only available from the LAN.  If a virus gets loose in 
> the network, it may try to access the router's configuration and change 
> it through the setup screen, using the default password.  Not to mention 
> children and other people that might be accessing the LAN.)
> 4) NAT on
>       (Not security specific but needed for IPv4 setups with multiple 
> computers.  Probably already on.  Check anyway.)
> 5) Firewall on
>       (Yes, it's probably on already.  Check anyway.)
> 6) Remote WAN side admin off
>       (Yes, it's probably already off. Check anyway.)
> 7) UPNP off
>       (Yes, that breaks some automated setups of games and things.  But 
> in terms of security, it's a risk.  If a virus gets loose in the network, 
> many of them will specifically try to exploit UPNP to open holes in the 
> firewall.  Not only that, sometimes, you never know it's been done.  A 
> security conscious user would be better off to manually open the ports 
> he needs for his game.  The friends and family members I advise are not 
> gamers.)
> 8) SSID change to something besides Linksys, etc.
>       (Not security specific.  Helps you connect to your router rather 
> than your neighbor's when picking from a list.  Helps your neighbor 
> connect to his.  I've seen more of this in the past, less now.)
> 
> There is absolutely NO reason to advise a consumer any way other than 
> this, with the possible exception of UPNP, depending on the 
> circumstances.  These settings work.  And they are entirely appropriate.
> 
> In terms of packet rejection or stealthing, the router is going to do 
> what it's going to do, by design.  The user has no control over it.  I'm 
> pretty sure the ones I've encountered DROP the packets.  Michael W. and 
> Greg and I are having a discussion about that, and doing some testing.
> 
> The only even remotely questionable things I have advocated are:
> 
> A) Test your public IP with GRC Shields Up.
>       (Certainly not harmful.  I think it's helpful.)
> B) Turn Ping response off.
>       (There COULD be some negatives, although I've never observed any.)
> C) Change the DHCP server settings for the LAN.
>       (Not security related.  A matter of personal taste.  I don't 
> mention it to most people unless I think there's a reason, or unless I 
> administer their routers, then I set it myself.  The 3rd octet on my 
> routers and my Dad's respectively are numbered in a pattern, are all 
> unique, and are not the default.  Makes it very easy to know what 
> address to use if I want to access the config screen.  It also makes it 
> easy to tell which router I'm attached to.  Also, it pretty much 
> eliminates any possibility that I'll plug in another device and have an 
> IP collision.  Season to taste.)
> 
> Sincerely,
> 
> Ron
> 
> On 02/11/2011 11:40 AM, Michael B. Trausch wrote:
> > Ron,
> >
> > No offense, but frankly: you are absolutely not qualified to relay any
> > sort of advice on security.  Being that you've continued on and on and
> > on, it seems to me that one of two things is the case here.  Either:
> >    
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
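
Added example, not part of the original thread and not written by any of the posters: a small Python check that tells apart the responses discussed above when you probe a port on your own connection (completed handshake, TCP RST, unreachable error, or silence from a DROP rule). The function names `classify_port` and `audit` and the result labels are hypothetical; the demo listener on loopback is constructed.

```python
import errno
import socket

def classify_port(host, port, timeout=2.0):
    """Attempt one TCP connect and report how the far end answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"            # actively refused: the TCP RST default
    except (socket.timeout, TimeoutError):
        return "no-answer"         # nothing came back: dropped ("stealth")
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # host/network unreachable, e.g. via ICMP
        raise
    finally:
        s.close()

def audit(host, ports, timeout=2.0):
    """Map each port to its classification."""
    return {p: classify_port(host, p, timeout) for p in ports}

if __name__ == "__main__":
    # Constructed demo on loopback: one listener, then the same port unbound.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, classify_port("127.0.0.1", port))
    srv.close()
    print(port, classify_port("127.0.0.1", port))
```

To check a router's WAN side, run `audit` from a machine outside the LAN against your own public address; a probe from inside usually reaches the router's LAN interface instead.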