On 04/01/18 19:11, Chris Green wrote:
> The Natural Philosopher  wrote:
>> On 04/01/18 11:47, Axel Berger wrote:
>>> Chris Green wrote:
>>>> What do you mean by 'external LAN interface'?
>>>
>>> Your router does connect you to the Internet, doesn't ist? External
>>> administration is so "convenient" and "comfortable" that it may be
>>> offered by default and if not your security need not be worth much.
>>
>> No. External administration is not offered by defaukt on a second hand
>> Cisco 527W
>>
>>>
>>> On the other hand, getting at you that way will require knowledge and
>>> effort. I expect you to be safe just because nobody as qualified would
>>> consider it worth his time to look at your PI experiments. Now, if you
>>> hosted a sizeable customer database there of ran a political website ...
>>>
>>
>> Even there, its surprsinsing how resileinet one can be. I do run a very
>> public websitre
>>
>> Have a look at what was happening in October...
>>
>> ...a massive increase in traffic TO the server...
>>
>> Till I got bored with the huge logs and firwalled out the fruitless
>> attempts to log in as root with every possible password.
>>
>> Hint to hackers. Root login is in any case disallowed. Even with the
>> roopt password.
>>
>> My point is that even with a relatively high profile and exposed machine
>> that has sshd enabled to all comers, they couldnt hack the thing in a
>> month of trying.
>>
>> Whereas I know of people with varoius 'web tools' like joomla who were
>> hacked every few DAYS
>>
> Yes, it's amazing how many hits an open ssh port gets!  :-)
>
> I have mine set up to only allow connections from two outside sites
> where I have ssh login accounts.  Thus I connect from 'somewhere' to
> one of these two accounts and then from there to my home system.
>
Basically I have unlimited access from my (fixed) home address - I had
opened ssh up so I could access it from  abroad, but I am back home now,
so I have shut the lot down.

Now the only globally open ports are smtp, ssmtp, pop3, http and https.
And one other I won't mention.

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:xxxxx
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

On the internet the default should always be 'only let in what you
absolutely need, and then only once you have worked out how to hack it,
and blocked that too'

I havenm't had a virus since I abandonedd Windows, and I have never been
hacked. Yet. But I have been subjected to sccessful denial of service
attacks.

Greens dont like gridwatch.


--

--- SoupGate-Win32 v1.05