Firewall
Quote:
I recall that the modem required a long number when I set it up. WPA key
You're best to tell us the brand/model details. Many units are combined modem router devices. If your computer gets a DHCP assigned local (private) IP address when you connect the unit, it is doing the routing to the internet. Does it have LAN ports?
From whence cometh that quote?
A home consumer grade modem is generally not a firewall in any sense of the word. To be certain, you'd need to RTFM your own modem's manual. You will sometimes see the term "firewall router." In my experience, home "firewall routers" are not worth relying on. A home router is not at all in the same league as a firewall appliance. What is commonly referred to as a "firewall router" is a firewall only in the sense that the public IP address is different from the LAN IPs on the devices behind it. If you have any open incoming ports on that "firewall router," for all practical purposes, it is not a firewall. The WPA key is irrelevant. That is needed to establish your connection. Once the connection is established, it is available to be exploited.
I wouldn't follow the advice you quoted. Firewalls are not foolproof. ;) Many DSL modems, like mine, are modem/router combos that include their own firewall. If you can give us the brand and model (and model number) we might be able to help you configure it. :) Regards...
DLink by Verizon DSL 2750 B.
Puppy Linux has a firewall that uses iptables, but I am currently not using it.
Code:
# iptables -L
Thanks Ardvark.
I am set up for Medium.
Will High still let me surf the net, email, etc.?
Yes. The firewall is to stop unwanted inbound access.
A couple of simple online port scanning tools:
http://www.t1shopper.com/tools/port-scan/
http://mxtoolbox.com/PortScan.aspx
Other tools offered: http://mxtoolbox.com/NetworkTools.aspx
From what I see, there is no difference between the two in terms of default settings but the medium setting allows for "customization through NAT configuration." ;) Regards...
Thanks gentlemen.
I wouldn't say all. Mine came with the firewall turned off by default and I had to go into the settings to change it. ;) Regards...
TBH even a disabled firewall for a Linux system, especially one that turns off services like Sendmail and Telnet, just to name 2, has fairly low odds of being hacked simply because despite its ephemeral nature, "security through obscurity" works since hackers wisely seek the "low hanging fruit", i.e. Windows PCs. That said, firewalls can add considerably to that, especially the internal iptables in Linux. Additionally, limiting the number of root logins can go a long way to fencing off any serious threat, provided you occupy the number allowed. Even though "adduser" is located in "/usr/sbin" it has root/root permissions and read-only for users. So barring root access effectively prevents anyone from even getting in, let alone doing any harm, AFAIK.
I currently have an iptables firewall properly set up and also limit accounts as above. I monitor connections by port range in real time via Conky and I run rkhunter once a month and in over 16 years have never seen a threat.
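A defender-side check that fits the iptables discussion in this thread, added here as an example and not code posted by anyone above: it parses an `iptables -L -n` listing (the sample text is constructed, not taken from the thread) and flags an INPUT chain whose default policy is not DROP, plus any inbound ports accepted from any source that are not on an allow-list.

```python
import re

# Constructed sample of `iptables -L -n` output; not from the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy DROP)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
DPT_RE = re.compile(r"\bdpt:(\d+)")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [fields, ...]}} from iptables -L -n text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            chains[current]["rules"].append(line.split())
    return chains

def inbound_open_ports(chains):
    """(proto, port) pairs that INPUT rules ACCEPT from any source (0.0.0.0/0)."""
    open_ports = set()
    for fields in chains.get("INPUT", {}).get("rules", []):
        target, proto, src = fields[0], fields[1], fields[3]
        m = DPT_RE.search(" ".join(fields))  # stateful rules carry no dpt and are skipped
        if target == "ACCEPT" and src == "0.0.0.0/0" and m:
            open_ports.add((proto, int(m.group(1))))
    return open_ports

def audit(text, allowed=frozenset({("tcp", 22)})):
    """Findings a defender wants: default-accept INPUT and unexpected inbound ports."""
    chains = parse_listing(text)
    findings = []
    policy = chains.get("INPUT", {}).get("policy")
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy}; default should be DROP")
    for proto, port in sorted(inbound_open_ports(chains) - allowed):
        findings.append(f"unexpected inbound {proto}/{port} open to any source")
    return findings
```

On a real box, feed it the output of `iptables -L -n` (run as root) and adjust `allowed` to the services you actually expose.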
@Fixit7:
You absolutely, most certainly *DO NOT* have a consumer grade router. You have a rental grade router. The HUGE difference between them is that *all* rental grade routers have a hidden password of the day that is created from a pre-gen seed / algo for the tech to log in and do repairs. The tech back door is a higher level of access than what you have (user/root). Most rental grade routers have had the seeds and algos reverse engineered and the password of the day can be bought over at AlphaBay, etc. Additionally, the FW in a rental grade router is always a complete joke compared to the firewalls in a consumer grade router. Please look at screen shots of any Netgear home router to see the difference. Popping the cherry of your NT appliance is even better than popping your machine. I can plant malware in your router that will set up redirectors that the AV on your machine will *never* catch. Bob's your uncle, Fanny's your aunt and I now have *all* of your banking info. Anyone who has a 1/2 of a 1/12 of a trillionth of a clue about sec should be telling you that the LAN, WAN and wifi should *always* be segregated from each other and that your router and modem should also *always* be segregated from each other as well. Wireless is *child's play* and ENTIRELY TRIVIAL to pop now. I built a toy out of other people's work. I set up a modified version of Kali in a VM, combined it with work from a couple of other projects and wrote a couple of noobish automation scripts: I have tested it against 73 wireless routers so far and the *longest* pop (for *complete control*) took 2 minutes 47 seconds and it *has not failed even once*, yet. And those were *all* consumer grade routers. And if your wireless router / modem are the same box I can now snoop/MtM *all* of your NT traffic. If you're the least bit serious about sec go buy a DSL modem that allows you to change the default password; which will *not* come with a password of the day back door in it.
Also buy a separate wireless router and set it up as an AP behind a gateway. Set up an IPFire gateway. Put Snort (get an oinkcode and use the community rules), Guardian and Tripwire on it. Segregate your NT into Wifi / LAN (add DMZ if you want to serve anything to the world). The hardware for mine cost me ~$60 US. I got my hands on an old P4, upgraded the RAM to 2GB and added 3 NICs for Wifi/LAN/DMZ. The basic layout is: world | modem | gateway-wifi | LAN For extra points, and if you have a bunch of stuff on your LAN like I do then: LAN->DNS/DHCP/adaptive, self defending AI FW/UTM(all-n-one)->hub->Lots of junk. *Never* bank or shop wirelessly, even at home. It would be trivial for your bored 12-year-old neighbor to get your banking/CC info. I don't know *anybody* any more who has *zero* important information on a home system; unless of course you file paper tax returns, pay your bills by mail and only order stuff by phone. But hey, it's your money and your life; do with it what you wish. You've told me before that I'm a moron. So what do I know anyway.
And my modem is no rental either. Bought and paid for. And I also do not use wireless. And port tests show that I am protected.
I don't know what I'm talking about; ignore me. Cuz the *only attack in the world* is a port scan. Yep I'm so clueless that I'm only a T2 for Verizon now! (That's the job I moved states for a few months back. I was hired to be a T1 and made T2 within 2 weeks. Yep, I'm clueless!) I only service that *exact model* several times a week! Yep, I'm a doron and I don't nuffin 'bout nuffin when it comes to sec. That's why this Thursday I'm up for my 3rd and final interview for a position wherein I will travel the state helping a major healthcare system implement a new records management system so that they are in compliance with current federal standards for electronic healthcare records management and healthcare records infosec. You have a rental grade router, even if you are not currently renting it. It doesn't matter that you "bought and paid for it". We buy those things in bulk and hand them out like candy. And they *all have the password of the day back door in them*!!! As a matter of fact I know where you can buy the next three days' password for $1.50. And where you can buy the seed and algo for $50 so you can just gen it yourself. And it DOES NOT MATTER IF YOU DO NOT USE WIRELESS!!!!!!!! Your NT appliance is a combo modem/router/wireless AP. You might as well have unprotected sex w/ a $2 Bangkok whore. 90%+ of all such devices currently in circulation "leak" WPS; which means that even if you shut WPS off in the GUI interface and the device will not even set up a WPS device it *WILL* accept wirelessly sent CLI/root level commands through the WPS interface. And there is a flaw in WPS big enough to drive a fleet of Mack trucks through; which is why I was able to build a toy that has cracked 73 devices in a row that have better sec than yours in under 3 minutes each. But don't worry. My name is puddintang and I don't know nuffin 'bout nuffin. I'm sure there are no smart, bored kids in your neighborhood that know how to use Google!
I sincerely hope you have a great day. :-)