I'm feeling paranoid - with good reason.

Nigel Henry cave.dnb at tiscali.fr
Thu Feb 2 23:52:41 GMT 2006


On Thursday 02 February 2006 20:06, John wrote:
> I know this is OT but.
> I strongly urge anybody that uses any sort of modem router to visit Shields
> Up at grc.com and see if their ports 254 and 255 are open. A search on the
> web will show that there is a problem on lots of them in this area. It
> seems that most of them carried on shipping like that for a long time,
> so it's probably a chipset problem. The Zoom modem uses a Texas Instruments
> chipset. Any sort of firewall is useless as the unit itself is at risk -
> mine definitely had its firmware and/or settings reprogrammed. Zoom also
> admitted that the firmware update does not prevent the open port. My
> current router does have a capability for remote admin but it can be turned
> off. (I hope) I ditched a Sagem ADSL unit some time ago (years) as it was
> open to the same problem. They made them like that so that ISPs can tweak
> them for their users etc.
> regards
> John

Hi John. If this is really so, it's almost beyond belief. To think that you 
sign up for an ADSL connection, then are given, or pay a small amount for, the 
ADSL router/modem, which we later find out has a built-in back door, so that 
the ISP or any informed person can mess with our firewall or modem settings. 
I can understand the ISPs blocking port 80, so that if you want to run a 
webserver from your Internet connection you have to perhaps negotiate with 
them, but this isn't the same as them, or anyone else, messing with a piece of 
hardware that you have in your possession. Incidentally, John, did grc.com, or 
the other portscan, show ports 254 and 255 open? Of course, if you have 
bought your ADSL router/modem from a supplier, there should, on the face of 
it, be no reason why your ISP, or anyone else, should be able to access it, 
unless there are incoming ports open by default, which should never be the 
case. I'm not being flippant, but in many ways am happy to be on dialup, and 
having set up my Smoothwall myself, know that all incoming ports are closed. 
I'm not being complacent. If some idiot is determined enough, they will find 
a way to break through anything. All I can say is: try to make sure all 
incoming ports are closed. Set a good, non-dictionary-based password for 
access to the firewall's webserver, and I was going to say "Pray", but perhaps 
that's not in good taste, as it must be very frustrating. Nigel.
>
> On Thursday 02 February 2006 18:26, Nigel Henry wrote:
> > On Thursday 02 February 2006 16:28, Basil Fowler wrote:
> > > If this can help.
> > >
> > > I use a Speedtouch 510  router, and previously a 530 (this blew up
> > > after a thunderstorm!)
> > >
> > > I am highly suspicious of any commercial firewalls - one never knows if
> > > they are leaky by intent or design.  So I set up a simple secondary
> > > firewall using iptables.  Put this file in /etc/sysconfig/iptables. The
> > > rules stop anything coming in:
> >
> > Hi Basil. I use a Smoothwall Express2 on dial-up as a dedicated firewall,
> > and have Guarddog, the GUI frontend to iptables, on the client machines;
> > this setup works ok (iptables under the hood always looked very complex).
> > You obviously have had plenty of practice with iptables, but the question
> > is this.
> >
> > The secondary firewall is just fine for protecting the client machines if
> > the firewall on the ADSL router/modem is naff. But hypothetically: port
> > 80 is open for incoming traffic on the router/modem, and I presume that
> > the webserver on the router/modem, for setting it up, is theoretically
> > accessible to a password cracker, much in the same way as you, as a user,
> > would access it, with user-name and password, to set up the firewall and
> > modem in the first place from a client machine. I say this because when
> > I first got my Smoothwall up and running, I allowed my son to access its
> > web interface from his location on the Internet, on a very short
> > timeframe, and just to see what it looked like (he's a Windoze user).
> > All right, I had to port forward port 80 to the gateway address, and give
> > him my current local dynamic IP address. Sounds pretty stupid now,
> > allowing him to access my firewall. But you live and learn.
> >
> > >   *nat
> > > # Masquerade traffic from the home network leaving on either external link
> > > [0:0] -A POSTROUTING -o ppp0 -j MASQUERADE
> > > [0:0] -A POSTROUTING -o eth0 -j MASQUERADE
> > > COMMIT
> > >
> > > *mangle
> > > COMMIT
> > >
> > > *filter
> > >
> > > :OUTPUT ACCEPT [0:0]
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > >
> > > # Drop anything arriving on the external interfaces (ppp0, eth0) that is
> > > # not part of a connection started from inside. ESTABLISHED and RELATED
> > > # packets match neither rule and fall through to the ACCEPT policy.
> > > # New attempts on eth0 are logged before they are dropped.
> > > [0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i ppp0
> > > [0:0] -A INPUT -j LOG -m state --state NEW,INVALID -i eth0
> > > [0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i eth0
> > > # *[0:0] -A INPUT -p icmp -j DROP
> > >
> > > # Same for packets that would be routed through to the home network
> > > [0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i ppp0
> > > [0:0] -A FORWARD -j LOG -m state --state NEW,INVALID -i eth0
> > > [0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i eth0
> > > # *[0:0] -A FORWARD -p icmp -j DROP
> > >
> > > COMMIT
> > >
> > > Note: You will notice that all connection attempts that have got
> > > through the firewall are logged. You do not have to separate out
> > > legitimate traffic.
> > >
> > > The section "Masquerade" is used because the computer is also the
> > > gateway to the home network.
> > >
> > > ppp0 is a dial-up link for use while my ADSL line is down for any reason.
> > >
> > > To identify the sources of connection attempts, I use this script - it
> > > is too much like hard work to program a graphical interface - and much
> > > too much like Windows - inflexible.
> > >
> > > #!/bin/bash
> > >
> > > # lists domain names of hosts trying to make contact with bluebottle
> > >
> > > # allow other files than default /var/log/messages
> > > if [ "x$1" = "x" ]
> > > then
> > >         MESSAGES="messages"
> > >         COMMAND="cat"
> > > else
> > >         MESSAGES="$1"
> > >         echo "${MESSAGES}" | grep 'gz' > /dev/null
> > >         if [ $? -eq 0 ]
> > >         then
> > >                 COMMAND="zcat"
> > >         else
> > >                 COMMAND="cat"
> > >         fi
> > > fi
> > >
> > > # define functions
> > >
> > > # Collect ip nos of attackers from log file. SRC= is the 9th whitespace
> > > # field in the default kernel LOG format (date, time, host, "kernel:",
> > > # IN=, OUT=, MAC=, SRC=); if your log prefix differs, adjust $9.
> > > ip_nos(){ ${COMMAND} /var/log/${MESSAGES} | grep ' SRC=' | awk '{print $9}' \
> > >           | sed 's/SRC=//' | sort | uniq ; }
> > >
> > > # Tidy up output from nslookup: drop blank lines and the entries for the
> > > # SpeedTouch router itself (each -e needs its own quoted expression)
> > > tidy_up(){ sed -e '/^$/d' -e '/SpeedTouch/d' -e '/10.0.0.138/d' ; }
> > >
> > > # do the work
> > > for ip_no in $(ip_nos)
> > > do
> > >         nslookup -silent "$ip_no" | tidy_up
> > >         echo
> > > done
> > >
> > > Using this I have discovered that the BBC's RealPlay servers try to
> > > create a back channel - naughty.
> >
> > I'm interested in this, as I have to use RealPlayer to get audio streams
> > from BBC.co.uk, and do from time to time experience mysterious problems.
> > I'd read that the BBC were developing open source codecs, but haven't
> > heard much in recent months. I'd be happy to hear your experiences,
> > offlist, as this is a bit OT.  Nigel.
> >
> > > Perhaps other users of the list would like to suggest improvements.
> > >
> > > I hope that you do not connect to the internet as root!
> > >
> > > Basil Fowler
> > >
> > > On Wednesday 01 Feb 2006 22:48, John wrote:
> > > > Hi
> > > > That zoom adsl router I mentioned a while ago seems to have been
> > > > reprogrammed by some one over the net. It behaved oddly even after a
> > > > firmware update so I've just fitted another type. Seems that lots of
> > > > these units have a simple route into port 254 and maybe 255 too.
> > > > I need to see if there is anything resident on my machine. Anyway is
> > > > there anything available that will show and maybe log traffic through
> > > > my eth0 connection. A graphical interface would be much preferred
> > > > ideally identifying the transmission source, ascii data translations
> > > > etc.
> > > >
> > > > Regards
> > > > John
> > >
> > > ___________________________________________________
> > > This message is from the kde mailing list.
> > > Account management:  https://mail.kde.org/mailman/listinfo/kde.
> > > Archives: http://lists.kde.org/.
> > > More info: http://www.kde.org/faq.html.
> >
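An added example, not code from any of the posters, that takes Basil's log-grepping idea a step further: it pulls the source address, protocol and destination port out of iptables LOG records by field name rather than by column position, lists attempts per source and port, and flags any source that probed TCP 254 or 255, the ports John asks people to check. The log lines are constructed here (documentation-range addresses, a made-up host name "bluebottle" borrowed from Basil's comment) so it runs offline; on a real box pipe /var/log/messages, or a rotated .gz copy, through read_log instead of sample_log.

```bash
#!/bin/bash
# Added example: summarise iptables LOG records by source and destination
# port, and flag probes of ports 254/255. Functions read log text on stdin.

# Print a log file, decompressing rotated copies (same idea as Basil's
# COMMAND="zcat" branch).
read_log() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Constructed sample records in the default kernel LOG format so the script
# runs offline. The addresses are documentation ranges, not real hosts.
sample_log() {
    cat <<'EOF'
Feb  2 23:10:01 bluebottle kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1234 DF PROTO=TCP SPT=3345 DPT=254 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  2 23:10:03 bluebottle kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1235 DF PROTO=TCP SPT=3346 DPT=255 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  2 23:11:40 bluebottle kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=51022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 23:12:05 bluebottle kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=10 DF PROTO=TCP SPT=51023 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 23:12:44 bluebottle kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=1900 DPT=1900 LEN=20
Feb  2 23:12:50 bluebottle kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb  2 23:13:00 bluebottle sshd[2211]: Accepted password for nigel from 10.0.0.5 port 40000 ssh2
EOF
}

# One "SRC PROTO DPT" triple per LOG record. Fields are found by name, so a
# missing MAC= or a different log prefix does not shift the columns the way
# a fixed awk '{print $9}' would. Records with no DPT= (ICMP) get "-".
hits() {
    grep ' SRC=' | awk '{
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") print src, proto, dpt
    }'
}

# Unique sources: the same list Basil's ip_nos() hands to nslookup.
sources() { hits | awk '{print $1}' | sort -u; }

# Number of distinct sources, for a quick sanity check.
source_count() { sources | wc -l | tr -d ' '; }

# Attempts per source/protocol/port, most frequent first.
top_ports() { hits | sort | uniq -c | sort -rn; }

# Sources that probed port 254 or 255 (assumed TCP, as in John's report).
probes_254_255() { hits | awk '$3 == 254 || $3 == 255 { print $1 }' | sort -u; }

# Demo on the constructed sample. On a real box, for example:
#   read_log /var/log/messages.1.gz | probes_254_255
# To test the router itself, as John did with Shields Up, scan it from a host
# outside your LAN (nmap -p 254,255 <your public IP>); an "open" answer there
# comes from the router, not from the PC firewall behind it.
echo "== sources ==";        sample_log | sources
echo "== top ports ==";      sample_log | top_ports
echo "== 254/255 probes =="; sample_log | probes_254_255
```

The point of matching on field names is that the one record type Basil's `$9` assumption silently mishandles (a line without MAC=, or a different LOG prefix) is exactly the kind of thing you least want dropped from a list of who has been knocking on the router.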