Wade,
> I have DSL and use a cast-off 486/66 as a firewall. The
> DSL I have down here in Stafford, VA is bridged, not routed
> so I have a LOT of junk traffic.
I've been concerned about this myself. I'm looking into getting a SDSL
line to my house whenever COVAD or its brethren decide, in their
infinite wisdom, to offer such services out of my local CO. Hopefully,
that will be this year sometime. Anyway, like you and some news articles
have stated, high speed lines are more likely to be hacked, thus security
for an xDSL line is paramount.
> I turned on detailed logging and in about 1 hour had 200K
> in my /var/log/messages. The others on the DSL were using
> a lot of SMB (Windows) networking stuff, probably looking
> for shares on unaware folks. This junk really messed
> with my logging....
Yet another concern. I could make a project out of finding the
individuals who like to scan for open ports. It's not illegal, nor
should it be, but it is interesting.
> On the firewall, close all ports you don't need. Run
> port sentry (at least on a few ports that you have closed,
> like the "r" ports). Check your logs and the result of
> portsentry every day or two. Read some security
> howtos and docs such as those at http://www.linuxstart.com.
Have you thought of creating a minimal firewall that boots from a
CD-ROM and does not have any writable media? This way the potential
hacker has no place to put his hacking tools. I think Linux and the
xBSD projects have solutions for this. Anyway, just an idea.
> I also have a problem with my DSL just "going away". I
> have a static IP and a server running 24/7 (except when
> my 6 year old turns it off -- http://www.gatorlinux.com).
> I tried accessing it the day after I put it online and
> could not. All it took was for my wife to try to visit
> a site from home, then I could remotely access the site.
> The solution to this was to have a script to do a ping
> every x seconds (10 or so) to my provider's mail server.
> (Any host would do, but I wanted to keep the traffic
> local to the ISP.)
Don't ya just hate it when the munchkins wander into your study looking
for something to do? ;->
Try not to ping the mail server. It is a heavy traffic box and at peak
times you may not get all (or any) of your pings back. Ask your ISP
for the logically closest pingable appliance on the other side of your
connection that stays up 24x7. I was thinking that some sort of router
is located at the CO that you can ping.
About your xDSL service just going away, there has been a rash of articles
concerning this very thing. It seems that the telco-style broadband
companies are having a hard time coordinating between the RBOCs, the ISPs,
and themselves. This technology is so new that the communications channels
and responsibilities are not yet clearly defined, thus long delays occur
when connections go down. Also, because of the exploding demand for high
speed, cheap access, marketing and sales of broadband services are in
overdrive mode. The traditional, telco-style providers do not want to be
usurped by the cable or wireless companies. I'm sure you are aware that
the wireless broadband solutions are now coming online. Anyway, this is
good and bad for the consumer. It's good that the providers are pushing
hard to provide cheap, high speed access to homes and businesses but it's
bad when they have to work out the installation and support details on
consumer time. However, it's viewed by COVAD and its brethren to be
necessary because of the "time to market" problem. Ah well, that means
that for the foreseeable future, the customer will continue to see long
installation delays and long user outages.
> People are scanning dialup hosts as well. A year or so
> ago, someone tried several times to use my laptop as
> a mail relay, but the RedHat supplied config denied it
> and logged it (I think I posted to the RedHat list
> at the time).
No one serious will use a 56K or less dialup line as a mail relay. Even
ISDN is iffy because of the low speed. You probably saw someone trying
to use it to relay mail for a specific purpose like voicing an unpopular
opinion to Usenet or someone out to agitate "the masses" with unpopular
views. I think the netizens call them trolls. Anyway, it's all numbers.
You can't send out a lot of mail from a 56K line.
The numbers:
56K = 57344 bits per second (bps)
57344 bps = 7,168 characters per second (cps)
Because of line noise, packet headers and footers, you really only get
roughly 5,000 cps on a 56K line. Given that the message is, say, 1,000
characters long, that would mean that 5 messages per second could be sent
out if sockets could be constructed instantaneously. Of course this is not
possible but I would bet that at least 2 could be made per second. So,
we have 2 1,000-character messages being sent per second. That would mean
that a total of 172,800 messages could be sent in a day. (2 msgs * 60 secs *
60 mins * 24 hours). That's a lot of messages but it would be caught
rather quickly unless you had a 24x7 connection and it was night time
and you did not pay attention to your logs. A lot of ifs. Anyway,
a fractional T1 or a DSL line would give you significantly better
throughput and thus be a more viable solution.
. . . and Sendmail, Qmail, etc. can be configured to stop relays, as you
mentioned . . . . ;->
> At least with Linux we have control over what is
> available on our hosts and have visibility into our
> systems. We have good logs and programs like rpm, tripwire,
> and port sentry to try to keep our systems safe. We
> also are much less likely to get hammered by a virus
> or by "active" email (melissa). Browsing with
> Windows, IE, and Active X is like finding someone on
> the street and having unprotected sex with them!
Yep, a properly configured firewall and hosts behind that firewall will
solve a world of ills. However, this is no cure-all. Individual
vigilance is the key.
Just my $0.02 worth.
Paul
---------------------------------------------------------------------------
Paul B. Brown [EMAIL PROTECTED]
President
Brown Technologies Network, Inc. http://www.btechnet.com/
Systems and Applications Design, Development, Deployment, and Maintenance
---------------------------------------------------------------------------
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
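An added example of the "check your logs every day or two" step discussed in the thread, written for this page and not taken from either message or from portsentry: a small Python script that boils a firewall's DROP log down to something readable, separates the SMB share-probing noise the thread complains about (NetBIOS/SMB ports 137-139 and 445) from real scanners, and flags any source that touches the deliberately closed "r" ports (512-514), which is the portsentry idea done after the fact from the log. It assumes Linux netfilter/iptables LOG-target lines (the `IN=... SRC=... DPT=...` key=value format) rather than the older ipchains format a 486/66 of that era would have written; the sample lines, host names and addresses below are constructed, not captured.

```python
"""Summarise netfilter/iptables DROP-log noise and flag port-scan sources.

Added example; not code from the original message or from portsentry.
Assumes iptables LOG-target lines ("IN=... SRC=... DPT=...") as written to
/var/log/messages. The sample log below is constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# The LOG-target fields we need. SPT/DPT are present only for TCP and UDP,
# so that group is optional (ICMP lines still parse, with dpt=None).
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?PROTO=(?P<proto>\w+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

SMB_PORTS = {137, 138, 139, 445}   # NetBIOS/SMB: neighbours hunting for shares
TRIPWIRE_PORTS = {512, 513, 514}   # the "r" services (exec/login/shell), kept closed

# Constructed sample (hypothetical hosts; 10.1.2.0/24 stands in for the DSL segment).
SAMPLE_LOG = """\
Mar  4 01:02:03 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=10.1.2.50 LEN=48 TTL=128 ID=1 DF PROTO=TCP SPT=1025 DPT=139 SYN
Mar  4 01:02:03 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=10.1.2.50 LEN=78 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  4 01:02:04 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=10.1.2.50 LEN=48 TTL=128 ID=3 DF PROTO=TCP SPT=1026 DPT=139 SYN
Mar  4 01:02:09 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=10.1.2.50 LEN=48 TTL=128 ID=4 DF PROTO=TCP SPT=1027 DPT=139 SYN
Mar  4 01:05:00 fw kernel: IN=eth0 OUT= SRC=10.1.2.9 DST=10.1.2.50 LEN=48 TTL=128 ID=5 DF PROTO=TCP SPT=1040 DPT=139 SYN
Mar  4 01:07:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.50 LEN=40 TTL=52 ID=6 PROTO=TCP SPT=40000 DPT=21 SYN
Mar  4 01:07:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.50 LEN=40 TTL=52 ID=7 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  4 01:07:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.50 LEN=40 TTL=52 ID=8 PROTO=TCP SPT=40002 DPT=111 SYN
Mar  4 01:07:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.50 LEN=40 TTL=52 ID=9 PROTO=TCP SPT=40003 DPT=512 SYN
Mar  4 01:07:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.50 LEN=40 TTL=52 ID=10 PROTO=TCP SPT=40004 DPT=513 SYN
Mar  4 01:07:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.2.50 LEN=40 TTL=52 ID=11 PROTO=TCP SPT=40005 DPT=514 SYN
Mar  4 01:09:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=10.1.2.50 LEN=84 TTL=55 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  4 01:10:00 fw sshd[412]: Accepted publickey for wade from 10.1.2.50 port 51234 ssh2
"""


def parse_line(line):
    """Return {src, dst, proto, dpt} for a LOG-target line, or None for other log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "dpt": int(d["dpt"]) if d["dpt"] else None}


def summarise(lines, scan_threshold=5):
    """Aggregate dropped packets per source; a source touching at least
    scan_threshold distinct destination ports is reported as a scanner."""
    per_src = Counter()
    ports_by_src = defaultdict(set)
    smb_by_src = Counter()
    tripwire_by_src = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # sshd, cron, etc.: not firewall output
            continue
        src = rec["src"]
        per_src[src] += 1
        if rec["dpt"] is not None:
            ports_by_src[src].add(rec["dpt"])
            if rec["dpt"] in SMB_PORTS:
                smb_by_src[src] += 1
            if rec["dpt"] in TRIPWIRE_PORTS:
                tripwire_by_src[src].add(rec["dpt"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {
        "total": sum(per_src.values()),
        "unparsed": unparsed,
        "per_src": dict(per_src),
        "smb_by_src": dict(smb_by_src),
        "tripwire_hits": {s: sorted(p) for s, p in tripwire_by_src.items()},
        "scanners": scanners,
    }


def report(summary):
    """Render the summary as the short daily digest a human would actually read."""
    out = [f"dropped packets: {summary['total']} (non-firewall lines skipped: {summary['unparsed']})"]
    for src, n in sorted(summary["per_src"].items(), key=lambda kv: -kv[1]):
        tag = " [SMB noise]" if summary["smb_by_src"].get(src, 0) == n else ""
        out.append(f"  {src:<15} {n:>5}{tag}")
    for src, ports in summary["tripwire_hits"].items():
        out.append(f"TRIPWIRE: {src} probed closed r-ports {ports}")
    for src in summary["scanners"]:
        out.append(f"SCANNER:  {src} touched {len(summary['per_src']) and sorted(ports_by(summary, src))} ports")
    return "\n".join(out)


def ports_by(summary, src):
    """Helper for report(): distinct ports seen from src (recomputed from tripwire/SMB data is not enough,
    so callers pass the summary built by summarise(); kept simple for the example)."""
    return summary["tripwire_hits"].get(src, [])


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG.splitlines())))
```

In practice you would feed it `grep 'IN=eth0' /var/log/messages` from cron and mail yourself the digest; the point is that the SMB lines collapse to one tagged row per neighbour instead of burying the one host that walked the r-ports, and the per-source port count is what portsentry's tripwire ports give you in real time.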