On Fri, Mar 22, 2024 at 9:02 AM Jan Krapivin wrote:
>
> The thing that bothers me are words: "any computer (and a fortiori any
> server) connected to the Internet is regularly targeted by automated
> connection attempts"

Change it to
  "any computer (and a fortiori any server) >>using IPv4 and directly<<
  connected to the Internet is regularly targeted by automated connection
  attempts"
and yes, I'm 100% confident they're getting automated connection attempts.

Why the qualifier >>using IPv4 and directly<< connected?
The IPv4 address space is only 32 bits long. Scanning 2^32 = about
4,000,000,000 addresses for an open port is easily doable.
The IPv6 address space is a bit harder... Let's just say that 7/8ths of
the IPv6 address space is reserved[1] so that means 2^125 addresses would
need to be scanned .. which just isn't going to happen. There are ways
for attackers to get the IPv6 address scan space down to a reasonable
number. I probably don't know most of them..

What's the difference between "connected" and "directly connected"?
None of my computers are directly connected to the Internet. Everything
is hiding behind a firewall that supposedly blocks _all_ unsolicited
traffic coming in from the Internet. So however much I believe no
unsolicited traffic is allowed into my network is about how much I
believe there are no automated connection attempts to my computers.

> I am not tech-savvy. Can you say with 100% (90%?) confidence that there
> is no such thing? That home PC without SSH and whatever complicated is
> safe (rather safe) from "automated connection attempts"?

What makes it more fun is that it is not only SSH that could allow an
attacker in. A quick & easy check is to look for open ports - e.g.

  sudo ss -lptu

shows you all the programs listening for new connections (right now ..
10 minutes from now could be a whole different thing).

Except.. oops.. not _all_ the programs listening for new connections.
While writing this I tried

  $ sudo ss -lwnp
  State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port   Process
  UNCONN   0        0        0.0.0.0:255          0.0.0.0:*           users:(("atop",pid=186997,fd=4))

so there's atop allowing connections on a "raw" socket. .. whatever that is.

And there's the non-tcp/udp protocols like GRE or IPSec (think VPN
tunnels) where connections might be allowed in.

> This thread reminded of that topic -
> https://forums.debian.net/viewtopic.php?t=154002

Indeed. Is a firewall necessary or no? Some say yes, some say no.

I look at a firewall as the place where you implement your basic network
security policy. Should SSH be allowed in from the Internet? NetBIOS?
how about SNMP? I fall into the "some say yes" camp because I say the
firewall is where those questions should be answered.

Regards,
Lee

[1] https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
  The assignable Global Unicast Address space is defined in [RFC3513] as
  the address block defined by the prefix 2000::/3. [RFC3513] was later
  obsoleted by [RFC4291].
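
The open-port check described in the message above, as an added example that is not part of the original message: it asks ss for TCP, UDP and raw listeners together and keeps only those bound to a non-loopback address, which are the ones a firewall policy has to account for. The function names and all sample lines except the atop one are constructed, and the parser assumes the Netid column that ss prints when more than one socket type is requested.

```shell
#!/bin/sh
# Added example: list listening sockets that are bound to a non-loopback
# address, covering TCP, UDP and raw sockets in one pass.
# Live use (not run here):  sudo ss -H -lntuwp | exposed_listeners

# Constructed sample of `ss -H -lntuwp` output. Only the atop line comes
# from the message above; every other line is made up for illustration.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=701,fd=3))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=650,fd=12))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=590,fd=13))
raw UNCONN 0 0 0.0.0.0:255 0.0.0.0:* users:(("atop",pid=186997,fd=4))
tcp LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=812,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=701,fd=4))
EOF
}

# Reads ss output (Netid State Recv-Q Send-Q Local Peer Process) on stdin
# and prints "netid local-address process" for every non-loopback listener.
exposed_listeners() {
    awk '
    NF >= 6 {
        addr = $5
        sub(/:[^:]*$/, "", addr)   # drop the trailing :port
        sub(/%.*$/, "", addr)      # drop a %interface scope such as %lo
        gsub(/\[|\]/, "", addr)    # drop the brackets around IPv6
        if (addr ~ /^127\./ || addr == "::1") next
        proc = (NF >= 7) ? $7 : "-"
        print $1, $5, proc
    }'
}

sample_ss_output | exposed_listeners
```

A listener on 0.0.0.0 or [::] accepts traffic on every interface, so whether it is reachable from the Internet depends on the firewall in front of it.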