Re: [AFMUG] Memcached

2018-03-04 Thread David M

I don't run a bridged net.

I don't expose RFC1918 addresses.

I have automated backups and updates for my 3 edges.

Most routes are on OSPF, some are still doing static, and somewhere in the middle there is some iBGP going on.

I do my best at being a good steward of security, but sometimes it's not enough.

Automated ACL and fail2ban have been my allies in the war against Stupid :)

I am still waiting on Cambium Networks to unveil a switch and router to complement the pure network I run.

Being pure removes the holes in my security and makes work easy for setting standards for only a small team to handle instead of having a large one with individual agendas to meet.

My 2 cents



On 3/3/2018 9:33 PM, Justin Wilson wrote:

Why does anyone run a bridged network?
Why does anyone expose their management IP ranges to the internet?
Why does anyone not upgrade firmware to fix security vulnerabilities that are years old?


Shall I go on? :-)





Justin Wilson
j...@mtin.net 

www.mtin.net 
www.midwest-ix.com 

On Mar 3, 2018, at 9:12 PM, Steve Jones wrote:

Why does anyone have non-ACL input allow on infrastructure?

On Mar 3, 2018 3:39 PM, "Justin Wilson" wrote:

Do the following.

1. Don't have it listen on public ports.
2. iptables if you must have it listen on public ports for whatever reason.
3. Compile with libwrap and use tcpwrappers for the best security.

Justin Wilson
j...@mtin.net 

www.mtin.net 
www.midwest-ix.com 


On Mar 3, 2018, at 12:13 PM, David M <dmilho...@wletc.com> wrote:

I block it on the input for any router we have.
I haven't considered doing it for the forward table.

On 3/2/2018 3:37 PM, Mike Hammett wrote:

You are blocking port 11211, right?



-
Mike Hammett
Intelligent Computing Solutions 


Midwest Internet Exchange 


The Brothers WISP 















Re: [AFMUG] Memcached

2018-03-03 Thread Justin Wilson
Why does anyone run a bridged network?
Why does anyone expose their management IP ranges to the internet?
Why does anyone not upgrade firmware to fix security vulnerabilities that are years old?

Shall I go on? :-)





Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Mar 3, 2018, at 9:12 PM, Steve Jones wrote:
> 
> Why does anyone have non-ACL input allow on infrastructure?
> 
> On Mar 3, 2018 3:39 PM, "Justin Wilson" wrote:
> Do the following.
> 
> 1. Don't have it listen on public ports.
> 2. iptables if you must have it listen on public ports for whatever reason.
> 3. Compile with libwrap and use tcpwrappers for the best security.
> 
> Justin Wilson
> j...@mtin.net 
> 
> www.mtin.net 
> www.midwest-ix.com 
> 
>> On Mar 3, 2018, at 12:13 PM, David M wrote:
>> 
>> I block it on the input for any router we have.
>> I haven't considered doing it for the forward table.
>> 
>> On 3/2/2018 3:37 PM, Mike Hammett wrote:
>>> You are blocking port 11211, right?
>>> 
>>> 
>>> 
>>> -
>>> Mike Hammett
>>> Intelligent Computing Solutions 
>>>   
>>>  
>>>  
>>> 
>>> Midwest Internet Exchange 
>>>   
>>>  
>>> 
>>> The Brothers WISP 
>>>  
>>> 
>>> 
>>>  
>> 
>> 
> 



Re: [AFMUG] Memcached

2018-03-03 Thread Steve Jones
Why does anyone have non-ACL input allow on infrastructure?

On Mar 3, 2018 3:39 PM, "Justin Wilson" wrote:

> Do the following.
>
> 1. Don't have it listen on public ports.
> 2. iptables if you must have it listen on public ports for whatever reason.
> 3. Compile with libwrap and use tcpwrappers for the best security.
>
> Justin Wilson
> j...@mtin.net
>
> www.mtin.net
> www.midwest-ix.com
>
> On Mar 3, 2018, at 12:13 PM, David M wrote:
>
> I block it on the input for any router we have.
> I haven't considered doing it for the forward table.
>
> On 3/2/2018 3:37 PM, Mike Hammett wrote:
>
> You are blocking port 11211, right?
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions 
> 
> 
> 
> 
> Midwest Internet Exchange 
> 
> 
> 
> The Brothers WISP 
> 
>
>
> 
>
>
>
>
>


Re: [AFMUG] Memcached

2018-03-03 Thread Justin Wilson
Do the following.

1. Don't have it listen on public ports.
2. iptables if you must have it listen on public ports for whatever reason.
3. Compile with libwrap and use tcpwrappers for the best security.

Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Mar 3, 2018, at 12:13 PM, David M wrote:
> 
> I block it on the input for any router we have.
> I haven't considered doing it for the forward table.
> 
> On 3/2/2018 3:37 PM, Mike Hammett wrote:
>> You are blocking port 11211, right?
>> 
>> 
>> 
>> -
>> Mike Hammett
>> Intelligent Computing Solutions 
>>   
>>  
>>  
>> 
>> Midwest Internet Exchange 
>>   
>>  
>> 
>> The Brothers WISP 
>>  
>> 
>> 
>>  
> 
> 



Re: [AFMUG] Memcached

2018-03-03 Thread David M

I block it on the input for any router we have.

I haven't considered doing it for the forward table.


On 3/2/2018 3:37 PM, Mike Hammett wrote:

You are blocking port 11211, right?



-
Mike Hammett
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 
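
An added example, not written by anyone in this thread: a shell check over `iptables-save` output that reports which of the INPUT and FORWARD chains have no DROP/REJECT rule for port 11211, the input-versus-forward gap raised in the message above. The sample ruleset is constructed, and the check only looks for simple `--dport 11211` rules; it does not evaluate rule order, interface scope or multiport matches.

```shell
#!/bin/sh
# Constructed sample in iptables-save format; on a real router, pipe in the
# output of `iptables-save` instead.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 11211 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 11211 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 11211 -j DROP
COMMIT'

# blocked_chains PROTO: read iptables-save text on stdin and print the chains
# (sorted, one per line) that DROP or REJECT PROTO traffic to dport 11211.
blocked_chains() {
    awk -v proto="$1" '
        $1 == "-A" {
            p = ""; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (p == proto && port == "11211" &&
                (target == "DROP" || target == "REJECT"))
                print $2
        }' | sort -u
}

# missing_coverage: read iptables-save text on stdin and print CHAIN/PROTO for
# every INPUT/FORWARD x udp/tcp combination that has no blocking rule.
missing_coverage() {
    rules=$(cat)
    for proto in udp tcp; do
        covered=$(printf '%s\n' "$rules" | blocked_chains "$proto")
        for chain in INPUT FORWARD; do
            printf '%s\n' "$covered" | grep -qx "$chain" || echo "$chain/$proto"
        done
    done
}

# The sample blocks 11211 on INPUT but leaves forwarded UDP to customers open.
printf '%s\n' "$SAMPLE_RULES" | missing_coverage
```
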








[AFMUG] Memcached

2018-03-02 Thread Mike Hammett
You are blocking port 11211, right? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP