Re: How insecure are cable connections, versus dialup?
"Dennis G. Wicks" <[EMAIL PROTECTED]> writes: > Sorry, Gene. That link is now a petition to abolish the > DMCA! Do you have an alternate link? Google it. Here is the first result of such a google: http://naughty.monkey.org/~dugsong/dsniff/faq.html Gary -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
Sorry, Gene. That link is now a petition to abolish the DMCA! Do you have an alternate link? On Wed, 11 Dec 2002, Gene wrote: > check out monkey.org/~dugsong for dsniff //gene -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
check out monkey.org/~dugsong for dsniff //gene Geordie Birch wrote: said Jason Pepas (on 2002-12-09), some folks like to sniff passwds... those are some of the ones you should worry about... ( there are ssh based pwd sniffers too ) ssh based password sniffers? can you provide us with any evidence of this? don't know about ssh2 but ettercap works great for ssh1 man-in-the-middle attacks. Geordie. -- Gene Yoo, [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
said Jeffrey Taylor (on 2002-12-09), > Quoting Alvin Oga <[EMAIL PROTECTED]>: > > cable ... its you and all your neighbors watching/sharing that copper > > > > Can you provide evidence for this? That cable modems run in > "promiscuous" mode? > > Jeffrey ettercap will sniff switched LANS. Geordie. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
said Jason Pepas (on 2002-12-09), > > some folks like to sniff passwds... those are some of the ones you > > should worry about... ( there are ssh based pwd sniffers too ) > > ssh based password sniffers? can you provide us with any evidence of this? don't know about ssh2 but ettercap works great for ssh1 man-in-the-middle attacks. Geordie. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Mon, Dec 09, 2002 at 10:04:30AM -0600, Jamin W. Collins wrote: > On Mon, Dec 09, 2002 at 09:25:51AM -0600, Jeffrey Taylor wrote: > > Quoting Alvin Oga <[EMAIL PROTECTED]>: > > > cable ... its you and all your neighbors watching/sharing that copper > > > > > > > Can you provide evidence for this? That cable modems run in > > "promiscuous" mode? > > When I was using COX cable (Las Vegas, NV), I was able to readily view a > large number of their customer's via SMB browsing. I brought this to > their attention and was told that it was "by design" and not viewed as a > security risk. Irrespective of whether the response you received was stupid, the fact that you could "see" your neighbors via SMB browsing is due to the broadcast nature of SMB, not the fact that your cable modem was in some promiscuous mode. It is very difficult to intercept unicast traffic intended for your neighbor on a cabple network. In my opinion, the real lesson from your anecdote is that everyone connected to the Internet should be running some sort of firewall, and that firewall should be a seperate entity between your workstation (whatever OS it has isn't important) and the Internet access point. Windows automatically broadcasts tons of crap onto the nearest ethernet; that's poor design IMO. -- Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED] THEY planted The Lone Gunmen to MIND CONTROL the public into seeing TRUTH SEEKERS as CONSPIRACY NUTS. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Mon, Dec 09, 2002 at 06:00:08PM +0100, Matthias Hentges wrote: > Correct. nmap displays a scanned port as "filtered" even if you DROP the > packet. If you respong to a ping but DROP all port scans it's clear to > all hackers that you have a packetfilter. And I can still ping you if you drop ping, to tell if you're up. I won't get a reponse at all, instead of the next closest router saying "ICMP Host Unreachable." You've accomplished nothing but break the standard here. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17909/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
Am Mon, 2002-12-09 um 16.09 schrieb Paul Johnson: > On Mon, Dec 09, 2002 at 08:10:42AM -0600, Jamin W. Collins wrote: > > Stealth firewalls are in some cases better. If you DENY a packet, then > > the remote end knows that something answered the request, as it got a > > denied response back. If you DROP the packet the remote end gets > > nothing back. > > And the other end *still* knows something there, as it didn't get a > Destination Host Unreachable and it didn't get a response back. So > you still are visible, you just get the false sense of security in > thinking you aren't. Correct. nmap displays a scanned port as "filtered" even if you DROP the packet. If you respong to a ping but DROP all port scans it's clear to all hackers that you have a packetfilter. The one and only good thing about DROP'ing is that you piss off script kiddies when they try to portscan your box since the scan will take ages. (correct me if i'm wrong) > All you really accomplish is pissing off > legitimately misguided users, Really? Normal users don't scan blocked Ports. And if they mistype an IP it's their problem not mine :) > and detouring the incompetant cracker > that wouldn't get in anyway. Correct. Skilled hackers will own your box in any case. You can only try to make it harder for them to do so (ie: it takes longer). -- Matthias Hentges [www.hentges.net] -> PGP + HTML are welcome ICQ: 97 26 97 4 -> No files, no URLs My OS: Debian Woody: Geek by Nature, Linux by Choice -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
At 2002-12-09T15:09:13Z, Paul Johnson <[EMAIL PROTECTED]> writes: > All you really accomplish is pissing off legitimately misguided users, and > detouring the incompetant cracker that wouldn't get in anyway. That's not quite true. Older (and newer, misused) port-scanners can get pretty bogged down when faced with a host dropping packets. -- Kirk Strauser In Googlis non est, ergo non est. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
hi ya jeffrey On Mon, 9 Dec 2002, Jeffrey Taylor wrote: > Quoting Alvin Oga <[EMAIL PROTECTED]>: > > cable ... its you and all your neighbors watching/sharing that copper > > > > Can you provide evidence for this? That cable modems run in > "promiscuous" mode? run tcpdump see if there are any ip# and connections that does not belong to you... it's the neighbors... c ya alvin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Mon, Dec 09, 2002 at 09:25:51AM -0600, Jeffrey Taylor wrote: > Quoting Alvin Oga <[EMAIL PROTECTED]>: > > cable ... its you and all your neighbors watching/sharing that copper > > > > Can you provide evidence for this? That cable modems run in > "promiscuous" mode? When I was using COX cable (Las Vegas, NV), I was able to readily view a large number of their customer's via SMB browsing. I brought this to their attention and was told that it was "by design" and not viewed as a security risk. -- Jamin W. Collins -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
Quoting Alvin Oga <[EMAIL PROTECTED]>: > cable ... its you and all your neighbors watching/sharing that copper > Can you provide evidence for this? That cable modems run in "promiscuous" mode? Jeffrey -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Mon, Dec 09, 2002 at 08:10:42AM -0600, Jamin W. Collins wrote: > Stealth firewalls are in some cases better. If you DENY a packet, then > the remote end knows that something answered the request, as it got a > denied response back. If you DROP the packet the remote end gets > nothing back. And the other end *still* knows something there, as it didn't get a Destination Host Unreachable and it didn't get a response back. So you still are visible, you just get the false sense of security in thinking you aren't. All you really accomplish is pissing off legitimately misguided users, and detouring the incompetant cracker that wouldn't get in anyway. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17869/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sun, Dec 08, 2002 at 08:15:18PM -0800, Paul Johnson wrote: > Actually, according to to the RFCs, ports must respond saying they're > closed or open, not just ignore it. Hosts must be pingable. That's > TCP/IP. Stealth firewalls are in some cases better. If you DENY a packet, then the remote end knows that something answered the request, as it got a denied response back. If you DROP the packet the remote end gets nothing back. As with any of the RFCs, there comes a point were they need to be re-examined and updated accordingly. IIRC, the original configurations for MTAs suggested routing traffic for anyone (aka open-relay). With the rampant abuse of this we now see just the opposite suggested. -- Jamin W. Collins -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
> some folks like to sniff passwds... those are some of the ones you > should worry about... ( there are ssh based pwd sniffers too ) ssh based password sniffers? can you provide us with any evidence of this? -jason -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Mon, 09 Dec 2002 02:22:34 PST, Vineet Kumar writes: >>> - install a firewall that just drops any incoming connection from your >>> cable-connected ethernet interface. (I would recommend using fwbuilder >> The security gained with this step is epsilon under Linux if you don't >> have services that aren't needed installed. >I've seen many redhat boxes in which installed rootkits included >something to the effect of 'echo "6969 stream tcp wait root /bin/sh" >> >/etc/inetd.conf'. Having a firewall up in this case prevents the >cracker from using the installed backdoor, even after an >intentionally-exposed service is broken. It's a very good safety net to >have, especially in the case of an always-on static-IP-address cable >connection, which is likely to be swept by script kiddies who then >later try to connect to the boxes their scripts successfully penetrated. Of course, the real point is to never rely on one safety net alone. cheers, &rw -- / Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \ \ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 / signature.ng Description: PGP signature
Re: How insecure are cable connections, versus dialup?
* Paul Johnson ([EMAIL PROTECTED]) [021207 21:12]: > On Sat, Dec 07, 2002 at 09:20:08PM +0100, Frank Gevaerts wrote: > > What I would do (I don't since I have a dedicated firewall machine) is : > > - close all unneeded services > > Better yet, not just close, purge them. > > > - install a firewall that just drops any incoming connection from your > > cable-connected ethernet interface. (I would recommend using fwbuilder > > The security gained with this step is epsilon under Linux if you don't > have services that aren't needed installed. I've seen many redhat boxes in which installed rootkits included something to the effect of 'echo "6969 stream tcp wait root /bin/sh" >> /etc/inetd.conf'. Having a firewall up in this case prevents the cracker from using the installed backdoor, even after an intentionally-exposed service is broken. It's a very good safety net to have, especially in the case of an always-on static-IP-address cable connection, which is likely to be swept by script kiddies who then later try to connect to the boxes their scripts successfully penetrated. good times, Vineet -- http://www.doorstop.net/ -- http://www.eff.org/ msg17831/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sun, Dec 08, 2002 at 12:44:27PM -0700, Bob Proulx wrote: > *ANYTHING* falls over pretty easily when hit with DDOS. There is no > real defense against it at this time. Yeah, but we're talking two dialup boxes not even pinging as fast as they can. > > and it's not hard to get the equivilent of root on them. > > Any details? (Otherwise I will ignore this as FUD.) I can't recall the details, I don't bother remembering shit I don't use. 8:o) > What specifically do you find vulnerable about a NAT based firewall? It's trivial to source-route past NAT. Depending on NAT alone is expecting security through obscurity. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17810/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sun, Dec 08, 2002 at 12:46:56PM -0700, Bob Proulx wrote: > Now that is the best reason given so far for a separate component! > The modem is really a fuse to protect the system behind it. When the > fuse blows you replace the fuse. :-) This is why I say internal modems/DSL bridges/cable bridges are harmful. Do you *really* want to have something passing potentially unchecked high voltage plugged into your motherboard? Surge protectors for phone line and cable coax don't work well: The phone line ones tend to limit speed, and the cable coax ones tend to interfere with channels 2-6, any MPEG encoded channels, and cable internet service (and usually strong enough line noise to have your neighbors complain to the cable company, which in turn will track it down, and cut your service until you remove the interfering device, and send you a four-figure bill for wasted time). -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17802/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sun, Dec 08, 2002 at 12:28:49PM -0600, Jamin W. Collins wrote: > There are viable reasons to use DROP vs DENY. Likewise, there are good > reasons not to respond to ping requests. Actually, according to to the RFCs, ports must respond saying they're closed or open, not just ignore it. Hosts must be pingable. That's TCP/IP. > Agreed, I went through 3 cable-modems during the two years I had service > recently. In each case, the modem just stopped responding. They > plugged a new one in and everything worked fine. Had I purchased my own > modem I would have been SOL and needed to purchase a new one. However, > since I leased it from them (for a very small fee), they had to provide > a replacement. It got pretty routine with replacing cable modems after a while. You wouldn't need to even check the weather map to know there's a lightning storm moving through Mossouri, all your calls would be dead modems from Kansas City. 8:o) -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17800/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
Jamin W. Collins <[EMAIL PROTECTED]> [2002-12-08 12:28:49 -0600]: > On Sat, Dec 07, 2002 at 08:55:52PM -0800, Paul Johnson wrote: > > Do not buy a cable modem off Ebay under any circumstances. These > > things are brutally easy to fry with line surge off the cable line, > > especially if you're in a lightning prone area. > (snip) > > you're better off leasing a modem from them. > > Agreed, I went through 3 cable-modems during the two years I had service > recently. Now that is the best reason given so far for a separate component! The modem is really a fuse to protect the system behind it. When the fuse blows you replace the fuse. :-) Bob msg17751/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
Paul Johnson <[EMAIL PROTECTED]> [2002-12-08 07:29:19 -0800]: > Well, they fall over pretty easily when hit with a DDOS, *ANYTHING* falls over pretty easily when hit with DDOS. There is no real defense against it at this time. > and it's not hard to get the equivilent of root on them. Any details? (Otherwise I will ignore this as FUD.) > They don't have stateful firewalling. Newer ones do. Anything that does NAT needs stateful firewalling. Most do NAT today. (Now we can debate the definition of stateful.) > About the only thing they're advertised as doing that they actually > do is NAT. NAT is not to be relied apon for security. I strongly disagree. Anything that does NAT makes an acceptable firewall for most consumer purposes. What specifically do you find vulnerable about a NAT based firewall? Please don't keep security vulnerabilities to yourself. Security through obscurity is neither. The best security comes through open debate. If you have found a vulnerability that others have missed then please share it. Bob msg17750/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
Jamin W. Collins <[EMAIL PROTECTED]> [2002-12-08 12:21:40 -0600]: > On Sat, Dec 07, 2002 at 04:43:44PM -0700, Bob Proulx wrote: > > > Although the linux kernel iptables firewalls are excellent I still > > recommend a separate firewall box between your computer and the Evil > > Internet. > (snip) > > In my opinion the cable modem should always have had one of these > > built into it. > > Ick. Multi-function devices are in general a bad idea. Frequently they > end up restricting the end user to a small subset of possible > configurations and uses. In most cases you're better off with a > dedicated device serving a specific purpose. I actually think we are mostly in agreement. But let me debate you in the absurd. Would you suggest that your keyboard interface to your computer be separate? And your mouse? Serial port? Parallel port? Of course not. We expect that computers today will have them intergrated into the same controller chip. However, I clearly remember the days when this was not so and the motherboard was a large array of separate components. And there were many flavors of serial and parallel port capabilities. However, some components become so common and so well accepted that they are just commodities to be bought from the lowest bidder. This is the way of all of the computer peripheral interfaces and today all of the common ones are integrated onto one single VLSI chip. I propose that while firewalls today may still be somewhat spotty in terms of capabilities that they will very soon be universally the same in terms of capability. Certainly if they are then there is no reason not to treat them like a commodity as well. If a modem is $80 and a firewall is $80 then that is $160 for the set. If you need to upgrade the firewall then you spend another $75 for the newer (and in the future cheaper) replacement. I propose a combined box for $80 if they had been that way all along. If you need to upgrade the firewall you buy an upgraded combined box for $75 in the future that replaces both and don't shed a tear that the modem which was working fine and could have been saved from that bundle but is tossed as part of the combined unit. If they are integrated then there is no need for yet another power supply brick plugged into the wall and wires from there to the box. No need for yet another set of network wires connecting those two boxes. Contrast the fact that the manufacturing cost of two sets of boxes is double that of one. Contrast one single modem / switch with integrated firewall capability to a set of separates. Especially if the separates are from the same manufacturer then certainly the capability exists to put both in a single box. Now enter the newbies and the grandmas who are now assembling computer systems. They will not know the ins and outs of a whole assortment of separates. Should they need to? Especially in those cases it is better to provide the standalone complete system in a box. Especially because that comes with a good support system to help them when they need help. Really this is similar to the evolution of stereo equipment. While the high end audiophile may prefer custom crafted modular systems most people who just want to listen to the radio prefer a standalone 'boombox'. > > A firewall box like a Linksys, D-Link or Netgear or other is just > > perfect for SOHO needs. > > You'll want to be careful with these devices and make certain they > support your intended use. As these are hardware solutions, you are at > the whim of the manufacturer as to what it can and can not do. Some of > these devices didn't support GRE packets (necessary for PPTP based VPN > connections) or IPSEC connections. Many of these short comings have > been addressed by the manufacturers, but these problems can (and in some > cases still do) exist. Agreed. Speak with your wallet. Buy only something that works for you. Buy it, test it, verify the marketing claims. If you buy something and find that it does not work for you then return it and buy one that does. Bob P.S. I run my own linux firewall router. As a tinkerer I find it delightful. Technically it is a superior solution. But don't let me suggest to my mom that she should build and install one. They are not consumer electronic components. msg17749/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 08:55:52PM -0800, Paul Johnson wrote: > Don't have any ports open that you don't need, avoid DROP (use DENY), > leave yourself pingable. If you don't need to be running a service, > don't do it. There are viable reasons to use DROP vs DENY. Likewise, there are good reasons not to respond to ping requests. > Do not buy a cable modem off Ebay under any circumstances. These > things are brutally easy to fry with line surge off the cable line, > especially if you're in a lightning prone area. (snip) > you're better off leasing a modem from them. Agreed, I went through 3 cable-modems during the two years I had service recently. In each case, the modem just stopped responding. They plugged a new one in and everything worked fine. Had I purchased my own modem I would have been SOL and needed to purchase a new one. However, since I leased it from them (for a very small fee), they had to provide a replacement. -- Jamin W. Collins -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 04:43:44PM -0700, Bob Proulx wrote: > Although the linux kernel iptables firewalls are excellent I still > recommend a separate firewall box between your computer and the Evil > Internet. (snip) > In my opinion the cable modem should always have had one of these > built into it. Ick. Multi-function devices are in general a bad idea. Frequently they end up restricting the end user to a small subset of possible configurations and uses. In most cases you're better off with a dedicated device serving a specific purpose. > A firewall box like a Linksys, D-Link or Netgear or other is just > perfect for SOHO needs. They run around $80 right now. Look for a > rebate or sale and save. No disk drive to crash, no need for backup, > no fan, quiet and can be left on for instant access. You can add a > second or third computer trivially. You can run any OS you want > behind the firewall since these are usually configured by a web > interface. You'll want to be careful with these devices and make certain they support your intended use. As these are hardware solutions, you are at the whim of the manufacturer as to what it can and can not do. Some of these devices didn't support GRE packets (necessary for PPTP based VPN connections) or IPSEC connections. Many of these short comings have been addressed by the manufacturers, but these problems can (and in some cases still do) exist. -- Jamin W. Collins -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 11:26:48PM -0600, Nicolaus Kedegren wrote: > Exactly what security issues have you read about? I am pretty curious as > most of these little boxes seem to be NAT, and not much more. And since > a great deal of people are using these boxes, it would be interesting to > hear what problems you read about. Me, myself and I haven't heard of any > problems. Well, they fall over pretty easily when hit with a DDOS, and it's not hard to get the equivilent of root on them. They don't have stateful firewalling. About the only thing they're advertised as doing that they actually do is NAT. NAT is not to be relied apon for security. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17733/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 09:10:55PM -0800, Paul Johnson wrote: > On Sat, Dec 07, 2002 at 09:20:08PM +0100, Frank Gevaerts wrote: > > What I would do (I don't since I have a dedicated firewall machine) is : > > - close all unneeded services > > Better yet, not just close, purge them. > > > - install a firewall that just drops any incoming connection from your > > cable-connected ethernet interface. (I would recommend using fwbuilder > > The security gained with this step is epsilon under Linux if you don't > have services that aren't needed installed. Lots of services may be needed locally. Not every service is trivial to reconfigure to only use selected interfaces. Also, whenever you install some package to experiment with it, you have to be careful it doesn't liaten on your external interfaces. Frank > -- > .''`. Baloo <[EMAIL PROTECTED]> > : :' :proud Debian admin and user > `. `'` > `- Debian - when you have better things to do than to fix a system -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
Paul Johnson wrote: > On Sat, Dec 07, 2002 at 09:20:08PM +0100, Frank Gevaerts wrote: > > What I would do (I don't since I have a dedicated firewall machine) is : > > - close all unneeded services > > Better yet, not just close, purge them. Yes, absolutely. If you have no need for any piece of software, why not just get rid of it entirely? > > - install a firewall that just drops any incoming connection from your > > cable-connected ethernet interface. > > The security gained with this step is epsilon under Linux if you don't > have services that aren't needed installed. There may be services that are needed locally, but which should not accept connections from outside the LAN. These services should be configured to listen only on the internal interface. A firewall is still of some value, however, to protect against mistakes in service configuration (or the possibility of an upgrade causing a service's behavior to change unexpectedly). These are incremental steps of security; if the firewall protects you against errors in service configuration (or bugs in services that cause them to listen to all interfaces even when they've been told not to), and service configuration protects against errors in the firewall, then you can feel more confident of your security than you ought to with either technique alone. Craig -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
Paul Johnson wrote: > On Sat, Dec 07, 2002 at 04:43:44PM -0700, Bob Proulx wrote: > > A firewall box like a Linksys, D-Link or Netgear or other is just > > perfect for SOHO needs. > > Reading about security issues lately, you'd actually introduce more > insecurities than would be solved if you're already running Linux. > Avoid these like the plague. I haven't been keeping up with D-Link or Netgear issues since I don't have any of their products, but I have seen the Linksys reports. They're really much less of a problem than you might think, since to be remotely exploitable, you'd have to have the "admin web server listens on WAN port" option enabled. It is off by default, and most people have no reason to have ever turned it on. Craig -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 09:16:41PM -0800, Paul Johnson wrote: > On Sat, Dec 07, 2002 at 04:43:44PM -0700, Bob Proulx wrote: > > A firewall box like a Linksys, D-Link or Netgear or other is just > > perfect for SOHO needs. > > Reading about security issues lately, you'd actually introduce more > insecurities than would be solved if you're already running Linux. > Avoid these like the plague. > > -- > .''`. Baloo <[EMAIL PROTECTED]> > : :' :proud Debian admin and user > `. `'` > `- Debian - when you have better things to do than to fix a system Exactly what security issues have you read about? I am pretty curious as most of these little boxes seem to be NAT, and not much more. And since a great deal of people are using these boxes, it would be interesting to hear what problems you read about. Me, myself and I haven't heard of any problems. -- Best Regards Nicolaus Kedegren msg17689/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 04:43:44PM -0700, Bob Proulx wrote: > A firewall box like a Linksys, D-Link or Netgear or other is just > perfect for SOHO needs. Reading about security issues lately, you'd actually introduce more insecurities than would be solved if you're already running Linux. Avoid these like the plague. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17688/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 09:20:08PM +0100, Frank Gevaerts wrote: > What I would do (I don't since I have a dedicated firewall machine) is : > - close all unneeded services Better yet, not just close, purge them. > - install a firewall that just drops any incoming connection from your > cable-connected ethernet interface. (I would recommend using fwbuilder The security gained with this step is epsilon under Linux if you don't have services that aren't needed installed. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17687/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 06:01:19PM -0800, Alvin Oga wrote: > cable ... its you and all your neighbors watching/sharing that copper Not quite. It's about as insecure as any other network either way. The shared bandwidth problem is a myth on cable, but severe on DSL (DSL users get to fight with all other DSL users in thier entire city for what bandwidth's left in the ATM cloud after all the gauranteed connections (ISDN, T1/T3, etc) get thier share, cable users share with whoever else is on thier node, usually no more than 70 folks, and the bandwidth to the node is usually more than will ever be used by all the users pegging at their bandwidth cap (usually 3 or 5 Mbps/household). -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17686/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 03:04:25PM -0500, Chip Rose wrote: > I'm thinking of getting a Cox cable connection/modem, and was wondering > how hard it is to make the static IP address secure. Don't have any ports open that you don't need, avoid DROP (use DENY), leave yourself pingable. If you don't need to be running a service, don't do it. > A cable modem that I could > lease or buy on Ebay, and a network interface card, and turn off all > unneeded services - how easy would it be for someone to hack me, and what > all could they generally accomplish? Hack you? Impossible. Crack? Depends on how well you make yourself look undesirable. (Please learn the difference between hacking and cracking, it's a very important distinction. You can look it up in the jargon file, http://ursine.dyndns.org/jargon/) Do not buy a cable modem off Ebay under any circumstances. These things are brutally easy to fry with line surge off the cable line, especially if you're in a lightning prone area. If you still want to buy your own cable modem, get a 3Com OfficeConnect. This modem should work on most cable systems. Call your cable operator to see if they can provision this modem beforehand. If this particular model isn't available or your cable operator can't handle it, you're better off leasing a modem from them. -- .''`. Baloo <[EMAIL PROTECTED]> : :' :proud Debian admin and user `. `'` `- Debian - when you have better things to do than to fix a system msg17685/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
hi ya chip On Sat, 7 Dec 2002, Jeffrey Taylor wrote: > Your exposure is how much time you spend connected. Cable or dial-up > makes little difference. In both cases you should have a firewall. ... > Quoting Chip Rose <[EMAIL PROTECTED]>: > > I'm thinking of getting a Cox cable connection/modem, and was wondering > > how hard it is to make the static IP address secure. I don't have a lot > > of knowledge in this area. What is needed? A cable modem that I could > > lease or buy on Ebay, and a network interface card, and turn off all > > unneeded services - how easy would it be for someone to hack me, and what > > all could they generally accomplish? Is getting a cable connection a > > no-no for someone of my limited knowledge level? PPP dialups shoould be more secure ... ( less people on that copper ) - just you and the isp and anybody else using that ppp server cable ... its you and all your neighbors watching/sharing that copper cable or ppp makes no differences for ya in terms of security - get the benefit of faster downloads w/ cable (no difference ==> you wont know till some homework has been done) some folks like to sniff passwds... those are some of the ones you should worry about... ( there are ssh based pwd sniffers too ) - they break into the easiest box to break into and sniff passwds of eveybody else ( login once and stay logged in -- my paranoia level ) if security is an issue - keep your ppp dialup passwd different from other passwd - keep your email acct ( [EMAIL PROTECTED] ) different than your login acct ( crose ) and diff pwd - keep your vpn login and pwd different than the above - lots of other "security howto" depending on your paranoia level ( basic minimum, backup your stuff you care about, ( use secure services like ssh instead of telnet/ftp/ppp, ( harden your server ( turn stuff off you dont need ), ( get a separate box for your firewall and gateway ( ...blah... if someone wanted to play with your box.. - they can have you send out their spam for thjem - they can "rm -rf /" your machine - they can run games, or use your machine for distributing whatever their buddies will be downloading - tightening your box - follow debian's security-hwoto - get somebody to help you setup your firewall have fun alvin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
Chip Rose <[EMAIL PROTECTED]> [2002-12-07 15:04:25 -0500]: > I'm thinking of getting a Cox cable connection/modem, and was > wondering how hard it is to make the static IP address secure. I > don't have a lot of knowledge in this area. What is needed? A > cable modem that I could lease or buy on Ebay, and a network > interface card, and turn off all unneeded services - how easy would > it be for someone to hack me, and what all could they generally > accomplish? Is getting a cable connection a no-no for someone of my > limited knowledge level? You will like the high speed connection. Don't be scared off. Everyone will recommend a backup so recover from in the case of trouble. A CD writer is convenient and doubles for this. A high reason crackers want systems on high speed networks is so they can have a fast network source. A thousand cable 'bots from all over the planet all pinging a site can overwhelm it in a distributed denial of service attack which cannot be blocked since the sources are all over the place. And there are other purposes. Who can understand the reasoning of the sociopath? Don't try. Just block them. Although the linux kernel iptables firewalls are excellent I still recommend a separate firewall box between your computer and the Evil Internet. That way you can have a lot more freedom over what you do on your own computer. You can install software without worrying as much about how that is going to affect your security. You are independent of the OS you are running behind it. In my opinion the cable modem should always have had one of these built into it. A firewall box like a Linksys, D-Link or Netgear or other is just perfect for SOHO needs. They run around $80 right now. Look for a rebate or sale and save. No disk drive to crash, no need for backup, no fan, quiet and can be left on for instant access. You can add a second or third computer trivially. You can run any OS you want behind the firewall since these are usually configured by a web interface. Bob msg17665/pgp0.pgp Description: PGP signature
Re: How insecure are cable connections, versus dialup?
On Sat, Dec 07, 2002 at 03:04:25PM -0500, Chip Rose wrote: > I'm thinking of getting a Cox cable connection/modem, and was wondering > how hard it is to make the static IP address secure. I don't have a lot > of knowledge in this area. What is needed? A cable modem that I could > lease or buy on Ebay, and a network interface card, and turn off all > unneeded services - how easy would it be for someone to hack me, and what > all could they generally accomplish? Is getting a cable connection a > no-no for someone of my limited knowledge level? While a cable connection might be a more attractive target to crackers than a dialup connection, breaking in on a cable-connected machine is not easier than breaking in on a dialup machine. What I would do (I don't since I have a dedicated firewall machine) is : - close all unneeded services - install a firewall that just drops any incoming connection from your cable-connected ethernet interface. (I would recommend using fwbuilder to build the firewall script. I have used it on my small home firewall, the firewall at work, and at several customer sites, including one with 6 subnets. I think it should also work well on a standalone PC, although it might be overkill) Frank > Thank, > > Chip > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How insecure are cable connections, versus dialup?
Your exposure is how much time you spend connected. Cable or dial-up makes little difference. In both cases you should have a firewall. Disabling unneeded servers is a good idea in all cases. Debian 3.0 installs and enables all kinds of insecure services (e.g., SunRPC, portmapper) by default. Jeffrey Quoting Chip Rose <[EMAIL PROTECTED]>: > I'm thinking of getting a Cox cable connection/modem, and was wondering > how hard it is to make the static IP address secure. I don't have a lot > of knowledge in this area. What is needed? A cable modem that I could > lease or buy on Ebay, and a network interface card, and turn off all > unneeded services - how easy would it be for someone to hack me, and what > all could they generally accomplish? Is getting a cable connection a > no-no for someone of my limited knowledge level? > > Thank, > > Chip > > > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
How insecure are cable connections, versus dialup?
I'm thinking of getting a Cox cable connection/modem, and was wondering how hard it is to make the static IP address secure. I don't have a lot of knowledge in this area. What is needed? A cable modem that I could lease or buy on Ebay, and a network interface card, and turn off all unneeded services - how easy would it be for someone to hack me, and what all could they generally accomplish? Is getting a cable connection a no-no for someone of my limited knowledge level? Thank, Chip -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]