Re: OT: Linux kernel version in fiber modem
On Sat, 2021-12-25 at 03:15 -0800, Jonathan Ryshpan wrote: > On a whim I opened up the: >Legal Disclaimer Open Source Licenses > in the management page for my fiber modem (ATT installed 2021/03/30) > and discovered that the kernel is rather old: Since this seems to have produced a modest amount of interest, I'm posting a little more of this license file; the whole file is about 0.5 Mbytes, which seems a little long. The modem was provided to me by ATT when they installed fiber service; I haven't checked but I suspect that it's the only device that ATT supports and very likely the only one that works on the ATT network. This very long list of open source software very likely contains more vulnerabilities. - ATT License File Starts - # BGW320 version 1.0 OPEN SOURCE SOFTWARE INFORMATION For instructions on how to obtain a copy of any open source code being made publicly available by AT&T; related to open source software used in the BGW320 gateway, you may send your request in writing to: AVP, RG Software Open Source Request AT&T; 2230 E Imperial HWY El Segundo CA 90245 This document contains additional information regarding open source software licenses, acknowledgments and required copyright notices for open source packages used in the BGW320 device. radvd - Version 2.18 libssl - Version 1.1.1k motopia - ssl_api.c openssl - Version 1.1.1k dropbear - Version 2013.62 portmap - Version 6.0 tcp_wrappers - Version 7.6 libtecla - Version 1.6.2 pcre - Version 8.32 dhrystone - Version 2.2 flex - Version 2.5.4 aiccu - Version 20070115 motopia - list.h mcproxy - mcp_util.c miniupnpd voip resolver - resolverapi.h voip resolver - resolverapi.c portmap - Version 5beta SpryAssets lua - Version 5.4.0 expat - Version 2.1.0 public include - pcp.h cms_util - pcp.c dhcp-isc - Version 4.1-ESV-R8 dhcpcd motopia - md5.h motopia - list.c motopia - md5.c muhttpd - Version 1.1.5 smartdb system - broadcom.c voip SIP - sha1.c voip SIP - sha1.h dhcp - Version 4.1-ESV-R3 mini_httpd - Version 1.19 dhcpcd - ifaddrs.c ez-ipupdate - md5.c libmnl - Version 1.0.3 dhcpv6 dhcpv6 - ifaddrs.c public include - cms_lzw.h cms_util - base64decode.c cms_util - base64encode.c cms_util - lzw_decode.c voip resolver - resolverprivate.c widedhcpv6 - Version 20080615 widedhcpv6 - ifaddrs.c uClibc - Version 0.9.28.3 arptables - Version 0.0.3-4 inetd - inetd.c kernel - include motopia-arm netfilter zl880 - arris_lt.c bcmdriver include - adsldrv.h bcmdriver include - AdslMibDef.h bcmdriver include - atmapidrv.h bcmdriver include - bcmadsl.h bcmdriver include - bcmatmapi.h bcmdriver include - bcmxdsl.h bcmdriver include - DiagDef.h bcmdriver include - VdslInfoDef.h bdmf dpi pcmshim rdpa_drv rdpa_gpl rdpa_mw opensource include - bcmspucfg.h opensource include - bcmspudrv.h opensource include - bcmtypes.h opensource include - board.h bcmdrivers - enet bcmdrivers - wfd bcmdrivers - xtmrt linux kernel - Version 3.4.11 bridge-utils - Version 1.2 busybox - Version 1.30.1 conntrack-tools - Version 1.4.1 dnsmasq - Version 2.85 dproxy-nexgen - Version 0.5 ebtables ez-ipupdate - Version 3.0.11b7 ftpd - Version 1.0.24 haserl - Version 0.9.35 iproute2 iptables - Version 1.4.16.3 mtd-util - flash_eraseall.c mtd - Version 1.5.0 ntfs-3g - Version 2014.3.15 ntpclient - Version 2010_356 rp-pppoe - Version 3.11 sysstat - Version 9.0.3 urlfilterd - Version 1.0.1 libnetfilter_conntrack - Version 1.0.3 libnetfilter_cthelper - Version 1.0.0 libnetfilter_cttimeout - Version 1.0.0 libnetfilter_queue - Version 1.0.2 libnfnetlink - Version 1.0.1 bcm_boot_launcher.c bdmf_shell memaccess.c ppp - Version 2.3.11 psictl.c scratchpadctl.c send_cms_msg.c simcard public - include cms_boardctl cms_msg cms_util motopia portmirror prioritytag udev - Version 136 bridge-utils - Version 1.0.6 iproute2 - Version 2.6.35 mtd - Version 20050122.orig ntpclient - Version 2010_365 wireless_tools - Version 29 wpa_supplicant - Version 1.1 hostapd compat.h bootcfg.ko pm_interval.ko emaclib.ko wlan.ko wlan_ccmp.ko wlan_scan_ap.ko wlan_scan_sta.ko wlan_tkip.ko wlan_xauth.ko xt_mark.ko queue.h linux kernel - Version 2.6.35.12 U-Boot - Version 2009.06 PHP - Version 5.0.5 zlib - Version 1.2.11 zlib - Version 1.2.3 dhcpcd - ifaddrs.h dhcpv6 - ifaddrs.h radvd - ifaddrs.h mocana - parseasn1.c smartdb system - etc53xx.h widedhcpv6 - ifaddrs.h - Version 1.1.1.1 popt - Version 1.16 Process Control Daemon (PCD) - Version 1.1.6 syslog-ng - Version 3.8.1 eventlog - Version 0.2.12 glib - Version 2.40.0 logrotate - Version 3.11.0 libffi - Version 3.2.1 libuuid - Version 1.0.3 md5.js - Version 2.2 safeclib - Version 10052013 Argon2 - Version 1.3 curl - Version 7.70.0 ncurses - Version 6.1 mtr - Version 0.93 dbus - Version 1.10.8 systemd - Version 243 libfuse - Version 3.10.2 libattr - Version 2.4.48 util-linux - Version 2.36 - ATT License File Ends -- --
Re: OT: Linux kernel version in fiber modem
There was an article that compared linux based DIY routers with off the shelf home routers and the numbers were pretty conclusive. A basic x86 processor from Intel or AMD is much more powerful than most of the low cost MIPs processors shipped in consumer routers. Why is something more powerful needed? Because the low cost MIPs processors cannot more than a few tens of megabits per second. Here is the article https://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/ . The ISP in my area installs an ONT on the side of your home, it is basically a powered fiber optic to ethernet transceiver and a couple of things, and your home router can be plugged directly into this optical transceiver via CAT6. You can run the basic services necessary on the DIY router to run your home network, for very basic home network just DHCP & DNS server, and that can be accomplished using the service dnsmasq. If you need wifi you can plug a port from your DIY router into a LAN port of the wifi router (first disable the DHCP service on the wifi router) and use it as a wifi bridge to your DIY router. This architecture has some other benefits, the main benefit being flexibility. Since the DIY router is running your favorite linux distro you can host other services. An key additional service I have tossed on the DIY router is VPN to provide connectivity back to my home network to provide better privacy and security when using public/untrusted wifi networks using Wireguard (could also use Openvpn or IPSec). Though I agree there are some security implications and running these sevices on an internet connected device is not suitable for a corporate environment, but for your home usage can even attach some storage and the DIY router can also act as a CIFS/NFS server or can run services like OwnCloud/NextCloud. I've used three APU2* devices from http://pcengines.ch for different projects and they have worked well. They are low power, I believe they run at 12 watts max, have 4 core AMD processors (supposed to be powerful enough to NAT at 1Gb/sec), 4GB ram, a couple of gigabit ports, PCMCIA, USB, and possibly eSATA. There is no fan or moving parts, I have dropped one or two APU2s on hard surfaces and they have not shown any failure (just a dead AC/DC adapter after a severe electrical storm), they are pretty much rock solid. Regards, -Jamie On Mon, Dec 27, 2021 at 9:16 PM Tim via users wrote: > On Mon, 2021-12-27 at 17:35 -0600, Roger Heflin wrote: > > I have always ran my own router behind the ISP's firewall/modem. I > > usually DMZ my personal router's ip address and then rely on the > > security of my own newer router that I have full control of. > > > > I also forward ports to my server so that it can provide my public ip > > services via the router I have supplied. I also always turn off the > > wifi on the vendor's device (or if possible don't get wifi on the > > vendor's device at all if that is an option). > > I had tried that, but performance was dire. That could just be the > combination of those particular devices. If my old modem/router packs > it in, I'll just buy a decent one directly from someone other than my > ISP. > > > George: > > switches will forward just about any underlying packets at the layer > > 2 level, they don't care about protocols at all, and generally it > > takes an expensive switch to even look at protocols. But it is > > possible that the new switch does not support 10base-t and the set > > top boxes may need something ancient like that. > > I was thinking it's more likely to be something like UPnP. Though it > could be at the remote end. > > All the smart devices I have run at 100 mb/s ethernet, none run at 10 > mb/s or 1 gb/s. > > All of which went dumb a while ago, for several days, when something at > Sony stopped working, and they go into stupid-mode when they can't > authenticate with their mummy. I have a sony TV, and several Sony > bluray/smart set-top boxes for various TVs. The TV deleted all the > channels associated with the ABC, no streaming playing from any > services on any devices, the devices wouldn't store their settings, > even playing DVDs required mucking around, unplugging the power to be > able to eject a disc. A few days later on, they all went good again. > > You might just want to try switching your network around, now, for the > set-top boxes, and see if it behaves any differently. > > -- > > uname -rsvp > Linux 3.10.0-1160.49.1.el7.x86_64 #1 SMP Tue Nov 30 15:51:32 UTC 2021 > x86_64 > > Boilerplate: All unexpected mail to my mailbox is automatically deleted. > I will only get to see the messages that are posted to the mailing list. > > ___ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproje
Re: OT: Linux kernel version in fiber modem
On Mon, 2021-12-27 at 17:35 -0600, Roger Heflin wrote: > I have always ran my own router behind the ISP's firewall/modem. I > usually DMZ my personal router's ip address and then rely on the > security of my own newer router that I have full control of. > > I also forward ports to my server so that it can provide my public ip > services via the router I have supplied. I also always turn off the > wifi on the vendor's device (or if possible don't get wifi on the > vendor's device at all if that is an option). I had tried that, but performance was dire. That could just be the combination of those particular devices. If my old modem/router packs it in, I'll just buy a decent one directly from someone other than my ISP. > George: > switches will forward just about any underlying packets at the layer > 2 level, they don't care about protocols at all, and generally it > takes an expensive switch to even look at protocols. But it is > possible that the new switch does not support 10base-t and the set > top boxes may need something ancient like that. I was thinking it's more likely to be something like UPnP. Though it could be at the remote end. All the smart devices I have run at 100 mb/s ethernet, none run at 10 mb/s or 1 gb/s. All of which went dumb a while ago, for several days, when something at Sony stopped working, and they go into stupid-mode when they can't authenticate with their mummy. I have a sony TV, and several Sony bluray/smart set-top boxes for various TVs. The TV deleted all the channels associated with the ABC, no streaming playing from any services on any devices, the devices wouldn't store their settings, even playing DVDs required mucking around, unplugging the power to be able to eject a disc. A few days later on, they all went good again. You might just want to try switching your network around, now, for the set-top boxes, and see if it behaves any differently. -- uname -rsvp Linux 3.10.0-1160.49.1.el7.x86_64 #1 SMP Tue Nov 30 15:51:32 UTC 2021 x86_64 Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
I have always ran my own router behind the ISP's firewall/modem. I usually DMZ my personal router's ip address and then rely on the security of my own newer router that I have full control of. I also forward ports to my server so that it can provide my public ip services via the router I have supplied. I also always turn off the wifi on the vendor's device (or if possible don't get wifi on the vendor's device at all if that is an option). George: switches will forward just about any underlying packets at the layer 2 level, they don't care about protocols at all, and generally it takes an expensive switch to even look at protocols. But it is possible that the new switch does not support 10base-t and the set top boxes may need something ancient like that. On Mon, Dec 27, 2021 at 10:01 AM George N. White III wrote: > > On Mon, 27 Dec 2021 at 01:06, Tim via users > wrote: >> >> On Sat, 2021-12-25 at 12:19 -0500, Mauricio Tavares wrote: >> > The joy of IoT: devices that are treated as appliances: never >> > get patched and are updated by being tossed and replaced with one >> > with newer vulnerabilities. >> >> And house lighting that's out of your control when the remote server >> controlling it goes down... > > > I have fibre TV and internet service. The fibre modem has a battery, but > if the power is out for longer than 20 minutes, the set-top boxes try to > reconnect and fail before the modem comes back. At work I had problems > with a computer room A/C that was installed without the proper delay relay > needed to prevent tripping the breaker (located in a locked closet). I > suppose we will need a whole house systemd to ensure all the circuits come > up in the proper sequence. > >> >> My ISP supplied my modem/router years ago, then sent me a new one >> recently. It was worse than the old one. I don't know if it's any >> better or worse security-wise, but operationally speaking it's a >> disaster. > > > My switch died this year. I was using it for computers, access points, and > the set-top boxes. The set-top boxes wouldn't talk to the replacement > switch (I assume they use some non-IP ethernet protocol the new > switch doesn't support). Fortunately it was easy to move the cables > feeding the set-top boxes to my ISP supplied modem/router. > > -- > George N. White III > > ___ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Mon, 27 Dec 2021 at 01:06, Tim via users wrote: > On Sat, 2021-12-25 at 12:19 -0500, Mauricio Tavares wrote: > > The joy of IoT: devices that are treated as appliances: never > > get patched and are updated by being tossed and replaced with one > > with newer vulnerabilities. > > And house lighting that's out of your control when the remote server > controlling it goes down... > I have fibre TV and internet service. The fibre modem has a battery, but if the power is out for longer than 20 minutes, the set-top boxes try to reconnect and fail before the modem comes back. At work I had problems with a computer room A/C that was installed without the proper delay relay needed to prevent tripping the breaker (located in a locked closet). I suppose we will need a whole house systemd to ensure all the circuits come up in the proper sequence. > My ISP supplied my modem/router years ago, then sent me a new one > recently. It was worse than the old one. I don't know if it's any > better or worse security-wise, but operationally speaking it's a > disaster. > My switch died this year. I was using it for computers, access points, and the set-top boxes. The set-top boxes wouldn't talk to the replacement switch (I assume they use some non-IP ethernet protocol the new switch doesn't support). Fortunately it was easy to move the cables feeding the set-top boxes to my ISP supplied modem/router. -- George N. White III ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sun, 2021-12-26 at 12:23 -0600, Chris Adams wrote: > Often, when the vendors do any security updates, they'll do just the > minimum needed (which does make sense, since it's also the least > likely to break devices that can be difficult or impossible to > recover from an update failure). If the kernel doesn't have any > known and exploitable security issues, it'll be left as-is. That's one of the things I have against domestic NASs. You buy one and find out that it's software is actually 2 years out of date (so much for being a "new" thing). You may or may not find that there's any updates available for it. You're quite likely to find that updates simply remove a (potentially) vulnerable feature (possibly one that you actually want), rather than fix it. Samsung do that trick with their phones. If enough people complain about their faulty software, they delete it instead of fix it. It's about the only way of de-bloating their shovelware. -- uname -rsvp Linux 3.10.0-1160.49.1.el7.x86_64 #1 SMP Tue Nov 30 15:51:32 UTC 2021 x86_64 Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sat, 2021-12-25 at 12:19 -0500, Mauricio Tavares wrote: > The joy of IoT: devices that are treated as appliances: never > get patched and are updated by being tossed and replaced with one > with newer vulnerabilities. And house lighting that's out of your control when the remote server controlling it goes down... My ISP supplied my modem/router years ago, then sent me a new one recently. It was worse than the old one. I don't know if it's any better or worse security-wise, but operationally speaking it's a disaster. -- uname -rsvp Linux 3.10.0-1160.49.1.el7.x86_64 #1 SMP Tue Nov 30 15:51:32 UTC 2021 x86_64 Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sun, Dec 26, 2021 at 1:24 PM Chris Adams wrote: > > Often, when the vendors do any security updates, they'll do just the > minimum needed (which does make sense, since it's also the least likely > to break devices that can be difficult or impossible to recover from an > update failure). If the kernel doesn't have any known and exploitable > security issues, it'll be left as-is. fair point. as far as I know, vendors also do their own patching to old kernel versions too. which brings me to… > So, an old kernel version can indicate unmaintained software, or it can > also indicate conservative update practices. Unforunately, the first > case is much more likely. yeah, that’s what I worry is what happened here. I have no reason to believe they’re maintaining it in any way. which does leave the potential for something to slip through the cracks eventually. (it may not have happened, but it can. even if you’re fully up to date, it still very well could be an issue) to be honest - I always assume the worst because I’m never quite sure if something I’m using is being maintained in some way. (that’s part of the reason I swapped away from Android for the time being.) Sent from my iPhone -- -slade ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
Once upon a time, Slade Watkins said: > goes without saying but… old versions of the kernel are certainly way more > prone to these attacks and 100% shouldn’t be included on hardware meant to > be connected to the internet. (let alone send that connection to other > devices and otherwise manage the network…) The kernel is generally not a security issue on most of these devices; there haven't been many remotely-exploitable kernel vulnerabilities over time (at most, they're typically denial-of-service type attacks). I wouldn't really worry too much about just an old kernel version. The security issues with embedded/IoT type things tend to be more in the vendor software, often something that was slapped together with no thought to security and never well maintained. They have debugging passwords accidentally left enabled, poor input processing, etc., and they often run everything as root, losing the key protections of a Unix/Linux environment (so there's no need for kernel security holes to gain privilege). Often, when the vendors do any security updates, they'll do just the minimum needed (which does make sense, since it's also the least likely to break devices that can be difficult or impossible to recover from an update failure). If the kernel doesn't have any known and exploitable security issues, it'll be left as-is. So, an old kernel version can indicate unmaintained software, or it can also indicate conservative update practices. Unforunately, the first case is much more likely. -- Chris Adams ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On 12/26/21 10:52, Qiyu Yan wrote: 在 2021-12-25星期六的 03:15 -0800,Jonathan Ryshpan写道: On a whim I opened up the: Legal Disclaimer Open Source Licenses in the management page for my fiber modem (ATT installed 2021/03/30) and discovered that the kernel is rather old: linux kernel - Version 3.4.11 There are about 163 other open source components, probably most of similar ages. Is this a security problem? Yes, for such a old device, the vendor may have stopped receiving vulnerable reports or publishing updates. And you device is connected to network, that make things worse. Usually, a botnet is made up of those unmaintained but still running device. I happened to have read a article about a botnet build on hacked modems in China, https://blog.netlab.360.com/pink-en/ in this case, when devices gets hacked, the only to "fix" is a replacement. And try and get your FIber ISP to provide you with new gear. I cannot replace it with my own. Must use what they provide... ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On 12/26/21 09:23, James Szinger wrote: On Sat, 25 Dec 2021 03:15:50 -0800 Jonathan Ryshpan wrote: On a whim I opened up the: Legal Disclaimer Open Source Licenses in the management page for my fiber modem (ATT installed 2021/03/30) and discovered that the kernel is rather old: linux kernel - Version 3.4.11 There are about 163 other open source components, probably most of similar ages. Is this a security problem? I would not worry too much about it. All the equally old stuff in userspace is a bigger concern. On the other hand, my ISP already has complete control of my cable modem; they apply firmware updates and manage the configuration. All I can do is log in and view the status report. The modem is effectively part of the ISP infrastructure, which is already beyond my control. My modem runs in bridge mode and I have a separate router to interface with the LAN. This provides a clear demarcation between the ISP and my LAN. Kind of the same, except. My public IPv4 and IPv6 space is between my ISP gear and my firewall. So my public servers have to be there. Got them locked down as much as I can. I tried setting up one zone on my firewall in bridged mode, but I gave up on that. I really need new firewall gear and need to try that again... Everything else is behind my firewall. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Dec 26, 2021, at 11:22, Slade Watkins wrote: > > I’m surprised they didn’t at least update the kernel included on OP’s modem > to a version that is still being maintained in the longterm…(4.4.y or later I > believe?) I am not surprised. I remember at a previous location, I had an analog TV adapter from Comcast, and I turned the TV on once to see a text login prompt with a 2.2.18(?) kernel. The custom GUI running on the OS in the cable TV adapter had crashed and a power cycle brought it back. — Jonathan Billings ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sun, Dec 26, 2021 at 10:52 AM Qiyu Yan wrote: > Usually, a botnet is made up of those unmaintained but still running > device. > > I happened to have read a article about a botnet build on hacked modems > in China, https://blog.netlab.360.com/pink-en/ in this case, when > devices gets hacked, the only to "fix" is a replacement. I’m surprised they didn’t at least update the kernel included on OP’s modem to a version that is still being maintained in the longterm…(4.4.y or later I believe?) goes without saying but… old versions of the kernel are certainly way more prone to these attacks and 100% shouldn’t be included on hardware meant to be connected to the internet. (let alone send that connection to other devices and otherwise manage the network…) Sent from my iPhone > -- -slade ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
在 2021-12-25星期六的 03:15 -0800,Jonathan Ryshpan写道: > On a whim I opened up the: > Legal Disclaimer Open Source Licenses > in the management page for my fiber modem (ATT installed 2021/03/30) > and discovered that the kernel is rather old: > linux kernel - Version 3.4.11 > There are about 163 other open source components, probably most of > similar ages. > > Is this a security problem? Yes, for such a old device, the vendor may have stopped receiving vulnerable reports or publishing updates. And you device is connected to network, that make things worse. Usually, a botnet is made up of those unmaintained but still running device. I happened to have read a article about a botnet build on hacked modems in China, https://blog.netlab.360.com/pink-en/ in this case, when devices gets hacked, the only to "fix" is a replacement. > > ___ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en- > US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproje > ct.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure -- Qiyu Yan GPG keyid: 0x4FC914F065F2DF12 About: https://fedoraproject.org/wiki/User:Yanqiyu signature.asc Description: This is a digitally signed message part ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sat, 25 Dec 2021 03:15:50 -0800 Jonathan Ryshpan wrote: > On a whim I opened up the: >Legal Disclaimer Open Source Licenses > in the management page for my fiber modem (ATT installed 2021/03/30) > and discovered that the kernel is rather old: >linux kernel - Version 3.4.11 > There are about 163 other open source components, probably most of > similar ages. > > Is this a security problem? I would not worry too much about it. All the equally old stuff in userspace is a bigger concern. On the other hand, my ISP already has complete control of my cable modem; they apply firmware updates and manage the configuration. All I can do is log in and view the status report. The modem is effectively part of the ISP infrastructure, which is already beyond my control. My modem runs in bridge mode and I have a separate router to interface with the LAN. This provides a clear demarcation between the ISP and my LAN. Jim ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On 12/25/2021 6:15 AM, Jonathan Ryshpan wrote: > On a whim I opened up the: > *Legal DisclaimerOpen Source Licenses* > in the management page for my fiber modem (ATT installed 2021/03/30) and > discovered that the kernel is rather old: > *linux kernel - Version 3.4.11* > There are about 163 other open source components, probably most of > similar ages. > > Is this a security problem? you should contact them and ask. the 3.4.y tree stopped receiving updates in 2016 (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-3.4.y) so it's definitely possible. best, slade -- This email message may contain sensitive or otherwise confidential information and is intended for the addressee(s) only. If you believe to have received this message in error, please let the sender know *immediately* and delete the message. Thank you for your cooperation! ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sat, Dec 25, 2021 at 6:16 AM Jonathan Ryshpan wrote: > > On a whim I opened up the: > Legal Disclaimer Open Source Licenses > in the management page for my fiber modem (ATT installed 2021/03/30) and > discovered that the kernel is rather old: > linux kernel - Version 3.4.11 > There are about 163 other open source components, probably most of similar > ages. > > Is this a security problem? > The joy of IoT: devices that are treated as appliances: never get patched and are updated by being tossed and replaced with one with newer vulnerabilities. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
On Sat, 25 Dec 2021 at 07:34, Roger Heflin wrote: > The vendor must answer that question. No one else knows what patches were > or were not applied to that system > Assume that bad actors and nation-state intelligence services know quite a bit about such systems, including admin passwords and keys used for remote management. Using such knowledge is generally specifically targeted as too liberal usage might result in loss of attack vectors for future use. Leaks that expose such vectors have occurred and can then be used by botnet systems used for DNS attacks, etc. It can be interesting to run one of the external port scanning services like https://www.grc.com Shields Up! These days most home internet services block internet access to incoming ports, but may use some ports for management. > > On Sat, Dec 25, 2021, 6:16 AM Jonathan Ryshpan > wrote: > >> On a whim I opened up the: >> *Legal Disclaimer Open Source Licenses* >> in the management page for my fiber modem (ATT installed 2021/03/30) and >> discovered that the kernel is rather old: >> *linux kernel - Version 3.4.11* >> There are about 163 other open source components, probably most of >> similar ages. >> >> Is this a security problem? >> > I outlived a friend whose small engineering business did work for the US Gov't. He started out with typical home/small business internet, but as security requirements tighted up he was considering moving to a cloud provider and VPN. The effort needed to secure internet access to systems of potential interest to "nation-state" attackers exceeds the resources of individuals and small business. I do have reason to believe that internet providers in areas with concentrations of individuals working in sensitive industries get extra scrutiny (think about email admins for users with high-level security clearances), but for most of us I would not trust home internet providers to put that level of effort into their customer's security. -- George N. White III ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: OT: Linux kernel version in fiber modem
The vendor must answer that question. No one else knows what patches were or were not applied to that system On Sat, Dec 25, 2021, 6:16 AM Jonathan Ryshpan wrote: > On a whim I opened up the: > *Legal Disclaimer Open Source Licenses* > in the management page for my fiber modem (ATT installed 2021/03/30) and > discovered that the kernel is rather old: > *linux kernel - Version 3.4.11* > There are about 163 other open source components, probably most of similar > ages. > > Is this a security problem? > > -- > > Sincerely Jonathan Ryshpan > > The above message, which does not represent > the opinion of the Berkeley Linux Team, is sold > by weight, not by volume. > Some settling of the contents may have occurred > during shipment. > > ___ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
OT: Linux kernel version in fiber modem
On a whim I opened up the: Legal Disclaimer Open Source Licenses in the management page for my fiber modem (ATT installed 2021/03/30) and discovered that the kernel is rather old: linux kernel - Version 3.4.11 There are about 163 other open source components, probably most of similar ages. Is this a security problem? -- Sincerely Jonathan Ryshpan The above message, which does not represent the opinion of the Berkeley Linux Team, is sold by weight, not by volume. Some settling of the contents may have occurred during shipment. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure