My LAN is behind a Netgear router, which does NAT. On the CentOS server I have
fail2ban running. This morning my router reported 3 different IPs attempting to
send UDP packets to port 38950. Since each address is only seen 4-5 times, I
presume that fail2ban took over after that.

GRC reports that ports are stealthed (port 143 was open, but is now closed), but
then:

Unsolicited Packets: RECEIVED (FAILED) - Your system's personal security
countermeasures unwisely attempted to probe us in response to our probes. While
some users believe that "tracking down" the source of Internet probes is useful,
experience indicates that there is little to gain and potentially much to lose.
The wisest course of action is to simulate nonexistence - which your system has
failed to do. Your counter-probes immediately reveal your system's presence and
location on the Internet.

So, two questions really. First, what should I be looking for on the router,
to turn off this 'tracking down' activity?

Then, I want to read from my own IMAP server when I'm away from home. Is there
a better way than opening port 143?

Anne
> Then, I want to read from my own IMAP server when I'm away from home. Is
> there a better way than opening port 143?

The easiest would be if you had a fixed external IP and only allowed it; but I
guess that won't be the case. Maybe using another port than 143? But I don't
think that would fool port scanners. Or you could firewall everything and try
"port knocking" to open it on demand and let you go through...

JD
On 12/23/08, Anne Wilson <cannewilson at googlemail.com> wrote:
> My LAN is behind a Netgear router, which does NAT. On the CentOS server I
> have fail2ban running. This morning my router reported 3 different IPs
> attempting to send UDP packets to port 38950. Since each address is only seen
> 4-5 times, I presume that fail2ban took over after that.
>
> GRC reports that ports are stealthed (port 143 was open, but is now closed),
> but then:
>

Try www.auditmypc.com or nmap-online.com rather than grc to look for open ports.

> So, two questions really. First, what should I be looking for on the router,
> to turn off this 'tracking down' activity?

Maybe your router is sending host / port unreachable ICMP messages. You could
try to see what is actually happening using Wireshark on another computer from
outside your LAN.

>
> Then, I want to read from my own IMAP server when I'm away from home. Is
> there a better way than opening port 143?
>

ssh tunnelling?

fwknop? (if you want all ports to appear closed) <http://cipherdyne.org/fwknop/>

mike
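An added example (not code from the thread or from any project named in it) of the SSH tunnelling Mike suggests: the laptop listens on a local port and relays it to port 143 on the CentOS box over SSH, so the router only ever forwards the SSH port and 143 stays closed to the Internet. The host name home.example.net, the user anne and the local port 1143 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: read the home IMAP server through an SSH
# local port forward so TCP/143 stays closed on the router; only the SSH port
# is forwarded to the CentOS box. home.example.net, anne and 1143 are
# placeholders, not values from the thread.
HOME_HOST="${HOME_HOST:-home.example.net}"
HOME_USER="${HOME_USER:-anne}"
LOCAL_PORT="${LOCAL_PORT:-1143}"
IMAP_PORT=143

# Accept only numeric, unprivileged ports for the laptop-side listener.
tunnel_port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Build the ssh command. -N: no remote shell. -L: listen on LOCAL_PORT here and
# relay to localhost:143 as seen from the CentOS box, so IMAP is only reached
# from inside the LAN. Binding 127.0.0.1 (and no -g) keeps the listener local.
imap_tunnel_cmd() {
    tunnel_port_ok "$LOCAL_PORT" || return 1
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s %s@%s' \
        "$LOCAL_PORT" "$IMAP_PORT" "$HOME_USER" "$HOME_HOST"
}

# Given the output of 'ss -ltn' (or 'netstat -ltn'), confirm the forward is
# bound to loopback only; a 0.0.0.0 listener would expose it to the cafe LAN.
tunnel_bound_to_loopback() {
    port="$1"; listing="$2"
    printf '%s\n' "$listing" | grep -q "127\.0\.0\.1:${port}[[:space:]]" || return 1
    printf '%s\n' "$listing" | grep -q "0\.0\.0\.0:${port}[[:space:]]" && return 1
    return 0
}

# Start the tunnel, then verify the listener before pointing the mail client
# at imap://127.0.0.1:1143 (keep TLS/STARTTLS enabled inside the tunnel too).
main() {
    cmd=$(imap_tunnel_cmd) || { echo "bad LOCAL_PORT: $LOCAL_PORT" >&2; return 1; }
    echo "starting: $cmd"
    $cmd &
    sleep 2
    tunnel_bound_to_loopback "$LOCAL_PORT" "$(ss -ltn 2>/dev/null || netstat -ltn)" \
        && echo "tunnel listening on 127.0.0.1:$LOCAL_PORT only"
}

# Run as: sh tunnel.sh run
case "${1:-}" in run) main ;; esac
```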
Anne Wilson wrote on Tue, 23 Dec 2008 13:06:01 +0000:

> My LAN is behind a Netgear router, which does NAT. On the CentOS server I
> have fail2ban running. This morning my router reported 3 different IPs
> attempting to send UDP packets to port 38950,

which is per se nothing to worry about and there's no connection to IMAP that
you mention in the rest of your mail.

> Since each address is only seen
> 4-5 times, I presume that fail2ban took over after that.

I doubt you have it checking port 38950, do you? And fail2ban doesn't run on
your router. So, there is no connection.

> GRC reports

What is that?

> So, two questions really. First, what should I be looking for on the router,
> to turn off this 'tracking down' activity?

You may want to ask the GRC developer what he means by that.

> Then, I want to read from my own IMAP server when I'm away from home. Is
> there a better way than opening port 143?

You can VPN to your router and then use your LAN like normal.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Lanny Marcus wrote:
> On Wed, Dec 24, 2008 at 12:43 PM, Bill Campbell <centos at celestial.com> wrote:
> <snip>
>
>>> Hi Warren, Nice explanation. I would like to ask what you
>>> recommend people do if they want to be able to ssh in from
>>> anywhere on the internet. Say they are going to be traveling and
>>> they know they will have to login from machines they have no
>>> control over, like an internet cafe or a Hotel's business
>>> services suite?
>>>
> <snip>
> I again offer you my "solution", which is to take with me "Live CDs"
> for CentOS 5.2 and Knoppix. I reboot the box in an Internet cafe, from
> a Live CD, do what I need/want to do, and when I am done, I remove the
> Live CD and reboot the public box again. I have not installed anything
> on their box and I am much safer, surfing, etc., on a public box.

If you MUST use a public computer, this is the only sensible approach. If you
cannot boot a public computer from a Live CD or USB, you should not use it at
all. Marginally, if you can have Firefox run from a CD or USB, you are
marginally protected. You have no idea what has been installed on a public
computer. There could even be a key capture device on the system that would get
you even with a Live CD.

Don't like to carry a computer? Got a few hundred to protect your life? Get an
ASUS. If you have $1500 get an OQO (you can carry that almost in your pocket).
Just get your own computing platform.

Once upon a time, MIT had a little red button on their public SUN systems. You
pushed the button and got an assured clean boot from their protected server
(and I know the people protecting those servers, they were never compromised).
After you finished, you could hit the red button and leave nothing behind. I
don't know what they do at MIT or anywhere else these days.

I would never trust a public computer for anything I would not leave on an
empty seat in an airport.
Yes, I have printed off presentations at hotel business centers and used their
airline boarding pass systems. But that is IT! Either your own boot environment
(and check for key stroke loggers), or your own system.

Next we will address security WRT your own system. I *****AM**** paranoid, it
is my business!
John R Pierce wrote:
> Lanny Marcus wrote:
>
>> On Wed, Dec 24, 2008 at 12:43 PM, Bill Campbell <centos at celestial.com> wrote:
>> <snip>
>>
>>
>>>> Hi Warren, Nice explanation. I would like to ask what you
>>>> recommend people do if they want to be able to ssh in from
>>>> anywhere on the internet. Say they are going to be traveling and
>>>> they know they will have to login from machines they have no
>>>> control over, like an internet cafe or a Hotel's business
>>>> services suite?
>>>>
>>>>
>> <snip>
>> I again offer you my "solution", which is to take with me "Live CDs"
>> for CentOS 5.2 and Knoppix. I reboot the box in an Internet cafe, from
>> a Live CD, do what I need/want to do, and when I am done, I remove the
>> Live CD and reboot the public box again. I have not installed anything
>> on their box and I am much safer, surfing, etc., on a public box.
>>
>>
>
>
> i'm quite surprised many such internet cafes would let you run your own
> software on their hardware. many of the 'cafe' systems I've seen are
> booted off the network, or don't have CD drives, or could even be
> running Linux already, such as these
> http://www.dnalounge.com/backstage/src/kiosk/

Typically the case. The systems are 'locked' down boot wise, you might be able
to do something they cannot charge for. Bring your own computer. For $300 you
can have an ASUS computer for these basic tasks. If they have not implemented
NAC, you can unplug the cafe system if need be (done that enough times).
Anne Wilson wrote:
> On Thursday 25 December 2008 11:12:19 Lanny Marcus wrote:
>
>> On Wed, Dec 24, 2008 at 12:43 PM, Bill Campbell <centos at celestial.com>
>> wrote: <snip>
>>
>>
>>>> Hi Warren, Nice explanation. I would like to ask what you
>>>> recommend people do if they want to be able to ssh in from
>>>> anywhere on the internet. Say they are going to be traveling and
>>>> they know they will have to login from machines they have no
>>>> control over, like an internet cafe or a Hotel's business
>>>> services suite?
>>>>
>> <snip>
>> I again offer you my "solution", which is to take with me "Live CDs"
>> for CentOS 5.2 and Knoppix. I reboot the box in an Internet cafe, from
>> a Live CD, do what I need/want to do, and when I am done, I remove the
>> Live CD and reboot the public box again. I have not installed anything
>> on their box and I am much safer, surfing, etc., on a public box.
>>
>
> I'll bet you're popular at those cafes :-)

Going WAY back. Comdex Atlanta, early 90s. The hotel I got stuffed in, quite a
ways from downtown, had 'old' hardwired phones, no RJ11 jacks. But I was a REAL
road warrior; I had my full tool kit of tools, jumper cables and the like. I
had the phone apart and my computer wired in, and cleaning came in for some
reason (I was running late and had not left for the show yet). She freaked and
called security. I had to show management that I knew more about their phone
system than anyone around and would put everything back. SHEESH!

Then there was that 5 star hotel in Chicago where their integrated data jack
could not support speeds faster than 1200bps no matter what they claimed (and I
finally nailed the PBX rep on the junk they sold the hotel in front of the
hotel manager).

It never ends. We are always dealing with the lowest common denominator, GREED!
Followed by stupidity.
Scott Bradner, one of the original IETFers (his middle initial is 'O' and he LOVES to sign things with just his initials) once said at an IETF plenary session: "The clue level in the Internet is a constant. The Internet is growing geometrically. I leave the math to you."