From: Ray Olszewski <ray@comarre.com>
To: linux-newbie@vger.kernel.org
Subject: Re: adsl, firewalls, etc.
Date: Mon, 19 Dec 2005 09:07:17 -0800
Message-ID: <43A6E8C5.7030904@comarre.com>
In-Reply-To: <43A66B34.6070102@arrakis.es>
Andrew wrote:
> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success in
> trying to add rules to close these ports, and my isp 'cordially' informs
> me that this is up to me to sort out, so for the time being I am simply
> disconnecting when not in use (about 16 hours a day). Am I being
> over-paranoid?
Andrew -- Your report was a bit too sketchy to get a good answer, in
that you didn't say if you did your scan from the LAN side or the WAN
side of the router. Ports open on one interface need not be open on the
other.
Unfortunately, Draytek apparently doesn't make its manual for the Vigor
2500 available online (as a PDF, say), so I couldn't check the details
behind your report very much. But this entry in the FAQ --
http://www.draytek.co.uk/support/kb_vigor_portforwarding.html -- at
least implies that the telnet and http ports are open on both interfaces.
Now using insecure protocols for configuration on the LAN side isn't
great (I'd much prefer to see manufacturers use ssh and https), but it
isn't a disaster either ... especially not in SOHO settings. Using them
on the WAN side, though ... this brings to mind the old playground
epithet, "Dumb as a stick." Now you'll want to check this by redoing
your port scan on the WAN side, but if I've read the FAQ right,
Draytek's designers have achieved dumb-as-a-stick status by opening
these ports (telnet, http) on BOTH interfaces.
Were I confronting this situation, I would not buy Draytek products and
I'd tell them why. But you're stuck with the thing, so that's not really
practical advice for you. How do you minimize the risks? Here's what I'd do.
1. Move the telnet and http connections to different ports. Use obscure
ones, not obvious ones like 8080 for http. The URL I quoted above tells
you how to do this over the Web interface.
2. Protect these connections with good, hard-to-guess passwords.
3. Never, never, never connect to either of them from the WAN side, or
when there is any risk of a snooper being present on the LAN side (e.g.,
if you ever start running WiFi).
This is not a perfect solution, but it should be enough to protect you
from casual attackers. (The real threat distinctive to insecure
protocols is password sniffing, and attackers can't sniff a password
that you never transmit.) And you need something like this for the 8
hours you are connected, even if you continue to turn the connection off
for the other 16 hours. In the end, though, it's mostly "security
through obscurity" ... not the preferred approach to security, but
better than none at all (and in settings like yours, genuinely better
than its detractors make it out to be).
I didn't address the ftp issue because, frankly, I don't understand it.
Are you sure your testing software reported port 20 as one of the open
ones? I ask because opening port 20 (ftp-data) but not 21 (ftp-control)
is unusual, and the FAQ does mention some use of the tftp port (69/UDP)
for firmware upgrades.
PS -- Was calling it the "defect configuration" a purposely humorous
description or just a typo?
PPS -- I started to look into your (later) modem inquiry, but I couldn't
find a listing for a "Vigor 318" on the Draytek site. Another URL
indicated that it is a USB modem. This may not be fatal, but it does
make Chuck's advice, which was based on his experience with DSL modems
that use Ethernet on the LAN side (which, typically, are trivially easy
to get working with Linux), not very relevant to your situation.
I Googled "Vigor 318 Linux" and got a few hits, but only one (an
unhelpful one) was in English. So while getting this device to work with
Linux might be possible, it probably won't be a snap. So the Vigor 2500
probably is the better of your (poor) options.
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
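The check Ray asks for above (redo the scan from the WAN side, and see whether telnet/http answer on either interface) can be scripted rather than done by hand through Shields Up. The following is an added example written for this page; it is not code from the thread, from Draytek, or from the Vigor 2500 firmware. It assumes the router's LAN address is 192.168.1.1 (the thread never states it) and it ships with two constructed local stand-ins (a fake telnet-style and http-style listener on 127.0.0.1) so it can be exercised without a router at hand. Run it once from a LAN host against the LAN address and once from a host outside the router against the public address; anything reported "open" on the second run is reachable from the Internet, whatever port it was moved to.

```python
"""Added example, not code from the thread or from Draytek.

probe()            one port -> open / closed / filtered ("stealth" in Shields Up
                   terms: no reply at all before the timeout)
identify()         fingerprints telnet or HTTP on whatever port they live on
scan()/exposed()   run a port list and pick out the ports that accept connections

The 192.168.1.1 default is an assumption; serve_once()/free_port() are
constructed local stand-ins so the example runs with no router available.
"""
import errno
import socket
import sys
import threading

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe(host, port, timeout=2.0):
    """TCP connect probe: a RST gives 'closed', silence gives 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:
        return FILTERED
    except ConnectionRefusedError:
        return CLOSED
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
            return FILTERED
        raise
    finally:
        s.close()


def identify(host, port, timeout=2.0):
    """Say what is listening, ignoring the port number.

    A telnet daemon speaks first and its first byte is IAC (0xff); an HTTP
    daemon stays quiet until asked and then answers 'HTTP/...'. This is why
    moving telnet/http to an obscure port only slows a scanner down.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            first = s.recv(64)
        except socket.timeout:
            first = b""
        if first[:1] == b"\xff":
            return "telnet"
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = s.recv(256)
        except OSError:          # socket.timeout is an OSError too
            reply = b""
        return "http" if reply.startswith(b"HTTP/") else "unknown"


def scan(host, ports, timeout=2.0):
    return {p: probe(host, p, timeout) for p in ports}


def exposed(results):
    """Ports that accepted a connection: the only ones that matter on WAN."""
    return sorted(p for p, state in results.items() if state == OPEN)


# ---- constructed local stand-ins (test scaffolding, not router behaviour) ----

def free_port():
    """A 127.0.0.1 port with nothing listening (bind, read back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def serve_once(banner=b"", reply=b""):
    """Fake service on 127.0.0.1 for one connection; returns its port.
    Sends `banner` on connect (telnet-style) or waits for a request and
    sends `reply` (http-style)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with srv, conn:
            if banner:
                conn.sendall(banner)
            if reply:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed
    ports = [20, 21, 22, 23, 53, 69, 80, 443, 8080]
    results = scan(target, ports)
    for p in ports:
        line = f"{target}:{p:<5} {results[p]}"
        if results[p] == OPEN:
            line += "  service=" + identify(target, p)
        print(line)
    print("exposed:", exposed(results))
```

Note that probing port 69 here says nothing about TFTP, which is UDP; a TCP connect to 69 only tells you whether the router happens to have a TCP listener there. Run the script as `python probe.py <router address>` from each side of the router in turn and compare the two "exposed" lists.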
Thread overview: 12+ messages
2005-12-19 8:11 adsl, firewalls, etc Andrew
2005-12-19 10:25 ` joy merwin monteiro
2005-12-19 15:32 ` chuck
2005-12-19 16:22 ` Andrew
2005-12-19 17:25 ` chuck gelm
2005-12-19 16:43 ` Michael Medwid
2005-12-19 16:56 ` Andrew
2005-12-19 17:17 ` Michael Medwid
[not found] ` <faf407640512190917q9d1ade0k96d5a1744a6ced4b@mail.gmail.com >
2005-12-19 17:44 ` Carl
2005-12-19 20:41 ` Andrew
2005-12-19 17:07 ` Ray Olszewski [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-12-19 17:06 Justin Morgan