adsl, firewalls, etc.

adsl, firewalls, etc.

[Andrew]

Midwinter greetings,

I have just moved one rung up on the evolutionary scale and got myself 
an adsl connection. I am probably going to make a few relatively minor 
changes to my home lan because of this, but before going any further 
there is one issue worrying me:

The free modem my isp provided has no support under Linux so I had to 
take the router option. It's a Draytek Vigor 2500. The defect 
configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http) 
open, the rest are stealthed (according to Shields Up). Am I right in 
thinking this is not such a good idea? I haven't yet had any success in 
trying to add rules to close these ports, and my isp 'cordially' informs 
me that this is up to me to sort out, so for the time being I am simply 
disconnecting when not in use (about 16 hours a day). Am I being 
over-paranoid?

TIA
Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[joy merwin monteiro]

nopes i know a person who simply kills pppd on my friends route
for the fun of it, using telnet :D

there is no such thing as over paranoid.
someone can break in and change your router config
and change password for admin.

block them but youll need a port open for remote admin, so......

Joy

On 12/19/05, Andrew <ald2@arrakis.es> wrote:
> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success in
> trying to add rules to close these ports, and my isp 'cordially' informs
> me that this is up to me to sort out, so for the time being I am simply
> disconnecting when not in use (about 16 hours a day). Am I being
> over-paranoid?
>
> TIA
> Andrew
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
>


--
Girls are like slugs.... You know they are around for a reason, but
you cant imagine what.
                                                                      
                               -- Calvin
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[chuck]

Andrew wrote:

> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself 
> an adsl connection. I am probably going to make a few relatively minor 
> changes to my home lan because of this, but before going any further 
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to 
> take the router option. It's a Draytek Vigor 2500. The defect 
> configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http) 
> open, the rest are stealthed (according to Shields Up). Am I right in 
> thinking this is not such a good idea? I haven't yet had any success 
> in trying to add rules to close these ports, and my isp 'cordially' 
> informs me that this is up to me to sort out, so for the time being I 
> am simply disconnecting when not in use (about 16 hours a day). Am I 
> being over-paranoid?
>
> TIA
> Andrew

Hi, Andrew:

"The free modem my isp provided has no support under Linux so I had to 
take the router option."

 I disagree.

 I have had two aDSL acounts; Earthlink and the local telephone company 
Ameritech (now SBC/Yahoo).
Each setup came with a DSL modem and an ethernet card at no charge other 
than a one year commitment.
Both accounts came with Windows(r) software and not Linux software.
Both modems worked flawlessly with Linux.  I used RoaringPenguin (PPPOE).
I don't know what protocol your ISP (Spain?) uses, but there may already 
be a Linux application for it.
There may be no need for explicit Linux support from the ISP as current 
Linux distributions may already contain
the needed application(s).  Sorry that this information is not your 
current solution, but I wanted to post
this response so that others may opt to accept the standard modem.

 Your answer, now, lies in the configuration of the router.  Unless you 
are offering a service to other internet hosts
or want to enable remote access to your router, you do not need any open 
ports
on the WAN side of your router.

 One is not paranoid is everyone else is really out to get one.
However, paranoia is not a solution.
IMHO, disconnecting two thirds of the time is a silly solution.
OBTW, are you disconnecting the modem from the telephone line or 
disconnecting your computer from the modem?

Suggestion:
Disable remote access to the router via WAN (and wireless, if applicable).
Else; Change the router's internal web server to a different port;
         e.g. between 2000 - 65535 and not 8080.

HTH, Chuck


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Andrew]

>> The free modem my isp provided has no support under Linux so I had to 
>> take the router option. It's a Draytek Vigor 2500. The defect 
>> configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http) 
>> open, the rest are stealthed (according to Shields Up). Am I right in 
>> thinking this is not such a good idea? I haven't yet had any success 
>> in trying to add rules to close these ports, and my isp 'cordially' 
>> informs me that this is up to me to sort out, so for the time being I 
>> am simply disconnecting when not in use (about 16 hours a day). Am I 
>> being over-paranoid?
>>
> "The free modem my isp provided has no support under Linux so I had to 
> take the router option."
>
> I disagree.
>
> I have had two aDSL acounts; Earthlink and the local telephone company 
> Ameritech (now SBC/Yahoo).
> Each setup came with a DSL modem and an ethernet card at no charge 
> other than a one year commitment.
> Both accounts came with Windows(r) software and not Linux software.
> Both modems worked flawlessly with Linux.  I used RoaringPenguin (PPPOE).
> I don't know what protocol your ISP (Spain?) uses, but there may 
> already be a Linux application for it.

OK. I'll add that to my growing list of todos. The modem is a Vigor 318.

> There may be no need for explicit Linux support from the ISP as 
> current Linux distributions may already contain
> the needed application(s).  Sorry that this information is not your 
> current solution, but I wanted to post
> this response so that others may opt to accept the standard modem.
>
> Your answer, now, lies in the configuration of the router.

Since I'm going to need more ports than there are on the router anyway, 
and since I have some familiarity with Freesco and shorewall, as well as 
about half a dozen 486s and similar, would it be simplest/advisable to 
put everything behind a dedicated firewall and not bother to mess about 
with the router? (Or get the free modem working and sell the router).

> Unless you are offering a service to other internet hosts
> or want to enable remote access to your router, you do not need any 
> open ports
> on the WAN side of your router.

I'm not.

> IMHO, disconnecting two thirds of the time is a silly solution.

Not so much 'silly' as a PITA (and only a stopgap).

> OBTW, are you disconnecting the modem from the telephone line or 
> disconnecting your computer from the modem?

Modem from telephone line.

>
> Suggestion:
> Disable remote access to the router via WAN (and wireless, if 
> applicable).
> Else; Change the router's internal web server to a different port;
>         e.g. between 2000 - 65535 and not 8080.

Thanks for your answers.

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[chuck gelm]

Andrew wrote:

>
>>> The free modem my isp provided has no support under Linux so I had 
>>> to take the router option. It's a Draytek Vigor 2500. The defect 
>>> configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http) 
>>> open, the rest are stealthed (according to Shields Up). Am I right 
>>> in thinking this is not such a good idea? I haven't yet had any 
>>> success in trying to add rules to close these ports, and my isp 
>>> 'cordially' informs me that this is up to me to sort out, so for the 
>>> time being I am simply disconnecting when not in use (about 16 hours 
>>> a day). Am I being over-paranoid?
>>>
>> "The free modem my isp provided has no support under Linux so I had 
>> to take the router option."
>>
>> I disagree.
>
Hi, Andrew:

 Uh, I disagree that you needed to take the router option.
I do not disagree that your ISP's free modem did not come with Linux 
support.  :-|
<more>

>>
>> I have had two aDSL acounts; Earthlink and the local telephone 
>> company Ameritech (now SBC/Yahoo).
>> Each setup came with a DSL modem and an ethernet card at no charge 
>> other than a one year commitment.
>> Both accounts came with Windows(r) software and not Linux software.
>> Both modems worked flawlessly with Linux.  I used RoaringPenguin 
>> (PPPOE).
>> I don't know what protocol your ISP (Spain?) uses, but there may 
>> already be a Linux application for it.
>
>
> OK. I'll add that to my growing list of todos. The modem is a Vigor 318.

 You look it up (Google, "Draytek Vigor 2500", "Draytek Vigor 318").  
You will need to
know what protocol the modem is speaking to the host computer 
(workstation or your
own 'homebrew' 80486 router. OBTW, I am using an old (1992) Compaq 80486dx33
as my router.  I am not using any of the available enterprise firewall 
packages:
 Smoothwall, Shorewall, Freesco, ..., but I use an eleven (11) line 
IPTABLES script
I found (modified to suit my fun and games). )

# google search: setting up a linux home gateway
#newbiedoc.sourceforge.net/networking/homegateway.html#IPMASQSETTINGSETH
# 9.2.2 For Iptables Users
#For users connecting to external network on ethernet & using iptables:
...

 Chances are that your router's LAN ports default to 192.168.0.1 or 192.168.1.1
and you will find a web server at port 80.  Username may be = Admin and password
may be = password or [blank].  YMMV.
...


http://www.roaringpenguin.com/penguin/open_source_rp-pppoe.php

"PPPoE (Point-to-Point Protocol over Ethernet) is a protocol used by 
many ADSL Internet Service Providers. Roaring Penguin has a free PPPoE 
client for Linux and Solaris systems to connect to PPPoE service providers.

Dubbed RP-PPPoE, this open-source product is ideal for Linux users with 
a DSL "modem" whose Internet service provider uses PPPoE. Before you 
download this software, check whether or not you really need it. If your 
ISP uses PPPoE, but has given you a router, you may not need a PPPoE 
client on your Linux box. DHCP may work fine."

 If your ISP does not use PPPOE, it may still use some other compatible 
protocol.

<more>

>
>> There may be no need for explicit Linux support from the ISP as 
>> current Linux distributions may already contain
>> the needed application(s).  Sorry that this information is not your 
>> current solution, but I wanted to post
>> this response so that others may opt to accept the standard modem.
>>
>> Your answer, now, lies in the configuration of the router.
>
>
> Since I'm going to need more ports than there are on the router 
> anyway, and since I have some familiarity with Freesco and shorewall, 
> as well as about half a dozen 486s and similar, would it be 
> simplest/advisable to put everything behind a dedicated firewall and 
> not bother to mess about with the router? (Or get the free modem 
> working and sell the router).


Simplest would be to use the Draytek router
Sure you can.  I have several 10/100 ethernet switches after my 80486 
router and several
($5 after rebates) wired and wired/wireless routers that I can drop into 
my LAN.
All my routers have four (4) port switched included.  Does yours?  You 
can add
multiport switches to the LAN port of the router.
<more>

>
>
>> Unless you are offering a service to other internet hosts
>> or want to enable remote access to your router, you do not need any 
>> open ports
>> on the WAN side of your router.
>
>
> I'm not.
>
>> IMHO, disconnecting two thirds of the time is a silly solution.
>
>
> Not so much 'silly' as a PITA (and only a stopgap).
>
>> OBTW, are you disconnecting the modem from the telephone line or 
>> disconnecting your computer from the modem?
>
>
> Modem from telephone line.

Hmmmm, I seem to recall that these modems ask that the user keep them 
powered up
and connected to the data line for up to ten (10) days as the modems at 
each end decide
what data tones to use.  I'd recommend in some point in the future that 
before connecting
the router to the telephone line, do a 'reset' and disable remote 
access.  Your router may
already be compromised.

HTH, Chuck


>
>>
>> Suggestion:
>> Disable remote access to the router via WAN (and wireless, if 
>> applicable).
>> Else; Change the router's internal web server to a different port;
>>         e.g. between 2000 - 65535 and not 8080.
>
>
> Thanks for your answers.
>
> Andrew


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Michael Medwid]

I assume you mean the "default" configuration.  :-)  The first
question to ask is - are you running a telnet daemon on your box that
you want reachable from the Internet?  Telnet is an unencrypted
protocol - easily sniffed.  If you don't need to remotely access your
machine at all - just turn that port off on the router/firewall.  If
you do need remote command line access to your box - at least make it
SSH port 22.

Same question for ftp-data - are you running FTP that you want open to
the Internet?  If no - turn it off.  If you need a file transfer
facility use SCP which operates on SSH's TCP port 22.  Like telnet FTP
is unencrypted while SCP is encrypted.

Lastly are you running a web server open to the Internet?  I suspect
no given you're newly using ADSL and many ADSL providers give you a
dynamic IP address.  Anyhow - if no - turn off port 80.

-Michael

>The defect configuration leaves ports 20 (ftp-data),  23
>(telnet) and 80 (http)open,"


On 12/19/05, Andrew <ald2@arrakis.es> wrote:
> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success in
> trying to add rules to close these ports, and my isp 'cordially' informs
> me that this is up to me to sort out, so for the time being I am simply
> disconnecting when not in use (about 16 hours a day). Am I being
> over-paranoid?
>
> TIA
> Andrew
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Andrew]

Michael Medwid wrote:

>I assume you mean the "default" configuration.  :-)  
>
Right! Spanish influence (por defecto=by default), but not far wrong.

Thanks for your answers

I know I'm pushing my luck a bit asking this here, but does anyone 
actually have any experience shutting ports on this router? I've 
followed the logical steps, which are the same steps described in the 
manual, but after reinitiating the router I still find exactly the same 
ports open.

And no, I don't need any ports opne on the outside.

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Michael Medwid]

You might get an answer from their mailing list:

http://www.draytek.co.uk/support/vigor_announce.html

I had never heard of Vigor before you post.  Good luck!

On 12/19/05, Andrew <ald2@arrakis.es> wrote:
> Michael Medwid wrote:
>
> >I assume you mean the "default" configuration.  :-)
> >
> Right! Spanish influence (por defecto=by default), but not far wrong.
>
> Thanks for your answers
>
> I know I'm pushing my luck a bit asking this here, but does anyone
> actually have any experience shutting ports on this router? I've
> followed the logical steps, which are the same steps described in the
> manual, but after reinitiating the router I still find exactly the same
> ports open.
>
> And no, I don't need any ports opne on the outside.
>
> Andrew
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Carl]

I've just unwrapped a brand new draytek vigor 2900 out the box and 
set it up to connect to the internet with NAT
and it doesn't allow management access via https, http, ftp or telnet 
from the outside by default.

There is a check box in the management setup that gives you the 
option to allow access from the outside
and the choice of which service you allow and what ports you want 
them to run on.

This is the same on vigor 2600's but i never had a 2500 so can't 
comment on that model but i suspect it is the same.

--
Carl


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Andrew]

Carl wrote:

> There is a check box in the management setup that gives you the option 
> to allow access from the outside
> and the choice of which service you allow and what ports you want them 
> to run on.
>
> This is the same on vigor 2600's but i never had a 2500 so can't 
> comment on that model but i suspect it is the same.
>
That was it. Thanks.

BTW. Amongst the Google answers Ray coudn't understand was one 
confirming that the modem (vigor 318) was unsupported under Linux and 
another with info about a project which does provide Linux support for it:

http://accessrunner.sourceforge.net/

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

[Ray Olszewski]

Andrew wrote:
> Midwinter greetings,
> 
> I have just moved one rung up on the evolutionary scale and got myself 
> an adsl connection. I am probably going to make a few relatively minor 
> changes to my home lan because of this, but before going any further 
> there is one issue worrying me:
> 
> The free modem my isp provided has no support under Linux so I had to 
> take the router option. It's a Draytek Vigor 2500. The defect 
> configuration leaves ports 20 (ftp-data),  23 (telnet) and 80 (http) 
> open, the rest are stealthed (according to Shields Up). Am I right in 
> thinking this is not such a good idea? I haven't yet had any success in 
> trying to add rules to close these ports, and my isp 'cordially' informs 
> me that this is up to me to sort out, so for the time being I am simply 
> disconnecting when not in use (about 16 hours a day). Am I being 
> over-paranoid?

Andrew -- Your report was a bit too sketchy to get a good answer, in 
that you didn't say if you did your scan from the LAN side or the WAN 
side of the router. Ports open on one interface need not be open on the 
other.

Unfortunately, Draytek apparently doesn't make its manual for the Vigor 
2500 available online (as a PDF, say), so I couldn't check the details 
behind your report very much. But this entry in the FAQ -- 
http://www.draytek.co.uk/support/kb_vigor_portforwarding.html -- at 
least implies that the telnet and http ports are open on both interfaces.

Now using insecure protocols for configuration on the LAN side isn't 
great (I'd much prefer to see manufacturers use ssh and https), but it 
isn't a disaster either ... especially not in SOHO settings. Using them 
on the WAN side, though ... this brings to mind the old playground 
epithet, "Dumb as a stick." Now you'll want to check this by redoing 
your port scan on the WAN side, but if I've read the FAQ right, 
Draytek's designers have achieved dumb-as-a-stick status by opening 
these ports (telnet, http) on BOTH interfaces.

Were I confronting this situation, I would not buy Draytek products and 
I'd tell them why. But you're stuck with the thing, so that's not really 
practical advice for you. How do you minimize the risks? Here's what I'd do.

1. Move the telnet and http connections to different ports. Use obscure 
ones, not obvious ones like 8080 for http. The URL I quoted above tells 
you how to do this over the Web interface.

2. Protect these connections with good, hard-to-guess passwords.

3. Never, never, never connect to either of them from the WAN side, or 
when there is any risk of a snooper being present on the LAN side (e.g., 
if you ever start running WiFi).

This is not a perfect solution, but it should be enough to protect you 
from casual attackers. (The real threat distinctive to insecure 
protocols is password sniffing, and attackers can't sniff a password 
that you never transmit.) And you need something like this for the 8 
hours you are connected, even if you continue to turn the connection off 
for the other 16 hours. In the end, though, it's mostly "security 
through obscurity" ... not the preferred approach to security, but 
better than none at all (and in settings like yours, genuinely better 
than its detractors make it out to be).

I didn't address the ftp issue because, frankly, I don't understand it. 
Are you sure your testing software reported port 20 as one of the open 
ones? I ask because opening port 20 (ftp-data) but not 21 (ftp-control) 
is unusual, and the FAQ does mention some use of the tftp port (69/UDP) 
for firmware upgrades.

PS -- Was calling it the "defect configuration" a purposely humorous 
description or just a typo?

PPS -- I started to look into your (later) modem inquiry, but I couldn't 
find a listing for a "Vigor 318" on the Dreytek site. Another URL 
indicated that it is a USB modem. This may not be fatal, but it does 
make Chuck's advice, which was based on his experience with DSL modems 
that use Ethernet on the LAN side (which, typically, are trivially easy 
to get working with Linux), not very relevant to your situation.

I Googled "Vigor 318 Linux" and got a few hits, but only one (an 
unhelpful one) was in English. So while getting this device to work with 
Linux might be possible, it probably won't be a snap. So the Vigor 2500 
probably is the better of your (poor) options.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

RE: adsl, firewalls, etc.

[Justin Morgan]

> I know I'm pushing my luck a bit asking this here, but does anyone 
> actually have any experience shutting ports on this router? I've 
> followed the logical steps, which are the same steps described in the 
> manual, but after reinitiating the router I still find exactly the
same 
> ports open.


Andrew,

I can't say I've actually worked with that model, but I can say that I
suspect those are ports to manage the router itself.  Thus, you might
not find the settings in the ACLs/policies, but in the management
settings for the entire device.  I've seen similar hiding spots for
management ports on Juniper and Linksys devices.

Regards,

-Justin
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs