adsl, firewalls, etc.

Midwinter greetings,

I have just moved one rung up on the evolutionary scale and got myself
an adsl connection. I am probably going to make a few relatively minor
changes to my home lan because of this, but before going any further
there is one issue worrying me:

The free modem my isp provided has no support under Linux so I had to
take the router option. It's a Draytek Vigor 2500. The defect
configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
open, the rest are stealthed (according to Shields Up). Am I right in
thinking this is not such a good idea? I haven't yet had any success in
trying to add rules to close these ports, and my isp 'cordially' informs
me that this is up to me to sort out, so for the time being I am simply
disconnecting when not in use (about 16 hours a day). Am I being
over-paranoid?

TIA
Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

nopes i know a person who simply kills pppd on my friends route
for the fun of it, using telnet :D

there is no such thing as over paranoid.
someone can break in and change your router config
and change password for admin.

block them but youll need a port open for remote admin, so......

Joy

On 12/19/05, Andrew wrote:
> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success in
> trying to add rules to close these ports, and my isp 'cordially' informs
> me that this is up to me to sort out, so for the time being I am simply
> disconnecting when not in use (about 16 hours a day). Am I being
> over-paranoid?
>
> TIA
> Andrew
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
>


--
Girls are like slugs.... You know they are around for a reason, but
you cant imagine what.

-- Calvin
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

Andrew wrote:

> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success
> in trying to add rules to close these ports, and my isp 'cordially'
> informs me that this is up to me to sort out, so for the time being I
> am simply disconnecting when not in use (about 16 hours a day). Am I
> being over-paranoid?
>
> TIA
> Andrew

Hi, Andrew:

"The free modem my isp provided has no support under Linux so I had to
take the router option."

I disagree.

I have had two aDSL acounts; Earthlink and the local telephone company
Ameritech (now SBC/Yahoo).
Each setup came with a DSL modem and an ethernet card at no charge other
than a one year commitment.
Both accounts came with Windows(r) software and not Linux software.
Both modems worked flawlessly with Linux. I used RoaringPenguin (PPPOE).
I don't know what protocol your ISP (Spain?) uses, but there may already
be a Linux application for it.
There may be no need for explicit Linux support from the ISP as current
Linux distributions may already contain
the needed application(s). Sorry that this information is not your
current solution, but I wanted to post
this response so that others may opt to accept the standard modem.

Your answer, now, lies in the configuration of the router. Unless you
are offering a service to other internet hosts
or want to enable remote access to your router, you do not need any open
ports
on the WAN side of your router.

One is not paranoid is everyone else is really out to get one.
However, paranoia is not a solution.
IMHO, disconnecting two thirds of the time is a silly solution.
OBTW, are you disconnecting the modem from the telephone line or
disconnecting your computer from the modem?

Suggestion:
Disable remote access to the router via WAN (and wireless, if applicable).
Else; Change the router's internal web server to a different port;
e.g. between 2000 - 65535 and not 8080.

HTH, Chuck


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

>> The free modem my isp provided has no support under Linux so I had to
>> take the router option. It's a Draytek Vigor 2500. The defect
>> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
>> open, the rest are stealthed (according to Shields Up). Am I right in
>> thinking this is not such a good idea? I haven't yet had any success
>> in trying to add rules to close these ports, and my isp 'cordially'
>> informs me that this is up to me to sort out, so for the time being I
>> am simply disconnecting when not in use (about 16 hours a day). Am I
>> being over-paranoid?
>>
> "The free modem my isp provided has no support under Linux so I had to
> take the router option."
>
> I disagree.
>
> I have had two aDSL acounts; Earthlink and the local telephone company
> Ameritech (now SBC/Yahoo).
> Each setup came with a DSL modem and an ethernet card at no charge
> other than a one year commitment.
> Both accounts came with Windows(r) software and not Linux software.
> Both modems worked flawlessly with Linux. I used RoaringPenguin (PPPOE).
> I don't know what protocol your ISP (Spain?) uses, but there may
> already be a Linux application for it.

OK. I'll add that to my growing list of todos. The modem is a Vigor 318.

> There may be no need for explicit Linux support from the ISP as
> current Linux distributions may already contain
> the needed application(s). Sorry that this information is not your
> current solution, but I wanted to post
> this response so that others may opt to accept the standard modem.
>
> Your answer, now, lies in the configuration of the router.

Since I'm going to need more ports than there are on the router anyway,
and since I have some familiarity with Freesco and shorewall, as well as
about half a dozen 486s and similar, would it be simplest/advisable to
put everything behind a dedicated firewall and not bother to mess about
with the router? (Or get the free modem working and sell the router).

> Unless you are offering a service to other internet hosts
> or want to enable remote access to your router, you do not need any
> open ports
> on the WAN side of your router.

I'm not.

> IMHO, disconnecting two thirds of the time is a silly solution.

Not so much 'silly' as a PITA (and only a stopgap).

> OBTW, are you disconnecting the modem from the telephone line or
> disconnecting your computer from the modem?

Modem from telephone line.

>
> Suggestion:
> Disable remote access to the router via WAN (and wireless, if
> applicable).
> Else; Change the router's internal web server to a different port;
> e.g. between 2000 - 65535 and not 8080.

Thanks for your answers.

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

I assume you mean the "default" configuration. :-) The first
question to ask is - are you running a telnet daemon on your box that
you want reachable from the Internet? Telnet is an unencrypted
protocol - easily sniffed. If you don't need to remotely access your
machine at all - just turn that port off on the router/firewall. If
you do need remote command line access to your box - at least make it
SSH port 22.

Same question for ftp-data - are you running FTP that you want open to
the Internet? If no - turn it off. If you need a file transfer
facility use SCP which operates on SSH's TCP port 22. Like telnet FTP
is unencrypted while SCP is encrypted.

Lastly are you running a web server open to the Internet? I suspect
no given you're newly using ADSL and many ADSL providers give you a
dynamic IP address. Anyhow - if no - turn off port 80.

-Michael

>The defect configuration leaves ports 20 (ftp-data), 23
>(telnet) and 80 (http)open,"


On 12/19/05, Andrew wrote:
> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success in
> trying to add rules to close these ports, and my isp 'cordially' informs
> me that this is up to me to sort out, so for the time being I am simply
> disconnecting when not in use (about 16 hours a day). Am I being
> over-paranoid?
>
> TIA
> Andrew
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

Michael Medwid wrote:

>I assume you mean the "default" configuration. :-)
>
Right! Spanish influence (por defecto=by default), but not far wrong.

Thanks for your answers

I know I'm pushing my luck a bit asking this here, but does anyone
actually have any experience shutting ports on this router? I've
followed the logical steps, which are the same steps described in the
manual, but after reinitiating the router I still find exactly the same
ports open.

And no, I don't need any ports opne on the outside.

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

RE: adsl, firewalls, etc.

> I know I'm pushing my luck a bit asking this here, but does anyone
> actually have any experience shutting ports on this router? I've
> followed the logical steps, which are the same steps described in the
> manual, but after reinitiating the router I still find exactly the
same
> ports open.


Andrew,

I can't say I've actually worked with that model, but I can say that I
suspect those are ports to manage the router itself. Thus, you might
not find the settings in the ACLs/policies, but in the management
settings for the entire device. I've seen similar hiding spots for
management ports on Juniper and Linksys devices.

Regards,

-Justin
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

Andrew wrote:
> Midwinter greetings,
>
> I have just moved one rung up on the evolutionary scale and got myself
> an adsl connection. I am probably going to make a few relatively minor
> changes to my home lan because of this, but before going any further
> there is one issue worrying me:
>
> The free modem my isp provided has no support under Linux so I had to
> take the router option. It's a Draytek Vigor 2500. The defect
> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
> open, the rest are stealthed (according to Shields Up). Am I right in
> thinking this is not such a good idea? I haven't yet had any success in
> trying to add rules to close these ports, and my isp 'cordially' informs
> me that this is up to me to sort out, so for the time being I am simply
> disconnecting when not in use (about 16 hours a day). Am I being
> over-paranoid?

Andrew -- Your report was a bit too sketchy to get a good answer, in
that you didn't say if you did your scan from the LAN side or the WAN
side of the router. Ports open on one interface need not be open on the
other.

Unfortunately, Draytek apparently doesn't make its manual for the Vigor
2500 available online (as a PDF, say), so I couldn't check the details
behind your report very much. But this entry in the FAQ --
http://www.draytek.co.uk/support/kb_vigor_portforwarding.htm l -- at
least implies that the telnet and http ports are open on both interfaces.

Now using insecure protocols for configuration on the LAN side isn't
great (I'd much prefer to see manufacturers use ssh and https), but it
isn't a disaster either ... especially not in SOHO settings. Using them
on the WAN side, though ... this brings to mind the old playground
epithet, "Dumb as a stick." Now you'll want to check this by redoing
your port scan on the WAN side, but if I've read the FAQ right,
Draytek's designers have achieved dumb-as-a-stick status by opening
these ports (telnet, http) on BOTH interfaces.

Were I confronting this situation, I would not buy Draytek products and
I'd tell them why. But you're stuck with the thing, so that's not really
practical advice for you. How do you minimize the risks? Here's what I'd do.

1. Move the telnet and http connections to different ports. Use obscure
ones, not obvious ones like 8080 for http. The URL I quoted above tells
you how to do this over the Web interface.

2. Protect these connections with good, hard-to-guess passwords.

3. Never, never, never connect to either of them from the WAN side, or
when there is any risk of a snooper being present on the LAN side (e.g.,
if you ever start running WiFi).

This is not a perfect solution, but it should be enough to protect you
from casual attackers. (The real threat distinctive to insecure
protocols is password sniffing, and attackers can't sniff a password
that you never transmit.) And you need something like this for the 8
hours you are connected, even if you continue to turn the connection off
for the other 16 hours. In the end, though, it's mostly "security
through obscurity" ... not the preferred approach to security, but
better than none at all (and in settings like yours, genuinely better
than its detractors make it out to be).

I didn't address the ftp issue because, frankly, I don't understand it.
Are you sure your testing software reported port 20 as one of the open
ones? I ask because opening port 20 (ftp-data) but not 21 (ftp-control)
is unusual, and the FAQ does mention some use of the tftp port (69/UDP)
for firmware upgrades.

PS -- Was calling it the "defect configuration" a purposely humorous
description or just a typo?

PPS -- I started to look into your (later) modem inquiry, but I couldn't
find a listing for a "Vigor 318" on the Dreytek site. Another URL
indicated that it is a USB modem. This may not be fatal, but it does
make Chuck's advice, which was based on his experience with DSL modems
that use Ethernet on the LAN side (which, typically, are trivially easy
to get working with Linux), not very relevant to your situation.

I Googled "Vigor 318 Linux" and got a few hits, but only one (an
unhelpful one) was in English. So while getting this device to work with
Linux might be possible, it probably won't be a snap. So the Vigor 2500
probably is the better of your (poor) options.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

You might get an answer from their mailing list:

http://www.draytek.co.uk/support/vigor_announce.html

I had never heard of Vigor before you post. Good luck!

On 12/19/05, Andrew wrote:
> Michael Medwid wrote:
>
> >I assume you mean the "default" configuration. :-)
> >
> Right! Spanish influence (por defecto=by default), but not far wrong.
>
> Thanks for your answers
>
> I know I'm pushing my luck a bit asking this here, but does anyone
> actually have any experience shutting ports on this router? I've
> followed the logical steps, which are the same steps described in the
> manual, but after reinitiating the router I still find exactly the same
> ports open.
>
> And no, I don't need any ports opne on the outside.
>
> Andrew
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

Andrew wrote:

>
>>> The free modem my isp provided has no support under Linux so I had
>>> to take the router option. It's a Draytek Vigor 2500. The defect
>>> configuration leaves ports 20 (ftp-data), 23 (telnet) and 80 (http)
>>> open, the rest are stealthed (according to Shields Up). Am I right
>>> in thinking this is not such a good idea? I haven't yet had any
>>> success in trying to add rules to close these ports, and my isp
>>> 'cordially' informs me that this is up to me to sort out, so for the
>>> time being I am simply disconnecting when not in use (about 16 hours
>>> a day). Am I being over-paranoid?
>>>
>> "The free modem my isp provided has no support under Linux so I had
>> to take the router option."
>>
>> I disagree.
>
Hi, Andrew:

Uh, I disagree that you needed to take the router option.
I do not disagree that your ISP's free modem did not come with Linux
support. :-|


>>
>> I have had two aDSL acounts; Earthlink and the local telephone
>> company Ameritech (now SBC/Yahoo).
>> Each setup came with a DSL modem and an ethernet card at no charge
>> other than a one year commitment.
>> Both accounts came with Windows(r) software and not Linux software.
>> Both modems worked flawlessly with Linux. I used RoaringPenguin
>> (PPPOE).
>> I don't know what protocol your ISP (Spain?) uses, but there may
>> already be a Linux application for it.
>
>
> OK. I'll add that to my growing list of todos. The modem is a Vigor 318.

You look it up (Google, "Draytek Vigor 2500", "Draytek Vigor 318").
You will need to
know what protocol the modem is speaking to the host computer
(workstation or your
own 'homebrew' 80486 router. OBTW, I am using an old (1992) Compaq 80486dx33
as my router. I am not using any of the available enterprise firewall
packages:
Smoothwall, Shorewall, Freesco, ..., but I use an eleven (11) line
IPTABLES script
I found (modified to suit my fun and games). )

# google search: setting up a linux home gateway
#newbiedoc.sourceforge.net/networking/homegateway.html#IPMAS QSETTINGSETH
# 9.2.2 For Iptables Users
#For users connecting to external network on ethernet & using iptables:
....

Chances are that your router's LAN ports default to 192.168.0.1 or 192.168.1.1
and you will find a web server at port 80. Username may be = Admin and password
may be = password or [blank]. YMMV.
....


http://www.roaringpenguin.com/penguin/open_source_rp-pppoe.p hp

"PPPoE (Point-to-Point Protocol over Ethernet) is a protocol used by
many ADSL Internet Service Providers. Roaring Penguin has a free PPPoE
client for Linux and Solaris systems to connect to PPPoE service providers.

Dubbed RP-PPPoE, this open-source product is ideal for Linux users with
a DSL "modem" whose Internet service provider uses PPPoE. Before you
download this software, check whether or not you really need it. If your
ISP uses PPPoE, but has given you a router, you may not need a PPPoE
client on your Linux box. DHCP may work fine."

If your ISP does not use PPPOE, it may still use some other compatible
protocol.



>
>> There may be no need for explicit Linux support from the ISP as
>> current Linux distributions may already contain
>> the needed application(s). Sorry that this information is not your
>> current solution, but I wanted to post
>> this response so that others may opt to accept the standard modem.
>>
>> Your answer, now, lies in the configuration of the router.
>
>
> Since I'm going to need more ports than there are on the router
> anyway, and since I have some familiarity with Freesco and shorewall,
> as well as about half a dozen 486s and similar, would it be
> simplest/advisable to put everything behind a dedicated firewall and
> not bother to mess about with the router? (Or get the free modem
> working and sell the router).


Simplest would be to use the Draytek router
Sure you can. I have several 10/100 ethernet switches after my 80486
router and several
($5 after rebates) wired and wired/wireless routers that I can drop into
my LAN.
All my routers have four (4) port switched included. Does yours? You
can add
multiport switches to the LAN port of the router.


>
>
>> Unless you are offering a service to other internet hosts
>> or want to enable remote access to your router, you do not need any
>> open ports
>> on the WAN side of your router.
>
>
> I'm not.
>
>> IMHO, disconnecting two thirds of the time is a silly solution.
>
>
> Not so much 'silly' as a PITA (and only a stopgap).
>
>> OBTW, are you disconnecting the modem from the telephone line or
>> disconnecting your computer from the modem?
>
>
> Modem from telephone line.

Hmmmm, I seem to recall that these modems ask that the user keep them
powered up
and connected to the data line for up to ten (10) days as the modems at
each end decide
what data tones to use. I'd recommend in some point in the future that
before connecting
the router to the telephone line, do a 'reset' and disable remote
access. Your router may
already be compromised.

HTH, Chuck


>
>>
>> Suggestion:
>> Disable remote access to the router via WAN (and wireless, if
>> applicable).
>> Else; Change the router's internal web server to a different port;
>> e.g. between 2000 - 65535 and not 8080.
>
>
> Thanks for your answers.
>
> Andrew


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

I've just unwrapped a brand new draytek vigor 2900 out the box and
set it up to connect to the internet with NAT
and it doesn't allow management access via https, http, ftp or telnet
from the outside by default.

There is a check box in the management setup that gives you the
option to allow access from the outside
and the choice of which service you allow and what ports you want
them to run on.

This is the same on vigor 2600's but i never had a 2500 so can't
comment on that model but i suspect it is the same.

--
Carl


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Fwd: Re: adsl, firewalls, etc.

>Date: Mon, 19 Dec 2005 17:44:09 +0000
>To: Michael Medwid ,linux-newbie@vger.kernel.org
>From: Carl
>Subject: Re: adsl, firewalls, etc.
>
>I've just unwrapped a brand new draytek vigor 2900 out the box and
>set it up to connect to the internet with NAT
>and it doesn't allow management access via https, http, ftp or
>telnet from the outside by default.
>
>There is a check box in the management setup that gives you the
>option to allow access from the outside
>and the choice of which service you allow and what ports you want
>them to run on.
>
>This is the same on vigor 2600's but i never had a 2500 so can't
>comment on that model but i suspect it is the same.
>
>--
>Carl



Also meant to mention there is also the option to add 3 ip/netmask
ranges that have access from the outside.


--
Carl


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: adsl, firewalls, etc.

Carl wrote:

> There is a check box in the management setup that gives you the option
> to allow access from the outside
> and the choice of which service you allow and what ports you want them
> to run on.
>
> This is the same on vigor 2600's but i never had a 2500 so can't
> comment on that model but i suspect it is the same.
>
That was it. Thanks.

BTW. Amongst the Google answers Ray coudn't understand was one
confirming that the modem (vigor 318) was unsupported under Linux and
another with info about a project which does provide Linux support for it:

http://accessrunner.sourceforge.net/

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs