From: Dale
Date: Sat, 05 Sep 2009 12:28:20 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Making sure I am a good netizen and secure.
Message-ID: <4AA29FB4.3080200@gmail.com>
In-Reply-To: <200909051803.21929.michaelkintzios@gmail.com>
References: <4AA235B9.90306@gmail.com> <4AA27F78.50409@gmail.com> <200909051803.21929.michaelkintzios@gmail.com>

Mick wrote:
> On Saturday 05 September 2009, Dale wrote:
>
>> Grant Edwards wrote:
>>
>>> On 2009-09-05, Dale wrote:
>>>
>>>> As some may know already, I recently got DSL.
>>>>
>>> [...]
>>>
>>>
>>>> The DSL modem I am using is the Motorola 2210. It seems to be
>>>> a gateway thing. I have no router at the moment
>>>>
>>> The 2210 is a router that is doing NAT with a stateful
>>> firewall. It will (assuming it's not too buggy) prevent
>>> outside access to your network.
>>>
>>> If you buy a second router (e.g. a Linksys or DLink), you'll
>>> just be duplicating the NAT/firewall/routing functions in the
>>> 2210. You can do that if you want. I used to run a two layer
>>> NAT setup with a Cisco 678 DSL modem (configured to forward all
>>> TCP/UDP ports) and an OpenWRT gateway. There were features I
>>> needed that OpenWRT had that the Cisco didn't.
>>>
>>> Unless there's something specific that you want to do that
>>> isn't supported by the 2210 (or you're aware of deficiencies in
>>> the 2210), I probably wouldn't bother adding a second firewall
>>> box.
>>>
>> I was thinking about buying a router IF I build a second box and need to
>> share the internet with it. The modem only has one port and apparently
>> zero reconfigurability because when I log in, there are no options to
>> change anything except what time it updates the modem software. So, I
>> hope it works well. o_O
>>
>
> Just a few suggestions:
>
> Make sure that you change all passwds in the router - it may have more than
> one user defined - and shut down any router services that you do not need at
> the moment (e.g. telnet, ftp, or whatever Motorola are providing).
>
> Make sure you disable UPnP as it can be susceptible to having your router
> cracked open and its configuration changed.
>
> If you google for the above two I am sure that you will find a lot of stories
> about the poor defaults of some routers. I do not know if your Motorola is
> one of those of course, so take these and others like them with a pinch of
> salt, because I do not want to alarm you unnecessarily:
>
> http://www.jibble.org/o2-broadband-fail/
> http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=205800419
>
> The cheapest solution by far to networking a second PC in the LAN is to use
> your first PC as a router and forward packets through it. The second option
> is to buy another router. In this case I recommend that you use your
> Motorola in fully bridged mode where it acts as a transparent ADSL modem
> (look through its GUI and read the manual as to how to achieve this) and use
> your new router to achieve PPPoE authentication with your ISP's network. If
> you buy an old Cisco or Adtran router off ebay make sure you flash them with
> the latest firmware as they will be open to the Internet via your fully
> transparent bridged ADSL modem.
>
As far as I can tell, I can't configure anything in the modem, at all.
That is the weirdest modem I have ever seen. Unless I am missing
something, I can't enable or disable anything at all. I guess it is
designed to either work or not work. Sort of like a steel ball. lol

> Your netstat results show that you are running mdnsd and mDNSResponder. Is
> this necessary?
>
I vaguely remember something pulling that in a LONG time ago. I have no
clue what the heck that thing is, none whatsoever. I remember checking
the forums when it was installed and it being needed by something. I
don't think I have it set to start, I think it starts because something
else needs it. Should I kill that thing or what?

> Instead of fail2ban and similar I recommend native sshd solutions:
>
> No root logins, a random high port number instead of 22 and only public key
> authentication allowed. The random port will get rid of 99.5% of the botnets
> and the pubkey will drop dead anything else. Make sure that you secure your
> private key with a strong passwd - if you are paranoid and also just in case
> your user account is one day compromised.
>
> The stealthiness or not of your ports is determined by your router (responding
> to ICMP echo requests) and is for all intents and purposes irrelevant. GRC
> have to make money somehow out of panicky MSWindows users. Some discussion
> on this here, although there are no doubt more serious comments on the web
> about this topic:
>
> http://www.wilderssecurity.com/showthread.php?t=216892
>
> Finally, I would recommend that you configure iptables (there's loads of
> scripts out there). You never know if some application you're trying out
> decides to open a port just for laughs.
>
> HTH.
>
I ran an iptables script and saved the config a long time ago. I don't
know if it is the modem or my iptables that is making me "stealthy" or
what. I'm just glad that me hiding appears to be a good thing. lol
Oooops, I hope that wasn't too loud.

I had a thought here.
I may have ground up a gear or two. This may help:

root@smoker / # equery depends mDNSResponder
[ Searching for packages depending on mDNSResponder... ]
kde-base/kdelibs-3.5.10-r6 (!avahi & !bindist? net-misc/mDNSResponder)
kde-base/kdelibs-4.3.1 (zeroconf & !bindist? net-misc/mDNSResponder)
kde-base/krdc-4.3.1 (zeroconf? net-misc/mDNSResponder)
kde-base/krfb-4.3.1 (zeroconf? net-misc/mDNSResponder)
media-libs/libgphoto2-2.4.3 (bonjour? net-misc/mDNSResponder)
net-misc/ntp-4.2.4_p7 (zeroconf? net-misc/mDNSResponder)
net-print/cups-1.3.10-r2 (zeroconf & !avahi? net-misc/mDNSResponder)
root@smoker / #

Looks like a few things need mDNSResponder. I can't see me going
without kdelibs anytime soon. lol

Dale

:-) :-)
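Mick's sshd advice in the quoted text (no root logins, a non-default port, public keys only) as a checkable audit, added here as an example and not part of the thread or of any Gentoo tooling. It is a POSIX sh script that reads an OpenSSH sshd_config and counts the settings that still match the weak defaults. It goes one step beyond the advice by also requiring ChallengeResponseAuthentication off, because with PAM in use that keeps a password prompt alive even after PasswordAuthentication is disabled. The two config files it inspects are constructed inline; the option names and the "first occurrence wins" rule are OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the gentoo-user thread): audit an sshd_config
# against the hardening Mick describes. The two config files are constructed.

# effective_value FILE KEY: print the first uncommented value of KEY.
# sshd honours the first occurrence of an option (Port is the exception:
# several Port lines are all honoured; this only looks at the first).
# Prints nothing if the option is absent.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check FILE KEY WANT DEFAULT: one FAIL line on stderr and exit status 1
# when the effective value (DEFAULT if the option is unset) is not WANT.
check() {
    v=$(effective_value "$1" "$2")
    eff="${v:-$4}"
    if [ "$eff" != "$3" ]; then
        echo "FAIL: $2 is '${v:-unset, default $4}' (want $3)" >&2
        return 1
    fi
    return 0
}

# count_sshd_weaknesses FILE: print the number of failed checks on stdout;
# the FAIL lines themselves go to stderr. 0 means the file passes.
count_sshd_weaknesses() {
    f="$1"; n=0
    # defaults assumed here are the classic ones: root login and password
    # authentication on, keyboard-interactive (PAM) on, pubkey on, port 22
    check "$f" PermitRootLogin no yes || n=$((n+1))
    check "$f" PasswordAuthentication no yes || n=$((n+1))
    check "$f" ChallengeResponseAuthentication no yes || n=$((n+1))
    check "$f" PubkeyAuthentication yes yes || n=$((n+1))
    p=$(effective_value "$f" Port)
    if [ "${p:-22}" = 22 ]; then
        echo "FAIL: Port is 22 (want a non-default port)" >&2
        n=$((n+1))
    fi
    echo "$n"
}

WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed: a stock-looking sshd_config with the weak defaults spelled out
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
# constructed: the hardened counterpart (port number is an arbitrary choice)
Port 38417
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

echo "weak config: $(count_sshd_weaknesses "$WEAK") weakness(es)"
echo "hardened config: $(count_sshd_weaknesses "$HARD") weakness(es)"
```

The script ignores Match blocks and Include lines, so on a live host it is a quick first look rather than the final word; `sshd -T` prints the effective configuration and is what to audit once sshd is running. Moving the port only reduces log noise from scanners that try 22; the key-only policy is the part that actually closes the door.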