Changing network ports from closed to stealthed

There is no consistency. Why would there be? There isn't one monolithic Enemy.

If you are dealing with an attacker who is targeting _your Pi specifically_, then non-standard-compliant ("stealthed") ports may make a difference, but if you're in that situation and you're asking for advice on a newsgroup you're out of luck.

Otherwise it makes no difference at all.

Reply to
Roger Bell_West

If that is possible, that is the way I prefer to do it, yes.

--
New Socialism consists essentially in being seen to have your heart in  
the right place whilst your head is in the clouds and your hand is in  
someone else's pocket.
Reply to
The Natural Philosopher

Some do. But not many.

That's pretty much the normal random scan pattern.

Yes.

Not really. The more salient point is that a total lack of response tends to leave the prober waiting to see if there is a slow responding device on the far end. No response at all wastes their time.

Reply to
The Natural Philosopher

I guess you are using these fashionable square wheels and not the round sort that were invented 10,000 years ago.

and I see no reason why a scanner would stop

Not much point in scanning a port that doesn't answer, so every reason why they won't rescan it.

Which is a very very sensible thing that a huge number of routers implement for very very good reasons.

Reply to
The Natural Philosopher

Please can you tell me how you achieve that? My servers in the wild internet listening on port 22 get beaten up all the time by probes from China. Strong security, frequent patching and fail2ban are needed.

I'm with Rob on this, GRC's site is full of hyperbole and scaremongering. Having stealthed ports or ports saying closed makes no difference to the number of probes I see.

I certainly wouldn't put the Pi in the DMZ, but as suggested, forward a port from the router to the Pi, run SSH and tunnel everything across. I ran OpenVPN for a while but now SSH and tunnelling does everything. On Linux, ssh does all you need; on Windows PuTTY is fairly wonderful. Also check out MobaXterm for a Windows "does everything network toolkit" (ssh, ftp, sftp, X, VNC, RDP etc.)

Reply to
mm0fmf
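As an added illustration of the fail2ban-style countermeasure mentioned above (this is not code from the thread or from the fail2ban project), here is a small Python pass over constructed sshd log lines. It applies the same maxretry/findtime idea fail2ban uses (ban a source once N failures fall inside a time window) and renders the matching iptables DROP rules. The log lines, addresses, thresholds and the year used for parsing are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style (not real log data).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 pi sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:05 pi sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:09 pi sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2
Mar  3 10:02:30 pi sshd[1210]: Accepted publickey for pi from 203.0.113.5 port 40000 ssh2: ED25519 SHA256:placeholder
Mar  3 10:40:00 pi sshd[1300]: Failed password for root from 192.0.2.9 port 61000 ssh2
Mar  3 11:30:00 pi sshd[1400]: Failed password for root from 192.0.2.9 port 61001 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_offenders(events, maxretry=3, findtime=600):
    """fail2ban-style rule: ban a source once `maxretry` failures occur
    within any `findtime`-second window. Returns {ip: time_of_ban}."""
    window = timedelta(seconds=findtime)
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)
    banned = {}
    for ip, stamps in by_ip.items():
        # Sliding window over the sorted timestamps for this source.
        for i in range(len(stamps)):
            j = i + maxretry - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= window:
                banned[ip] = stamps[j]
                break
    return banned


def render_drop_rules(banned, port=22):
    """iptables commands that silently discard further SYNs from banned sources."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_AUTH_LOG))
    for ip, when in offenders.items():
        print(f"{ip} banned at {when:%H:%M:%S}")
    print("\n".join(render_drop_rules(offenders)))
```

With the constructed input, the 198.51.100.7 source trips the threshold on its third failure within seven seconds, while 192.0.2.9 (two failures fifty minutes apart) does not; lowering `maxretry` or raising `findtime` changes that, which is exactly the trade-off a jail.local tunes.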

Well, beaten up is relative.

Let's say I don't actually care unless it starts to chew CPU cycles or bandwidth I haven't got.

I don't bother to see who is attacking unless I notice performance degradation.

However, blocking port 22 to 'most IP addresses in China' or, better still, 'opening up port 22 only to me, or the networks I use' is not hard.

It may well be, but that doesn't mean that configuring stuff to silently discard isn't better overall than nacking it.

Totally agree with the approach - a DMZ is a waste of time on domestic stuff. Port forward what you explicitly need.

And put iptables on the Pi to get better control over what you respond to.

Reply to
The Natural Philosopher
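The post above bundles three things: allow port 22 only from the networks you use, silently discard (DROP) rather than nack (REJECT) the rest, and do it with iptables on the Pi itself. As an added example (not code from the thread), this Python snippet evaluates that policy for sample source addresses and renders the equivalent iptables commands in either the DROP or the REJECT flavour, so the "stealthed" versus "closed" wording of the thread can be matched to a concrete rule. The allow-list networks are made-up documentation ranges; swap in your own.

```python
import ipaddress

# Constructed allow list (RFC 5737 documentation ranges); replace with the
# networks you really administer from.
ALLOWED_SSH_SOURCES = ["203.0.113.0/24", "198.51.100.42/32"]

# How a remote port scanner perceives each firewall verdict.
SCANNER_VIEW = {
    "ACCEPT": "open (if sshd is listening)",
    "REJECT": "closed (TCP RST comes back)",
    "DROP":   "stealthed / filtered (no answer at all)",
}


def ssh_verdict(src_ip, dport, allowed=ALLOWED_SSH_SOURCES, unlisted="DROP"):
    """Decide what the Pi's INPUT chain does with a SYN to `dport` from `src_ip`.

    Listed sources get ACCEPT on port 22; everything else gets `unlisted`,
    which is DROP (silently discard) or REJECT (answer with a reset)."""
    if unlisted not in ("DROP", "REJECT"):
        raise ValueError("unlisted must be DROP or REJECT")
    if dport != 22:
        return unlisted
    addr = ipaddress.ip_address(src_ip)
    for net in allowed:
        if addr in ipaddress.ip_network(net, strict=False):
            return "ACCEPT"
    return unlisted


def render_iptables(allowed=ALLOWED_SSH_SOURCES, unlisted="DROP"):
    """iptables commands implementing ssh_verdict() for a headless Pi."""
    rules = [
        # Keep replies to connections the Pi itself opened working.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
    ]
    for net in allowed:
        rules.append(f"iptables -A INPUT -p tcp --dport 22 -s {net} -j ACCEPT")
    tail = "DROP" if unlisted == "DROP" else "REJECT --reject-with tcp-reset"
    rules.append(f"iptables -A INPUT -p tcp --dport 22 -j {tail}")
    return rules


if __name__ == "__main__":
    for src in ("203.0.113.9", "192.0.2.77", "2001:db8::1"):
        for mode in ("DROP", "REJECT"):
            v = ssh_verdict(src, 22, unlisted=mode)
            print(f"{src:>14} -> {v:6} ({SCANNER_VIEW[v]})")
    print("\n".join(render_iptables()))
```

The two renderings differ in one line only, the final rule for port 22; the rest of the thread's disagreement is about whether that one line's choice changes what the scanners do, not about how to write it.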

So, you scanned your NAT router from the inside as well? I don't see what that tells you since it has, or should have if it provides any security at all, one set of ports that are only accessible from the outside via the ADSL/DSL interface and a second set accessible only from the inside via an Ethernet chip.

NOTE: some really cheap noname routers (and some branded ones from firms that should know better) don't make this distinction, which is why bad people can use telnet or http to reconfigure them from the outside so they can control your LAN and all your computers.

Scanning the router's outside ports should only reveal ports that accept an incoming connection. Normally there would be none unless you've explicitly configured them. My router has no ports visible from the outside and so nothing can connect inward through it.

Scanning its inside ports should normally show just the ports that are used to configure the router. Mine shows ftp, telnet and httpd - it can be configured with a web browser or telnet, but it will transparently pass any connection request to an external server, e.g. I can run client programs using http, ftp, ssh, pop3 or smtp, etc. on any of my hosts that connect outward to any of these types of servers.

As you don't seem to be offering any services from your RPi I'd expect scanning it to show no advertised ports normally, but to show the VPN port when you've started the VPN server. This shows that the VPN server is running and expecting connections.

Similarly, my RPi always advertises port 22 because it's run headless, so the SSH server is always running and waiting for connections from other hosts on my LAN. If I wanted any outsider to access it, I'd advertise that fact by telling my router to forward port 22 to the RPi.

Apologies if I'm telling you stuff you already know, but IME there are a lot of computer users that do not understand that a router is by definition a two-faced device, that its internal and external faces may not have the same configurations and what the effect of these differences are.

--
martin@   | Martin Gregorie 
gregorie. | Essex, UK 
org       |
Reply to
Martin Gregorie

Same here. The only reason I ever visit it is because the GRC Shields Up service is about the easiest and quickest way to check that my gateway router's external face is doing what I expect it to be doing.

+1
Reply to
Martin Gregorie

Indeed, and it may also be possible/practical to either use a cron job to control the times when the router's port is connected to the RPi and/or the RPi's firewall has that port open.

Alternatively, you might think up a wheeze which a remote user could use to open the port, do stuff and close it again so the open port isn't always just sitting there waiting for some chancer to try getting in.

Careful about that: don't do it.

That sounds like an open relay to me. Black hats can use these to launch attacks on other victims, which you'd be blamed for because the attack would seem to be coming from your computer.

Reply to
Martin Gregorie

I think you have the wrong end of quite a bundle of sticks.

Shields Up is a web site. You connect out from inside your LAN to the web site and it notes your Internet facing IP address (the one for your NAT router, assuming you have one), and tells you that and also what name DNS resolves the IP address to. You can then ask Shields Up to probe your Internet facing IP address - so you are asking a web based computer to try and call into your local network from the outside. The web site then reports what your personal network looks like to the Internet as a whole. This should alert you to any ports left open when they shouldn't be.

The standard response from a NAT router is to ignore all the incoming probes, and this shows up on the Shields Up website as "stealthed".

In my case I was checking for differences between a NAT router which doesn't accept any incoming connections and a NAT router with a DMZ configured where all incoming calls are directed to my Raspberry Pi.

Hope this is now clear :-)

Cheers

Dave R

--
Windows 8.1 on PCSpecialist box
Reply to
David

The 'prober' isn't some person sitting in front of a computer probing each port and waiting for a response before moving on to the next. They are controlling a vast bot net of machines, each of which is scanning thousands of ports simultaneously. It makes no difference to the scanning engine if a response comes back in a microsecond, a fortnight or never.

If a response comes back after any amount of time, and it indicates a port is open, the software will follow up with a tailored attack vector, such as trying to login as root with a common password to an ssh server, or exploiting a vulnerability in a router.

---druck

Reply to
druck

Some routers such as ASUS, have a port trigger facility where something within the LAN can request a port is temporarily opened. So you could do something like ssh in to the and run a script which makes its web server visible.

---druck

Reply to
druck

I can't imagine why you think that scanning the LAN-side of your router or your RPi tells you anything useful about your LAN security.

Exactly. Using it is the easiest way I know of seeing what the *outside* of your router looks like: you use an http link to ask ShieldsUp to scan your IP from the outside. It does so and sends the answer back to you.

Using GRC or its equivalent is the only way that you can see what your IP looks like from the outside.

Nope. All you saw was that there was a connection between the two. If DMZ has its usual meaning, what you were looking at is asking for trouble unless:

1) the router has a firewall on its inside with all ports shut, except those that only accept connections from a second firewall; there is a second firewall behind the router with everything on your LAN apart from the RPi behind it; the RPi is also running a firewall with only the VPN port exposed.

IOW the RPi is an armoured fort in no-mans land between two impregnable walls.

2) every host on your LAN is running a firewall. The RPi's firewall only accepts connections from the VPN port and your local subnet. All other hosts on the LAN only accept connections from your local subnet.

Is that what you're running now?

As others have said, it's much better and safer to configure the router to forward the VPN port to the RPi, but be very careful what VPN users can do. If they can log in to other LAN hosts from the RPi and get access to *their* command lines, then your site security is non-existent.
Reply to
Martin Gregorie

Do you mean port knocking?

I was thinking of an almost codeless such as e-mailing a START VPN request that would trigger a script or maybe using a very simple server on a high port number to trigger it.

Reply to
Martin Gregorie

It does, but since you are in the mood to be seen to be right, even if only to yourself, and stick your fingers in your ears, I can't be arsed to tell you why.

Reply to
The Natural Philosopher

Exactly! I also never observed any difference in those scanning engines' behaviour depending on whether a response is sent.

Similar to "don't reply to ping! when you reply to ping they know you are there and they are going to probe you!". Well, that was true for one particular worm in the nineties, but never has been true after that. It does not matter if you reply to ping or not, they are scanning you anyway.

Reply to
Rob

I have a Pi in a datacenter. I have never seen it myself. It is housed together with >2300 friends, must be cosy.

I never locked myself out, it is running for two years now. There is another big system in a datacenter I manage, also with a very complicated firewall.

Simple tricks:

  1. Make sure that you have IPv6, and work only on one protocol at a time. When you lock yourself out with IPv4, connect with IPv6 and repair it.

  2. Before you try something, enter a command like this:

       at now + 15 minutes
       reboot
       ^D

Or instead of reboot, a command that removes your firewall rules or installs a known-good set.

When you lock yourself out, just wait a short while and you have access. When all is OK, do:

       atq
       atrm jobnumber

This trick is derived from one that I used on Cisco routers, where you use:

       reload in 15

and:

       cancel reload

Reply to
Rob
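The at(1) safety net above, as an added example in Python that is not code from the thread: it writes the rollback commands (restore a previously saved ruleset, and reboot if even that fails), hands them to `at now + N minutes`, recovers the job number from at's confirmation line, and later cancels the job with atrm once the new rules are known to work. The saved-ruleset path is an assumed placeholder, and the at/atq output formats are those I have seen from the Debian at package; treat both as assumptions and check them on your own box.

```python
import re
import subprocess

# Assumed path of a known-good ruleset saved earlier with
# `iptables-save > /etc/iptables/known-good.v4` (placeholder, not from the thread).
KNOWN_GOOD_RULES = "/etc/iptables/known-good.v4"

# at(1) confirms a submission with a line like "job 12 at Thu Mar  7 15:30:00 2024".
AT_REPLY_RE = re.compile(r"^job (\d+) at ", re.MULTILINE)


def rollback_script(rules_path=KNOWN_GOOD_RULES, fallback_reboot=True):
    """Shell text fed to at(1): restore the saved rules; reboot if that fails."""
    restore = f"iptables-restore < {rules_path}"
    if fallback_reboot:
        restore += " || /sbin/reboot"
    return "#!/bin/sh\n" + restore + "\n"


def job_number_from_at_reply(text):
    """Pull the job number out of at(1)'s confirmation (printed on stderr)."""
    m = AT_REPLY_RE.search(text)
    if not m:
        raise ValueError("no 'job N at ...' line in at(1) output")
    return int(m.group(1))


def parse_atq(text):
    """Parse atq(1) lines of the form '<job>\\t<date> <queue> <user>'."""
    jobs = []
    for line in text.splitlines():
        head, sep, rest = line.partition("\t")
        if not sep or not head.isdigit():
            continue
        when, queue, user = rest.rsplit(" ", 2)
        jobs.append({"job": int(head), "when": when, "queue": queue, "user": user})
    return jobs


def schedule_rollback(minutes=15, script=None):
    """Submit the rollback to at(1) and return its job number (needs at installed)."""
    proc = subprocess.run(["at", "now", "+", str(minutes), "minutes"],
                          input=script or rollback_script(),
                          text=True, capture_output=True, check=True)
    return job_number_from_at_reply(proc.stderr + proc.stdout)


def pending_rollbacks():
    """Job numbers currently queued, from atq(1)."""
    out = subprocess.run(["atq"], text=True, capture_output=True, check=True).stdout
    return [j["job"] for j in parse_atq(out)]


def cancel_rollback(job):
    """The 'all is OK' step: atrm the job so the rollback never fires."""
    subprocess.run(["atrm", str(job)], check=True)


if __name__ == "__main__":
    job = schedule_rollback(15)          # do this BEFORE touching the firewall
    print(f"rollback queued as job {job}; apply the new rules, test from outside")
    print("then run cancel_rollback(%d) once you are sure you still have access" % job)
```

Usage is deliberately two-step: `schedule_rollback()` first, firewall changes second, and `cancel_rollback()` only after reconnecting from the outside succeeds; if the connection drops, doing nothing is the correct action, because the queued job undoes the change on its own.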

I have port 22 open in the wild in a few places, what I see is from time to time there will be a spate of attempts to log in on it clearly running through a dictionary of names. They get nowhere because I always configure internet facing ssh servers to require keys and not allow passwords. After probing every few seconds for a day or two they go away, perhaps not allowing passwords gets me on a blacklist (I can hope).

--
Steve O'Hara-Smith                          |   Directable Mirror Arrays 
C:>WIN                                      | A better way to focus the sun 
The computer obeys and wins.                |    licences available see 
You lose and Bill collects.                 |    http://www.sohara.org/
Reply to
Ahem A Rivet's Shot

Dammit.

root@raspbx:~# nano /etc/fail2ban/jail.local

[asterisk]
enabled  = true
filter   = asterisk
action   = iptables-asterisk[name=asterisk]
           sendmail[name=Asterisk, dest= snipped-for-privacy@xxxxx.freeserve.co.uk, sender= snipped-for-privacy@sky.com]
logpath  = /var/log/asterisk/security_log
maxretry = 1
bantime  = 1209600   # 1209600 seconds = 2 weeks
--

Graham. 

%Profound_observation%
Reply to
Graham.

Yeah whatever.

Reply to
druck
