What do you mean by 'external LAN interface'? His (and my) LAN is on
a private IP range and is mostly wired and within the house. There is
WiFi but I doubt if it reaches anyone else's house and you can't stop
in the lane outside without causing an obstruction (and lots of dog
Ah, you mean the outside facing *WAN* interface of the NAT router.
Yes, there can be security holes put there by ISPs and such but since
I (and probably The Natural Philosopher) use our own (not the ISP's)
router that's unlikely.
I ran some tests of this sort on mine a while ago, seemed to confirm
that it's fairly 'hard'.
Your router does connect you to the Internet, doesn't it? External
administration is so "convenient" and "comfortable" that it may be
offered by default and if not your security need not be worth much.
On the other hand, getting at you that way will require knowledge and
effort. I expect you to be safe just because nobody as qualified would
consider it worth his time to look at your PI experiments. Now, if you
hosted a sizeable customer database there or ran a political website ...
No. External administration is not offered by default on a second hand
Even there, it's surprising how resilient one can be. I do run a very
Have a look at what was happening in October...
...a massive increase in traffic TO the server...
Till I got bored with the huge logs and firewalled out the fruitless
attempts to log in as root with every possible password.
Hint to hackers. Root login is in any case disallowed. Even with the
My point is that even with a relatively high profile and exposed machine
that has sshd enabled to all comers, they couldn't hack the thing in a
month of trying.
Whereas I know of people with various 'web tools' like joomla who were
hacked every few DAYS
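The log-watching step described above (spotting the sources behind the fruitless root password attempts before firewalling them out), as an added example that is not code from the thread. The log lines are constructed sample data in the format sshd writes to the auth log, using documentation-range addresses; the threshold and the hostname "vps" are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: find which source addresses are
# hammering sshd with password guesses, which is the list you need before
# firewalling them out. The log lines are constructed sample data in the
# format sshd writes to auth.log, using documentation-range addresses.

SAMPLE_LOG=$(cat <<'EOF'
Oct  3 02:11:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Oct  3 02:11:03 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51123 ssh2
Oct  3 02:11:05 vps sshd[1203]: Failed password for root from 198.51.100.7 port 51130 ssh2
Oct  3 02:11:09 vps sshd[1207]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Oct  3 02:12:00 vps sshd[1210]: Accepted publickey for fred from 192.0.2.44 port 50000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Oct  3 02:12:30 vps sshd[1215]: Failed password for root from 203.0.113.9 port 40002 ssh2
EOF
)

# Read sshd log lines on stdin; print "<failures> <source-ip>" per source,
# busiest first. Successful logins and non-sshd lines are ignored.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print only the sources with at least THRESHOLD failures (default 3),
# i.e. the candidates for a firewall block.
offenders() {
    threshold=${1:-3}
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Usage on the sample data (on a real host: offenders 10 < /var/log/auth.log)
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Counting per source rather than per line is what matters: one address making three attempts in five seconds is the pattern to block, while a single failed login from an address that later authenticates with a key is just a typo. Pick the threshold to suit your own log volume; the sample uses 3 only because the constructed data is tiny.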
It's turned off. If I *really* need to configure from outside then I
set up a temporary ssh tunnel to do so.
Quite! :-) I doubt anyone will expend a *lot* of effort trying to
break into my home systems.
Yes, it's amazing how many hits an open ssh port gets! :-)
I have mine set up to only allow connections from two outside sites
where I have ssh login accounts. Thus I connect from 'somewhere' to
one of these two accounts and then from there to my home system.
Basically I have unlimited access from my (fixed) home address - I had
opened ssh up so I could access it from abroad, but I am back home now,
so I have shut the lot down.
Now the only globally open ports are smtp, ssmtp, pop3, http and https.
And one other I won't mention.
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:xxxxx
REJECT all -- anywhere anywhere reject-with
On the internet the default should always be 'only let in what you
absolutely need, and then only once you have worked out how to hack it,
and blocked that too'
I haven't had a virus since I abandoned Windows, and I have never been
hacked. Yet. But I have been subjected to successful denial of service
Greens don't like gridwatch.
Most of these are obvious and sensible given that you're running a
webserver and, presumably, a mailserver that accepts SMTP connections.
Indeed, but one has me curious: why is pop3 open?
I assume you're running a public or semi-public POP3 server, since using
it to collect mail from an ISP doesn't require an externally accessible
I use ssh to read mail and usenet as I simply connect to my desktop
machine at home and run command line mail and news clients.
I only have SMTP open in addition to ssh. I did have SMTP limited
(like ssh) to only some IPs allowed to connect (my hosting service's
mail servers) but that got a bit difficult to maintain so it's now
open to any IP. It doesn't seem to get many unwanted connection
attempts, nothing like ssh gets.
Correct. A friend is also using it, from a BT dynamic IP setup.
I don't understand what you mean by 'using it to collect mail from an ISP'.
Why on earth would I want to be 'collecting mail from an ISP'?
Since ISPs don't have mail to collect. They are merely connectivity devices.
I mean what is the POINT of having your own domains and server, if you
then 'use it to collect mail from somewhere else'?
Mail comes in and out via SMTP and SSMTP
POP3 is how it gets to me inside my network, as I don't want to open an
SMTP port into my home network
Well I have to have it open, else how could I receive global email?
Ditto http and https. You can't run webservers if the world is
Naturally there are constant attempts to hack into all these services,
but since I don't run 'standard' software like wordpress, phpmyadmin,
joomla, ISP style mail logins...they are all simply network load that
leads to nothing.
None of the hack attempts have even come close.
It probably would not suit you, but the following setup works exactly the
way I want it to:
My Postfix MTA sends outgoing mail via my ISP's mail host and I use
getmail to retrieve incoming mail from my ISP's mail host using POP3,
passing it to my MTA for local delivery via Dovecot. My mail volume is
fairly small, so this system handles it easily while allowing me to
receive and send mail without having any ports externally visible or
I do run a web server, but only for internal use. My published websites
are hosted by my ISP. These are maintained locally and published by using
FTP to mirror them onto my ISP's webhosting servers.
Good god. I wouldn't trust my ISP to host a clown party for 5 year olds.
I run about 20 websites on a linux virtual private server, plus half a
dozen domains I keep for my email and other nefarious purposes plus a
few other people's websites and email.
This isn't at home stuff. Behind some firewall. This is out there on the
The only firewall is iptables.
You would be surprised about how far it extends. The range of your WiFi
depends on your equipment and that used by the second party, with some
very simple hardware it is easy to build an antenna with sufficient gain
to boost the signal out to a mile or more. While unlikely that some
hacker with QRP (reduced power) skills would be within a mile or two of
your house it is possible. I have used a simple cantenna to boost wifi
across a field of just over a mile to get a poor but usable signal.
2.4GHz wifi band routers output about 100mW, one of the current QRP ham
radio records is about 1500 miles on a microwatt, not a quality data
signal by any means but a very low bandwidth signal that was detectable.
With a directional antenna a hacker could sit in a car a hundred yards
or so away and easily pick up your router or a neighbour could. Finding
a way in through open ports is possible then but brute forcing the key
may be a better option.
I live in the UK and use Sky as my provider. Their routers use WPA
encryption which has an ASCII key between 8 and 63 characters long.
Sky chose 8 characters for simplicity which, if you use the full
printable ASCII set, has about 100 Billion combinations. At 10 seconds
per key that amounts to an average of about 15 thousand years to crack
by brute forcing so fairly secure.
Sky however, for customer simplicity and convenience over security, only
uses upper case letters in their passwords so that 95 possible
characters drops to 26 and brute forcing is possible in an average of 3
You have to be very determined to crack an average user's wifi and even
more determined to do so at a distance but it is possible. Also bear in
mind that many small businesses use standard routers for the broadband
so hacking a shop to steal banking information is possibly more
lucrative. I brute forced a sky password in just over a month just for
fun with an old Pi1. It was a spare router of my own BTW before someone
quotes the computer misuse act. The simplest way to crack a neighbour's
wifi is just to visit them and sneak a peek at the back of their router,
it saves weeks of fiddling about.
I would only allow SSH access from the outside using DSA/RSA key
authentication, possibly even changing the port even though that should
not be considered a security measure in its own right.
Personally I prefer to have a VPN tunnel into my network again protected
by key/certificate rather than password.
The effect for this is the same but I wonder if there are things that do
work differently when you leave the framebuffer dimensions commented out
and instead edit the hdmi mode settings, e.g. I am used to changing:
for TV mode 1080p @50 Hz. And then to make absolutely sure:
(in my case for a receiver that wrongly reported available resolutions).
See all settings at
The POINT is that it saves you trouble of running and administering
that mail server ... and spares you the responsibility of knowing what
you're doing and keeping that knowledge up to date. Life is finite!
You and I may be happy doing all that, but I wouldn't recommend that
most people try running any kind of public-facing server (even if they
do have their own domains) unless they're really sure that they have a
good reason to do so and that they know how to do it securely.
Of course, having your own domain is convenient even if you have no
intention of running your own server(s), as it gives you the freedom to
move the hosting between ISPs/suppliers without having to change your
But it doesn't. You still have to set up the mail server. Assuming it's
out there in internet land the most trivial thing is to let it accept
incoming SMTP mail and set MX records to point to it.
But that's only half my point.
Why use a server AT ALL if it's simply cloning someone else's server? Why
not go direct to the original server?
Actually, I chose to do it that way because using getmail to collect
incoming messages avoids having to open any ports in my firewall.
I run my own internal Postfix MTA for two additional reasons:
- I have a database-based mail archive which gets fed via a Postfix
'always_bcc' directive. I ensure that all my incoming and outgoing mail
passes through that MTA. Why do that? Because I thought that it should
be a lot faster to find an e-mail by searching that database than by
looking through huge email folders in an MTA - and it certainly is.
Any matching email among the 184,000 in the archive will be found within
10 seconds and can be inspected in the search app or forwarded to my
MUA so attachments can be saved and/or it can be replied to.
- The archive also acts as a whitelisting engine: I wrote a Spamassassin
rule that whitelists any e-mail whose sender is recorded as having
received mail from me.
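The "anyone I have written to is trusted" rule described above, as an added example that is not the poster's own rule or archive code. The poster's archive is a database fed by Postfix's always_bcc; this version instead reads an mbox of sent mail (constructed below as sample data with example.com/.net/.org addresses) and turns its recipients into SpamAssassin whitelist_from directives, plus a lookup that answers the same question for a single incoming sender.

```shell
#!/bin/bash
# Added example, not the poster's code: derive a SpamAssassin whitelist from
# the recipients of mail you have sent, approximating "whitelist any sender who
# has received mail from me". SENT_MBOX is constructed sample data standing in
# for the poster's database archive.

SENT_MBOX=$(cat <<'EOF'
From me@example.org Mon Oct  6 10:00:00 2014
From: Me <me@example.org>
To: Alice Smith <alice@example.com>, bob@example.net
Cc: carol@example.com
Subject: test

hello
From me@example.org Tue Oct  7 11:00:00 2014
From: me@example.org
To: alice@example.com
Subject: again

hi
EOF
)

# Read an mbox on stdin; print every To:/Cc: address once, lower-cased.
# From: lines are deliberately not matched, since those are our own address.
sent_recipients() {
    grep -iE '^(To|Cc):' \
      | grep -oiE '[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]+' \
      | tr 'A-Z' 'a-z' | sort -u
}

# Emit one SpamAssassin directive per known correspondent; append the output
# to local.cf or user_prefs. (SpamAssassin 4.0 calls this welcomelist_from.)
whitelist_rules() {
    printf '%s\n' "$SENT_MBOX" | sent_recipients | sed 's/^/whitelist_from /'
}

# Return 0 if the given sender address has previously received mail from us.
is_whitelisted() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$SENT_MBOX" | sent_recipients | grep -qxF "$addr"
}

# Usage on the sample data
whitelist_rules
is_whitelisted 'bob@example.net' && echo "bob@example.net: whitelisted"
```

One caveat before relying on this: whitelist_from matches only the claimed sender address, which spam can forge, and the SpamAssassin documentation itself recommends whitelist_from_rcvd or whitelist_auth (which also check the relay or the DKIM/SPF result) for exactly that reason. The same applies to the database-backed version: a spammer who guesses the address of one of your correspondents gets a free pass unless the rule also checks where the message came from.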
That too. I also run an internal HTTP server (Apache) which is an
extended bookmarking system, provides no-hassle access to a growing
collection of images and documents in a variety of topics, as well as
being a convenient place to publish my externally visible websites, which
are exported to a webhost via FTP.
I save myself a lot of hassle by using external hosts for my websites and
domain names and by routing all incoming and outgoing mail through my
ISP's mail server.