Nat Fire wall

[p0lar]

<blink>

I'm amazed that as many people have let as much B$ slide in this forum as not.

Sniffing? - No thanks, please drive through, have a nice day, come back again.
Reverse LAN & WAN? - Nice one!
NAT Firewalls only do NAT? - Wrong... wrong wrong wrong.
Connections coming in on an ephemeral port? - No sir, nice try - you're not God (yet?).

Let me sum this up without getting too terribly technical:

The guy is a few fries short of a happy meal. After he has finished eating his nightly supply of paint chips, he lays down, wets the bed, cries for mommy because you didn't open up icmp echo for him and then passes out sucking his thumb while cuddled with his pooh bear.

The next time he tells you he is going to "hack your firewall/lan/whatever", pass him a personal invite to join us here and we'll see to it that he knows what the terms 'categorically denied' means. He is the sombrero of @$$hats.

 

[Mir96TA]

Now he wants me to run some services.......
So he can hack into this

 

[p0lar]

Ok, here's how this thing is going to go down...

Fire up your favourite copy of VMWare + linux of some sort and load up Honey Pot...

Let him chew on that for a few minutes, grab his IP from your logs, then post it here.

IF you hear back from him, rinse, lather, and repeat. He will eventually garner a clue.

 

[dxpaap]

I've recently got Adelphia cable internet. Using the provided cable modem, and installed router w/ firewall NAT & SPI and installed software firewall. seems pretty secure as per some of the security test sites.

But, I installed this Adelphia "Eserivce" application that allows them to trouble shoot my connection and system. I asked tech support if this opened up my system from a security standpoint - there response was they can only access information relevant to an "open" trouble ticket.

Question 1: Am I correct in assuming that I just created a huge securty hole my home network defences ?

Also, was configuring Adelphia mail to collect POP mail from my other internet provider (AT&T which requires SSL). But noticed that Adelphia doesn't use SSL to access its POP mail. Tech support said they don't use it.

Question 2: Anyone know if Adelphia is neglect in protecting its customer's Email because they don't use SSL ? Should this be a concern ?

thanks in advance
dave

 

[Matthias99]

1) Possibly, but most likely not. It's almost certainly opened a port in your router (you can look in the router's configuration pages to see if it did), but if the only thing listening on that port is their application, I doubt it's much of a breach of security.

2) Yes and no. While it's possible for someone to pick up your encrypted password and then spend enough time to break it, the odds of someone between you and the sever (very few people) wanting to do this are very very small. A bigger concern for me would just be someone at the cable company reading my mail -- if you're that paranoid about security, you should be using something like PGP for sensitive communications. In short, I'd rather use a server that has SSL or Kerberos, but it's not the end of the world for what is effectively a mail server on your LAN.

 

[exx1976]

Yeah, it's not the end of the world, except that I also have Adelphiam, and... My firewall runs OpenBSD. Fire up Ethereal, sniff the WAN side of the connection, and you find ALL SORTS of fun stuff.. You can only sniff your local segment, but.... ALL the usernames/passwords for email access to Adelphia's servers are sent CLEAR TEXT. So, if your neighbor is a d!ck, and has Adelphia, you can log into his mailbox and screw with him...

 

[dxpaap]

exx1976, thanks for the info - guess it would be pretty timeconsuming to determine how many connections are in my segment with a sniffer.

I'd like to know who is on my segment, if anyone with a little knowldge and motivation can access my mail. I'd think it would be more important for a cable setup to use ssl then with a dialup connection.

Think its just a matter of cost that Adelphia doesnt implement ssl ?

 

[exx1976]

I'm not sure about why they don't implement SSL.. Could have to do with the servers they use (perhaps they don't support it?), it could have to do with ease of setting up clients (most people's PCs are self-configured, they just mail you a modem and instructions -- saves the $50 install fee), could have to do with many different things.

Figuring out how many people on your segment will be difficult at best, because not everyone leaves their machine on all the time, so you may not be able to determine this without sniffing for a VERY extended period of time and logging everything, and then comparing the logs..

The clear text thing was one reason I switched to an Exchange server at home (aside from the fact I was studying to get certified on it).. Not only that, but I also have no limitations on the size of an email I can send, or how full my mailbox can get...

That, and I can run OWA..

 

[dxpaap]

well, I'm happy with Adelphia's access speed (coming from dialup), but NOT impressed at all with tech support or mail implementation. guess we don't live in a perfect world

Guess I'll look on the bright side, been wanting to build a linux based firewall. Do you know if "Ethereal for OpenBSD" runs on linux ? or of an equivalant for linux ?

 

[Fuzznuts]

yes it does ethereal works on all linux and bsd's afaik. i use it on rh9 at least

 

[exx1976]

Someone has even ported Ethereal to run on the Wintel platform now, too.. The *nix version is a little more stable, and a LOT faster though.. But it requires X Windows, which not many people bother to set up if it's just a firewall...