[ale] How to test your public internet connection for open ports

Pat Regan thehead at patshead.com
Fri Feb 11 05:02:40 EST 2011


On Fri, 11 Feb 2011 03:21:16 -0500
Ron Frazier <atllinuxenthinfo at c3energy.com> wrote:

> That's partly incorrect.  The default settings generally do silently 
> drop, or stealth, unsolicited packets, which is exactly what Steve is 
> recommending.  However, there are usually other defaults which must
> be checked and sometimes changed.

I am more than a little unfamiliar with the current state of the
majority of routers people use at home.

I don't really care if they drop packets or respond that the port is
closed.  From the consumer's perspective they are pretty much identical.

If they're dropping ICMP, well, then that's a bit disappointing and
something most people won't turn back on.

> * They usually have no active wireless encryption.  That definitely 
> needs to be on.

This seems to have changed drastically over the last few years.  My DSL
modem here has WEP enabled and required by default.  The default
password is printed on the same label as the serial number.  I think it
supports WPA, but I wouldn't know for sure; it has been in bridge mode
the whole time I've used it.

I'm seeing way fewer unprotected wifi networks today than I did even a
few years ago; most of them are running WPA2.  They must be much more
likely to ship with encryption enabled by default today.

> * They usually have a stupid well-published default password.  That 
> definitely needs to be changed.

If it is only available on the LAN side this isn't that big a deal.  I
agree that it should be changed, but it is low on the list.

> * They frequently have UPNP on.  That should be turned off.

Then they may have a diminished experience playing multiplayer games on
their PS3.  If an internal machine is compromised it has no need of
UPNP to accept connections from the outside.

> * They sometimes have remote internet side administration on.  That 
> should be turned off.

If they do, they're broken.  Someone should make a list of this crap
hardware.

> * The NAT and firewall settings should be on.  I've seen at least one 
> example where they weren't.

I'd love to know exactly which device that was.  Even ancient routers
get this part right, even if they might be buggy in some scary way.

> * It may be appropriate to change the SSID and DHCP settings.

What changes to these settings does the average consumer need to make?

Most (maybe nearly all, I don't track this) secured access points I see
in my travels have unique names.  Some look generated, most look like
they have intelligence behind them.  I can't remember the last time I
saw a "linksys" or "netgear" SSID that was encrypted.  

> In short, I would NEVER just take a home router out of the box and
> wire it up and assume I'm done.  Nor would I recommend it.

That's exactly what most people do, though.  Almost every one of them
is as safe from attacks on their WAN port as you or I.

> I KNOW the things I advocate increase my security.  The only question
> is how much.  I want the network to be as safe as it can, with the 
> equipment I have available.

We know that some of the things you advocate cause some harm, require
extra work, and don't provide any extra protection.

People are only going to put so much effort into security.  It is
better to aim them at the things that help instead of the things that
don't make any difference.

> The best we can hope for from the aforementioned consumers is to
> have a passing knowledge of security, and they probably won't have
> the money to pay us for it.

Almost every single one of these consumers is already safe from attacks
on the WAN side.  This isn't the weak link in their security chain.

I agree that more people need to protect their wifi.  That is a
significantly bigger hole for a huge number of people.

Pat

