On Saturday 05 September 2009, Dale wrote:
> Grant Edwards wrote:
> > On 2009-09-05, Dale <rdalek1967@×××××.com> wrote:
> >> As some may know already, I recently got DSL.
> >
> > [...]
> >
> >> The DSL modem I am using is the Motorola 2210. It seems to be
> >> a gateway thing. I have no router at the moment
> >
> > The 2210 is a router that is doing NAT with a stateful
> > firewall. It will (assuming it's not too buggy) prevent
> > outside access to your network.
> >
> > If you buy a second router (e.g. a Linksys or DLink), you'll
> > just be duplicating the NAT/firewall/routing functions in the
> > 2210. You can do that if you want. I used to run a two-layer
> > NAT setup with a Cisco 678 DSL modem (configured to forward all
> > TCP/UDP ports) and an OpenWRT gateway. There were features I
> > needed that OpenWRT had that the Cisco didn't.
> >
> > Unless there's something specific that you want to do that
> > isn't supported by the 2210 (or you're aware of deficiencies in
> > the 2210), I probably wouldn't bother adding a second firewall
> > box.
>
> I was thinking about buying a router IF I build a second box and need to
> share the internet with it. The modem only has one port and apparently
> zero reconfigurability, because when I log in there are no options to
> change anything except what time it updates the modem software. So, I
> hope it works well. o_O

Just a few suggestions:

Make sure that you change all passwords in the router - it may have more than
one user defined - and shut down any router services that you do not need at
the moment (e.g. telnet, ftp, or whatever Motorola are providing).

Make sure you disable UPnP, as it can be susceptible to having your router
cracked open and its configuration changed.

If you google for the above two I am sure that you will find a lot of stories
about the poor defaults of some routers. I do not know if your Motorola is
one of those, of course, so take these and others like them with a pinch of
salt, because I do not want to alarm you unnecessarily:

http://www.jibble.org/o2-broadband-fail/
http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=205800419

The cheapest solution by far to networking a second PC in the LAN is to use
your first PC as a router and forward packets through it. The second option
is to buy another router. In this case I recommend that you use your
Motorola in fully bridged mode, where it acts as a transparent ADSL modem
(look through its GUI and read the manual as to how to achieve this), and use
your new router to perform PPPoE authentication with your ISP's network. If
you buy an old Cisco or Adtran router off eBay, make sure you flash it with
the latest firmware, as it will be open to the Internet via your fully
transparent bridged ADSL modem.

Your netstat results show that you are running mdnsd and mDNSResponder. Is
this necessary?

Instead of fail2ban and similar I recommend native sshd solutions:

No root logins, a random high port number instead of 22 and only public key
authentication allowed. The random port will get rid of 99.5% of the botnets
and the pubkey will drop dead anything else. Make sure that you secure your
private key with a strong password - if you are paranoid, and also just in case
your user account is one day compromised.

The stealthiness or not of your ports is determined by your router (responding
to ICMP echo requests) and is for all intents and purposes irrelevant. GRC
have to make money somehow out of panicky MSWindows users. Some discussion
on this here, although there are no doubt more serious comments on the web
about this topic:

http://www.wilderssecurity.com/showthread.php?t=216892

Finally, I would recommend that you configure iptables (there are loads of
scripts out there). You never know if some application you're trying out
decides to open a port just for laughs.

HTH.
-- 
Regards,
Mick
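A follow-up to the netstat question in Mick's message above. This is an added example, not part of the original thread: a small awk filter that takes `netstat -lntup` style output and lists only the listeners bound to something other than loopback, i.e. the ones reachable from the LAN or, in bridged mode, from the Internet. The netstat lines in `sample_netstat` are constructed for illustration; they are not Dale's actual output, and the port numbers and PIDs are made up.

```shell
#!/bin/sh
# Added example (not from the original post): list listening sockets that are
# not bound to loopback. Reads "netstat -lntup" style lines on stdin.

# sample_netstat -> constructed netstat -lntup output for the demo below.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:47911           0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      980/cupsd
tcp6       0      0 :::47911                :::*                    LISTEN      1234/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2100/mdnsd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1500/dnsmasq
EOF
}

# exposed_listeners -> prints "proto address port program" for every tcp/udp
# listener on stdin whose local address is not 127.0.0.1 or ::1.
# Column 4 is "addr:port"; the port is everything after the last colon so that
# IPv6 addresses such as ":::47911" and "::1:5353" are split correctly.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            prog = $NF
            sub(/^[0-9]+\//, "", prog)        # "1234/sshd" -> "sshd"
            print $1, addr, port, prog
        }'
}

# Usage: on a live box replace sample_netstat with "netstat -lntup" (as root,
# so the PID/Program column is filled in) or "ss -lntup".
sample_netstat | exposed_listeners
```

With the constructed sample this prints the two sshd sockets and the mdnsd socket on 0.0.0.0:5353; cupsd and dnsmasq on 127.0.0.1 are not shown, because only local processes can reach them. Anything that appears in this list and is not wanted is a candidate for the "is this necessary?" question.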
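An added example for the sshd recommendations in Mick's message (no root logins, a non-default port, public-key-only authentication); it is not code from the original post. It is a shell audit that reads an `sshd_config` the way sshd does (first occurrence of an option wins, comments ignored, nothing after the first `Match` block counts as global) and reports which of those settings are missing. The two sample configs written by `write_samples` are constructed, and the port 47911 is an arbitrary choice, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening settings recommended above. Only the "Keyword value" form is
# handled, not "Keyword=value".

# sshd_opt FILE KEY -> prints the effective (lower-cased) global value of KEY,
# or nothing if it is unset. First match wins, as in sshd itself.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # comment line
        tolower($1) == "match" { exit }                    # end of global section
        tolower($1) == key && !found { print tolower($2); found = 1 }
    ' "$1"
}

# check_sshd_config FILE -> prints one line per finding; exit 0 if none.
check_sshd_config() {
    file=$1; findings=0
    root=$(sshd_opt "$file" PermitRootLogin)
    port=$(sshd_opt "$file" Port)
    pass=$(sshd_opt "$file" PasswordAuthentication)
    pubkey=$(sshd_opt "$file" PubkeyAuthentication)
    chal=$(sshd_opt "$file" ChallengeResponseAuthentication)

    # Historically PermitRootLogin defaulted to "yes", so unset is a finding.
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', want no"; findings=$((findings + 1)); }
    # Unset Port means 22, the port every scanner tries first.
    case "${port:-22}" in
        22) echo "Port is 22, want a non-default high port"; findings=$((findings + 1)) ;;
    esac
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '${pass:-unset}', want no"; findings=$((findings + 1)); }
    # PubkeyAuthentication defaults to yes, so only an explicit "no" is a finding.
    [ "$pubkey" != "no" ] || { echo "PubkeyAuthentication is no, want yes"; findings=$((findings + 1)); }
    # Keyboard-interactive can still prompt for a password when
    # PasswordAuthentication is off, so it has to be switched off as well.
    [ "$chal" = "no" ] || { echo "ChallengeResponseAuthentication is '${chal:-unset}', want no"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# write_samples DIR -> writes DIR/weak.conf and DIR/hardened.conf (constructed).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# stock-looking config: everything left at the historical defaults
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 47911
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage demo on the constructed samples; on a real box run
# check_sshd_config /etc/ssh/sshd_config instead.
tmp=$(mktemp -d)
write_samples "$tmp"
for name in weak hardened; do
    echo "== $name.conf"
    check_sshd_config "$tmp/$name.conf" && echo "no findings"
done
rm -rf "$tmp"
```

The `Match User backup` block in the hardened sample re-enables password authentication for one account, and the audit deliberately ignores it: that is a per-user exception, not the global policy. Whether such an exception is acceptable is a separate decision. Once the config passes, restart sshd and test the new port from a second session before closing the old one.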
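An added example covering two points from Mick's message: using the first PC as the router for a second box, and configuring iptables so that an application cannot quietly open a port to the outside. This is not a script from the original thread. It generates an `iptables-restore` ruleset (loaded atomically, so the box is never half-configured) with a default-deny INPUT chain, stateful forwarding for the LAN side, and NAT on the PPPoE side. The interface names `ppp0` and `eth0` and the ssh port 47911 are assumptions for the demo; `fw_apply` needs root and is not run by default.

```shell
#!/bin/sh
# Added example (not from the original post): stateful default-deny firewall
# plus NAT for a Linux PC that shares its DSL link with a second machine.

# fw_ruleset WAN LAN SSH_PORT -> prints an iptables-restore ruleset.
# WAN is the PPPoE interface (address changes, hence MASQUERADE rather than
# SNAT); LAN is the interface the second box is attached to.
fw_ruleset() {
    wan=$1; lan=$2; ssh=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide the LAN behind whatever address the ISP hands out
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the second box may talk to this PC freely (DNS, DHCP, file sharing later)
-A INPUT -i $lan -j ACCEPT
# ssh on the non-default port is the only service reachable from the WAN;
# anything else an application opens stays unreachable because of the DROP policy
-A INPUT -i $wan -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT
# answer pings, but rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# forwarding: LAN may go out, only replies to it may come back in
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# fw_apply WAN LAN SSH_PORT -> enables forwarding and loads the ruleset (root).
fw_apply() {
    sysctl -w net.ipv4.ip_forward=1
    fw_ruleset "$@" | iptables-restore
}

# fw_count_accept_from_wan WAN -> number of NEW-connection holes open to WAN;
# a quick self-check that nothing beyond ssh has crept in.
fw_count_accept_from_wan() {
    fw_ruleset "$1" eth0 47911 | grep -c -- "^-A INPUT -i $1 .*ctstate NEW -j ACCEPT"
}

# Usage: review first, then apply.
#   fw_ruleset ppp0 eth0 47911
#   fw_apply   ppp0 eth0 47911
```

To make it survive a reboot, save the output of `fw_ruleset` to a file and load it from the init script (on Gentoo, `/etc/init.d/iptables save` after applying, then add iptables to the default runlevel). The second box then only needs its default gateway pointed at this PC's LAN address.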