Mick wrote:
> On Saturday 05 September 2009, Dale wrote:
>
>> Grant Edwards wrote:
>>
>>> On 2009-09-05, Dale <rdalek1967@×××××.com> wrote:
>>>
>>>> As some may know already, I recently got DSL.
>>>>
>>> [...]
>>>
>>>
>>>> The DSL modem I am using is the Motorola 2210. It seems to be
>>>> a gateway thing. I have no router at the moment
>>>>
>>> The 2210 is a router that is doing NAT with a stateful
>>> firewall. It will (assuming it's not too buggy) prevent
>>> outside access to your network.
>>>
>>> If you buy a second router (e.g. a Linksys or DLink), you'll
>>> just be duplicating the NAT/firewall/routing functions in the
>>> 2210. You can do that if you want. I used to run a two-layer
>>> NAT setup with a Cisco 678 DSL modem (configured to forward all
>>> TCP/UDP ports) and an OpenWRT gateway. There were features I
>>> needed that OpenWRT had that the Cisco didn't.
>>>
>>> Unless there's something specific that you want to do that
>>> isn't supported by the 2210 (or you're aware of deficiencies in
>>> the 2210), I probably wouldn't bother adding a second firewall
>>> box.
>>>
>> I was thinking about buying a router IF I build a second box and need to
>> share the internet with it. The modem only has one port and apparently
>> zero reconfigurability because when I log in, there are no options to
>> change anything except what time it updates the modem software. So, I
>> hope it works well. o_O
>>
>
> Just a few suggestions:
>
> Make sure that you change all passwds in the router - it may have more than
> one user defined - and shut down any router services that you do not need at
> the moment (e.g. telnet, ftp, or whatever Motorola are providing).
>
> Make sure you disable UPnP as it can be susceptible to having your router
> cracked open and its configuration changed.
>
> If you google for the above two I am sure that you will find a lot of stories
> about the poor defaults of some routers. I do not know if your Motorola is
> one of those of course, so take these and others like them with a pinch of
> salt, because I do not want to alarm you unnecessarily:
>
> http://www.jibble.org/o2-broadband-fail/
> http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=205800419
>
> The cheapest solution by far to networking a second PC in the LAN is to use
> your first PC as a router and forward packets through it. The second option
> is to buy another router. In this case I recommend that you use your
> Motorola in fully bridged mode where it acts as a transparent ADSL modem
> (look through its GUI and read the manual as to how to achieve this) and use
> your new router to achieve PPPoE authentication with your ISP's network. If
> you buy an old Cisco or Adtran router off ebay make sure you flash them with
> the latest firmware as they will be open to the Internet via your fully
> transparent bridged ADSL modem.
>

As far as I can tell, I can't configure anything in the modem, at all.
That is the weirdest modem I have ever seen. Unless I am missing
something, I can't enable or disable anything at all. I guess it is
designed to either work or not work. Sort of like a steel ball. lol

> Your netstat results show that you are running mdnsd and mDNSResponder. Is
> this necessary?
>

I vaguely remember something pulling that in a LONG time ago. I have no
clue what the heck that thing is, none whatsoever. I remember checking
the forums when it was installed and it being needed by something. I
don't think I have it set to start, I think it starts because something
else needs it. Should I kill that thing or what?

> Instead of fail2ban and similar I recommend native sshd solutions:
>
> No root logins, a random high port number instead of 22 and only public key
> authentication allowed. The random port will get rid of 99.5% of the botnets
> and the pubkey will drop dead anything else. Make sure that you secure your
> private key with a strong passwd - if you are paranoid and also just in case
> your user account is one day compromised.
>
> The stealthiness or not of your ports is determined by your router (responding
> to ICMP echo requests) and is for all intents and purposes irrelevant. GRC
> have to make money somehow out of panicky MSWindows users. Some discussion
> on this here, although there are no doubt more serious comments on the web
> about this topic:
>
> http://www.wilderssecurity.com/showthread.php?t=216892
>
> Finally, I would recommend that you configure iptables (there's loads of
> scripts out there). You never know if some application you're trying out
> decides to open a port just for laughs.
>
> HTH.
>

I ran an iptables script and saved the config a long time ago. I don't
know if it is the modem or my iptables that is making me "stealthy" or
what. I'm just glad that me hiding appears to be a good thing. lol

Oooops, I hope that wasn't too loud. I had a thought here. I may have
ground up a gear or two. This may help:

root@smoker / # equery depends mDNSResponder
[ Searching for packages depending on mDNSResponder... ]
kde-base/kdelibs-3.5.10-r6 (!avahi & !bindist? net-misc/mDNSResponder)
kde-base/kdelibs-4.3.1 (zeroconf & !bindist? net-misc/mDNSResponder)
kde-base/krdc-4.3.1 (zeroconf? net-misc/mDNSResponder)
kde-base/krfb-4.3.1 (zeroconf? net-misc/mDNSResponder)
media-libs/libgphoto2-2.4.3 (bonjour? net-misc/mDNSResponder)
net-misc/ntp-4.2.4_p7 (zeroconf? net-misc/mDNSResponder)
net-print/cups-1.3.10-r2 (zeroconf & !avahi? net-misc/mDNSResponder)
root@smoker / #

Looks like a few things need mDNSResponder. I can't see me going
without kdelibs anytime soon. lol

Dale

:-) :-)
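Mick's sshd advice above (no root logins, a non-default port, public-key authentication only) is easy to state and easy to get subtly wrong in sshd_config, so here is an added example, not part of the original thread, that audits a config against those three points. It assumes OpenSSH's documented rules: for each keyword the first occurrence in the file wins (a leftover "PermitRootLogin yes" near the top silently beats a "no" further down), Port may be listed several times and sshd listens on all of them, and anything below a Match line overrides the global section only for matching connections. The defaults table assumes a post-7.0 server; the two sample configs are constructed for illustration and are not Dale's or Mick's files.

```python
"""Audit an sshd_config for: no root logins, no listener on port 22,
and public-key-only authentication (PasswordAuthentication and
KbdInteractiveAuthentication both off, so PAM cannot prompt for a
password either).

Added example for this page, not code from the original post.
Semantics assumed from sshd_config(5): first value wins, Port may
repeat, Match blocks override the global section conditionally.
ListenAddress host:port forms are not handled here.
"""
import re

# OpenSSH defaults assumed for a modern server (PermitRootLogin's default
# became "prohibit-password" in OpenSSH 7.0; it was "yes" before that).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated spelling sshd still accepts as the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value", "Keyword=value" and "Keyword = value" are all legal.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (globals, ports, conditional).

    globals:     keyword -> FIRST value seen outside any Match block
    ports:       every Port value seen (sshd listens on all of them)
    conditional: (keyword, value) pairs found below a Match line
    """
    globals_, ports, conditional = {}, [], []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            in_match = True                   # everything below is conditional
            continue
        if in_match:
            conditional.append((key, value))
        elif key == "port":
            ports.append(value)
        else:
            globals_.setdefault(key, value)   # first occurrence wins


    return globals_, ports, conditional


def audit_sshd_config(text):
    """Return a list of findings; [] means the advice holds globally."""
    cfg, ports, conditional = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if effective("permitrootlogin") != "no":
        findings.append("PermitRootLogin is %r, not 'no'" % effective("permitrootlogin"))
    if not ports or "22" in ports:
        findings.append("sshd listens on port 22 (Port lines: %s)" % (ports or "none, default 22"))
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if effective("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM can still ask for a password)")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    for key, value in conditional:
        if key in DEFAULTS:
            findings.append("Match block overrides %s=%s for matching connections; review it" % (key, value))
    return findings


# Constructed sample: distro-style config that still takes passwords, with a
# stale first line that silently beats the "no" further down.
WEAK_CONFIG = """
PermitRootLogin yes          # leftover from install; FIRST value wins
#Port 22
PermitRootLogin no           # ignored by sshd
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample following the thread's advice, plus a Match block that
# quietly re-enables passwords for one address.
HARDENED_CONFIG = """
Port 48221
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match Address 192.0.2.10
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  - " + finding)
```

Run it against /etc/ssh/sshd_config by reading the file into a string and passing it to audit_sshd_config. The point of the first-wins rule and the Match check is that "grep PermitRootLogin" is not enough: the last line you see is not necessarily the one sshd applies, and a Match block can undo a hardened global setting for some peers.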