Home page logo

nanog logo nanog mailing list archives

Re: ISPs are asked to block yet another port
From: Jared Mauch <jared () puck Nether net>
Date: Mon, 23 Jun 2003 12:15:32 -0400

On Mon, Jun 23, 2003 at 03:59:56PM +0000, Christopher L. Morrow wrote:
On Mon, 23 Jun 2003, Sean Donelan wrote:

How many ports should ISPs block?  People still buy and connect insecure
computers to the net.

ISP's could block all ports and save everyone the hassle of having an
Internet.... (I am just kidding of course)

Two interesting points though:

1) Spammers adapt
2) default insecure OS installs cause problems

Not new points, but interesting none-the-less. Spammers have adapted quite
quickly and readily to almost all 'fixes' imposed by providers and most
default OS installs are insecure still after all this time. With notable
exceptions most OS installs are still tailored for closed network
installs, lots of never to be used ports listening with old versions of
daemon's installed :(

        I think that many can learn from this.

        Instead of defaulting with everything enabled, default with the
services installed but disabled so they can be easily enabled.  This
is fairly easy to do and something that has gradually changed in the
free UNIX(r) community over the past years.

        RedHat (for example) no longer enables every possible service
by default and requires you to enable these features to protect your
machine from being compromised by software you didn't know you had.

        Not every machine needs to run its own nameserver.

        While there are some services that are safe(er) to have enabled
by default as it improves the usability of the machine, some of
these things are just silly to be enabled on consumer (home) machines.

        I hope all the vendors out there get a clue on this and stop
enabling insecure methods of access by default.  (eg: telnet)

        - Jared

Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]