[Cerowrt-devel] open ports on WAN

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

* [Cerowrt-devel] open ports on WAN
@ 2014-04-19 16:36 Chuck Anderson
  2014-04-19 17:52 ` Dave Taht
  0 siblings, 1 reply; 2+ messages in thread
From: Chuck Anderson @ 2014-04-19 16:36 UTC (permalink / raw)
  To: cerowrt-devel

I was curious to see what services were open on the WAN to the CeroWrt
router itself.  It looks like the following services are open and not
firewalled via iptables directly:

21 telnet
22 ssh
23 ftp
873 rsync
12865 netserver

The only thing blocking access is the xinetd configuration:

defaults
{
              per_source = 16
              only_from = 192.168.0.0/16 172.16.0.0/12
              instances = 18
              max_load = 16
}

Is this a good idea, relying only on this default config to block
access to those services?  Or should the iptables firewall default to
blocking everything and only poke holes where they are needed rather
than how it is now--only blocking a list of ports which doesn't
include the above ports?

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [Cerowrt-devel] open ports on WAN
  2014-04-19 16:36 [Cerowrt-devel] open ports on WAN Chuck Anderson
@ 2014-04-19 17:52 ` Dave Taht
  0 siblings, 0 replies; 2+ messages in thread
From: Dave Taht @ 2014-04-19 17:52 UTC (permalink / raw)
  To: cerowrt-devel

On Sat, Apr 19, 2014 at 9:36 AM, Chuck Anderson <cra@wpi.edu> wrote:
> I was curious to see what services were open on the WAN to the CeroWrt
> router itself.  It looks like the following services are open and not
> firewalled via iptables directly:
>
> 21 telnet
> 22 ssh
> 23 ftp
> 873 rsync
> 12865 netserver
>
> The only thing blocking access is the xinetd configuration:
>
> defaults
> {
>               per_source = 16
>               only_from = 192.168.0.0/16 172.16.0.0/12
>               instances = 18
>               max_load = 16
> }

> Is this a good idea, relying only on this default config to block
> access to those services?  Or should the iptables firewall default to
> blocking everything and only poke holes where they are needed rather
> than how it is now--only blocking a list of ports which doesn't
> include the above ports?

telnet and ftp are actually sensors that detect probe attempts and
block off attempts to access any other services from the offending
IP.

I like the sensor capability, and wish it could trigger adding firewall
rules as well.

Rsync has no conf file by default, and ssh and netserver are limited by
default to the common internal  IP  addresses.

You  can tighten these down further if you like.

> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-04-19 17:52 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-19 16:36 [Cerowrt-devel] open ports on WAN Chuck Anderson
2014-04-19 17:52 ` Dave Taht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox