Re: crack my machine

From: jack (not_at_all.org)
Date: 01/21/04


Date: Wed, 21 Jan 2004 19:13:07 +0100

charly wrote:
> Greetings,
>
> I run my linux box at home which is behind a modem-Router
>
> every request on port 21,22 are routed to my box.
> I installed (ok with a lot of help from you people :) ) an iptables
> script as a firewall.
>
> When I ping my ip, I, in fact ping the router, don't I ?
> So the machine behind the router can not be accessed from outside
> except for the ports which are routed ?
> If I do a port-scan of the ip, I scan the router and not the machine
> as well....
>
> So my question is :
>
> If my machine were to be hacked, it could only be through the 21,22 ports ?

Well, this really depends on Your "modem-Router"...

Firstly, if You ping Your external IP, Yes, Your router will answer
those pings. That's exactly what ping is good for. - You _could_ (and I
dare doubt that Your router can do this) redirect all ICMP traffic to
one of Your internal clients. But, IMHO, doing that is nonsense.

Then, Yes, an _immediate_ attack on Your box can only take place via
ports 21, 22 which You are redirecting. On the other hand, once anybody
"cracks" Your router first and configures it to forward {all;some}
traffic inside Your LAN, You're lost at this stage. - So, even if behind
a firewall, keep Your servers as tight as You can. And, strengthen the
rules of that firewall of Yours. - Unfortunately, with all these "in-a-
box" modems, You can never absolutely, reliably confirm whether they're
safe or not. There have been cases in the past where such products
failed painfully.

Personally, I don't have such a thing, and I don't want it. I have one
dedicated Linux box connected directly to my DSL, and that is the only
solution that satisfies me and gives me good sleep at night. - It also
provides for greatest flexibility and, very important for me, for
distinguished logging so that I _know_ where the problems are and so
that I can tweak my firewall settings accordingly. Plus, if all this
fails anyway, I know that I for _myself_ am responsible for leaks or
failures; if any of those commercial products would allow havoc inside
my nets, I'd (spontaneously) get a gun and shoot the developers' dept
at that respective site...

Cheers, Jack.

-- 
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
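A worked example, added here and not taken from the thread, of the "distinguished logging" Jack describes: it parses iptables LOG lines (assumed to come from a rule such as `iptables -A INPUT -i ppp0 -j LOG --log-prefix "FW-DROP: "`) and separates probes of the forwarded ports 21 and 22 from traffic on any other port, which should never reach the box through the router at all. The syslog lines and addresses are constructed.

```python
import re
from collections import Counter

# Ports the modem-router forwards to the Linux box, per the thread.
FORWARDED_PORTS = {21, 22}

# key=value fields written by iptables' LOG target (SRC=, DST=, PROTO=, DPT=, ...).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample syslog lines, as a rule like
#   iptables -A INPUT -i ppp0 -j LOG --log-prefix "FW-DROP: "
# would produce. Addresses are documentation ranges, not real hosts.
LOG_LINES = [
    "Jan 21 19:13:07 box kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 21 19:13:09 box kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 21 19:13:12 box kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43212 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 21 19:13:15 box kernel: FW-DROP: IN=ppp0 OUT= SRC=198.51.100.20 DST=198.51.100.7 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jan 21 19:13:20 box sshd[123]: Accepted publickey for jack from 192.0.2.9 port 5000 ssh2",
]

def parse_log_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if it is not an iptables LOG line."""
    if " IN=" not in line or " PROTO=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def summarize(lines, forwarded=FORWARDED_PORTS):
    """Count logged packets per (source, protocol, destination port)."""
    # 'expected': hits on ports the router is meant to forward (ordinary probing of
    # the exposed services). 'unexpected': hits on any other port, i.e. the router
    # passed traffic it should not have and the box's own rules were the last line.
    expected, unexpected, no_port = Counter(), Counter(), 0
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        if "DPT" not in fields:  # ICMP and other port-less protocols
            no_port += 1
            continue
        port = int(fields["DPT"])
        key = (fields["SRC"], fields["PROTO"], port)
        (expected if port in forwarded else unexpected)[key] += 1
    return expected, unexpected, no_port
```

Anything that turns up in the "unexpected" counter is the case Jack warns about: the router forwarded more than ports 21 and 22, and only the box's own rule set stopped it.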

