22 should be in there as well; that's a major command and control system used for malware and botnets, even on Windows anymore.
Most of your users will not need 22 inbound, and if they do it's easier to add an exception for a handful than to deal with not having it when Something Bad(tm) happens.

On Tue, Jul 12, 2016 at 7:56 PM, That One Guy /sarcasm <[email protected]> wrote:
> That would be great if it were viable, but it's a management headache. We
> have unrestricted static space, but it's 10 for /30 and 20 for /29, but
> customers don't want it if they have to pay for it. 25, 123, and 53 are easy
> to justify dropping; the rest just aren't in our market because customers
> don't want to incur a fee for having somebody else come in and reconfigure
> porting, and we don't want to take on the headache of helping them. That's why
> I put in the DMZ config.
>
> On Tue, Jul 12, 2016 at 7:20 PM, Josh Reynolds <[email protected]> wrote:
>>
>> If they want a public/static IPv4 without the blocking, they bypass the
>> filtering. That's a $20 or $30/month service with Google.
>>
>> IPv4 is no longer cheap.
>>
>> This adds revenue while helping to prevent issues with infected customer
>> routers. Very common ISP practice.
>>
>> On Jul 12, 2016 7:17 PM, "That One Guy /sarcasm"
>> <[email protected]> wrote:
>>>
>>> lol, it's funny you say that, this happens to be the guy a while back I
>>> posted about who was convinced that one of JABs acquisition APs infected
>>> him, and all his devices. This guy wanted to make it our problem now by
>>> putting our router back in place, which was fine, more visibility for us if
>>> he's a threat to our network.
>>>
>>> I'm not sure what proper firewalls you speak of Josh for customer
>>> equipment, we provide a cheap consumer router that occasionally ends up on
>>> our exposed public IP space, it's no different than the customer's own router,
>>> only we can lock it down so they can't mess things up. Aside from us managing
>>> the device, two air routers side by side are both air routers even if we own
>>> one and they own one.
>>> Are you recommending on our ISP network we block 80,
>>> 443, 22, 21 for all customers? Because that will piss off a lot of DVR
>>> owners.
>>>
>>> On Tue, Jul 12, 2016 at 4:45 PM, Bill Prince <[email protected]> wrote:
>>>>
>>>> No I didn't realize that. That's a whole other story. I would advise the
>>>> customer to not allow direct access from the outside excepting perhaps VPN
>>>> access. Otherwise, it's their problem. They probably have their
>>>> smarter-than-they-are phone getting hacked.
>>>>
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>>
>>>> On 7/12/2016 2:26 PM, That One Guy /sarcasm wrote:
>>>>
>>>> You realize this is a residential customer router right? Not
>>>> infrastructure, not a CPE radio, those are all inaccessible.
>>>> We dump a config that puts a single IP outside the DHCP pool on the DMZ.
>>>> If they want a public IP, they can do whatever they want as long as it
>>>> doesn't violate our TOS. 53 and 123 would; everything but our management port
>>>> goes into the DMZ. And the only people with customer router credentials are
>>>> the staff who would need to get into them to turn on or off the wireless; we
>>>> put them out with it off by default.
>>>>
>>>> On Tue, Jul 12, 2016 at 4:17 PM, Bill Prince <[email protected]>
>>>> wrote:
>>>>>
>>>>> You should limit the scope of who can even attempt to log in.
>>>>>
>>>>> bp
>>>>> <part15sbs{at}gmail{dot}com>
>>>>>
>>>>> On 7/12/2016 1:23 PM, That One Guy /sarcasm wrote:
>>>>>
>>>>> Jul 12 12:11:05 httpd[6948]: Bad password attempt for 'admin' from
>>>>> c-98-226-167-23.hsd1.il.comcast.net
>>>>> Jul 12 12:11:28 httpd[6952]: Password auth succeeded for 'admin' from
>>>>> c-98-226-167-23.hsd1.il.comcast.net
>>>>>
>>>>> This is from an airrouter with a strong password. We just went through
>>>>> a password change too.
>>>>>
>>>>> --
>>>>> If you only see yourself as part of the team but you don't see your
>>>>> team as part of yourself you have already failed as part of the team.
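The airrouter httpd log lines quoted further down the thread show a bad password attempt and then a successful 'admin' login from the same remote host 23 seconds apart, which is the kind of pattern an ISP would want to alert on rather than discover by reading syslog. As an added example that is not part of this thread or of any vendor's code, here is a small Python check that parses lines in that exact format and flags a success preceded by failures from the same source for the same user within a short window; the log format comes from the quoted lines, while the 300-second window, the year and the third sample line are assumptions.

```python
import re
from datetime import datetime

# Matches the httpd auth lines quoted in the thread (syslog-style, no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) httpd\[\d+\]: "
    r"(?P<event>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']+)' from (?P<src>\S+)$"
)

def parse_line(line, year=2016):
    """Return (timestamp, event, user, source) or None for non-auth lines.
    The year is assumed because syslog timestamps omit it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["src"]

def find_suspicious_logins(lines, window_seconds=300, min_failures=1):
    """Flag each successful login that was preceded, within window_seconds,
    by at least min_failures bad password attempts for the same user from
    the same source. Returns a list of (src, user, failures, success_ts)."""
    failures = {}  # (src, user) -> timestamps of bad password attempts
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, src = parsed
        key = (src, user)
        if event == "Bad password attempt":
            failures.setdefault(key, []).append(ts)
            continue
        # Successful login: count recent failures for this source/user pair.
        recent = [t for t in failures.get(key, [])
                  if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            alerts.append((src, user, len(recent), ts))
        failures.pop(key, None)  # reset the counter after a success
    return alerts

# Constructed sample log: the first two lines are the ones quoted in the
# thread, the third is an assumed clean login from a management address.
SAMPLE_LOG = """\
Jul 12 12:11:05 httpd[6948]: Bad password attempt for 'admin' from c-98-226-167-23.hsd1.il.comcast.net
Jul 12 12:11:28 httpd[6952]: Password auth succeeded for 'admin' from c-98-226-167-23.hsd1.il.comcast.net
Jul 12 12:40:00 httpd[7001]: Password auth succeeded for 'admin' from 10.0.0.5
""".splitlines()

if __name__ == "__main__":
    for src, user, n, ts in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts} login for {user!r} from {src} after {n} failed attempt(s)")
```

Run against a real router's syslog export, the first two sample lines produce one alert and the clean login produces none; on a production box the same rule would normally feed a log shipper rather than print.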
