Yeah, once I add it to the list, unless you're on a static you don't get it, so I'm limited. The publics, other staff can add and remove; I'm the only one that touches the statics. We have quite a few customers who do use 22 for access. We do run Butch Evans' script, a little modified, on all our infrastructure routers and will probably have it on all the CPE routers when we dump the airRouters for MikroTiks. 22 is changed on our publicly exposed airRouters too, but customers with their own we can't do anything about, but UBNT "assures" us the last two firmwares are safe LMFAO
On Tue, Jul 12, 2016 at 8:04 PM, Josh Reynolds <[email protected]> wrote:
> 22 should be in there as well, that's a major command and control
> system used for malware and botnets, even on Windows anymore.
>
> Most of your users will not need 22 inbound, and if they do it's
> easier to add an exception for a handful than to deal with not having
> it when Something Bad(tm) happens.
>
> On Tue, Jul 12, 2016 at 7:56 PM, That One Guy /sarcasm
> <[email protected]> wrote:
> > That would be great if it were viable, but it's a management headache. We
> > have unrestricted static space, but it's 10 for a /30 and 20 for a /29, and
> > customers don't want it if they have to pay for it. 25, 123, and 53 are easy
> > to justify dropping; the rest just aren't in our market because customers
> > don't want to incur a fee for having somebody else come in and reconfigure
> > porting, and we don't want to take on the headache of helping them. That's why
> > I put in the DMZ config.
> >
> > On Tue, Jul 12, 2016 at 7:20 PM, Josh Reynolds <[email protected]> wrote:
> > > If they want a public/static IPv4 without the blocking, they bypass the
> > > filtering. That's a $20 or $30/month service with Google.
> > >
> > > IPv4 is no longer cheap.
> > >
> > > This adds revenue while helping to prevent issues with infected customer
> > > routers. Very common ISP practice.
> > >
> > > On Jul 12, 2016 7:17 PM, "That One Guy /sarcasm" <[email protected]> wrote:
> > > > lol, it's funny you say that, this happens to be the guy a while back I
> > > > posted about who was convinced that one of JAB's acquisition APs infected
> > > > him, and all his devices. This guy wanted to make it our problem now by
> > > > putting our router back in place, which was fine, more visibility for us if
> > > > he's a threat to our network.
> > > >
> > > > I'm not sure what proper firewalls you speak of, Josh, for customer
> > > > equipment. We provide a cheap consumer router that occasionally ends up on
> > > > our exposed public IP space; it's no different than the customer's own router,
> > > > only we can lock it down so they can't mess things up. Aside from us managing
> > > > the device, two airRouters side by side are both airRouters even if we own
> > > > one and they own one. Are you recommending on our ISP network we block 80,
> > > > 443, 22, 21 for all customers? Because that will piss off a lot of DVR
> > > > owners.
> > > >
> > > > On Tue, Jul 12, 2016 at 4:45 PM, Bill Prince <[email protected]> wrote:
> > > > > No I didn't realize that. That's a whole other story. I would advise the
> > > > > customer to not allow direct access from the outside excepting perhaps VPN
> > > > > access. Otherwise, it's their problem. They probably have their
> > > > > smarter-than-they-are phone getting hacked.
> > > > >
> > > > > bp
> > > > > <part15sbs{at}gmail{dot}com>
> > > > >
> > > > > On 7/12/2016 2:26 PM, That One Guy /sarcasm wrote:
> > > > > > You realize this is a residential customer router, right? Not
> > > > > > infrastructure, not a CPE radio; those are all inaccessible.
> > > > > > We dump a config that puts a single IP outside the DHCP pool on the DMZ.
> > > > > > If they want a public IP, they can do whatever they want as long as it
> > > > > > doesn't violate our TOS (53 and 123 would); everything but our management port
> > > > > > goes into the DMZ. And the only people with customer router credentials are
> > > > > > the staff who would need to get into them to turn the wireless on or off; by
> > > > > > default we put them out with it off.
> > > > > >
> > > > > > On Tue, Jul 12, 2016 at 4:17 PM, Bill Prince <[email protected]> wrote:
> > > > > > > You should limit the scope of who can even attempt to login.
> > > > > > >
> > > > > > > On 7/12/2016 1:23 PM, That One Guy /sarcasm wrote:
> > > > > > > > Jul 12 12:11:05 httpd[6948]: Bad password attempt for 'admin' from
> > > > > > > > c-98-226-167-23.hsd1.il.comcast.net
> > > > > > > > Jul 12 12:11:28 httpd[6952]: Password auth succeeded for 'admin' from
> > > > > > > > c-98-226-167-23.hsd1.il.comcast.net
> > > > > > > >
> > > > > > > > This is from an airRouter with a strong password.. we just went through
> > > > > > > > a password change too
> > > > > > > >
> > > > > > > > --
> > > > > > > > If you only see yourself as part of the team but you don't see your
> > > > > > > > team as part of yourself you have already failed as part of the team.

--
If you only see yourself as part of the team but you don't see your team
as part of yourself you have already failed as part of the team.
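The log pair quoted at the bottom of the thread (a bad password attempt for 'admin' followed 23 seconds later by a successful login from the same remote host) is exactly the sequence worth alerting on rather than reading by hand. As an added example, not code from the thread, from Ubiquiti, or from Butch Evans' script, here is a small Python detector over lines in that httpd format, run on constructed sample lines (the hostnames and addresses below are RFC 5737 / RFC 1918 placeholders, not the customer's host). It flags a success preceded by failures from the same source, a burst of failures from one source (brute force), and any successful login from a source outside a management allow-list, which is the "limit the scope of who can even attempt to login" point Bill raises. The 10-minute window, the five-failure threshold, the year used to complete the syslog timestamps and the 10.0.0.0/8 allow-list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the airRouter httpd lines quoted in the thread, e.g.
#   Jul 12 12:11:05 httpd[6948]: Bad password attempt for 'admin' from host.example
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) httpd\[\d+\]: "
    r"(?P<event>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']+)' from (?P<src>\S+)$"
)


def parse_line(line, year=2016):
    """Return a dict for a recognised login event, or None for anything else.
    Syslog-style timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["event"] == "Password auth succeeded",
            "user": m["user"], "src": m["src"]}


def is_allowed(src, allowed_nets):
    """True only if src is an IP literal inside one of the allowed networks.
    Reverse-resolved hostnames (as in the thread's log) cannot be matched
    against a CIDR list, so they are treated as unmanaged sources."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def analyse(lines, window=timedelta(minutes=10), max_failures=5,
            allowed=("10.0.0.0/8",)):
    """Walk log lines in order and return a list of alert dicts."""
    allowed_nets = [ip_network(n) for n in allowed]
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unrelated or malformed line
        key = (ev["src"], ev["user"])
        # Forget failures older than the window before counting this event.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            if len(failures[key]) == max_failures:  # fire once per burst
                alerts.append({"kind": "brute-force", "src": ev["src"],
                               "user": ev["user"], "at": ev["ts"],
                               "failures": max_failures})
            continue
        # Successful login: was it preceded by guesses from the same source?
        n = len(failures[key])
        if n:
            alerts.append({"kind": "success-after-failures", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"], "failures": n})
        # Any success from outside the management allow-list is worth a look,
        # whether or not it was preceded by failures.
        if not is_allowed(ev["src"], allowed_nets):
            alerts.append({"kind": "login-from-unmanaged-source", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"], "failures": n})
        failures[key] = []
    return alerts


# Constructed sample log in the format quoted in the thread (placeholder hosts).
SAMPLE_LOG = [
    "Jul 12 12:10:40 httpd[6940]: Bad password attempt for 'admin' from cpe-198-51-100-23.example.net",
    "Jul 12 12:11:05 httpd[6948]: Bad password attempt for 'admin' from cpe-198-51-100-23.example.net",
    "Jul 12 12:11:28 httpd[6952]: Password auth succeeded for 'admin' from cpe-198-51-100-23.example.net",
    "Jul 12 12:30:02 httpd[7001]: Password auth succeeded for 'admin' from 10.20.0.5",
    "Jul 12 13:00:00 httpd[7100]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 13:00:03 httpd[7101]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 13:00:07 httpd[7102]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 13:00:12 httpd[7103]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 13:00:20 httpd[7104]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 13:00:25 httpd[7105]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 14:30:00 httpd[7300]: Bad password attempt for 'admin' from 203.0.113.9",
    "Jul 12 14:30:01 kernel: unrelated line that the parser must skip",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a['at']:%b %d %H:%M:%S} {a['kind']:28} {a['user']}@{a['src']} "
              f"(failures before event: {a['failures']})")
```

Two caveats apply in practice. A success after one or two failures is also what a legitimate admin mistyping a password looks like, so the source check carries more weight than the failure count; and because the airRouter logs a reverse-resolved name rather than an address, the allow-list check cannot confirm such a source, which is why it is reported as unmanaged. If the device's web management were only reachable from the operator's management prefix in the first place, the second and third alert kinds could never fire.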
