On Saturday 05 September 2009, Dale wrote:
> Grant Edwards wrote:
> > On 2009-09-05, Dale <[email protected]> wrote:
> >> As some may know already, I recently got DSL.
> >
> > [...]
> >
> >> The DSL modem I am using is the Motorola 2210.  It seems to be
> >> a gateway thing.  I have no router at the moment
> >
> > The 2210 is a router that is doing NAT with a stateful
> > firewall.  It will (assuming it's not too buggy) prevent
> > outside access to your network.
> >
> > If you buy a second router (e.g. a Linksys or DLink), you'll
> > just be duplicating the NAT/firewall/routing functions in the
> > 2210. You can do that if you want.  I used to run a two layer
> > NAT setup with a Cisco 678 DSL modem (configure to forward all
> > TCP/UDP ports) and an OpenWRT gateway.  There were features I
> > needed that OpenWRT had that the Cisco didn't.
> >
> > Unless there's something specific that you want to do that
> > isn't supported by the 2210 (or you're aware of deficiencies in
> > the 2210), I probably wouldn't bother adding a second firewall
> > box.
>
> I was thinking about buying a router IF I build a second box and need to
> share the internet with it.  The modem only has one port and apparently
> zero reconfigurability because when I log in, there are no options to
> change anything except what time it updates the modem software.  So, I
> hope it works well.  o_O

Just a few suggestions:

Make sure that you change all passwds in the router - it may have more than 
one user defined - and shut down any router services that you do not need at 
the moment (e.g. telnet, ftp, or whatever Motorola are providing).

Make sure you disable UPnP as it can be susceptible to having your router 
cracked open and its configuration changed.

If you google for the above two I am sure that you will find a lot of stories 
about the poor defaults of some routers.  I do not know if your Motorola is 
one of those of course, so take these and others like them with a pinch of 
salt, because I do not want to alarm you unnecessarily:

http://www.jibble.org/o2-broadband-fail/
http://www.informationweek.com/news/personal_tech/showArticle.jhtml?articleID=205800419

The cheapest solution by far to networking a second PC in the LAN is to use 
your first PC as a router and forward packets through it.  The second option 
is to buy another router.  In this case I recommend that you use your 
Motorola in fully bridged mode where it acts as a transparent ADSL modem 
(look through its GUI and read the manual as to how to achieve this) and use 
your new router to achieve PPPoE authentication with your ISP's network.  If 
you buy an old Cisco or Adtran router off eBay make sure you flash them with 
the latest firmware as they will be open to the Internet via your fully 
transparent bridged ADSL modem.

Your netstat results show that you are running mdnsd and mDNSResponder.  Is 
this necessary?

Instead of fail2ban and similar I recommend native sshd solutions:

No root logins, a random high port number instead of 22 and only public key 
authentication allowed.  The random port will get rid of 99.5% of the botnets 
and the pubkey will drop dead anything else.  Make sure that you secure your 
private key with a strong passwd - if you are paranoid and also just in case 
your user account is one day compromised.

The stealthiness or not of your ports is determined by your router (responding 
to ICMP echo requests) and is for all intents and purposes irrelevant.  GRC 
have to make money somehow out of panicky MSWindows users.  Some discussion 
on this here, although there are no doubt more serious comments on the web 
about this topic:

http://www.wilderssecurity.com/showthread.php?t=216892

Finally, I would recommend that you configure iptables (there's loads of 
scripts out there).  You never know if some application you're trying out 
decides to open a port just for laughs.

HTH.
-- 
Regards,
Mick
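
The three sshd settings recommended in the message above (no root logins, a port other than 22, public key authentication only), checked against an sshd_config. This is an added example, not part of the original message. It assumes current upstream OpenSSH defaults for absent keywords, reads only the global section before any Match block, and ignores ports set through ListenAddress; the function names and sample configs are constructed.

```python
# Added example, not from the original message. Sample configs are constructed.
# Defaults are those of current upstream OpenSSH (assumption; distros may differ).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Older spelling of the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return (settings, ports) from the lines before the first Match block."""
    settings, ports = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower()
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))         # Port may be given several times
        else:
            settings.setdefault(key, value)  # otherwise the first value wins
    return settings, ports or [22]

def audit(text):
    """List the ways the config falls short of the three recommendations."""
    settings, ports = parse_global(text)
    value = lambda key: settings.get(key, DEFAULTS[key])
    findings = []
    if value("permitrootlogin") != "no":
        findings.append("root login is not fully disabled")
    if 22 in ports:
        findings.append("sshd listens on the default port 22")
    if value("pubkeyauthentication") != "yes":
        findings.append("public key authentication is disabled")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if value(key) != "no":
            findings.append(key + " is still enabled")
    return findings

WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\nPasswordAuthentication yes\n"
HARDENED = ("Port 49222\nPermitRootLogin no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "meets all three recommendations")
```

Turning off PasswordAuthentication alone is not enough for "only public key": keyboard-interactive authentication can still prompt for a password, which is why the check covers both keywords.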
