[HamWAN PSDR] Questions

Dean Gibson AE7Q hamwan at ae7q.net
Tue Mar 11 18:37:17 PDT 2014


Hmm, let's see:

 1. If you happen to get root access on any of my Linux boxes and do "rm
    -rf /" or "rm -rf /bin" or "rm -rf /sbin" or "rm -rf /sys" or "rm
    -rf /usr" or "rm -rf /lib" (or any other modifications to those
    directories), nothing will happen. Depending upon what I've been
    doing recently, "rm -rf /etc" (or other directories) may or may not
    work.  When I used SCSI hard drives (which back then typically had a
    jumper to force read-only access), that was enforced by hardware in
    addition to a software configuration.  Whether I make similar mods
    to the MikroTik OS configuration, remains to be seen.
 2. I run bind (named), ntpd, and postfix in a chroot environment.
 3. SSH does not run on port 22 (nor does it run on a port # > 1024). 
    PostgreSQL is not available on port 5432.  Postfix does not allow
    submissions on port 25.  I don't use self-signed keys.  I don't type
    root passwords.  Etc.
 4. I've run externally-available DNS servers for 15 years, and I've
    *never* allowed recursive queries outside my LAN.
 5. Before I installed FiOS, I asked the (then) Verizon rep whether it
    could support idiot customers with back-door access to the
    provided modem, and when the answer was yes, I set up a DMZ.  When
    people visit my house and need WiFi or wired access, they're in the DMZ.

I have run various versions of Windows for decades, and until recently 
without anti-virus software (some of it is just soothing or alarming 
junk), without ever getting a virus.  However, before I made the above 
modifications (except the last) to my Linux boxes over a decade ago, I 
did have an otherwise-secure Linux box compromised by a vulnerability in 
ISC bind: my server was #3 in a five-stage leapfrog attack on a bank.  
This was before the above modifications over a decade ago.  Since then, 
I've been paranoid. You too can be paranoid, with only a little effort 
(or experience).

Oh, and when I was running a public NTP server (my one serious 
mistake; see: http://www.ultimeth.com/Abandon.html ), I had people 
accessing my NTP hostname without getting permission, so I changed the 
hostname (and let authorized users know), and then pointed the old 
hostname to 127.0.0.1 (I have other "useful" but unsupported services 
similarly configured).  Boy, did that make one person mad; he complained 
to the NTP mailing list (which was somehow unsympathetic).  I guess 
entitlement is alive and well on the Internet ...

So yes, I'll take the risk that a change to the HamWAN network will 
render my link temporarily unusable.

-- Dean

On 2014-03-11 17:11, Jeff Francis(tm) wrote:
> If you put your modem outside of your firewall (which is where mine 
> is, in spite of the fact that I haven't successfully connected yet), 
> your exposure is no worse than being attacked from another host 
> connected to the HamWAN network*.  You *do* have a firewall on your 
> network, right? ;^)
>
> * Well, ok, speaking as a professional security geek (which is what I 
> do for a living), it *is* in fact very slightly worse.  Assuming the 
> firmware of the modem could be compromised to launch attacks, it's a 
> higher-bandwidth lower-latency connection to pound on your network 
> from, which, in theory, is less secure.  But given the speed of the 
> HamWAN network, the delta is pretty small, and given that the modems 
> run a semi-proprietary (and fairly uncommon) OS, the odds of the modem 
> itself becoming a leapfrog platform for staging attacks are pretty 
> insignificant.  And again, assuming you've got a halfway decent 
> firewall in the middle (ie, not just a cheap consumer device that does 
> NAT, but an actual firewall), I wouldn't worry about it.
>
> Jeff N0GQ
>
> On Tue, Mar 11, 2014 at 4:27 PM, Nigel Vander Houwen <nigel at k7nvh.com>
> wrote:
>
>     To add to what Cory said,
>
>     The goal is not to remove control or access from the user. It's
>     simply for network management. It's very much an experimental
>     network, so if you choose not to allow admin accounts on your
>     modem, the network may change and you will be responsible for
>     maintaining it yourself.
>
>     I'd also like to bring up a parallel with other commercial ISPs.
>     You end up in the same situation. For example, with Comcast, you
>     can either rent a modem from them, which they have full admin
>     control of, and may not give you any access at all, or you buy a
>     modem yourself, and configure it to work with them, and any issues
>     or changes are your own responsibility.
>
>     For us the problem is far more significant. The HamWAN network is
>     changing and evolving all the time, unlike a network like
>     Comcast's which is relatively stable. The methods of connecting /
>     authenticating to the network will change, and you should be
>     prepared for that if you decide that allowing a few trusted users
>     on your modem is an unacceptable risk, despite these users having
>     full administrative access to ALL of the rest of the HamWAN
>     network routing your packets.
>
>     In any case, as Cory said, it is your choice, but the recommended
>     one is what's documented on the wiki instructions.
>
>     Nigel K7NVH
>
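
Item 1 of the message above depends on system directories being unwritable even to root. As an added example (not from the original post or from HamWAN), this script audits a /proc/mounts-format table for that property; it assumes the software side is read-only mounts, which the post does not state, and the function names and sample table are constructed.

```shell
# Added example, not from the original post. Assumption: the "software
# configuration" in item 1 means read-only mounts.
# Constructed sample in /proc/mounts format (not from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,nodev 0 0
/dev/sda3 /var ext4 rw,nodev,errors=remount-ro 0 0
EOF
}

# mount_mode MOUNTS_FILE DIR: print "ro" or "rw" for the filesystem
# holding DIR, chosen by longest matching mount point.
mount_mode() {
    awk -v dir="$2" '
        BEGIN { best = -1 }
        {
            mp = $2
            covers = (mp == "/" || dir == mp || index(dir, mp "/") == 1)
            # On equal length the later line wins: an over-mount is
            # listed after the mount it hides.
            if (covers && length(mp) >= best) {
                best = length(mp)
                # Match "ro" only as a whole option, so that
                # errors=remount-ro on a rw mount is not a false pass.
                mode = ($4 ~ /(^|,)ro(,|$)/) ? "ro" : "rw"
            }
        }
        END { print (mode == "" ? "unknown" : mode) }
    ' "$1"
}

# audit_ro MOUNTS_FILE DIR...: print "mode dir" per DIR and return
# non-zero if any DIR is not on a read-only filesystem.
audit_ro() {
    mounts=$1; shift; rc=0
    for d in "$@"; do
        m=$(mount_mode "$mounts" "$d")
        echo "$m $d"
        [ "$m" = "ro" ] || rc=1
    done
    return "$rc"
}

# Demo on the sample; on a live host pass /proc/mounts instead.
tmp=$(mktemp)
sample_mounts > "$tmp"
audit_ro "$tmp" /bin /sbin /usr /lib /etc /var || echo "writable system dir found"
rm -f "$tmp"
```

Run from cron or a monitoring check, a non-zero return from `audit_ro` flags a system directory that was remounted writable and never switched back.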
