Mike said:
agreed security by obscurity isn't worth too much...(maybe deter script
kiddies)..but many port scanners do not scan all ports...so I imagine
(perhaps incorrectly?) that it is a modest increase in security...and does
no harm.
Firewall, & hard passwords are definitely the primary lines of security...
I disagree. Most port scanners scan all ports just looking for this kind of
thing; after all, it takes almost no more effort than scanning a single
port and there are only 64k ports in total. A script can do it in a flash;
go to grc.com and try their public one, for instance.
The danger here is that it makes a person feel secure when in fact he/she/it
has done nothing to improve his/her/its security at all.
When it comes to protecting your local network you really need to be
pro-active and put in place real security measures. At this point in time,
and to the best of my knowledge, the best setup IMHO (for broadband) is to
run your cable modem to a router, close every port at the router, only open
ports at the router you absolutely need, then run that connection from the
router to a Linux-based machine with IP masquerading (2 NIC cards, 1 for
traffic to/from the router and one for traffic to/from the rest of your
LAN), iptables, and possibly something like SpamAssassin, installed and set
up properly. This acts like a giant sludge filter that then feeds cleaned
up and semi-safe traffic to the rest of your local network. Next, all
Windows systems NEED to have an updated and properly configured virus
scanner running on them. All Windows systems need to have their virus
scanner doing automatic scans every night, checking for and if available
downloading engine and .dat file updates every night. The virus scanner
needs to be set up to scan all incoming and outgoing files and email. Also,
the router needs a lengthy unguessable password and remote management and
any WAN configuration access disabled. Every system on your local LAN needs
to have regular password changes and the passwords and user names need to
be weird and unguessable. Never use your email address in Usenet, never
post your username, never post any of your internal (local LAN) IPs. When
purchasing stuff online, create a Yahoo or other web-based email account
and use that. Next, system and application software needs to be kept up to
date - i.e. Windows Update once a week is good, Linux systems should be
checking for security updates once a week also. Finally, know where you go!
Be sceptical! What's this free stuff? How do I know it's not a trojan? Run
Ad-Aware regularly, remove those tracking cookies, clean out temporary
internet files daily. Never! Ever! execute email attachments unless you
KNOW they are safe. Did you expect them? Just because they came from "your
buddy" doesn't mean they are safe; a lot of trojans/worms/viruses etc. send
email from infected systems, that's how they spread.
Lastly, EDUCATION! READ READ READ, know what is going on out there. What
tools are available, how they work, how good are they? What's the latest
trojan/worm/virus scorching the net? How can I keep it out, how can I
recognize it and kill it if it gets in my local network? Of course if it's
done that, you need to re-think the whole protective structure you've set
up and analyze what went wrong. How did I get it? How can I prevent things
like that from ever happening again etc. etc.
Hope this helps
Eric
While not perfect, this will go a long way towards making your life easier.
If everyone followed this type of thing, there would be a LOT fewer viruses
on the net and a lot of people would breathe easier knowing they have
dramatically lessened the chances of someone hacking their systems.
Eric
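
The gateway described in the post above (a two-NIC Linux machine doing IP masquerading with iptables behind the router), as an added example that is not part of the original post. The helper name gen_gateway_rules, the interface names eth0/eth1, the subnet 192.168.1.0/24 and the LAN-only SSH rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): print an iptables-restore ruleset for a
# two-NIC masquerading gateway. Interface names and subnet are assumptions.
gen_gateway_rules() {   # hypothetical helper name
    wan="$1"; lan="$2"; lan_net="$3"
    # Accept only plain interface names and a CIDR, so a typo or stray
    # character cannot become an extra rule in the generated file.
    for ifc in "$wan" "$lan"; do
        case "$ifc" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $ifc" >&2; return 1 ;;
        esac
    done
    case "$lan_net" in
        ''|*[!0-9./]*) echo "bad LAN subnet: $lan_net" >&2; return 1 ;;
    esac
    [ "$wan" != "$lan" ] || { echo "WAN and LAN must be different NICs" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# IP masquerading: LAN hosts leave with the gateway's WAN-side address
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
# Default deny: anything not matched below is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumption: the gateway is administered over SSH from the LAN side only
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
# LAN may open connections outward; the WAN side may only answer them
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
# Print the ruleset when called with WAN, LAN and subnet arguments
if [ "$#" -eq 3 ]; then gen_gateway_rules "$@"; fi
```

Review the printed rules, then load them as root with iptables-restore; forwarding between the two NICs also needs net.ipv4.ip_forward set to 1.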