[DrPhish]

Looking at Netdisco I have 12 VLANs. ISP1, ISP2 (from Dad's house across the valley), OSPF backbone, DMZ, LAN, Guest, Cameras, Servers, Japan, Kids, Management and Test. Everything passes thru PF and only exposes services as required. The Guest VLAN, for example, has no way to get to the rest of the VLANs. Camera VLAN can only talk to the DVR software, etc.

The important thing with securing my public IPs (as with securing anything) is to understand the surface area and minimize risks. With the number of services I'm exposing, I have to be careful. First thing is to keep all OSs up to date. OpenBSD every 6 months and Debian on an ongoing basis.

Next, whenever possible use single-purpose proxies that have been well audited. In my case OpenSMTPD, Unbound and NSD protect the always popular mail and dns servers from attack.

Keeping complicated things off the internet is important. Big CMS packages are constantly under attack. I only run either static pages on my webserver, or very carefully audited custom PHP pages (written with an attacker's eye to exploit injection)

When I expose something more complicated like Guacamole or Citadel that might end up with a known hole in the login screen, I put it behind both SSL and an HTTP simple auth login prompt. It's ancient, and so well tested that it is unlikely to end up with an exploit against it. Or at least less likely than the app its protecting. I've actually been toying around with doing 2 factor auth on these services with a dynamically generated simple auth sent via SMS bridge or IFTTT...

On my internal network, I have my family running linux wherever possible, and keep Java and Flash off the windows PCs. Everyone runs with a nonprivledged account and the OS/software packages/PDF readers are all kept up to date. I think the wife and kid's PCs are probably the most likely things to be compromised on the network, so I keep a close eye on them.

I also take the reactive approach of log alerting, change monitoring and general diligence to the state of my network. If you know what has changed in the last 24 hours it tends to be a small enough dataset to eyeball, and will tend to tip you off when things are wonky. I also have enough logging and data sources (syslog, configs diffs, apache logs, nfsen data, mrtg data) that it would be exceptionally difficult for an attacker to wipe out all trace of their presence.

I do not know of a successful attack against my network, tho I'm not naive enough to think that it hasn't happened. I just haven't realized it if it has.

Its a great hobby if you like this stuff!

[ge96]

Wow thanks a lot for the details this is not my field haha regarding the tech you mentioned in the beginning.

Curious what your family thinks having to run Linux. It's my primary os myself with i3-wm. People usually complain "install apps command line" ui, etc .. whatever Ubuntu being as supported as it is that UI is so slow/bloated IMO.

I have Windows as well but use Virtual box and Linux to access the web if it's not just YouTube/Gmail/regular pages with adblock/uorigin running.

I don't even know how many ports there are on computers, I mean in my experience I've seen up to port 10000, I think you have to enable them? I usually use 21/22/80/443 though I've seen 3000 (websocket), 4200 (angular), 246 or 286 (windows RDP) I don't know...

It's a lot to keep track of web security. OSWAP

Anyway thanks for your time rambled on my end.

[jlgaddis]

Take a look at /etc/services on your Linux box for some hints or Google something like "IANA well-known ports" for a list of "registered" ones.

[ge96]

Thanks for the tip

[Vendan]

Windows rdp is 3389, but really, anything can go on any port up to 65535. The common ports like 80 and 443 are just there as "it's common to use these for services, so you don't have to put in http://google.com:80". And there's no real "enabling" them, it's just a question of if your firewall allows it, and if you have something actually listening.

Also, websocket is just a protocol upgrade slapped on http/https, so it normally goes over 80/443. If someone's running it on another port, it's probably cause the server they have on their normal http/https doesn't work well with websockets.

[ge96]

Yeah the 3000 I just recalled that with a tutorial on socket.io I did a couple years back.

Yeah my bad in the RDP, you know I messed up on that. Was trying to get around firewall rules, I edited the registry and changed the port for it... Could not get back in. This was one of Amazon's windows servers, and I mounted it as a volume to another one and could not access the registry to change it back so yeah... Locked myself out haha.

[DrPhish]

I have a long history of having my family use Linux. I'm a Debian guy myself, so I've always either used Ubuntu or basic Debian. I run dwm on any machines that I put X on (very few, honestly).

I started my Dad on Ubuntu around 2008, and he hasn't used anything else since. Shortly thereafter my Mom, then my Sisters. Most recently my Step-mom, and Grandparents have gone to Ubuntu.

When I got some castoff laptops from work, I turned them into Sugar notebooks for my kids, and once that became too limiting for them I helped them install mainline Debian. Some of them run Gnome and my oldest runs fvwm.

My wife still runs Windows because of inertia, more than anything TBH.

In my experience, I've only had 1 peripheral that someone has bought that was totally unusable due to drivers (scanner), and the only programs my relatives have asked for that weren't available were my kids wanting to play Roblox, which I didn't want them playing anyways. Thanks to Minetest and buying most Humble Indie bundles I actually have a pretty good library of Linux games for them to play, so there hasn't been much bellyaching from them. Well, that and the Windows gaming/home theatre PC.

I've gone to a 2 strikes and you're out policy on Windows installs. If I have to re-install it for you more than one, and you're either getting Linux or finding someone else to fix your computer. My Grandparents got caught on this policy, but my stepmom actually asked for "That system that Dad has that doesn't get viruses". Happy ever since.

Most people that aren't highly technical tend be served by Firefox/Thunderbird/LibreOffice for 99.99% of their needs. It's mostly Facebook these days TBH.

It makes support dead simple. no-ip.com and SSH let me fix almost anything remotely, and no one has every gotten pwned that I know of.

Other people have answered the port question, but I'll try to go at a slightly lower level. Each open port will have a program running on the host that has opened a listening socket on that port. Netstat can help you find out what is listening, and on what interface/port. As a rule, only root can open ports under 1024, and any well written server will drop all non-required privs. You can check with the ps command. This is somewhat enforced on some OSs, eg OpenBSD with pledge.

From a security standpoint you should verify that you know and understand every server listening on a socket, which interfaces they are bound to (netstat asterisk means all interfaces), and whether they are exposed to the internet via direct interface/proxy/port forward/etc.

One trick to secure services that need remote access: if the service is only for technical users, you can give them each an account with no interactive shell, and then they can ssh port-forward to the port they want to access. Eg. you can make 3389 (RDP) only listen on the local LAN or the loopback device, ssh to your router with port forwarding local port 3399 (or whatever), to remote IP:3389 and point your local rdp client to localhost:3399. Great for ad-hoc limited VPN type connections. That way you only have to be aware of SSH remote holes, and not the more-likely RDP server.

Hopefully if any of this is incorrect, someone will correct me

[ge96]

Man that's cool and you save yourself buying windows licenses.

I'll have to check that out no-ip, so you install openssh server to SSH int their computers? Yeah I like that feature myself too lazy to get up and use the dev desktop.

That's my hope regarding Linux that it's safe, using virtual box and Linux.

Haven't heard of Sugar notebooks.

Yeah I used to run Linux Mint, then Debian, then Ubuntu mostly because of their good driver support, a few times I've had laptops with Debian installed and they couldn't connect to WiFi right off the bat. Then i3-wm because my computers are generally garbage. At least now both my desktop/laptop have 8gb ram. Could go higher maxing out chrome tabs.

Anyway thanks and for the info on the ports, I have used netstat before it's intimidating haha, so many at least when I checked on my windows laptop if I recall right.

[atmosx]

Sounds like a full time job to me. I mean, I'm getting paid, to monitor less than this...