HOWTO: Security
Eric S. Raymond
esr at thyrsus.com
Tue May 24 21:33:06 UTC 2016
Hal Murray <hmurray at megapathdsl.net>:
>
> esr at thyrsus.com said:
> > See my reply to Gary and your text about NATs and firewalls. Nobody has
> > convinced me that this procedure *isn't* taking security seriously, nor will
> > they until I understand how any machine other than the one I port-forward to
> > is visible to outsiders.
>
> Your mention of port-forward assumes you are behind a NAT box. That's not
> true in all setups.
Would it suffice to say "Never put a Pi on an un-NATted address until you
have removed the default account?"
> Try "lastb | grep pi -w" on your bastion machine to get an indication of how
> persistent the bad guys are. I'm averaging one a day. You can do the math.
> It's far from a sure thing, but there are too many stories out there along
> the lines of "my box was hacked within 5 minutes".
I see it.
> Gary's comments about IPv6 are important, at least in theory. lastb doesn't
> show me any probes from IPv6 addresses on the machines I looked at. I'm
> guessing the bad guys aren't geared up to scan IPv6 yet. Brute force isn't
> going to find interesting targets - there are too many bits in IPv6
> addresses. I wonder when the bad guys will be selling IPv6 addresses the
> same way they sell email addresses.
I also don't see any IPv6 probes. This may turn out to be important.
--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
More information about the devel
mailing list