
A tool to stop hackers

  • Richard Dowty
    Message 1 of 20 , Sep 26, 2012
      Hi everyone this is W7EET: I got a super idea that really works for your computer. I bought a box; that has a manual switch on it. You can go off line and separate the computer from the internet by moving a rotatable switch when you are done using the internet. I bought mine from this company that sells them at a really great price. Here is the link and the name of the company is Triangle cables and they are located in Las Vegas, NV.
      www.trianglecables.com

      Rich/W7EET
    • David A. Ranch
      Message 2 of 20 , Sep 26, 2012

        Hello Jim,

        You could just as easily disable the Ethernet port in the operating system and at that point, you're offline.  That doesn't change anything when the computer needs to be connected to the Internet or you want to connect to the Internet.  Yes, reducing the exposure time on the Internet can help but you're creating a false sense of hope.  There are lots of rules of thumb for keeping a machine secure but none of them are 100%.  Here are a few I always recommend:

           - Keep the OS patched and up to date.  If it's an obsolete, non-supported OS.. upgrade it.  If the old hardware is not supported by new OSes, run Linux or buy new hardware.
           - Keep the applications updated  especially common multi-platform software like Flash, Java, etc
           - Run a firewall on every machine you have in ADDITION to say your DSL router, etc.  Configure them to allow NOTHING in and only then make exceptions only when needed
           - If you're running a Windows machine, run a good Anti-Virus program and keep it updated.  I like Eset
           - Secure the OS.. don't run services you won't use externally (ssh, rdesktop, VNC, MySQL) -- Not sure how?  Research it.. buy a book, etc.
           - Never EVER click on emailed, IMed, etc. URL links, open attachments, etc. from friends when you aren't expecting something from them.  If you think it's legit, forward it back to them and ask them if they actually sent it to you.  It's a pain but more and more people use free email services and they are getting compromised every day.  Trust no one.
           - Have unique and STRONG passwords (upper and lower case, punctuation, 12+ characters) on EVERY SINGLE service you have -- it's an absolute pain but it's the only way to compartmentalize your risk. There are password management programs that help manage all this stuff but make sure that the program itself is highly recommended
           - Install NoScript and NoFlash in your browsers (Firefox) to control the automatic running of Flash, Java, and JavaScript code - WARNING:  Many websites will become difficult to first load as you have to specifically allow every single service but you'll know EXACTLY what's coming in
           - Don't install pirated software.. most of the stuff on the web now is pre-infected with Malware.  Nasty stuff.
           - If you visit shady websites (porn, gambling, etc.), you're putting your computer at a much greater risk as these sites are renowned for spreading malware
          
           * If you subscribe to my point of view, I ultimately don't use primary target operating systems (Windows), weak applications and browsers (Outlook, Internet Explorer).   By doing all of the above on a Linux machine running say Chrome or Firefox, you've GREATLY reduced your attack surface that a hostile user can attack you with.

        --David


      • Richard Dowty
        Message 3 of 20 , Sep 26, 2012
          Thanks dave for the heads up.
          Rich/W7EET




        • Holger Schurig
          Message 4 of 20 , Sep 27, 2012
            My ethernet switch is two commands:

            ifdown eth0
            ifup eth0


            :-)


            But actually I don't do that, too cumbersome.  What I do is the following:

            a) I only install really needed network services. I use "netstat -ntlp" so we see which TCP services are listening "to the world" (you see this when the "local address" column is 0.0.0.0). And I use "netstat -nulp" to get the same for the UDP sockets.
            b) I make that list as minimal as possible. In the end I only have SSH listening to the world.
            c) Finally, I installed "Port Knocker" from http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki . It's package knockd in Debian. That thing adds a firewall rule so that SSH is normally blocked. Only when I knock a sequence of ports within one minute from the outside will knockd open the firewall rule so that SSH is reachable from the outside. Knocking can be done as simply as "telnet mybox.homelinux.net 1234", Ctrl-C, "telnet mybox.homelinux.net 4435", Ctrl-C, no need for a special program.

            This is all in addition to the inherent security features of a DSL box like the Fritzbox that masquerades your local IP network away from the outside.


            Holger, DH3HS
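
Steps a) and b) of the message above amount to auditing which sockets are bound to the wildcard address. The following is an added example, not part of the original post: it parses `netstat -ntlp` / `netstat -nulp` output and reports wildcard-bound listeners that are not on an allowlist. The sample output, program names and the allowlist are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample of `netstat -ntlp` plus `netstat -nulp` output (not from the thread).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      950/cupsd
tcp        0      0 192.168.1.10:3306       0.0.0.0:*               LISTEN      1201/mysqld
tcp6       0      0 :::5900                 :::*                    LISTEN      1410/x11vnc
tcp6       0      0 ::1:631                 :::*                    LISTEN      950/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           640/chronyd
"""


class Listener(NamedTuple):
    proto: str    # "tcp" or "udp" (tcp6/udp6 are folded in)
    host: str     # local address the socket is bound to
    port: int
    program: str  # name from the PID/Program column, "-" if not shown
    scope: str    # "world", "loopback" or "interface"


WILDCARDS = {"0.0.0.0", "::", "*"}


def classify(host):
    """0.0.0.0 and :: accept traffic on every interface: 'listening to the world'."""
    if host in WILDCARDS:
        return "world"
    if host.startswith("127.") or host == "::1":
        return "loopback"
    return "interface"  # bound to one address; still reachable from that network


def parse_netstat(text):
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and column-header lines
        proto = fields[0].rstrip("6")
        # Split on the LAST colon so IPv6 forms like ":::5900" and "::1:631" work.
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        rest = fields[5:]
        if rest and rest[0] == "LISTEN":  # UDP rows have an empty State column
            rest = rest[1:]
        pid_prog = " ".join(rest) or "-"
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        listeners.append(Listener(proto, host, int(port), program, classify(host)))
    return listeners


def unexpected_world_listeners(text, allowed):
    """Return (proto, port, program) for wildcard-bound sockets not in `allowed`."""
    return [(l.proto, l.port, l.program)
            for l in parse_netstat(text)
            if l.scope == "world" and (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    # Allowlist assumption: only SSH is meant to be reachable from everywhere.
    for finding in unexpected_world_listeners(SAMPLE, {("tcp", 22)}):
        print("review:", finding)
```
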

          • aa1oc@comcast.net
            Message 5 of 20 , Sep 27, 2012
              Thank you, Holger!

              Sanity at last.  No need for spending money on switches.

              I've been using a home brew version of knockd since the late nineties when I first learned the technique.

              Bill, AA1OC.
            • Eric Haddix
              Message 6 of 20 , Sep 27, 2012
                On 09/27/2012 03:08 AM, Holger Schurig wrote:

                > c) Finally, I installed "Port Knocker" from
                > http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
                > . Its package knockd in Debian. That thing adds a firewall rule so that SSH
                > is normally blocked. Only when I knock a sequence of ports within one
                > minute from the outside will knockd open the firewall rule so that SSH is
                > reachable from the outside. Knocking can be done as simple as "telnet
                > mybox.homelinux.net 1234", Ctrl-C, "telnet mybox.homelinux.net 4435",
                > Ctrl-C, no need for a special program.


                There are even better versions of knockd that use encrypted ICMP packets
                to open the ports so that someone merely listening in on your traffic
                can't figure out how to open your box. Yes, they require you to have an
                appropriate client but by encrypting the knock you protect yourself
                against replay attacks.
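
The replay point raised in the message above, as an added example that is not part of the original thread: a server-side model of a plain port-sequence knock next to an authenticated single-packet knock. The HMAC-SHA256 tag with timestamp and nonce is an assumption standing in for the "encrypted" knock mentioned; it is not the wire format of knockd or of any named tool, and all addresses, ports and keys are constructed.

```python
import hashlib
import hmac
import struct


class SequenceKnock:
    """Plain knock: open when `ports` are hit in order within `window` seconds."""

    def __init__(self, ports, window=60):
        self.ports, self.window = list(ports), window
        self.progress = {}  # source -> (index of next expected port, time of first knock)

    def observe(self, src, port, now):
        idx, start = self.progress.get(src, (0, now))
        if now - start > self.window or port != self.ports[idx]:
            # Timed out or wrong port: start over, counting this packet only
            # if it happens to be the first port of the sequence.
            idx, start = 0, now
            if port != self.ports[0]:
                self.progress.pop(src, None)
                return False
        idx += 1
        if idx == len(self.ports):
            self.progress.pop(src, None)
            return True  # the firewall rule would be opened for `src` here
        self.progress[src] = (idx, start)
        return False


class SignedKnock:
    """Single-packet knock: 8-byte timestamp + 16-byte nonce + HMAC-SHA256 tag."""

    BODY = struct.Struct("!Q16s")

    def __init__(self, key, max_skew=30):
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> timestamp, kept while it could still pass the skew check

    @classmethod
    def make(cls, key, now, nonce):
        body = cls.BODY.pack(int(now), nonce)
        return body + hmac.new(key, body, hashlib.sha256).digest()

    def verify(self, packet, now):
        if len(packet) != self.BODY.size + 32:
            return False
        body, tag = packet[:self.BODY.size], packet[self.BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted
        ts, nonce = self.BODY.unpack(body)
        if abs(now - ts) > self.max_skew:
            return False  # stale: a capture replayed later
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return False  # replayed inside the freshness window
        self.seen[nonce] = ts
        return True


def demo():
    # The same two packets an on-path listener could record, replayed an hour
    # later from another address, satisfy the plain sequence check again.
    seq = SequenceKnock([1234, 4435])
    captured = [(1234, 0), (4435, 5)]
    owner = [seq.observe("198.51.100.7", p, t) for p, t in captured][-1]
    replay = [seq.observe("203.0.113.9", p, t + 3600) for p, t in captured][-1]

    key = b"constructed-shared-secret"
    signed = SignedKnock(key)
    pkt = SignedKnock.make(key, now=1000, nonce=b"N" * 16)
    return {
        "plain_owner": owner,
        "plain_replay": replay,
        "signed_first": signed.verify(pkt, now=1002),
        "signed_replay_soon": signed.verify(pkt, now=1010),
        "signed_replay_late": signed.verify(pkt, now=4600),
        "signed_forged": signed.verify(pkt[:-1] + bytes([pkt[-1] ^ 1]), now=1002),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
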
              • Richard Dowty
                Message 7 of 20 , Sep 27, 2012
                  I do not know about you folks; but I'm just a dumb old farm boy that is retired now. I will just stick with my manual switch box. It works just fine. click! on,,,,,Click! OFF
                  Rich/W7EET







                • Eric Scott
                  Message 8 of 20 , Sep 27, 2012
                    My question is, whatever happened to the idea of just turning the machine off when you're not using it???

                    I have always been a fan of the KISS principle.

                    '73

                    Eric
                    KC7KLZ




                  • Holger Schurig
                    Message 9 of 20 , Sep 28, 2012
                      Dear Eric,

                      > that use encrypted ICMP packets 

                      from time to time I'm at a customer's site; there I couldn't do that. But telnet (or, better, Putty) is always there, because my customers need this anyway to control the devices I sell them :-)

                      But installing something different to encrypted ICMP packets to my office computer would be a "no no".

                      Also, it's not really needed. If some avid hacker would guess the exact sequence of ports to knock to, then he would still need to hack the SSH protocol. I installed the knockd merely because I was sick of all these login attempts that showed up in my /var/log/secure. No one was so far able to hack my password.



                      Dear other Eric,

                      > My question is,  whatever happened to the idea of just turning the machine off when your not
                      > using it??? 

                      You're sooo right. When I don't need my computer, I use a switchable power cord (not sure what the English term for it is, http://www.multiexperten.de/images/steckdosenleiste%206-fach%20weiss.jpg). This turns off anything. I can't stand the AC/DC converters that plug directly into the power outlet, without their own switch. They always use a bit of power, whether you use the connected device or not. So I use my switchable power-plug. Good for me, good for the environment, bad for the atomic plant operators.

                      Holger, DH3HS

                    • Andy
                      Message 10 of 20 , Sep 28, 2012
                        fail2ban ?

                        You get 6 attempts to login then your IP is locked out for 10 mins.

                        apt-get install fail2ban along with sensible strong passwords does an excellent job.

                        No need for switches or cargo-cult behaviour.

                        Andy
                        MM0FMF
                      • Holger Schurig
                        Message 11 of 20 , Sep 28, 2012
                          Fail2ban only works after the fact, knockd doesn't let the burglary-attempt happen in the first place. Also knockd can be used for other services besides SSH. It's universal.

                          Also, there are now botnets out where the SSH login attempts come from many different IP addresses. fail2ban can't protect against this.

                          So, for my use-case, fail2ban is less appealing.
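
The two positions above (a per-address lockout after 6 failed logins, and login attempts spread over many addresses) can be compared on the same log. The following is an added example, not code from the thread or from fail2ban: it applies a per-address threshold and a simple count of distinct failing sources to constructed sshd log lines. The 600-second counting window and the 20-source alert level are assumptions.

```python
import re
from collections import defaultdict, deque

# Matches sshd "Failed password" lines in traditional syslog format.
LINE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
                  r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failures(lines):
    """Yield (seconds since midnight, source address, user) per failed login."""
    for line in lines:
        m = LINE.match(line)
        if m:
            h, mi, s, user, ip = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), ip, user


def per_ip_bans(lines, maxretry=6, findtime=600):
    """Addresses reaching `maxretry` failures within `findtime` seconds."""
    recent, banned = defaultdict(deque), []
    for t, ip, _ in failures(lines):
        q = recent[ip]
        q.append(t)
        while t - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


def distributed_alert(lines, window=600, min_sources=20):
    """Alert on many DISTINCT failing sources in one window, whatever each one's count."""
    recent, peak = deque(), 0
    for t, ip, _ in failures(lines):
        recent.append((t, ip))
        while t - recent[0][0] > window:
            recent.popleft()
        peak = max(peak, len({addr for _, addr in recent}))
    return peak >= min_sources, peak


def constructed_log():
    """Constructed input: one noisy address plus 40 addresses with 3 failures each."""
    lines = []

    def add(t, ip, user):
        lines.append("Sep 28 %02d:%02d:%02d box sshd[4321]: Failed password for %s "
                     "from %s port 50000 ssh2" % (t // 3600, t % 3600 // 60, t % 60, user, ip))

    for i in range(8):                      # single source, 8 failures in 8 seconds
        add(36000 + i, "203.0.113.5", "root")
    for rnd in range(3):                    # each source stays below the threshold
        for n in range(1, 41):
            add(36100 + rnd * 100 + n, "198.51.100.%d" % n, "root")
    return lines


def summary(lines):
    banned = per_ip_bans(lines)
    alert, peak = distributed_alert(lines)
    return {
        "banned": banned,
        "failures_from_unbanned": sum(1 for _, ip, _ in failures(lines) if ip not in banned),
        "distinct_sources_peak": peak,
        "distributed_alert": alert,
    }


if __name__ == "__main__":
    for key, value in summary(constructed_log()).items():
        print(key, value)
```
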

                        • Dave B
                          Message 12 of 20 , Sep 28, 2012
                            On 28 Sep 2012 at 11:34, linuxham@yahoogroups.com wrote:

                            > .
                            > .
                            > I installed the knockd merely because I was sick of all this
                            > login-attempts that showed up in my /var/log/secure. No one was so far
                            > able to hack my password.
                            <end snip>

                            Of course, another way, is to use non standard ports (Way up high) for
                            SSH etc. Unless you *Have* to use the usual suspects that everyone knows
                            about due to standards compliance for some reason? There again, port
                            knocking is not exactly a "standard" either.

                            73.

                            Dave G0WBX.
                          • Jeffrey Sumner
                            Message 13 of 20 , Sep 28, 2012



                              On Sep 28, 2012, at 4:06 PM, "Dave B" <dave@...> wrote:

                               

                              On 28 Sep 2012 at 11:34, linuxham@yahoogroups.com wrote:

                              > .
                              > .
                              > I installed the knockd merely because I was sick of all this
                              > login-attempts that showed up in my /var/log/secure. No one was so far
                              > able to hack my password.
                              <end snip>

                              Of course, another way, is to use non standard ports (Way up high) for
                              SSH etc. Unless you *Have* to use the usual suspects that everyone knows
                              about due to standards compliance for some reason? There again, port
                              knocking is not exactly a "standard" either.

                              73.

                              Dave G0WBX.


                              My Microchannel (read: ancient) RS/6000 couldn't handle all the login attempts via SSH after I made it my "DMZ host", effectively putting it on the Internet at 3.2MB/sec. "It was discovered" after a day and within a couple hours of that discovery was flooded so completely that the only way into it was through the serial console- and that was very, very slow. Nobody had gotten into it, but it did not have enough CPU to handle all the attempts and rejections, making it a DoS victim.

                              KC4FOX



                            • BRIAN MIEZEJEWSKI
                              Message 14 of 20 , Sep 28, 2012
                                Hi,

                                Best to use ssh with keys so no password is required. See http://paulkeck.com/ssh/. I always configure ssh so it requires keys and create special users for the ssh accounts, I've used rsh (restricted shell) in a few cases to limit what one can do once they do get access in the case of servers not behind a couple layers of firewalls. Always fun to move the ssh port to something different, like the mysql port 3306 and watch the idiots throw SQL at it :-).

                                I use ssh X tunneling this way to run fldigi and flrig remotely, works great on both Linux and my Macs!

                                73,
                                Brian
                                k5hfi

                                 





                              • Dave B
                                Message 15 of 20 , Sep 29, 2012
                                  On 29 Sep 2012 at 10:46, linuxham@yahoogroups.com wrote:

                                  > 2b. Re: A tool to stop hackers
                                  > Posted by: "Jeffrey Sumner"
                                  >
                                  > My Microchannel (read: ancient) RS/6000 couldn't handle all the login
                                  > attempts via SSH after I made it my "DMZ host", effectively putting it
                                  > on the Internet at 3.2MB/sec. "It was discovered" after a day and
                                  > within a couple hours of that discovery was flooded so completely that
                                  > the only way into it was through the serial console- and that was
                                  > very, very slow. Nobody had gotten into it, but it did not have enough
                                  > CPU to handle all the attempts and rejections, making it a DoS victim.
                                  >
                                  > KC4FOX
                                  > J
                                  >

                                  That reminds me of another trick...

                                  In the unlikely event these days you have to use a router that has no
                                  "firewall" as such, you can make the default routing table rule point to
                                  a non-existent LAN address as a DMZ, only making the rules/ports you want
                                  go to a real machine.

                                  All unsolicited incoming packets (of any type) will just get dropped,
                                  just like a "real" firewall, including ICMP (Pings) if you wish.

                                  Just remember not to put anything on that internal DMZ address, or it'll
                                  get hammered out of existence!...

                                  Have Fun.

                                  Dave G0WBX.
                                • mm0fmf
                                  Message 16 of 20 , Sep 30, 2012
                                    You're right about it being after the fact. Perhaps it should be that
                                    all systems have fail2ban installed by default and then ports hidden and
                                    opened with port knocking.

                                    On shared services you can always convince some sysadmins to add
                                    fail2ban if they don't already do something like that. Harder to
                                    convince them about knocking. It shouldn't be. It's like offering SSH on
                                    a non-standard port, it cuts down a lot of the script kiddies but it's
                                    security by obscurity and once the obscurity veil is lifted, all bets
                                    are off.

                                    On my home based server I disabled password and root logins. You have to
                                    use a key to get in either from the net or even on the internal network.
                                    Similarly to get root you need to have successfully logged in as a user.

                                    The problem that I see with using a hard switch is that it encourages a
                                    false sense of security. The correct response is to learn (and we've all
                                    had to do that) how hacks are made and the steps needed to secure a
                                    machine against attacks. People need to know the principles to
                                    understand the danger. If the machine is incorrectly secured then the
                                    switch will stop attacks when it's isolated. But you're still vulnerable
                                    when the switch is thrown. So the switch merely reduces the attack
                                    window and encourages a false sense of security.

                                    Andy
                                    MM0FMF




                                    Holger Schurig wrote:
                                    >
                                    >
                                    > Fail2ban only works after the fact, knockd doesn't let the
                                    > burglary-attempt happen into the first place. Also knockd can be used
                                    > for other services besides SSH. It's universal.
                                    >
                                    >
                                    > Also, there are now botnets out where the SSH login attempts come from
                                    > many different IP addresses. fail2ban can't protect against this.
                                    >
                                    > So, for my use-case, fail2ban is less appealing.
                                    >
                                  • Eric Haddix
                                    Message 17 of 20 , Sep 30, 2012
                                      On 09/28/2012 04:28 AM, Holger Schurig wrote:

                                      > Also, it's not really needed. If some avid hacker would guess the exact
                                      > sequence of ports to knock to, then he would still need to hack the SSH
                                      > protocol. I installed the knockd merely because I was sick of all this
                                      > login-attempts that showed up in my /var/log/secure. No one was so far able
                                      > to hack my password.


                                      It's better to make it non-trivial for a hacker to be able to gain
                                      access to your SSH ports in the first place because if you're using SSH
                                      without public key authentication as you seem to be suggesting, it could
                                      indeed be trivial to attack your machine.
                                    • Holger Schurig
                                      Message 18 of 20 , Oct 1, 2012
                                        I'm not "suggesting" it. I described that I use it. And I have to use it because sometimes I need to access my computer from a customer's site. Some corporate customers have strict requirements, e.g. I cannot attach my own laptop to their network. And in some warehouses I can't use GSM.

                                        So I need to use what's there. Putty is already there, but no way would I install my private key onto a customer's desktop. So for me the answer is port-knocking to hide SSH, and SSH with normal password encryption to access it.

                                        Simply changing the port number of SSH is in my opinion silly. Standard port detection tools like nmap don't get fooled by this.

                                        Your mileage (usage scenario) may vary. And then your solution varies.



                                        (Internally I use ssh-keyfile-login, so that I don't have to type in the password all the time).
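
The following is an added example, not part of the thread and not knockd's own code: a simplified model of how a knock daemon tracks a per-source port sequence before a firewall rule admits that source to SSH. The sequence 7000/8000/9000, the timeouts and the `KnockTracker` name are assumptions chosen for illustration.

```python
# Added illustration: simplified per-source knock-sequence tracking.
# Not knockd's implementation; ports and timeouts are constructed values.
from dataclasses import dataclass, field

SEQUENCE = (7000, 8000, 9000)   # ports that must be hit in this order
SEQ_TIMEOUT = 5.0               # seconds allowed to finish the sequence
OPEN_FOR = 30.0                 # seconds port 22 stays reachable afterwards


@dataclass
class KnockTracker:
    progress: dict = field(default_factory=dict)   # src_ip -> (next_index, start)
    allowed: dict = field(default_factory=dict)    # src_ip -> expiry time

    def on_syn(self, src_ip, dst_port, now):
        """Feed one observed TCP SYN; return True if it completed the sequence."""
        idx, started = self.progress.get(src_ip, (0, now))
        if idx and now - started > SEQ_TIMEOUT:
            idx, started = 0, now                  # too slow: start over
        if dst_port == SEQUENCE[idx]:
            idx += 1                               # correct next knock
        elif dst_port == SEQUENCE[0]:
            idx, started = 1, now                  # treat as a fresh first knock
        else:
            idx = 0                                # any wrong port resets progress
        if idx == len(SEQUENCE):
            self.progress.pop(src_ip, None)
            self.allowed[src_ip] = now + OPEN_FOR  # firewall rule would be added here
            return True
        if idx:
            self.progress[src_ip] = (idx, started)
        else:
            self.progress.pop(src_ip, None)
        return False

    def ssh_allowed(self, src_ip, now):
        """Would the firewall accept a connection to port 22 from src_ip now?"""
        return self.allowed.get(src_ip, 0.0) > now
```

The knock only decides which source address can reach port 22; the SSH login that follows still has to authenticate the user.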
                                      • sonick55
                                        Message 19 of 20 , Oct 1, 2012
                                          Every bit of obfuscation can help. Security has no panacea; it is layered.

                                          I would never change the port number in an enterprise access situation, but for coming in via the front door, it couldn't hurt.

                                          Sure, nmap will recognize it, but most people still don't scan higher than port 1024.

                                          Layers, layers, layers; every little bit helps a little bit.

                                        • Dave B
                                          Message 20 of 20 , Oct 3, 2012
                                            Hi.

                                            I knew the info was available...

                                            Take a look here.

                                            http://www.grc.com/nat/nat.htm

                                            and...

                                            http://www.grc.com/nat/nats.htm

                                            If you have family etc using your home LAN, but wish to isolate yourself
                                            from their machines. That last second NAT router could in essence be
                                            your "high value" machine's own internal firewall, at a pinch, if you
                                            have such a tool installed, or provided with the OS.

                                            73.

                                            Dave G0WBX.