|
|
@@ -1084,12 +1084,12 @@ apt-get install fail2ban
|
|
1084
|
1084
|
** Set up a firewall
|
|
1085
|
1085
|
|
|
1086
|
1086
|
#+BEGIN_VERSE
|
|
1087
|
|
-/The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder/
|
|
|
1087
|
+/The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability./
|
|
1088
|
1088
|
|
|
|
1089
|
+-- Bruce Schneier
|
|
1089
|
1090
|
#+END_VERSE
|
|
1090
|
1091
|
|
|
1091
|
|
-A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack.
|
|
|
1092
|
+A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack. Your internet router may contain a firewall, but chances are that it also contains proprietary software which can be remotely changed/updated by the ISP. Unless you're running free software, such as [[https://en.wikipedia.org/wiki/OpenWrt][OpenWrt]], on your internet router then it's reasonable to assume that the device is hostile and could be conducting surveillance, trying to do [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack]["man in the middle"]] attacks or be pushing "implants" onto the computers and mobile devices on your local network. That means that your server needs its own firewall.
|
|
1092
|
1093
|
|
|
1093
|
1094
|
#+BEGIN_SRC: bash
|
|
1094
|
1095
|
apt-get install portsentry
|
Bob Mottram
11 years ago