[HECnet] Telnet/SSH attacks

Sampsa Laine sampsa at mac.com
Thu Nov 28 20:11:21 PST 2013


On 29 Nov 2013, at 04:03, "Brian Schenkenberger, VAXman-" <system at TMESIS.COM> wrote:

Sampsa Laine <sampsa at mac.com> writes:

{...snip...}
It is getting ludicrous. Soon we'll all be behind NAT "for our own safety". Ugh.

NAT doesn't necessarily provide you or buy you any better security.


Well, not necessarily, but if you're the type to leave 20 services open on your box and you're doing it on a NAT'd network with no port forwards, those 20 services won't be internet visible. I was being a bit sarcastic there because soon ISPs will start charging extra for non-NAT'd service I think, as the free IP pool gets shallower and shallower.

So NAT for n00bs = good. It doesn't expose their machine directly to the internet. Especially if you get the box from the ISP like most people in the UK, they could lock down UPnP and any internet-facing management ports, and the "crazy amount of open services" problem is gone.

Of course a less than brilliant user can go and download something that compromises his system on the INSIDE of the NAT and makes an outgoing connection, and you're right, you'd need a firewall (or competence) to stop that.

Sampsa


