[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Root password strength

On Fri, Mar 22, 2024 at 9:02 AM Jan Krapivin  wrote:
>
> The thing that bothers me are words: "any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts"

Change it to "any computer (and a fortiori any server) >>using IPv4
and directly<< connected to the Internet is regularly targeted by
automated connection attempts"
and yes, I'm 100% confident they're getting automated connection attempts.

Why the qualifier >>using IPv4 and directly<< connected?

The IPv4 address space is only 32 bits long.  Scanning 2^32 = about
4,000,000,000 addresses for an open port is easily doable.
The IPv6 address space is a bit harder...  Let's just say that 7/8th
of the IPv6 address space is reserved[1] so that means 2^125 addresses
would need to be scanned .. which just isn't going to happen.
There are ways for attackers to get the IPv6 address scan space down
to a reasonable number.  I probably don't know most of them..

What's the difference between "connected" and "directly connected"?
None of my computers are directly connected to the Internet.
Everything is hiding behind a firewall that supposedly blocks _all_
unsolicited traffic coming in from the Internet.
So however much I believe no unsolicited traffic is allowed into my
network is about how much I believe there are no automated connection
attempts to my computers.

> I am not tech-savvy. Can you say with 100% (90%?) confidence that there is no such thing? That home PC without SSH and whatever complicated is safe (rather safe) from "automated connection attempts"?

What make it more fun is that it is not only SSH that could allow an
attacker in. A quick & easy check is to look for open ports - eg.
  sudo ss -lptu

shows you all the programs listening for new connections (right now ..
10 minutes from now could be a whole different thing).
Except.. oops.. not _all_ the programs listening for new connections.
While writing this I tried

$ sudo ss -lwnp
State  Recv-Q  Send-Q   Local Address:Port   Peer Address:Port Process
UNCONN 0       0              0.0.0.0:255         0.0.0.0:*
users:(("atop",pid=186997,fd=4))

so there's atop allowing connections on a "raw" socket.  .. whatever that is.
And there's the non-tcp/udp protocols like GRE or IPSec (think VPN
tunnels) where connections might be allowed in.

> This thread reminded of that topic - https://forums.debian.net/viewtopic.php?t=154002

Indeed.  Is a firewall necessary or no?  Some say yes, some say no.

I look at a firewall as the place where you implement your basic
network security policy.  Should SSH be allowed in from the Internet?
NetBIOS?  how about SNMP?
I fall into the "some say yes" camp because I say the firewall is
where those questions should be answered.

Regards,
Lee


[1] https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml

The assignable Global Unicast Address space is defined in [RFC3513] as
the address block
defined by the prefix 2000::/3. [RFC3513] was later obsoleted by [RFC4291].
Reply to: