ISPs are asked to block yet another port

Jared Mauch jared at puck.Nether.net
Mon Jun 23 16:15:32 UTC 2003


On Mon, Jun 23, 2003 at 03:59:56PM +0000, Christopher L. Morrow wrote:
> On Mon, 23 Jun 2003, Sean Donelan wrote:
> > http://www.lurhq.com/popup_spam.html
> >
> > How many ports should ISPs block?  People still buy and connect insecure
> > computers to the net.
> 
> ISPs could block all ports and save everyone the hassle of having an
> Internet.... (I am just kidding of course)
> 
> Two interesting points though:
> 
> 1) Spammers adapt
> 2) default insecure OS installs cause problems
> 
> Not new points, but interesting nonetheless. Spammers have adapted quite
> quickly and readily to almost all 'fixes' imposed by providers and most
> default OS installs are insecure still after all this time. With notable
> exceptions most OS installs are still tailored for closed network
> installs, lots of never to be used ports listening with old versions of
> daemons installed :(

	I think that many can learn from this.

	Instead of defaulting with everything enabled, default with the
services installed but disabled so they can be easily enabled.  This
is fairly easy to do and something that has gradually changed in the
free UNIX(r) community over the past years.

	RedHat (for example) no longer enables every possible service
by default and requires you to enable these features to protect your
machine from being compromised by software you didn't know you had.

	Not every machine needs to run its own nameserver.

	While there are some services that are safe(er) to have enabled
by default as it improves the usability of the machine, some of
these things are just silly to be enabled on consumer (home) machines.

	I hope all the vendors out there get a clue on this and stop
enabling insecure methods of access by default.  (e.g., telnet)

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


