Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISPs are asked to block yet another port

  • From: Jared Mauch
  • Date: Mon Jun 23 12:16:27 2003

On Mon, Jun 23, 2003 at 03:59:56PM +0000, Christopher L. Morrow wrote:
> On Mon, 23 Jun 2003, Sean Donelan wrote:
> >
> >
> > How many ports should ISPs block?  People still buy and connect insecure
> > computers to the net.
> ISP's could block all ports and save everyone the hassle of having an
> Internet.... (I am just kidding of course)
> Two interesting points though:
> 1) Spammers adapt
> 2) default insecure OS installs cause problems
> Not new points, but interesting none-the-less. Spammers have adapted quite
> quickly and readily to almost all 'fixes' imposed by providers and most
> default OS installs are insecure still after all this time. With notable
> exceptions most OS installs are still tailored for closed network
> installs, lots of never to be used ports listening with old versions of
> daemon's installed :(

	I think that many can learn from this.

	Instead of defaulting with everything enabled, default with the
services installed but disabled so they can be easily enabled.  This
is fairly easy to do and something that has gradually changed in the
free UNIX(r) community over the past years.

	RedHat (for example) no longer enables every possible service
by default and requires you to enable these features to protect your
machine from being compromised by software you didn't know you had.

	Not every machine needs to run its own nameserver.

	While there are some services that are safe(er) to have enabled
by default as it improves the usability of the machine, some of
these things are just silly to be enabled on consumer (home) machines.

	I hope all the vendors out there get a clue on this and stop
enabling insecure methods of access by default.  (eg: telnet)

	- Jared

Jared Mauch  | pgp key available via finger from
clue++;      |  My statements are only mine.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.