[aprssig] Turn-key IGate
scott at opentrac.org
Sun Mar 27 14:18:50 CDT 2016
>> it doesn't even need to respond to pings.
> obscurity != security
> MAYBE this could be considered part of defense in depth, but IMO you're just shooting yourself in the foot by removing a useful troubleshooting tool and slowing down only the slowest of the script kiddies.
I'm not saying ignoring pings is a security measure - I'm saying that
it's hard to hack a device when it doesn't respond to any incoming
traffic at all. The very first thing you should do when securing any
network-connected system is to disable all unused services.
> Yeah but if you know about port knocking you also know that stuff has to be patched regularly and my warning wasn't for you. :)
Only the things that are running need to be patched. For an IGate
appliance that can be a very small list. Anyone with the technical
proficiency to manage a Linux device via SSH should also be able to
manage some basic firewall settings. If not, they can use a
pre-configured system that's completely firewalled except for outbound
APRS IS traffic.
> In my limited-but-more-than-many-folks experience with embedded devices, attacks (or even scans) that have any effect tend to knock them offline, being a DoS even if unintentional. Connection handling has to be pretty robust.
> I recently put a couple of <name of embedded device censored> online to see if they have any problems. They're exposed to the world with minimal filtering.
> The Internet is an unfriendly place. It's certainly no place for appliances.
Plenty of Internet-connected devices are absolute crap. The designers
don't know or don't care about security. That doesn't mean you can't
make a secure appliance, particularly when it has a very limited set of
things it needs to do. I spent years working on network security for a
military base with more than 130,000 IP addresses that made a very large
target for all manner of attacks. I have much more confidence in my
ability to construct a secure single-purpose embedded appliance than in
a PC running any general-purpose desktop operating system no matter how
well patched and behind an off-the-shelf firewall.
More information about the aprssig