Astrocat

11 posts

Geek
Inactive user


#243605 20-Dec-2018 11:54

Hi,

Like most who look at their firewall logs, mine are littered with numerous attempts to connect to the assigned public IP address on port 22 and port 23.

Some people may want legitimate SSH traffic into the firewall; 99% of us do not, and the telnet port is just internet junk traffic from old devices.

Could Spark introduce an option to block ports we select before it hits our edge device?

I know this should be possible, as filtering of other ports already happens at the ISP level.

Many Thanks



xpd

xpd
Trash bandit
11926 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2148312 20-Dec-2018 12:04

Won't happen - it would be too much cost for the firewall system, and maintenance etc. for those that do want ports allowed. Easier to leave it to the client to buy decent gear and control it themselves.





       Gavin / xpd / FastRaccoon



Zeon
3859 posts

Uber Geek

Trusted

  #2148328 20-Dec-2018 12:32

This is why you have a firewall :)







sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2148353 20-Dec-2018 13:14

Vocus already do this on a number of their brands (Slingshot and Orcon being two), and there have then been numerous complaints on here from people about this because they believe it should be opt in, not opt out (opt in would be pointless, so there is no logic behind their arguments).

I see it being something more and more RSPs will do, due to people who don't understand security leaving devices on their networks with port forwards, or even worse, insecure devices due to UPnP. All the cameras on insecam.org are just a classic example.



hio77
'That VDSL Cat'
12970 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #2148357 20-Dec-2018 13:19

sbiddle:

Vocus already do this on a number of their brands (Slingshot and Orcon being two), and there have then been numerous complaints on here from people about this because they believe it should be opt in, not opt out (opt in would be pointless, so there is no logic behind their arguments).

I see it being something more and more RSPs will do, due to people who don't understand security leaving devices on their networks with port forwards, or even worse, insecure devices due to UPnP. All the cameras on insecam.org are just a classic example.

This one made me laugh.

It is possible this could be looked at, but as noted there are both positives and negatives.

When you start adding in too many things, all on or all off no longer becomes an option and people want more detailed control.

Network folk, I'm sure, will comment further.

Realistically, it is rare for ssh/telnet to not be exposed on purpose..





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


Astrocat

11 posts

Geek
Inactive user


  #2148503 20-Dec-2018 18:33

Legitimate ssh and telnet access through a firewall is probably 0.01% of the public IPs in NZ. I am not condoning that these ports require pleading with Spark to be opened, as I experienced with port 25 over the years of different policies.

Yes, a firewall blocks this at the ingress and egress; however, as we all can see by the spam on these ports, many firewalls do not block the egress. Do I want my firewall logs full of this pointless chatter? No, and I am sure I speak for many: blocking by choice at the POTS level would be of benefit.

I would have thought that adding value to your internet service and providing something other than a pipe would be of benefit.


hio77
'That VDSL Cat'
12970 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #2148571 20-Dec-2018 21:48

Astrocat:

Legitimate ssh and telnet access through a firewall is probably 0.01% of the public IPs in NZ. I am not condoning that these ports require pleading with Spark to be opened, as I experienced with port 25 over the years of different policies.

Just as it always has been, these ports are unblocked on the same base rule, so if you wanted to have ssh open, you would also have port 25 open.

That wouldn't be a light thing to change.

Astrocat:

Yes, a firewall blocks this at the ingress and egress; however, as we all can see by the spam on these ports, many firewalls do not block the egress. Do I want my firewall logs full of this pointless chatter? No, and I am sure I speak for many: blocking by choice at the POTS level would be of benefit.

I would have thought that adding value to your internet service and providing something other than a pipe would be of benefit.

I can understand the value in your eyes, but the support effort such a block would create is also a thing to consider.

It would be far easier to just tell your router: don't log those ports.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.
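As an added example (not code from the thread or from any vendor), the "don't log those ports" suggestion above can also be applied to logs you already have: this Python filter removes dropped inbound TCP probes to 22/23 from iptables-style syslog lines, counts them per port, and keeps everything else, including any accepted connection on those ports, which is the line you actually want to read. The sample log lines, the edge host name and the [FW-DROP]/[FW-ACCEPT] log prefixes are constructed for the example.

```python
import re
from collections import Counter

NOISE_PORTS = {22, 23}  # the inbound ssh/telnet probes the thread is about

# Constructed sample, in the style of iptables LOG output as seen in syslog.
SAMPLE_LOG = """\
Dec 20 11:50:01 edge kernel: [FW-DROP] IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=22 SYN
Dec 20 11:50:02 edge kernel: [FW-DROP] IN=ppp0 OUT= SRC=203.0.113.11 DST=198.51.100.7 PROTO=TCP SPT=41001 DPT=23 SYN
Dec 20 11:50:03 edge kernel: [FW-DROP] IN=ppp0 OUT= SRC=203.0.113.12 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=3389 SYN
Dec 20 11:50:04 edge kernel: [FW-DROP] IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=22 SYN
Dec 20 11:50:05 edge kernel: [FW-ACCEPT] IN=ppp0 OUT= SRC=203.0.113.50 DST=198.51.100.7 PROTO=TCP SPT=55000 DPT=22 SYN
Dec 20 11:50:06 edge kernel: [FW-DROP] IN=ppp0 OUT= SRC=203.0.113.13 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=5060
"""

PREFIX_RE = re.compile(r"\[FW-(?P<action>[A-Z]+)\]")  # hypothetical log prefix
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")

def parse_line(line):
    """Return the fields we care about, or None for lines that are not firewall hits."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["ACTION"] = m.group("action")
    dpt = fields.get("DPT", "")
    fields["DPT"] = int(dpt) if dpt.isdigit() else None
    return fields

def is_scan_noise(entry):
    """Dropped, unsolicited inbound TCP to a noise port. An ACCEPT on those
    ports is deliberately kept: that is the line you actually want to read."""
    return bool(
        entry["ACTION"] == "DROP"
        and entry.get("IN")  # non-empty IN= means the packet arrived on an interface
        and entry.get("PROTO") == "TCP"
        and entry["DPT"] in NOISE_PORTS
    )

def filter_log(text):
    """Return (kept_lines, Counter of suppressed probes keyed by destination port)."""
    kept, suppressed = [], Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_scan_noise(entry):
            suppressed[entry["DPT"]] += 1
        else:
            kept.append(line)
    return kept, suppressed
```

Running filter_log(SAMPLE_LOG) on the constructed sample keeps three lines (the 3389 and 5060 drops and the accepted port 22 connection) and reports the suppressed probes as {22: 2, 23: 1}.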

 

 


chevrolux
4962 posts

Uber Geek
Inactive user


  #2148583 20-Dec-2018 22:13

I just don't get what the actual issue is...

Don't read your firewall logs... they aren't that interesting.



hio77
'That VDSL Cat'
12970 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #2148587 20-Dec-2018 22:22

chevrolux: Don't read your firewall logs... they aren't that interesting.

How else do you know if Huawei is spying?





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


cbrpilot
842 posts

Ultimate Geek

Trusted
Spark NZ

  #2148588 20-Dec-2018 22:25

@Astrocat I hear what you are saying. Let's face it, there are many bots, hackers etc. which go scanning the internet looking for devices that have these ports open and seeing if they can get in (and what mischief they can get up to if they do get in). It would be great to block that traffic. Unfortunately there is enough legitimate traffic out there that this would likely be problematic to roll out and administer. The fact is that the >99% would get no benefit from such a policy too, as the default config in our modems and routers has these ports blocked (on the WAN interface) by default - and most (some crazy high number) of our customers use the routers we supply.

So in my personal opinion there is a very low benefit to rolling out a policy to block this traffic, and a moderate number of customers that would be negatively impacted by this change (i.e. not hundreds of thousands, but we're not talking just a handful here!). And those that were impacted would be highly impacted - they may have many sites they remotely manage etc. that would require an opt out.

While I appreciate the suggestion (and if you have others, always keen to hear how we could make the service better!) I hope you can understand why I'm not keen on this one.

Disclaimer: that is just my personal view and I can't claim to speak for all of Spark here.

Dave.





My views are my own, and may not necessarily represent those of my employer.


Hammerer
2370 posts

Uber Geek

Lifetime subscriber

  #2148589 20-Dec-2018 22:28

This is an absurd solution for the 21st century: a firewall that needs another firewall in front of it because the log reporting can't filter log entries.

 

Who knows? It's Christmas so the strangest of dreams can come true.


Talkiet
4565 posts

Uber Geek

Trusted

  #2148679 21-Dec-2018 08:42

cbrpilot:

@Astrocat I hear what you are saying. Let's face it, there are many bots, hackers etc. which go scanning the internet looking for devices that have these ports open and seeing if they can get in (and what mischief they can get up to if they do get in). It would be great to block that traffic. Unfortunately there is enough legitimate traffic out there that this would likely be problematic to roll out and administer. The fact is that the >99% would get no benefit from such a policy too, as the default config in our modems and routers has these ports blocked (on the WAN interface) by default - and most (some crazy high number) of our customers use the routers we supply.

So in my personal opinion there is a very low benefit to rolling out a policy to block this traffic, and a moderate number of customers that would be negatively impacted by this change (i.e. not hundreds of thousands, but we're not talking just a handful here!). And those that were impacted would be highly impacted - they may have many sites they remotely manage etc. that would require an opt out.

While I appreciate the suggestion (and if you have others, always keen to hear how we could make the service better!) I hope you can understand why I'm not keen on this one.

Disclaimer: that is just my personal view and I can't claim to speak for all of Spark here.

Dave.

Ditto to this...

N





--

 

Please note all comments are the product of my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

