computers / comp.os.linux.misc / Re: Connecting 2 computers over the local network

Re: Connecting 2 computers over the local network

<mOEmGekQ+TpVHBV9v@bongo-ra.co>

 by: Spiros Bousbouras - Wed, 14 Jun 2023 15:03 UTC

On Wed, 14 Jun 2023 16:34:52 +0200
"Carlos E. R." <robin_listas@es.invalid> wrote:
> On 2023-06-14 16:26, Spiros Bousbouras wrote:
> > I think my router has firewall functionality. But the router only has a web
> > interface whereas I much prefer to use the command line so I'd rather do
> > things on the computers rather on the router. Plus , computer settings can
> > go on my back-ups.
>
> Often routers have a telnet or ssh terminal, but do not document them.

Is there a way to find out if mine does ?

> But you are forgetting the computer firewall.

I'd still much prefer to explore the router's capabilities through the
command line rather than through a web interface.

Re: Connecting 2 computers over the local network

<u6cm7l$21jf$5@dont-email.me>

 by: The Natural Philosopher - Wed, 14 Jun 2023 15:26 UTC

On 14/06/2023 12:02, Carlos E.R. wrote:
> On 2023-06-14 10:23, The Natural Philosopher wrote:
>> On 14/06/2023 05:01, 24D.245 wrote:
>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>
>>>>> ...
>>>>>
>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>> B when I want to connect to A ?
>>>>>>>>
>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>
>>>>>>> Ideally , I don't want passwords at all , as I've said. But I think
>>>>>>> I'm missing your point.
>>>>>>
>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>> over Telnet due to firewall settings then going without
>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>> likely to experience in many cases though.
>>>>>
>>>>>
>>>>> Telnet is an ancient protocol, and is considered to be unsafe in
>>>>> many aspects. Anyone with access to the LAN can see anything inside
>>>>> the telnet session.
>>>>>
>>>> Incorrect. Not since switches replaced hubs.
>>>> Apart from WiFi
>>>
>>>    Mostly correct ... but you can still poll addresses
>>>    looking for Telnet activity and then go from there.
>>>    Switches don't/can't hide EVERYTHING ... there are
>>>    numerous utilities that can still see a LOT going
>>>    on in the local network. Try WireShark ...
>>>
>> No, you can't.
>>
>> BTDTGTTS
>>
>> You can only see broadcast traffic on other segments.
>> That might tell you a connection is being made, but once established
>> MAC addresses are used to limit propagation to only the segment where
>> the target machine resides. That's what a switch *does*.
>
> So?
>
> The switch can put ports in mirror mode,

Not unless it's managed and you have password access.

> or a rogue switch can be
> inserted in the cable.

In what cable?

I mean this is so bleeding stupid and *theoretical* it makes no sense.

Reminds me of a security audit my chief engineer did on a company, to
test their firewall.

He came back and said, 'Well, I am glad that's over.' 'Why? Was there
something wrong with their firewall?' 'No. It was the list of root
passwords pinned up behind the receptionist, and the 5 modems connected
to staff computers, behind the firewall on direct dial-in lines, that I
found.'

If someone has access to my physical lan they can stick a USB stick in
any one of my computers, boot live linux and have access to anything on it.

SSH isn't going to stop that.

> If someone has the intent to look into traffic,
> he will.
>
Yes, but the last way he would bother to try is installing some splitter
dongle on a switch-based network.

Nobody picks a Chubb lock when the door is already open

--
"When one man dies it's a tragedy. When thousands die it's statistics."

Josef Stalin

Re: Connecting 2 computers over the local network

<u6cmad$21jf$6@dont-email.me>

 by: The Natural Philosopher - Wed, 14 Jun 2023 15:28 UTC

On 14/06/2023 12:52, Rich wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> On 14/06/2023 05:01, 24D.245 wrote:
>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>
>>>>> ...
>>>>>
>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>> B when I want to connect to A ?
>>>>>>>>
>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>
>>>>>>> Ideally , I don't want passwords at all , as I've said. But I think
>>>>>>> I'm missing your point.
>>>>>>
>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>> over Telnet due to firewall settings then going without
>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>> likely to experience in many cases though.
>>>>>
>>>>>
>>>>> Telnet is an ancient protocol, and is considered to be unsafe in many
>>>>> aspects. Anyone with access to the LAN can see anything inside the
>>>>> telnet session.
>>>>>
>>>> Incorrect. Not since switches replaced hubs.
>>>> Apart from WiFi
>>>
>>>   Mostly correct ... but you can still poll addresses
>>>   looking for Telnet activity and then go from there.
>>>   Switches don't/can't hide EVERYTHING ... there are
>>>   numerous utilities that can still see a LOT going
>>>   on in the local network. Try WireShark ...
>>>
>> No, you can't.
>>
>> BTDTGTTS
>>
>> You can only see broadcast traffic on other segments.
>> That might tell you a connection is being made, but once established MAC
>> addresses are used to limit propagation to only the segment where the
>> target machine resides. That's what a switch *does*.
>
> That is the normal state. But an active attacker can use a MAC
> flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
> switch to try to get it to trip into unicast flooding mode, at which
> point the switch degrades to a hub (all packets broadcast on all
> ports).
>
> This is likely more effective on common 4-port switches for home use
> vs. on 'enterprise grade' high end managed switches.

There is no one in my house except me, and I have an ancient 24 port
switch feeding my network.

--
It’s easier to fool people than to convince them that they have been fooled.
Mark Twain

Re: Connecting 2 computers over the local network

<u6cp9a$2if4$1@dont-email.me>

 by: Rich - Wed, 14 Jun 2023 16:18 UTC

Spiros Bousbouras <spibou@gmail.com> wrote:
> On Mon, 12 Jun 2023 17:05:50 -0000 (UTC)
> Rich <rich@example.invalid> wrote:
>> Spiros Bousbouras <spibou@gmail.com> wrote:
>> > Perhaps I'm asking a very naive question but why is it not enough to
>> > enter into some configuration file (whether one for telnet or SSH or
>> > whatever) something which tells the relevant server "Only accept
>> > connections coming from a computer which is physically connected to
>> > the router through a cable" ?
>>
>> This is typically done by setting up a firewall rule.
>
> I assume it's possible to set different restrictions for different internet
> ports , otherwise it seems like a much too crude solution.

Yes, at least for the Linux built-in firewall, you can set up very
fine-grained permissions (assuming you wish to enumerate and set up all
the rules).

>> For your stated "rule" above, and assuming by 'router' you actually
>> mean one of those boxes that is both a router and a 4-port ethernet
>> switch combination box,
>
> Yes , that's what I mean.
>
>> you would add a rule to the machine's firewall to only accept
>> packets with a source IP of the local LAN. Which is most likely a
>> /24, so X.Y.Z.??? where X.Y.Z are the first three octets of your LAN's
>> IP address range, and ??? is anything.
>>
>> The exact way to formulate and install such a rule requires more
>> specifics than we are cognizant of over USENET.
>
> Something about your choice of words makes it sound very complicated !

I do not know the IP address range you are using. But to take an
example, the 10.0.0.0 IP range is one of the three "reserved for local
usage" ranges. Assuming you are giving your machines IP addresses of:

10.0.0.1, 10.0.0.12, 10.0.0.134, etc.

Then an appropriate rule could be (assuming Linux, iptables, an
otherwise empty INPUT chain, the INPUT chain configured to deny by
default, you wanting to block ssh, and sshd listening on port 22):

iptables -A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

That says to only accept TCP packets that are destined for port 22 that
have a source IP of 10.0.0.0 through 10.0.0.255. (Any packet with a
different source address would be blocked by the 'default deny' rule.)

Note that "IP address of 10.0.0.X" is not 100% identical to "only
connected to router by cable" as there is no mechanism at the
networking layer for IP packets to know they are traversing cables
"only connected to the router". So doing your actual ask is
impossible. But denying any source IP other than the IP range used for
the local LAN is the closest possibility.
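
Added example (not part of Rich's post): a POSIX shell model of the rule above with a default-deny INPUT policy, showing which constructed source addresses it accepts, including the case where source IP does not imply "cabled". The function names are hypothetical, and the loopback and conntrack lines in the generated ruleset are additions assumed here so that replies to the machine's own outgoing connections still get through.

```sh
#!/bin/sh
# Models one ACCEPT rule plus policy DROP without touching the live firewall.
# LAN and SSH_PORT are the example values from the post; packets are constructed.

LAN=10.0.0.0/24
SSH_PORT=22

# Convert a dotted quad to an integer; fail on anything malformed.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f      # split on dots, no globbing
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # reject empty, non-numeric, leading-zero and over-long octets
        case $octet in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: status 0 if inside, 1 if outside, 2 if unparsable.
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# verdict SRC_IP PROTO DPORT: what the chain does with a NEW inbound packet.
# Anything the single ACCEPT rule does not match falls through to policy DROP,
# and unparsable input is dropped as well (fail closed).
verdict() {
    if [ "$2" = tcp ] && [ "$3" = "$SSH_PORT" ] && in_cidr "$1" "$LAN"; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# The same policy in iptables-restore format, so it can be kept in a file
# (and in back-ups) instead of being typed rule by rule.
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN -p tcp -m tcp --dport $SSH_PORT -j ACCEPT
COMMIT
EOF
}

# Constructed sample packets: source, protocol, destination port, note.
while read -r src proto dport note; do
    printf '%-12s %-4s %-3s %-7s %s\n' "$src" "$proto" "$dport" \
        "$(verdict "$src" "$proto" "$dport")" "$note"
done <<'EOF'
10.0.0.12 tcp 22 wired LAN host
10.0.0.57 tcp 22 WiFi client in the same /24, indistinguishable from a cabled host
10.0.1.9 tcp 22 neighbouring subnet
203.0.113.7 tcp 22 internet host, only arrives if the router forwards the port
10.0.0.12 tcp 23 LAN host, telnet port, no matching rule
EOF
```

The text printed by `emit_ruleset` can be checked as root with `iptables-restore --test` before it is loaded for real.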

Re: Connecting 2 computers over the local network

<u6cpen$2if4$2@dont-email.me>

 by: Rich - Wed, 14 Jun 2023 16:21 UTC

The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 14/06/2023 12:52, Rich wrote:
>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> On 14/06/2023 05:01, 24D.245 wrote:
>>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>>
>>>>>> ...
>>>>>>
>>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>>> B when I want to connect to A ?
>>>>>>>>>
>>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>>
>>>>>>>> Ideally , I don't want passwords at all , as I've said. But I think
>>>>>>>> I'm missing your point.
>>>>>>>
>>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>>> over Telnet due to firewall settings then going without
>>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>>> likely to experience in many cases though.
>>>>>>
>>>>>>
>>>>>> Telnet is an ancient protocol, and is considered to be unsafe in many
>>>>>> aspects. Anyone with access to the LAN can see anything inside the
>>>>>> telnet session.
>>>>>>
>>>>> Incorrect. Not since switches replaced hubs.
>>>>> Apart from WiFi
>>>>
>>>>   Mostly correct ... but you can still poll addresses
>>>>   looking for Telnet activity and then go from there.
>>>>   Switches don't/can't hide EVERYTHING ... there are
>>>>   numerous utilities that can still see a LOT going
>>>>   on in the local network. Try WireShark ...
>>>>
>>> No, you can't.
>>>
>>> BTDTGTTS
>>>
>>> You can only see broadcast traffic on other segments.
>>> That might tell you a connection is being made, but once established MAC
>>> addresses are used to limit propagation to only the segment where the
>>> target machine resides. That's what a switch *does*.
>>
>> That is the normal state. But an active attacker can use a MAC
>> flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
>> switch to try to get it to trip into unicast flooding mode, at which
>> point the switch degrades to a hub (all packets broadcast on all
>> ports).
>>
>> This is likely more effective on common 4-port switches for home use
>> vs. on 'enterprise grade' high end managed switches.
>
> There is no one in my house except me, and I have an ancient 24 port
> switch feeding my network.

Agreed, if you have an "active attacker" in your house, you have much
bigger problems than the possibility of overflowing the switch's mac
address lookup tables.

My point was that a switch is not always a "segment isolator". Some of
them can be tricked into degrading into hubs.

Re: Connecting 2 computers over the local network

<u6cpqp$2if4$3@dont-email.me>

 by: Rich - Wed, 14 Jun 2023 16:28 UTC

Spiros Bousbouras <spibou@gmail.com> wrote:
> On 13 Jun 2023 09:11:14 +1000
> not@telling.you.invalid (Computer Nerd Kev) wrote:
>> What/how you edit depends on the firewall you're running. If you're
>> not running one, then pick one and this should be a basic thing
>> described in its documentation.
>
> So there are different firewall choices ? Ok , this is getting too
> far from my present knowledge for me for now. So I think that for
> the time being I will go with SSH *with* password and not worry about
> firewalls.
>
> So with such a set up , I'm guessing that anyone will be able to try
> and connect to computer A but , as long as my password is secure
> enough , then it shouldn't be a problem. I'm guessing that it's
> possible to configure SSH to log all attempts to log in (both
> successful and not) and also have a delay after an unsuccessful
> attempt.
>
> Do I have all this right ?

Maybe -- or maybe not -- it depends upon the configuration of the box
you are referring to as "the router".

If it is a typical ISP provided combo box that connects to your ISP
DEMARC on one side, has a WiFi antenna to provide WiFi connections to
the location, and includes (usually) a four-port switch for connecting
to the local LAN, *and* if it is not configured to port-forward any
ports from the "ISP DEMARC" side over to the local lan side, *and* it
does not contain any zero-day exploits accessible from the "ISP DEMARC"
side, then no one on the internet will be able to make SSH connection
attempts to your machines on your local LAN.

But, if it does do port forwarding, and port forwarding is turned on,
then those forwarded ports allow for folks on the greater internet to
connect to whatever machine might be listening for those forwarded
ports on the local LAN.

Re: Connecting 2 computers over the local network

<u6cq08$2if4$4@dont-email.me>

 by: Rich - Wed, 14 Jun 2023 16:31 UTC

Spiros Bousbouras <spibou@gmail.com> wrote:
> On Wed, 14 Jun 2023 16:34:52 +0200
> "Carlos E. R." <robin_listas@es.invalid> wrote:
>> On 2023-06-14 16:26, Spiros Bousbouras wrote:
>> > I think my router has firewall functionality. But the router only
>> > has a web interface whereas I much prefer to use the command line
>> > so I'd rather do things on the computers rather on the router.
>> > Plus , computer settings can go on my back-ups.
>>
>> Often routers have a telnet or ssh terminal, but do not document
>> them.
>
> Is there a way to find out if mine does ?

Run an nmap scan against the router from one of the internal machines.

If you find it does, then you'll have to experiment with how, exactly,
to log in.

>> But you are forgetting the computer firewall.
>
> I'd still much prefer to explore the router's capabilities through
> the command line rather than through a web interface.

If the router your ISP supplies does not give you a CLI interface
option, you are out of luck there with that desire.

Re: Connecting 2 computers over the local network

From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 18:44:06 +0200

On 2023-06-14 17:03, Spiros Bousbouras wrote:
> On Wed, 14 Jun 2023 16:34:52 +0200
> "Carlos E. R." <robin_listas@es.invalid> wrote:
>> On 2023-06-14 16:26, Spiros Bousbouras wrote:
>>> I think my router has firewall functionality. But the router only has a web
>>> interface whereas I much prefer to use the command line so I'd rather do
>>> things on the computers rather on the router. Plus , computer settings can
>>> go on my back-ups.
>>
>> Often routers have a telnet or ssh terminal, but do not document them.
>
> Is there a way to find out if mine does ?

Just try to connect to it, see if it answers :-)

Or run an nmap on it.

>
>> But you are forgetting the computer firewall.
>
> I'd still much prefer to explore the router's capabilities through the
> command line rather than through a web interface.

We are not saying that. We say that your COMPUTER can also run a
firewall that can possibly do what you asked.

   computer
+--------------+
|              |
|              |
|              |                           router w firewall
|              |                             +-----------+
|              |                             |           |
|              |                             |           |
+--------------+                             |           |
|   firewall   |                             |           |
+---+----------+                             +--|-|-|-|--+
    |                                           |
    |                  cable                   /
    \------------------------------------------

--
Cheers,
Carlos E.R.

Re: Connecting 2 computers over the local network

From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 18:46:41 +0200

On 2023-06-14 17:26, The Natural Philosopher wrote:
> On 14/06/2023 12:02, Carlos E.R. wrote:
>> On 2023-06-14 10:23, The Natural Philosopher wrote:
>>> On 14/06/2023 05:01, 24D.245 wrote:
>>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>>
>>>>>> ...
>>>>>>
>>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>>> B when I want to connect to A ?
>>>>>>>>>
>>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>>
>>>>>>>> Ideally , I don't want passwords at all , as I've said. But I think
>>>>>>>> I'm missing your point.
>>>>>>>
>>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>>> over Telnet due to firewall settings then going without
>>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>>> likely to experience in many cases though.
>>>>>>
>>>>>>
>>>>>> Telnet is an ancient protocol, and is considered to be unsafe in
>>>>>> many aspects. Anyone with access to the LAN can see anything
>>>>>> inside the telnet session.
>>>>>>
>>>>> Incorrect. Not since switches replaced hubs.
>>>>> Apart from WiFi
>>>>
>>>>    Mostly correct ... but you can still poll addresses
>>>>    looking for Telnet activity and then go from there.
>>>>    Switches don't/can't hide EVERYTHING ... there are
>>>>    numerous utilities that can still see a LOT going
>>>>    on in the local network. Try WireShark ...
>>>>
>>> No, you cant.
>>>
>>> BTDTGTTS
>>>
>>> You can only see broadcast traffic on other segments.
>>> That might tell you a connection is being made, but once established
>>> MAC addresses are used to limit propagation to only the segment where
>>> the target machine resides. Thats what a switch *does*.
>>
>> So?
>>
>> The switch can put ports in mirror mode,
>
> Not unless its managed and you have password access.
>
>  or a rogue switch can be
>> inserted in the cable.
>
> In what cable?

What cable do you think it would be? :-)

--
Cheers,
Carlos E.R.

Re: Connecting 2 computers over the local network

From: spibou@gmail.com (Spiros Bousbouras)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 18:16:08 -0000 (UTC)

On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
Rich <rich@example.invalid> wrote:
> Spiros Bousbouras <spibou@gmail.com> wrote:
> > On Wed, 14 Jun 2023 16:34:52 +0200
> > "Carlos E. R." <robin_listas@es.invalid> wrote:
> >> On 2023-06-14 16:26, Spiros Bousbouras wrote:
> >> > I think my router has firewall functionality. But the router only
> >> > has a web interface whereas I much prefer to use the command line
> >> > so I'd rather do things on the computers rather on the router.
> >> > Plus , computer settings can go on my back-ups.
> >>
> >> Often routers have a telnet or ssh terminal, but do not document
> >> them.
> >
> > Is there a way to find out if mine does ?
>
> Run a nmap scan against the router from one of the internal machines.
>
> If you find it does, then you'll have to experiment with how, exactly,
> to log in.

nmap 192.168.1.1
Interesting ports on 192.168.1.1:
Not shown: 1708 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
5000/tcp open  upnp
8080/tcp open  http-proxy
8443/tcp open  https-alt

So I guess this means that the router is listening for SSH connections. So
the idea is to experiment with logging in and , if I manage to do this , try
to explore what I can do through the command line.

What do the other stuff mean ? I guess 80/tcp and 443/tcp are for
the web interface. Anyone knows or can guess what the rest is for ?

Re: Connecting 2 computers over the local network

From: rich@example.invalid (Rich)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 18:23:27 -0000 (UTC)

Spiros Bousbouras <spibou@gmail.com> wrote:
> On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
> Rich <rich@example.invalid> wrote:
>> Spiros Bousbouras <spibou@gmail.com> wrote:
>> > On Wed, 14 Jun 2023 16:34:52 +0200
>> > "Carlos E. R." <robin_listas@es.invalid> wrote:
>> >> On 2023-06-14 16:26, Spiros Bousbouras wrote:
>> >> > I think my router has firewall functionality. But the router only
>> >> > has a web interface whereas I much prefer to use the command line
>> >> > so I'd rather do things on the computers rather on the router.
>> >> > Plus , computer settings can go on my back-ups.
>> >>
>> >> Often routers have a telnet or ssh terminal, but do not document
>> >> them.
>> >
>> > Is there a way to find out if mine does ?
>>
>> Run a nmap scan against the router from one of the internal machines.
>>
>> If you find it does, then you'll have to experiment with how, exactly,
>> to log in.
>
> nmap 192.168.1.1
> Interesting ports on 192.168.1.1:
> Not shown: 1708 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
> 80/tcp open http
> 443/tcp open https
> 5000/tcp open upnp
> 8080/tcp open http-proxy
> 8443/tcp open https-alt
>
> So I guess this means that the router is listening for SSH connections. So
> the idea is to experiment with logging in and , if I manage to do this , try
> to explore what I can do through the command line.
>
> What do the other stuff mean ? I guess 80/tcp and 443/tcp are for
> the web interface. Anyone knows or can guess what the rest is for ?

upnp is for the /helpful/ ability of other devices on the local LAN to
poke holes in the firewall so they can be contacted by machines on the
internet side. https://en.wikipedia.org/wiki/Upnp

If 'http-proxy' is meaningful, that is an http proxy service (why, or
where it proxies, is unknown to us).

https-alt might simply be a "tls" version of the 8080 port. Why those
two are there, and what they are meant for, is unknown.

It does look to expose an ssh listener (at least "something" is
listening on port 22 -- it may or may not be an sshd). So you'll now
need to do a little 'investigating' of what you can find by trying to
connect.

Re: Connecting 2 computers over the local network

From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 19:52:54 +0100

On 14/06/2023 17:21, Rich wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> On 14/06/2023 12:52, Rich wrote:
>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>> On 14/06/2023 05:01, 24D.245 wrote:
>>>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>>>
>>>>>>> ...
>>>>>>>
>>>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>>>> B when I want to connect to A ?
>>>>>>>>>>
>>>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>>>
>>>>>>>>> Ideally , I don't want passwords at all , as I've said. But I think
>>>>>>>>> I'm missing your point.
>>>>>>>>
>>>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>>>> over Telnet due to firewall settings then going without
>>>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>>>> likely to experience in many cases though.
>>>>>>>
>>>>>>>
>>>>>>> Telnet is an ancient protocol, and is considered to be unsafe in many
>>>>>>> aspects. Anyone with access to the LAN can see anything inside the
>>>>>>> telnet session.
>>>>>>>
>>>>>> Incorrect. Not since switches replaced hubs.
>>>>>> Apart from WiFi
>>>>>
>>>>>   Mostly correct ... but you can still poll addresses
>>>>>   looking for Telnet activity and then go from there.
>>>>>   Switches don't/can't hide EVERYTHING ... there are
>>>>>   numerous utilities that can still see a LOT going
>>>>>   on in the local network. Try WireShark ...
>>>>>
>>>> No, you cant.
>>>>
>>>> BTDTGTTS
>>>>
>>>> You can only see broadcast traffic on other segments.
>>>> That might tell you a connection is being made, but once established MAC
>>>> addresses are used to limit propagation to only the segment where the
>>>> target machine resides. Thats what a switch *does*.
>>>
>>> That is the normal state. But an active attacker can use a MAC
>>> flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
>>> switch to try to get it to trip into unicast flooding mode, at which
>>> point the switch degrades to a hub (all packets broadcast on all
>>> ports).
>>>
>>> This is likely more effective on common 4-port switches for home use
>>> vs. on 'enterprise grade' high end managed switches.
>>
>> There is no one in my house except me, and I have an ancient 24 port
>> switch feeding my network.
>
> Agreed, if you have an "active attacker" in your house, you have much
> bigger problems than the possibility of overflowing the switch's mac
> address lookup tables.
>
> My point was that a switch is not always a "segment isolator". Some of
> them can be tricked into degrading into hubs.
>
Needs a lot more sophistication than simply booting the computer from a
live distro and accessing its file system as root.
People have to actually *think* about security and how they would attack
a given system.
In most cases hacking the wifi from a van parked outside using brute
force at 3 a.m. would be a lot easier than flooding a switch.
Especially if you 'came to read the gas meter' the day before and took
a photo on your smart phone of the default wifi password on the ISP
supplied hub, which the ISP support droid will insist you reset it to if
there is any problem at all.

--
The higher up the mountainside
The greener grows the grass.
The higher up the monkey climbs
The more he shows his arse.

Traditional

Re: Connecting 2 computers over the local network

From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 20:04:58 +0100

On 14/06/2023 17:31, Rich wrote:
> Spiros Bousbouras <spibou@gmail.com> wrote:
>> On Wed, 14 Jun 2023 16:34:52 +0200
>> "Carlos E. R." <robin_listas@es.invalid> wrote:
>>> On 2023-06-14 16:26, Spiros Bousbouras wrote:
>>>> I think my router has firewall functionality. But the router only
>>>> has a web interface whereas I much prefer to use the command line
>>>> so I'd rather do things on the computers rather on the router.
>>>> Plus , computer settings can go on my back-ups.
>>>
>>> Often routers have a telnet or ssh terminal, but do not document
>>> them.
>>
>> Is there a way to find out if mine does ?
>
> Run a nmap scan against the router from one of the internal machines.
>
> If you find it does, then you'll have to experiment with how, exactly,
> to log in.
>
>>> But you are forgetting the computer firewall.
>>
>> I'd still much prefer to explore the router's capabilities through
>> the command line rather than through a web interface.
>
> If the router your ISP supplies does not give you a CLI interface
> option, you are out of luck there with that desire.

You can supply your own router.

However the default situation is that unless you specifically enable
port forwarding there will be none, and inbound access from the internet
to machines behind the router will be blocked.

If you are excessively paranoid you can configure sshd to respond
to local IP addresses only, which is another layer of (effective)
firewall, and for a third you can set up a Linux firewall as well, to do
the same.

I bet people here would. I have sshd access port forwarded to my server
and accessible from all over the internet. So I can access it from
anywhere with a laptop.

It's on a strange port. Even I have to look it up before going on
holiday. The logs reveal no one has even scanned that port yet and it's
been like that for years. I think it needs a public key to log in so
trying with a name/password is nbg anyway.

I set it up before going abroad. I am not sure it even still works.

There is no firewall, as I have no idea what IP address my laptop might
end up on. The chances of someone guessing an RSA key are vanishingly small.

And that key only is associated with my user login. They would still
need another password to sudo or log in as root.

Why you don't want to use the router's web interface is beyond me. Their
CLI interfaces are out of the ark usually. I only use mine because there
is one piece of data I can't get out of it using snmp.

Yes, I log traffic every 5 minutes through my router. I've found some
very nasty websites that way. Using me as a proxy server I think.

--
To ban Christmas, simply give turkeys the vote.
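
The post above describes two sshd layers: answering only local addresses, and key-only login ("I think it needs a public key"). As an added example, not code from the poster or from OpenSSH, this Python sketch audits the global section of an sshd_config for both; the sample configs, user names, port number and function names are constructed for illustration, and restricting sources via AllowUsers USER@HOST is one possible reading of "respond to local IP addresses only".

```python
import ipaddress
import re

# OpenSSH defaults for keywords that are absent from the file.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
MULTI = {"allowusers", "listenaddress", "port"}   # keywords that accumulate
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample: looks hardened at a glance, but is not.
WEAK_CONFIG = """\
Port 50022
PubkeyAuthentication yes
PasswordAuthentication yes
# A later line does not override the first value sshd reads:
passwordauthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers alice@192.168.1.0/24 alice@203.0.113.7 bob
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# Constructed sample: key-only, LAN sources only.
HARDENED_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers alice@192.168.1.0/24
"""

def parse_global(text):
    """Return (settings, has_match) for the part of the file before any Match."""
    settings, has_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                      # keywords are case-insensitive
        key = ALIASES.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            has_match = True
            break                                   # the rest is conditional
        if key in MULTI:
            settings.setdefault(key, []).extend(value.split())
        else:
            settings.setdefault(key, value.lower())  # first value wins
    return settings, has_match

def source_is_lan(pattern):
    """True if a USER@HOST pattern pins the login to an RFC 1918 / ULA address."""
    _user, sep, host = pattern.rpartition("@")
    if not sep:
        return False                                # bare user: any source address
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False                                # hostname or wildcard: unverified
    return any(net.version == lan.version and net.subnet_of(lan) for lan in LAN_NETS)

def audit(text):
    """Return a list of findings; an empty list means both layers hold."""
    settings, has_match = parse_global(text)
    eff = dict(DEFAULTS)
    eff.update({k: v for k, v in settings.items() if k in DEFAULTS})
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public-key login is disabled")
    for kw in ("passwordauthentication", "kbdinteractiveauthentication"):
        if eff[kw] != "no":
            findings.append(f"{kw} is '{eff[kw]}': password guessing is possible")
    if eff["permitrootlogin"] == "yes":
        findings.append("permitrootlogin is 'yes': root login is not restricted to keys")
    if "allowusers" not in settings:
        findings.append("no AllowUsers: any source address may attempt a login")
    else:
        loose = [p for p in settings["allowusers"] if not source_is_lan(p)]
        if loose:
            findings.append("AllowUsers entries not pinned to a LAN address: "
                            + ", ".join(loose))
    if has_match:
        findings.append("Match block present: global values may be overridden per connection")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The sketch does not follow Include files or evaluate Match blocks; `sshd -T` prints the effective configuration the running binary would use.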

Re: Connecting 2 computers over the local network

From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 20:07:16 +0100

On 14/06/2023 17:46, Carlos E. R. wrote:
> On 2023-06-14 17:26, The Natural Philosopher wrote:
>> On 14/06/2023 12:02, Carlos E.R. wrote:
>>> On 2023-06-14 10:23, The Natural Philosopher wrote:
>>>> On 14/06/2023 05:01, 24D.245 wrote:
>>>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>>>
>>>>>>> ...
>>>>>>>
>>>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>>>> B when I want to connect to A ?
>>>>>>>>>>
>>>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>>>
>>>>>>>>> Ideally , I don't want passwords at all , as I've said. But I
>>>>>>>>> think
>>>>>>>>> I'm missing your point.
>>>>>>>>
>>>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>>>> over Telnet due to firewall settings then going without
>>>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>>>> likely to experience in many cases though.
>>>>>>>
>>>>>>>
>>>>>>> Telnet is an ancient protocol, and is considered to be unsafe in
>>>>>>> many aspects. Anyone with access to the LAN can see anything
>>>>>>> inside the telnet session.
>>>>>>>
>>>>>> Incorrect. Not since switches replaced hubs.
>>>>>> Apart from WiFi
>>>>>
>>>>>    Mostly correct ... but you can still poll addresses
>>>>>    looking for Telnet activity and then go from there.
>>>>>    Switches don't/can't hide EVERYTHING ... there are
>>>>>    numerous utilities that can still see a LOT going
>>>>>    on in the local network. Try WireShark ...
>>>>>
>>>> No, you cant.
>>>>
>>>> BTDTGTTS
>>>>
>>>> You can only see broadcast traffic on other segments.
>>>> That might tell you a connection is being made, but once established
>>>> MAC addresses are used to limit propagation to only the segment
>>>> where the target machine resides. Thats what a switch *does*.
>>>
>>> So?
>>>
>>> The switch can put ports in mirror mode,
>>
>> Not unless its managed and you have password access.
>>
>>   or a rogue switch can be
>>> inserted in the cable.
>>
>> In what cable?
>
> What cable do you think it would be? :-)
>
>
I have no idea. All my cables are buried in the walls.
Except where they emerge and go into my computers. And I would notice in
5 seconds if they had a switch dangling off them.

I mean, aliens could land and probe my brain, do you think I need a
firewall for that, too?

Is there anything in it worth stealing?
--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."

Re: Connecting 2 computers over the local network

From: invalid@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 20:15:02 +0100

Computer Nerd Kev <not@telling.you.invalid> writes:
> Richard Kettlewell <invalid@invalid.invalid> wrote:
>> Eventually older ciphers do get disabled, for good reason. The
>> sensible thing to do at that point is upgrade the older endpoints,
>> rather than falling back to telnet.
>
> It's two computers on his home network connected via Ethernet, why use
> SSH in the first place? Forget falling back to Telnet, I'd start with
> it and not have to worry about ciphers in the first place.

SSH is quicker and easier. No need for manual password entry, and it
encompasses remote login, remote command execution and file transfer in
a single authentication model.

I’ve not had to worry much about cryptographic choices to actually get
SSH working, in the last quarter century.

I do take an interest in them professionally, but that’s about the
security and compliance characteristics of our product, not because we
want to communicate with thoroughly obsolete platforms.

--
https://www.greenend.org.uk/rjk/

Re: Connecting 2 computers over the local network

From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 20:17:05 +0100

On 14/06/2023 19:16, Spiros Bousbouras wrote:
> On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
> Rich <rich@example.invalid> wrote:
>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>> On Wed, 14 Jun 2023 16:34:52 +0200
>>> "Carlos E. R." <robin_listas@es.invalid> wrote:
>>>> On 2023-06-14 16:26, Spiros Bousbouras wrote:
>>>>> I think my router has firewall functionality. But the router only
>>>>> has a web interface whereas I much prefer to use the command line
>>>>> so I'd rather do things on the computers rather on the router.
>>>>> Plus , computer settings can go on my back-ups.
>>>>
>>>> Often routers have a telnet or ssh terminal, but do not document
>>>> them.
>>>
>>> Is there a way to find out if mine does ?
>>
>> Run a nmap scan against the router from one of the internal machines.
>>
>> If you find it does, then you'll have to experiment with how, exactly,
>> to log in.
>
> nmap 192.168.1.1
> Interesting ports on 192.168.1.1:
> Not shown: 1708 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
DNS. If you set the router to be a local DNS proxy in your DHCP
configuration, your local LAN machines will use this port to do DNS queries

> 80/tcp open http
> 443/tcp open https
> 5000/tcp open upnp
Gaming protocol IIRC. It is generally regarded by geeks as insecure and
a security risk, and by many other people as indispensable to run peer
to peer games over. It allows applications to open up port forwarding to
themselves so other people can connect to them from the internet.
I've got it enabled. I can't even remember why I needed to

> 8080/tcp open http-proxy

Web proxy server. Probably completely useless.

> 8443/tcp open https-alt

Probably an alternative to port 80 for the management web server in case
you want to redirect port 80 to an internal web server on your LAN
>
> So I guess this means that the router is listening for SSH connections. So
> the idea is to experiment with logging in and , if I manage to do this , try
> to explore what I can do through the command line.
>
Generally typing a question mark is a good place to start. Most of these
routers run a stripped down linux with busybox on them as a shell

> What do the other stuff mean ? I guess 80/tcp and 443/tcp are for
> the web interface. Anyone knows or can guess what the rest is for ?

See above
--
To ban Christmas, simply give turkeys the vote.

Re: Connecting 2 computers over the local network

<keum5kFhlksU1@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12723&group=comp.os.linux.misc#12723
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 22:27:32 +0200
Lines: 94
Message-ID: <keum5kFhlksU1@mid.individual.net>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net>
<m93KBywDs0nqlzjLu@bongo-ra.co> <6487a611@news.ausics.net>
<vuvmljx40p.ln2@Telcontar.valinor> <u6ar26$3ntc0$2@dont-email.me>
<S8acnelAuIoKphT5nZ2dnZfqnPqdnZ2d@earthlink.com>
<u6btee$3vars$2@dont-email.me> <3cjoljxfkj.ln2@Telcontar.valinor>
<u6cm7l$21jf$5@dont-email.me> <keu97hFedonU3@mid.individual.net>
<u6d354$3f44$3@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net fvegWlfLbu3LwI2ZTkI3pgNB1Ig36PgV03Wr+DtHNvmdpPMRpU
Cancel-Lock: sha1:4x7zq5+2AR5znhwmwP/X6UIDaPc=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.10.1
Content-Language: en-US
In-Reply-To: <u6d354$3f44$3@dont-email.me>
 by: Carlos E. R. - Wed, 14 Jun 2023 20:27 UTC

On 2023-06-14 21:07, The Natural Philosopher wrote:
> On 14/06/2023 17:46, Carlos E. R. wrote:
>> On 2023-06-14 17:26, The Natural Philosopher wrote:
>>> On 14/06/2023 12:02, Carlos E.R. wrote:
>>>> On 2023-06-14 10:23, The Natural Philosopher wrote:
>>>>> On 14/06/2023 05:01, 24D.245 wrote:
>>>>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>>>>
>>>>>>>> ...
>>>>>>>>
>>>>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>>>>> B when I want to connect to A ?
>>>>>>>>>>>
>>>>>>>>>>> If you care about this then perhaps Telnet isn't for you because
>>>>>>>>>>> "safely" probably means that you don't want plain-text passwords
>>>>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>>>>
>>>>>>>>>> Ideally , I don't want passwords at all , as I've said. But I
>>>>>>>>>> think
>>>>>>>>>> I'm missing your point.
>>>>>>>>>
>>>>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>>>>> over Telnet due to firewall settings then going without
>>>>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>>>>> against all attacks. Probably safe against any attacks that you're
>>>>>>>>> likely to experience in many cases though.
>>>>>>>>
>>>>>>>>
>>>>>>>> Telnet is an ancient protocol, and is considered to be unsafe in
>>>>>>>> many aspects. Anyone with access to the LAN can see anything
>>>>>>>> inside the telnet session.
>>>>>>>>
>>>>>>> Incorrect. Not since switches replaced hubs.
>>>>>>> Apart from WiFi
>>>>>>
>>>>>>    Mostly correct ... but you can still poll addresses
>>>>>>    looking for Telnet activity and then go from there.
>>>>>>    Switches don't/can't hide EVERYTHING ... there are
>>>>>>    numerous utilities that can still see a LOT going
>>>>>>    on in the local network. Try WireShark ...
>>>>>>
>>>>> No, you can't.
>>>>>
>>>>> BTDTGTTS
>>>>>
>>>>> You can only see broadcast traffic on other segments.
>>>>> That might tell you a connection is being made, but once
>>>>> established MAC addresses are used to limit propagation to only the
>>>>> segment where the target machine resides. That's what a switch *does*.
>>>>
>>>> So?
>>>>
>>>> The switch can put ports in mirror mode,
>>>
>>> Not unless it's managed and you have password access.
>>>
>>>   or a rogue switch can be
>>>> inserted in the cable.
>>>
>>> In what cable?
>>
>> What cable do you think it would be? :-)
>>
>>
> I have no idea. All my cables are buried in the walls.

Mine aren't.

> Except where they emerge and go into my computers. And I would notice in
> 5 seconds if they had a switch dangling off them.

I wouldn't, I don't inspect the 50 metres every day. There is furniture
in the way.

>
> I mean, aliens could land and probe my brain, do you think I need a
> firewall for that, too?

An aluminum foil hat is said to help :-D

>
> Is there anything in it worth stealing?

--
Cheers,
Carlos E.R.

Re: Connecting 2 computers over the local network

<u6d98e$45ln$3@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12724&group=comp.os.linux.misc#12724
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 21:51:26 +0100
Organization: A little, after lunch
Lines: 112
Message-ID: <u6d98e$45ln$3@dont-email.me>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net>
<m93KBywDs0nqlzjLu@bongo-ra.co> <6487a611@news.ausics.net>
<vuvmljx40p.ln2@Telcontar.valinor> <u6ar26$3ntc0$2@dont-email.me>
<S8acnelAuIoKphT5nZ2dnZfqnPqdnZ2d@earthlink.com>
<u6btee$3vars$2@dont-email.me> <3cjoljxfkj.ln2@Telcontar.valinor>
<u6cm7l$21jf$5@dont-email.me> <keu97hFedonU3@mid.individual.net>
<u6d354$3f44$3@dont-email.me> <keum5kFhlksU1@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 14 Jun 2023 20:51:26 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="d96df665ec3d79f5d774953e90ce506b";
logging-data="136887"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/hGzCXkLP10IT1019joYYLU0DSY7mPFM8="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.11.0
Cancel-Lock: sha1:85RSWm8K0IPSF94pq4UOwB8Gkds=
Content-Language: en-GB
In-Reply-To: <keum5kFhlksU1@mid.individual.net>
 by: The Natural Philosop - Wed, 14 Jun 2023 20:51 UTC

On 14/06/2023 21:27, Carlos E. R. wrote:
> On 2023-06-14 21:07, The Natural Philosopher wrote:
>> On 14/06/2023 17:46, Carlos E. R. wrote:
>>> On 2023-06-14 17:26, The Natural Philosopher wrote:
>>>> On 14/06/2023 12:02, Carlos E.R. wrote:
>>>>> On 2023-06-14 10:23, The Natural Philosopher wrote:
>>>>>> On 14/06/2023 05:01, 24D.245 wrote:
>>>>>>> On 6/13/23 6:36 PM, The Natural Philosopher wrote:
>>>>>>>> On 13/06/2023 21:25, Carlos E.R. wrote:
>>>>>>>>> On 2023-06-13 01:11, Computer Nerd Kev wrote:
>>>>>>>>>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>>>>>>>>>> Thanks for all the replies everyone. That's a lot to read on.
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>>>>>> 3. Can it be done safely without having to enter a password on
>>>>>>>>>>>>> B when I want to connect to A ?
>>>>>>>>>>>>
>>>>>>>>>>>> If you care about this then perhaps Telnet isn't for you
>>>>>>>>>>>> because
>>>>>>>>>>>> "safely" probably means that you don't want plain-text
>>>>>>>>>>>> passwords
>>>>>>>>>>>> and anything else will mean raising version incompatibility
>>>>>>>>>>>> problems with authentication systems such as are used by SSH.
>>>>>>>>>>>
>>>>>>>>>>> Ideally , I don't want passwords at all , as I've said. But I
>>>>>>>>>>> think
>>>>>>>>>>> I'm missing your point.
>>>>>>>>>>
>>>>>>>>>> Yeah, any secure passwordless authentication system has the same
>>>>>>>>>> issues as SSH. Telnet itself only supports not having any
>>>>>>>>>> authentication, or passwords. If only computer B can connect to A
>>>>>>>>>> over Telnet due to firewall settings then going without
>>>>>>>>>> authentication should be OK, but it's not necessarily "safe"
>>>>>>>>>> against all attacks. Probably safe against any attacks that
>>>>>>>>>> you're
>>>>>>>>>> likely to experience in many cases though.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Telnet is an ancient protocol, and is considered to be unsafe
>>>>>>>>> in many aspects. Anyone with access to the LAN can see anything
>>>>>>>>> inside the telnet session.
>>>>>>>>>
>>>>>>>> Incorrect. Not since switches replaced hubs.
>>>>>>>> Apart from WiFi
>>>>>>>
>>>>>>>    Mostly correct ... but you can still poll addresses
>>>>>>>    looking for Telnet activity and then go from there.
>>>>>>>    Switches don't/can't hide EVERYTHING ... there are
>>>>>>>    numerous utilities that can still see a LOT going
>>>>>>>    on in the local network. Try WireShark ...
>>>>>>>
>>>>>> No, you can't.
>>>>>>
>>>>>> BTDTGTTS
>>>>>>
>>>>>> You can only see broadcast traffic on other segments.
>>>>>> That might tell you a connection is being made, but once
>>>>>> established MAC addresses are used to limit propagation to only
>>>>>> the segment where the target machine resides. That's what a switch
>>>>>> *does*.
>>>>>
>>>>> So?
>>>>>
>>>>> The switch can put ports in mirror mode,
>>>>
>>>> Not unless it's managed and you have password access.
>>>>
>>>>   or a rogue switch can be
>>>>> inserted in the cable.
>>>>
>>>> In what cable?
>>>
>>> What cable do you think it would be? :-)
>>>
>>>
>> I have no idea. All my cables are buried in the walls.
>
> Mine aren't.
>
Not my problem. If they aren't, well you can see them then, can't you?
all covered in alien probes etc etc

>> Except where they emerge and go into my computers. And I would notice
>> in 5 seconds if they had a switch dangling off them.
>
> I wouldn't, I don't inspect the 50 metres every day. There is furniture
> in the way.
>
Well patently you *should* as you consider they are a security risk. And
your computers have more state secrets than Donald Trump's bog.

>>
>> I mean, aliens could land and probe my brain, do you think I need a
>> firewall for that, too?
>
> An aluminum foil hat is said to help :-D
>
It's 'aluminium' over here.
And I suspect it would help just as much as configuring my computer to
reject addresses from some random Internet routing block when they can't
get past the NAT router anyway.

--
If I had all the money I've spent on drink...
...I'd spend it on drink.

Sir Henry (at Rawlinson's End)

Re: Connecting 2 computers over the local network

<u6d9en$47q3$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12725&group=comp.os.linux.misc#12725
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: rich@example.invalid (Rich)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Wed, 14 Jun 2023 20:54:47 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 64
Message-ID: <u6d9en$47q3$1@dont-email.me>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net> <m93KBywDs0nqlzjLu@bongo-ra.co> <6487a611@news.ausics.net> <=YtbmY9OXqKqU7M9l@bongo-ra.co> <keu1gcFedoqU2@mid.individual.net> <mOEmGekQ+TpVHBV9v@bongo-ra.co> <u6cq08$2if4$4@dont-email.me> <u6d30q$3f44$2@dont-email.me>
Injection-Date: Wed, 14 Jun 2023 20:54:47 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="0ad708d0897c1cfbefd5fdb64df7909c";
logging-data="139075"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/FS8mMUVcFdnezFgysIudh"
User-Agent: tin/2.6.1-20211226 ("Convalmore") (Linux/5.15.19 (x86_64))
Cancel-Lock: sha1:IcpPysY31UBkhZTm8biE5okELIw=
 by: Rich - Wed, 14 Jun 2023 20:54 UTC

The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 14/06/2023 17:31, Rich wrote:
>> Spiros Bousbouras <spibou@gmail.com> wrote:
>>> On Wed, 14 Jun 2023 16:34:52 +0200
>>> "Carlos E. R." <robin_listas@es.invalid> wrote:
>>>> On 2023-06-14 16:26, Spiros Bousbouras wrote:
>>>>> I think my router has firewall functionality. But the router only
>>>>> has a web interface whereas I much prefer to use the command line
>>>>> so I'd rather do things on the computers rather on the router.
>>>>> Plus , computer settings can go on my back-ups.
>>>>
>>>> Often routers have a telnet or ssh terminal, but do not document
>>>> them.
>>>
>>> Is there a way to find out if mine does ?
>>
>> Run a nmap scan against the router from one of the internal machines.
>>
>> If you find it does, then you'll have to experiment with how, exactly,
>> to log in.
>>
>>>> But you are forgetting the computer firewall.
>>>
>>> I'd still much prefer to explore the router's capabilities through
>>> the command line rather than through a web interface.
>>
>> If the router your ISP supplies does not give you a CLI interface
>> option, you are out of luck there with that desire.
> You can supply your own router.

Indeed, and in my case (I'm not the OP, but much of your reply implies
you meant it for the OP) I do not use the ISP supplied router and
instead use my own.

> However the default situation is that unless you specifically enable
> port forwarding there will be none, and inbound access from the
> internet to machines behind the router will be blocked.

That is usually the case, but the OP has not told us which ISP nor what
router, and for some combinations of the two, the ISP very well may
configure their routers for some default port forwards. A prime
candidate would be ports needed for remote windows admin, if their
on-call folks also helpfully offer to "help you debug issues" when one
calls them with issues.

> Why you don't want to use the router's web interface is beyond me.
> Their CLI interfaces are out of the ark usually. I only use mine
> because there is one piece of data I can't get out of it using snmp

Not OP, so I'm not the one bellyaching to gain CLI access (I have CLI
access to my router, as it is just another Linux machine with plural
ethernet cards plugged in, configured to route and firewall). As to
the OP, I've no idea why, other than for the set of ISP router web
config panels I've seen while helping friends indicates that at least
those were written by the lowest bidder, using developers who only knew
English and networking terms by looking them up in a "native language to
English dictionary". I.e., the web interfaces were absolute crap the
moment one wanted to do anything beyond "reset to defaults".

So given that experience, I can sympathize with the OP's wish for CLI
access, but sadly, even if he can log in over that ssh port that is
listening, he may find that the CLI side is just as much a crap-shoot
as the web interface.

Re: Connecting 2 computers over the local network

<648a4799@news.ausics.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12726&group=comp.os.linux.misc#12726
Message-ID: <648a4799@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Connecting 2 computers over the local network
Newsgroups: comp.os.linux.misc
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net> <m93KBywDs0nqlzjLu@bongo-ra.co> <6487a611@news.ausics.net> <=YtbmY9OXqKqU7M9l@bongo-ra.co>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 15 Jun 2023 09:04:58 +1000
Organization: Ausics - https://www.ausics.net
Lines: 66
X-Complaints: abuse@ausics.net
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Wed, 14 Jun 2023 23:04 UTC

Spiros Bousbouras <spibou@gmail.com> wrote:
> On 13 Jun 2023 09:11:14 +1000
> not@telling.you.invalid (Computer Nerd Kev) wrote:
>> What/how you edit depends on the firewall you're
>> running. If you're not running one, then pick one and this should
>> be a basic thing described in its documentation.
>
> So there are different firewall choices ? Ok , this is getting too far from
> my present knowledge for me for now. So I think that for the time being I
> will go with SSH *with* password and not worry about firewalls.

Sure, and actually you shouldn't need to worry about firewalls with
passwords over Telnet in your case either because people shouldn't
be able to listen into your communications unless they've hacked
into your router. It was only for if you wanted to disable
passwords entirely and let any connection through unchallenged.
With SSH you can use a public key as a better passwordless log-in
option, if it works.

> So with such a set up , I'm guessing that anyone will be able to try
> and connect to computer A but , as long as my password is secure enough ,
> then it shouldn't be a problem. I'm guessing that it's possible to
> configure SSH to log all attempts to log in (both successful and not)
> and also have a delay after an unsuccessful attempt.
>
> Do I have all this right ?

Sure. The log-in retry delay is default.

> At least , it will be somewhat interesting to see how many random attempts
> I get of people trying to log in to the computer.

Unless you've set up port forwarding to the internet for computer A
then I don't think you'll ever see anyone but yourself trying to
log in.

>> > Can the router itself be tricked in that regard ?
>>
>> Only if people can get onto your LAN.
>
> You mean physically get onto the LAN ?

I mean be able to connect to your router via Ethernet or WiFi.
Physical access is obviously required for Ethernet. WiFi should be
OK if the encryption is, or nobody else is ever anywhere within
range.

>> The firewall suggestion protects against potential devices on your
>> network that are already infected by some sort of malware. If the
>> router is infected then it won't help.
>
> By the way , is the book "Linux firewalls" by Michael Rash still
> considered relevant enough ?

You don't need a book. You've got iptables and, since Debian 10,
nftables which can pretend to be iptables. But if you just want to
block connections to specific ports there are far simpler (and more
foolproof) ways to tackle that.

ufw seems popular for Debian/Devuan and should be set up to do what
you want with just a few short commands:
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

--
__ __
#_ < |\| |< _#

Re: Connecting 2 computers over the local network

<648a5099@news.ausics.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12727&group=comp.os.linux.misc#12727
Message-ID: <648a5099@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Connecting 2 computers over the local network
Newsgroups: comp.os.linux.misc
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net> <u66c54$310kc$1@dont-email.me> <6486bf9f@news.ausics.net> <u6bg30$3tvrt$1@dont-email.me>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 15 Jun 2023 09:43:22 +1000
Organization: Ausics - https://www.ausics.net
Lines: 91
X-Complaints: abuse@ausics.net
Path: i2pn2.org!rocksolid2!news.neodome.net!csiph.com!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Wed, 14 Jun 2023 23:43 UTC

Ivan Shmakov <ivan@siamics.netnospam.invalid> wrote:
>>>>>> On 2023-06-12, Computer Nerd Kev wrote:
>
> > I'm posting from Debian version 3 right now, so that makes sense
> > to me, but it did occur to me afterwards that the OP may have
> > meant an old but still supported Debian version.
>
> While I'm no stranger to running unmaintained software (or
> versions thereof) myself, I'm curious what could be the reason
> to run a no longer supported version of Debian specifically?
> (With i686 in User-Agent:, I'd venture to guess it's not a
> matter of having hardware no longer supported by Debian?)

It's set up how I like, runs old software I like without having to
patch it myself to make it build for later GCC or libraries, and
runs much faster (possibly also better, in terms of supported
drivers) on old computers that I still use. Actually I don't think
current Debian would run on the PC I'm posting from now either
(that i686 has changed to an i586).

> > But indeed up to a point you can enable many depreciated options
> > with the "ciphers" and "KexAlgorithms" settings in
> > /etc/ssh/sshd_config on "computer A".
>
> > But if you can just use Telnet happily on a secure LAN, then this
> > is all lots of unnecessary work
>
> Not everyone of us can quite 'afford' a secure LAN. Some of
> us use 'insecure' computers, be that Windows laptops, Android
> TVs, or Wi-Fi-connected smartphones; or have family members
> who use those. And while it /might/ be 'physically' possible
> to have two LANs, one secure and one not, such a solution
> increases maintenance burden.

OK, fair enough, although using virtual LANs on a supported router
might make keeping separate LANs easier than you think.

> More to the point is that Telnet is a poor substitute for the
> 'remote shell' function. I have scripts that will run
> ssh -- REMOTE COMMAND for a given REMOTE, and I'd rather not
> specialcase 'REMOTE is on secure LAN' vs. 'REMOTE is Internet.'
>
> I have scripts where REMOTE = HOSTNAME is specialcased, though.
> There, COMMAND would be passed to sh -c instead.
>
> I use 'remote shell' for running all sorts of commands remotely.
> I will $ ssh -- REMOTE tar --lzip -c -- . > REMOTE-backup.tar.lz
> one day, and I will $ ssh -- REMOTE mpg123 -q -- - < FILE.mp3
> another. (Or, rather, I will run a script that runs $MPG123
> with MPG123="ssh -- REMOTE mpg123" set in its environment.)
>
> And of course I use Rsync over SSH extensively, be that for
> backups or for pushing new versions of ~/.bashrc et al. from
> my primary box to every other *nix home directory I have.
>
> I suppose with some 'necessary work' I can do the things
> above with Telnet as well, but I'd think that by that point,
> resurrecting RSH would be a more straightforward solution.

Sure, I don't try to use Telnet for anything but terminal access.
But the other tools without encryption do the same job with much
less to go wrong. You've got RSH, also Rexec, FTP, Rsync (without
SSH), etc.

The latest SSH annoyance I've had is a system I set up with current
software only three years ago now needing a redesign because of the
present switch from SCP to SFTP. If I'd used RCP, or more likely
FTP, instead, no problem. Actually that one is over the internet,
but as it's only uploading public info anyway, an unencrypted
write-only FTP account could have been used with the only risk
being that someone will fill up the storage space with rubbish one
day, and that wouldn't do them any good because it wouldn't be
retrievable by anyone but me.

> > (especially because SSH isn't very helpful with its error messages,
> > and old versions don't support the -Q option).
>
> Well, cannot quite argue with that. If anything, I haven't yet
> figured out how to connect to my OpenSSH instances with SSH2DOS.

Yes well I'd definitely look for a Telnet client there, but I never
have used networking in DOS. I do boot into it on this computer and
use files that I copied over the network earlier while booted into
Linux though. Handy for old (or home made to old designs) hardware
that only works with MSDOS software (there's no way that I'd mess
about trying to get that to work via QEMU etc., before someone
mentions emulation/virtualisation).

--
__ __
#_ < |\| |< _#

Re: Connecting 2 computers over the local network

<957rljxosj.ln2@Telcontar.valinor>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12728&group=comp.os.linux.misc#12728
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Thu, 15 Jun 2023 12:52:57 +0200
Lines: 25
Message-ID: <957rljxosj.ln2@Telcontar.valinor>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net>
<m93KBywDs0nqlzjLu@bongo-ra.co> <6487a611@news.ausics.net>
<vuvmljx40p.ln2@Telcontar.valinor> <u6ar26$3ntc0$2@dont-email.me>
<S8acnelAuIoKphT5nZ2dnZfqnPqdnZ2d@earthlink.com>
<u6btee$3vars$2@dont-email.me> <3cjoljxfkj.ln2@Telcontar.valinor>
<u6cm7l$21jf$5@dont-email.me> <keu97hFedonU3@mid.individual.net>
<u6d354$3f44$3@dont-email.me> <keum5kFhlksU1@mid.individual.net>
<u6d98e$45ln$3@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net AJ+L1EyGHvzZk6E8RViL+QsZd7cpPK46VZkjT8ItahTQ76xcyQ
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:lLZ2X8pYQxgwUfj7UxUQN2LHPVY=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.9.1
Content-Language: es-ES, en-CA
In-Reply-To: <u6d98e$45ln$3@dont-email.me>
 by: Carlos E.R. - Thu, 15 Jun 2023 10:52 UTC

On 2023-06-14 22:51, The Natural Philosopher wrote:
> On 14/06/2023 21:27, Carlos E. R. wrote:
>> On 2023-06-14 21:07, The Natural Philosopher wrote:

....

>>>
>>> I mean, aliens could land and probe my brain, do you think I need a
>>> firewall for that, too?
>>
>> An aluminum foil hat is said to help :-D
>>
> It's 'aluminium' over here.

The spell checker says 'aluminium' is wrong :-p

> And I suspect it would help just as much as configuring my computer to
> reject addresses from some random Internet routing block when they can't
> get past the NAT router anyway.
>
>

--
Cheers, Carlos.

Re: Connecting 2 computers over the local network

<u6f4ci$drvm$4@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12729&group=comp.os.linux.misc#12729
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Thu, 15 Jun 2023 14:40:34 +0100
Organization: A little, after lunch
Lines: 36
Message-ID: <u6f4ci$drvm$4@dont-email.me>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net>
<m93KBywDs0nqlzjLu@bongo-ra.co> <6487a611@news.ausics.net>
<vuvmljx40p.ln2@Telcontar.valinor> <u6ar26$3ntc0$2@dont-email.me>
<S8acnelAuIoKphT5nZ2dnZfqnPqdnZ2d@earthlink.com>
<u6btee$3vars$2@dont-email.me> <3cjoljxfkj.ln2@Telcontar.valinor>
<u6cm7l$21jf$5@dont-email.me> <keu97hFedonU3@mid.individual.net>
<u6d354$3f44$3@dont-email.me> <keum5kFhlksU1@mid.individual.net>
<u6d98e$45ln$3@dont-email.me> <957rljxosj.ln2@Telcontar.valinor>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 15 Jun 2023 13:40:34 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="d316a1414d83e789817d3f815a464caa";
logging-data="454646"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19Rw7d3ziAujGTwVHCnZraeTd3lIR/QcvI="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.11.0
Cancel-Lock: sha1:E8m3SvbpfxwlIMOR56zCaUhhOOI=
Content-Language: en-GB
In-Reply-To: <957rljxosj.ln2@Telcontar.valinor>
 by: The Natural Philosop - Thu, 15 Jun 2023 13:40 UTC

On 15/06/2023 11:52, Carlos E.R. wrote:
> On 2023-06-14 22:51, The Natural Philosopher wrote:
>> On 14/06/2023 21:27, Carlos E. R. wrote:
>>> On 2023-06-14 21:07, The Natural Philosopher wrote:
>
> ...
>
>>>>
>>>> I mean, aliens could land and probe my brain, do you think I need a
>>>> firewall for that, too?
>>>
>>> An aluminum foil hat is said to help :-D
>>>
>> It's 'aluminium' over here.
>
> The spell checker says 'aluminium' is wrong :-p

Well that is typically American, US is Right, everywhere else is wrong.
Try selecting the Afrikaans dictionary instead

--
“it should be clear by now to everyone that activist environmentalism
(or environmental activism) is becoming a general ideology about humans,
about their freedom, about the relationship between the individual and
the state, and about the manipulation of people under the guise of a
'noble' idea. It is not an honest pursuit of 'sustainable development,'
a matter of elementary environmental protection, or a search for
rational mechanisms designed to achieve a healthy environment. Yet
things do occur that make you shake your head and remind yourself that
you live neither in Joseph Stalin’s Communist era, nor in the Orwellian
utopia of 1984.”

Vaclav Klaus

Re: Connecting 2 computers over the local network

<H2WdUeZD1s=83AANK@bongo-ra.co>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12730&group=comp.os.linux.misc#12730
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: spibou@gmail.com (Spiros Bousbouras)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Thu, 15 Jun 2023 19:14:29 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 56
Message-ID: <H2WdUeZD1s=83AANK@bongo-ra.co>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net> <m93KBywDs0nqlzjLu@bongo-ra.co>
<6487a611@news.ausics.net> <=YtbmY9OXqKqU7M9l@bongo-ra.co> <648a4799@news.ausics.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 15 Jun 2023 19:14:29 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="b37482cae89151be9e72e4f153d02f40";
logging-data="542165"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18zeQLilwFsoBgrBpUu8stU"
Cancel-Lock: sha1:pXVHg4BHxpE0h3pOyJ54JlKxsgo=
X-Organisation: Weyland-Yutani
X-Server-Commands: nowebcancel
In-Reply-To: <648a4799@news.ausics.net>
 by: Spiros Bousbouras - Thu, 15 Jun 2023 19:14 UTC

On 15 Jun 2023 09:04:58 +1000
not@telling.you.invalid (Computer Nerd Kev) wrote:
> Spiros Bousbouras <spibou@gmail.com> wrote:
> > On 13 Jun 2023 09:11:14 +1000
> > not@telling.you.invalid (Computer Nerd Kev) wrote:
> > So with such a set up , I'm guessing that anyone will be able to try
> > and connect to computer A but , as long as my password is secure enough ,
> > then it shouldn't be a problem. I'm guessing that it's possible to
> > configure SSH to log all attempts to log in (both successful and not)
> > and also have a delay after an unsuccessful attempt.
> >
> > Do I have all this right ?
>
> Sure. The log-in retry delay is default.
>
> > At least , it will be somewhat interesting to see how many random attempts
> > I get of people trying to log in to the computer.
>
> Unless you've set up port forwarding to the internet for computer A
> then I don't think you'll ever see anyone but yourself trying to
> log in.

Still , I can get SSH to log them , yes ?

> >> > Can the router itself be tricked in that regard ?
> >>
> >> Only if people can get onto your LAN.
> >
> > You mean physically get onto the LAN ?
>
> I mean be able to connect to your router via Ethernet or WiFi.
> Physical access is obviously required for Ethernet. WiFi should be
> OK if the encryption is, or nobody else is ever anywhere within
> range.

Since the router is recent enough , hopefully encryption is ok. I see plenty
of (not my) signals on wireless devices so I assume that other people can see
my wireless signal when it's on.

> > By the way , is the book "Linux firewalls" by Michael Rash still
> > considered relevant enough ?
>
> You don't need a book.

I want it for general knowledge too. Every time I see networks discussion
online , there are many terms I'm not familiar with and I don't seem to
learn this stuff by osmosis either. So I want a more systematic approach.

> ufw seems popular for Debian/Devuan and should be set up to do what
> you want with just a few short commands:
> https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

Thanks , I'll have a look into that.

--
vlaho.ninja/prog
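
On the question in the post above of whether SSH logs login attempts: sshd at its default LogLevel (INFO) writes one line for each failed and each accepted authentication. The following added example (not part of any post in this thread) tallies those lines per source address and marks sources outside the LAN; the 192.168.1.0/24 range, the sample log lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the LAN is 192.168.1.0/24 (the router in this thread is 192.168.1.1).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in the format OpenSSH's sshd logs at its default
# LogLevel (INFO); host name, users and addresses are made up.
SAMPLE_LOG = """\
Jun 15 19:20:01 hostA sshd[1234]: Failed password for invalid user admin from 192.168.1.50 port 51234 ssh2
Jun 15 19:20:05 hostA sshd[1234]: Failed password for spiros from 192.168.1.50 port 51234 ssh2
Jun 15 19:21:10 hostA sshd[1240]: Accepted password for spiros from 192.168.1.20 port 40022 ssh2
Jun 15 19:25:42 hostA sshd[1301]: Failed password for root from 203.0.113.7 port 60112 ssh2
Jun 15 19:25:44 hostA sshd[1301]: Failed password for root from 203.0.113.7 port 60112 ssh2
Jun 15 19:30:00 hostA CRON[1400]: pam_unix(cron:session): session opened for user root
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def summarize(log_text):
    """Per source address: failed/accepted counts, user names tried, LAN membership."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an sshd authentication result
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # source field is not an IP address
        entry = summary[str(addr)]
        entry[m["result"].lower()] += 1
        entry["users"].add(m["user"])
        entry["on_lan"] = addr in LAN
    return dict(summary)

def off_lan_sources(summary):
    """Sources outside the LAN; a hit suggests port 22 is reachable from elsewhere."""
    return sorted(a for a, e in summary.items() if not e["on_lan"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for addr, e in sorted(report.items()):
        print(addr, "LAN" if e["on_lan"] else "OFF-LAN", e["failed"], e["accepted"], sorted(e["users"]))
    print("off-LAN sources:", off_lan_sources(report))
```

On Debian-family systems these sshd lines normally land in /var/log/auth.log or the systemd journal, either of which can be fed to `summarize()` as text.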

Re: Connecting 2 computers over the local network

<JsAdixTGjPa0g4NtM@bongo-ra.co>

https://www.rocksolidbbs.com/computers/article-flat.php?id=12731&group=comp.os.linux.misc#12731

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: spibou@gmail.com (Spiros Bousbouras)
Newsgroups: comp.os.linux.misc
Subject: Re: Connecting 2 computers over the local network
Date: Thu, 15 Jun 2023 19:21:58 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 42
Message-ID: <JsAdixTGjPa0g4NtM@bongo-ra.co>
References: <wFFdUuFN21aDDknIA@bongo-ra.co> <64865aea@news.ausics.net> <m93KBywDs0nqlzjLu@bongo-ra.co>
<6487a611@news.ausics.net> <=YtbmY9OXqKqU7M9l@bongo-ra.co> <keu1gcFedoqU2@mid.individual.net>
<mOEmGekQ+TpVHBV9v@bongo-ra.co> <u6cq08$2if4$4@dont-email.me> <aGN7GBvqNEEXGpfxo@bongo-ra.co>
<u6d3nh$3l51$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 15 Jun 2023 19:21:58 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="b37482cae89151be9e72e4f153d02f40";
logging-data="544335"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+jSn+9wnkDU74Ixt9IRDQF"
Cancel-Lock: sha1:ju6TIa1SjBv97IHnF0nJ1VlibKo=
In-Reply-To: <u6d3nh$3l51$1@dont-email.me>
X-Organisation: Weyland-Yutani
X-Server-Commands: nowebcancel
 by: Spiros Bousbouras - Thu, 15 Jun 2023 19:21 UTC

On Wed, 14 Jun 2023 20:17:05 +0100
The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 14/06/2023 19:16, Spiros Bousbouras wrote:
> > On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
> > nmap 192.168.1.1
> > Interesting ports on 192.168.1.1:
> > Not shown: 1708 closed ports
> > PORT STATE SERVICE
> > 22/tcp open ssh
> > 53/tcp open domain
> DNS. If you set the router to be a local DNS proxy in your DHCP
> configuration, your local LAN machines will use this port to do DNS queries
>
> > 80/tcp open http
> > 443/tcp open https
> > 5000/tcp open upnp
> Gaming protocol IIRC. It is generally regarded by geeks as insecure and
> a security risk, and by many other people as indispensable to run peer
> to peer games over. It allows applications to open up port forwarding to
> themselves so other people can connect to them from the internet.
> I've got it enabled. I can't even remember why I needed to

Wikipedia also says that it is a security risk so I'll turn this off.

>
> > 8080/tcp open http-proxy
>
> Web proxy server. Probably completely useless.
>
> > 8443/tcp open https-alt
>
> Probably an alternative to port 80 for the management web server in case
> you want to redirect port 80 to an internal web server on your LAN

Thanks for all the info.

> > So I guess this means that the router is listening for SSH connections. So
> > the idea is to experiment with logging in and , if I manage to do this , try
> > to explore what I can do through the command line.
> >
> Generally typing a question mark is a good place to start. Most of these
> routers run a stripped down Linux with busybox on them as a shell

