<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>UFW is really just a front-end for iptables. You give instructions to UFW, it does the correct IPTables lines to make it happen. Firewalld on CentOS 7 is the same way. Any network firewalling tool on Linux is going to be IPTables under the hood.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jeremy, NQ0M<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> App_rpt-users [mailto:app_rpt-users-bounces@lists.allstarlink.org] <b>On Behalf Of </b>Loren Tedford<br><b>Sent:</b> Thursday, June 8, 2017 3:13 AM<br><b>To:</b> Users of Asterisk app_rpt <app_rpt-users@lists.allstarlink.org><br><b>Subject:</b> Re: [App_rpt-users] Security was Re: What is the "debian" user in the DIAL distro?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Bryan What about the use of UFW?? I have been using ufw in place of iptables started that about 4 years ago.. Is their a known risk from ufw rather iptables?? I thought they had similar characteristics.. <o:p></o:p></p></div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><div><div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'>Loren Tedford (KC9ZHV) <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'>Phone:618-553-0806<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'>Fax: 1-618-551-2755</span><span style='font-size:12.0pt'><br></span><span style='font-size:12.0pt;font-family:"Arial",sans-serif'>Email: </span><span style='font-size:12.0pt'><a href="mailto:lorentedford@gmail.com" target="_blank"><span style='font-family:"Arial",sans-serif;color:#1155CC'>lorentedford@gmail.com</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt'>Email: <a href="mailto:KC9ZHV@KC9ZHV.com" target="_blank"><span style='color:#1155CC'>KC9ZHV@KC9ZHV.com</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'><a href="http://www.lorentedford.com/" target="_blank"><span style='color:#1155CC'>http://www.lorentedford.com</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'><a href="http://www.kc9zhv.com/" target="_blank"><span style='color:#1155CC'>http://www.kc9zhv.com</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'><a href="http://forum.kc9zhv.com/" target="_blank"><span style='color:#1155CC'>http://forum.kc9zhv.com</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial",sans-serif'><a href="http://hub.kc9zhv.com/" target="_blank"><span style='color:#1155CC'>http://hub.kc9zhv.com</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt'><a href="http://ltcraft.net/" target="_blank"><span style='color:#1155CC'>http://Ltcraft.net</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt'><a href="http://voipham.com" target="_blank">http://voipham.com</a><o:p></o:p></span></p></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Jun 7, 2017 at 8:55 PM, Bryan D. Boyle <<a href="mailto:bdboyle@bdboyle.com" target="_blank">bdboyle@bdboyle.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>Based on tests that the security research arm of my company has run (well-known IT company that's been around for over a century...), the elapsed time that a system exposed to the network is discovered, probed, and if well-known vulnerable ports are detailed (and the scum or nation states who do this keep records), then attempted to be pwned is somewhere between a minute to a half hour. <o:p></o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal><o:p> </o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal>Just for giggles, i spun up a pi with a sip server enabled connected to a second port on my router and started a tail -f on the messages file and grepped for the sip daemon. routed the sip port on my external router to the pi, a sat back. (there was no route from the pi to my internal network)<o:p></o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal><o:p> </o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal>3 minutes till the first probe. 15 till the attempted pwning. SIP was the only inbound port opened. I just watched...and went on for an hour (no, they didn't take over the system, only ate up bandwidth, of which I am pretty ok with being on FTTH). It's all automated. don't even need human intervention for the probe, just to select the attack vectors when the automated system pops a live port selection.<o:p></o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal><o:p> </o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal>Default SSH is NO guarantee. Allowing root access from an interactive login from the net port deserves to be punished. Bogus user passwords that are guessable should be cause for your isp to turn off your connection. Moving to a different port is just attempted security through obscurity. Open ports from the outside inbound that allow anyone on the network to connect will be probed and attempts (DoS, null sled, buffer overruns, etc) to subvert your system as a c&c node, bitcoin miner, email spam relay, porn repository, or whathaveyou is the goal.<o:p></o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal><o:p> </o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal>After doing this since 1988 or so, it's only the frequency that it happens that's changing, not that it's happening. <br><br>fail2ban is a good stopgap measure for ports that you positively HAVE to have exposed. router firewall enabled and locked down? good. iptables set up properly? passwords NOT based on dictionary words or used for your other online activities? yeah, it's a pain. the alternative is your system being taken over and used for other purposes while you sleep. <o:p></o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal><o:p> </o:p></p></div><div id="m_8850129897607754467AppleMailSignature"><p class=MsoNormal>Lots more you can do. the basic mantra you should have is: "That which is not expressly permitted is prohibited". <br>--<o:p></o:p></p><div><p class=MsoNormal>Bryan CISSP/CEH/CISM<o:p></o:p></p></div><div><p class=MsoNormal>Sent from my iPhone 6S.<span style='font-size:13.0pt'>..No electrons were harmed in the sending of this message.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div><p class=MsoNormal><br>_______________________________________________<br>App_rpt-users mailing list<br><a href="mailto:App_rpt-users@lists.allstarlink.org">App_rpt-users@lists.allstarlink.org</a><br><a href="http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br><br>To unsubscribe from this list please visit <a href="http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users" target="_blank">http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users</a> and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"<br>You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. <o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>