More Routers

It’s interesting to me how obstinately we refuse to take basic network security precautions.  Usually, introducing the topic for conversation is met with contempt for nerds, as if I were attempting to discuss comic books and card games with high school jocks (neither of which have I associated in my adult life).  But concern for such trivialities is gradually waning in light of big news’ headlines (Russia!), so people are now at least acknowledging that infosec is something we might casually entertain (though only in outrage that our government isn’t protecting us).

But elsewhere, in the tech community, network technology itself is coming increasingly under fire–specifically, consumer-grade NAT routers.  I had previously covered my recent transition to a more commercial-class router, the Ubiquiti EdgeRouter X, and I had been pleased with its performance for the time I used it.  Alas, a botched firmware upgrade left the device bricked, so I was forced back to my old D-Link while I considered options.  The experience had taught me a lesson: I wanted the security and features of a commercial-grade router, with the hand-holding of a consumer-grade one.  But that seemed an unfilled niche.

Eventually, I went back to my NAS’ manufacturer, Synology.  Their NAS management software has proven incredibly robust, with timely and automatic patches immediately following a CVE disclosure.  They had formerly tried to introduce a router but had discontinued it.  But now they were trying again with a new model.  It was hard to find an expert review on the device, as most of the Amazon community’s comments boiled down to “It’s fast and doesn’t drop connections”–something I consider to be the bare minimum requirements for a $200 piece of network equipment.  Still, I discovered enough information elsewhere that compared its router management software to that of its NAS products, so I decided to bite.

RT2600AT

I could go on at length, extolling its software, but for the sake of keeping this post within the casual Internet-peruser’s attention span, I’d like to call attention to its simple and effective firewall.

Configuring a firewall shouldn’t be difficult, but until now I had never owned a router that managed to balance simplicity with effectiveness.  I was delighted with the level of customization.  For example, I decided to block all inbound connections from geolocated Russian and Chinese IPs.  I was disturbed to find out that two days later, 1800+ connection attempts from these regions had been blocked.  I suppose it’s mostly just Internet noise–passive scanning–but it’s still disconcerting.

Next up–a particularly troublesome IP range that my ISP uses to perform DNS and reverse-DNS queries.  To be clear, I don’t want my ISP messing with my DNS traffic, but as DNS is largely unencrypted, there’s not much I can do to stop them.  I specified my preferred DNS servers, but they appear to be bypassed when the lookup returns a 404, and my ISP serves me a “helpful” page of suggested results.

Fortunately, their DNS servers appear to be static, and using a Whois service I narrowed down the IP range and blocked it outright.  The router has since blocked 48 connection requests to these IPs, so while I might not be able to prevent my ISP from intercepting my DNS queries, I don’t have to look at what they decide to serve me back.

Lastly, and equally unsettling, was my cable modem’s hard-coded internal IP: 192.168.100.1–the address used by the majority of modem manufacturers.  In reality, there is no reason that a LAN-side device should need to contact the modem (that’s the router’s job), other than the remote possibility that the modem might need some user administration.  But that’s a stretch.

And the modem lacks any form of user authentication.  While there isn’t much someone could mess around with (apart from rebooting and resetting it), I still don’t think it should be open to anything on the LAN.  So, just no.  I blocked all traffic to its IP.  I didn’t count on anything trying to access it regularly, but the router counts 48 attempts now.  I’d really like to know what was trying to access it and why, but the conventional logs don’t provide that level of detail.  Oh well.
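The three blocks described above (inbound geo-block, outbound block to the ISP’s DNS range, LAN block to the modem at 192.168.100.1), written as a small Python policy check run over a constructed connection log.  This is an added illustration, not the post’s or Synology’s code; the geo and ISP-DNS prefixes are placeholders from the RFC 5737 documentation ranges because the post does not list the real ones, and it also reports which LAN host tripped each rule, the detail the post says the router’s logs don’t give.

```python
import ipaddress
from collections import Counter

# Rule set modelled on the three blocks in the post.  The geo-block and ISP-DNS
# prefixes are constructed placeholders (RFC 5737 documentation ranges), not real
# geolocation or ISP data; only 192.168.100.1 is taken from the post.
RULES = [
    # (name, direction, source prefixes or None, destination prefixes or None)
    ("geo-block", "inbound",
     [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/25")],
     None),
    ("isp-dns", "outbound", None, [ipaddress.ip_network("192.0.2.0/28")]),
    ("modem", "outbound", None, [ipaddress.ip_network("192.168.100.1/32")]),
]


def match_rule(direction, src, dst):
    """Return the name of the first rule that blocks this connection, or None (allowed)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for name, rule_dir, src_nets, dst_nets in RULES:
        if rule_dir != direction:
            continue
        if src_nets is not None and not any(src_ip in n for n in src_nets):
            continue
        if dst_nets is not None and not any(dst_ip in n for n in dst_nets):
            continue
        return name
    return None


def summarize(connections):
    """Count blocked connections per rule and record the source address behind each hit."""
    counts = Counter()
    sources = {}
    for direction, src, dst, _dport in connections:
        rule = match_rule(direction, src, dst)
        if rule is None:
            continue
        counts[rule] += 1
        sources.setdefault(rule, set()).add(src)
    return counts, sources


# Constructed sample connection log: (direction, src, dst, dst_port).
SAMPLE = [
    ("inbound", "203.0.113.7", "192.168.1.1", 22),
    ("inbound", "203.0.113.99", "192.168.1.1", 445),
    ("inbound", "198.51.100.200", "192.168.1.1", 443),   # outside the /25, allowed
    ("outbound", "192.168.1.20", "192.0.2.5", 53),        # ISP resolver range, blocked
    ("outbound", "192.168.1.20", "192.168.100.1", 80),    # LAN host poking the modem
    ("outbound", "192.168.1.31", "192.168.100.1", 80),
    ("outbound", "192.168.1.31", "192.0.2.100", 53),      # preferred resolver, allowed
]
```

Running `summarize(SAMPLE)` gives per-rule counts plus the set of LAN hosts that hit the modem rule, which is the information the post wished the router logged.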

In conclusion, my router upgrade has increased my network security at the cost of equal paranoia.

I’d end with something pithily snarky, but I just realized I’m out of aluminum foil.

–Simon

Down to the River

Memorial Day saw us into the unofficial start of Summer, not that we needed the reminder, as it’s been swelteringly hot for weeks now.  But with Summer comes Summer activities, and the old man paid us a visit for some granddaughter time and fishing.

The Mad River provided some relief from the heat–ambient temperature drop from its evaporative cooling effects, though the kid chose a more direct approach (having quickly lost interest in fishing–not as easy as pulling out packs of ravenous bluegills).  I remember being indifferent to the discomfort of wet clothes too as a kid.

The chubs were biting, and I pulled in a satisfying number.  Dad got a shiner, too.  It was much more successful than last year’s attempt at the local metroparks.

Plus, it’s a lot more pleasant to spend the afternoon in a clean and more secluded body of water.  The metroparks are just dirty and I wouldn’t eat anything that came out of those ponds.  Although that hardly matters, as we’re generally catch and release anyway.

–Simon

Over the Rainbow (Part 5)

Our Memorial Day weekend campfire got postponed a day on account of more rain, but we received our first double rainbow of the year as a result.

May 26, 2018; 20:03

Happy Memorial Day!

–Simon

Salesmanship

Part of homeownership, I’ve noticed, is the increased onslaught of people who want to sell me things I don’t need.  But in the interest of civility, as I myself have worked for many years interacting with the public, I exercise good manners.  But, as with telemarketers, these door-to-door salesmen tend to be over-aggressive.  If they simply introduced themselves and their services, then handed me a pamphlet, I’d be much more inclined to consider whatever they happen to be peddling.  But that’s never the case.

His smile was haunting

Despite popular belief, humans are very adept at reading each other’s intent from body language and facial cues.  It’s a primal instinct intended for self-preservation.  And while I doubt this man showed up at my door to kill me, he certainly read as disingenuous.

So began the myriad of sales tactics.  He was selling a service to spray for bugs.  He informed me that my neighbors were already buying it and were happy.  He assured me that the spraying was invisible, so it wouldn’t mar the otherwise beautiful external appearance of our home and therefore keep my wife happy.  He pointed out the ants and carpenter bees as potential victims.  He then motioned to record some info and asked if I would be home tomorrow.

I had once made the mistake of providing an alternate electricity provider my email.  It took months to get my junk filters configured to delete the spam, and the phone calls continued for a year.  Despite which, that last question was incredibly presumptuous, as if I had already agreed and taking down my info was just a formality.

Repeated polite denials eventually conveyed my disinterest, and he left.  Perhaps gated communities aren’t nearly as dumb as I had once thought.

–Simon