PrivateJoker
Very Senior Member
I'm posting this here because a good question on IPv6 firewalls was raised in another thread, but my response was not totally on topic. I'm glad to brainstorm things I do in general re online security and bounce my ideas off of yours, etc.
This is by no means intended to be a definitive guide, far from it, I'm just mentioning some practical everyday things I do, and am curious what others do. It's very easy to get tunnel vision and focus too much on obscure things while overlooking others.
Here's the original post I was replying to, quoted.
I know what you mean, but who wants to deliberately play the percentages? IPv6 is a little different than IPv4 in terms of more exposure on the internet despite being connected to a router. I, for one, don't want to be the first guy on my block whose system was taken over because of not paying attention to the obvious ease of exploits. Besides, part of being geeky (and sleeping at night) is to have complete IPv6 (actually it's a dual stack, as you know) networking set up including a firewall. So it goes.
Agreed in both spirit and specifically... heck, I keep a window breaker, seat belt cutter, and fire extinguisher in all my cars (among other rarely used tools), just in case.
A couple random things that come to mind beyond just IPv6 port scanners would be that it's probably a good practice to
- go into individual PCs and check the firewall exceptions you have allowed in the past, remove anything you don't need or that is questionable... if it's a bona fide exception it will get around to asking you for it again
- turn off UPnP if you're not using it
- on this page http://192.168.1.1/Advanced_System_Content.asp disable any service related to remote access/router admin that you don't need
- if you use a DDNS service be careful what ports are opened from the outside and the password and username an outsider would have to use to try to log in (when my NAS's admin name was "admin" and I used no-ip.org I got dozens of bad login attempts from overseas daily)
- completely gut every install of Java your computer has and re-install the latest version from scratch. Most Java exploits tend to be "zero day" and documented publicly, so when it gives an indication you need to update, you should.
- go through your PC's network sharing options and only enable the intra-LAN sharing (or public facing) resources you need (i.e. turn off file sharing and VNCs unless you need them)
- strong router login PW, strong WiFi PW, strong utility to keep track of all your PWs such as RoboForm, LastPass, 1Password, etc. - to sync, store, and retrieve all your strong PWs when you need them. There are really good articles out there that show how, by intercepting WPA2 packets and then running rainbow tables/dictionary attacks, it can be broken; however, I have yet to see that actually happen with a high entropy 20+ character long PW that has absolutely no dictionary words in it and tons of caps and lowercase and numbers & symbols.
- make sure your PCs & laptops actually logout after a reasonable idle time and force password login
- disable guest accounts on your PCs & NASes
- change admin username to something other than admin on your routers, NAS, bridges, etc.
- Use different admin login names for all the devices above, and for all your usernames across websites
- Don't identify your network SSID or your computer's friendly name with stuff that involves your actual full real name and/or location.
- use fake answers for the security questions on mother's maiden name, street you grew up on, etc. Those have such low entropy, and if you give the same real answer to your bank, what's to stop them from resetting your email PW using the same info? I give different, false answers to all of these and just record them in an encrypted PW storage program.
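As an added example (not from the post above, and not any vendor's code): the DDNS point about dozens of bad login attempts against a NAS whose admin name was "admin" is easy to turn into a check you can run over your own auth log. The script below parses OpenSSH-style "Failed password" lines, flags any source address that racks up a burst of failures inside a short window, and lists which usernames it was guessing, so you can see whether default names like admin or root are being probed. The log lines, hostname and addresses are constructed samples; the threshold and window values are assumptions you would tune for your own box.

```python
"""Added example: spot brute-force login bursts in an sshd-style auth log.
The sample lines below are constructed; "nas" and the IP addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog format as OpenSSH writes it; no year in the timestamp).
SAMPLE_LOG = """\
Mar 10 02:14:01 nas sshd[4121]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:03 nas sshd[4121]: Failed password for admin from 203.0.113.45 port 51023 ssh2
Mar 10 02:14:06 nas sshd[4121]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 02:14:09 nas sshd[4121]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Mar 10 02:14:12 nas sshd[4121]: Failed password for admin from 203.0.113.45 port 51026 ssh2
Mar 10 02:14:15 nas sshd[4121]: Failed password for admin from 203.0.113.45 port 51027 ssh2
Mar 10 07:30:44 nas sshd[4390]: Failed password for joker from 192.168.1.20 port 40011 ssh2
Mar 10 07:30:50 nas sshd[4390]: Accepted password for joker from 192.168.1.20 port 40011 ssh2
Mar 10 09:01:13 nas sshd[4502]: Failed password for admin from 198.51.100.7 port 33010 ssh2
"""

# Matches both "Failed password for USER from IP" and "... for invalid user USER from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\da-fA-F:.]+) port \d+"
)

# Account names that get guessed first; the post's advice is to rename these.
DEFAULT_NAMES = {"admin", "root", "administrator", "user", "test", "guest"}


def parse_failures(log_text):
    """Return a list of (timestamp, username, source_ip) for each failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog omits the year; strptime fills in 1900, which is fine for
            # comparing timestamps within one log.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=300):
    """Flag a source IP that produces `threshold` or more failures within any
    `window_seconds` span (sliding window over the sorted timestamps).
    Returns {ip: {"failures": n, "users": [...], "default_names_targeted": [...]}}.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in items})
                flagged[ip] = {
                    "failures": len(items),
                    "users": users,
                    "default_names_targeted": sorted(DEFAULT_NAMES & set(users)),
                }
                break
    return flagged


def report(log_text=SAMPLE_LOG, threshold=5, window_seconds=300):
    """Print a short summary per flagged source and return the findings."""
    flagged = find_bruteforce(parse_failures(log_text), threshold, window_seconds)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failed logins, usernames tried: {', '.join(info['users'])}")
        if info["default_names_targeted"]:
            print(f"  default account names probed: {', '.join(info['default_names_targeted'])}")
    return flagged


if __name__ == "__main__":
    report()
```

On the sample data only 203.0.113.45 is flagged (six failures in fourteen seconds, cycling through admin, root and test); the single local failure followed by a successful login and the lone attempt from 198.51.100.7 stay below the threshold. Point `report()` at the contents of your own auth log to see what your DDNS hostname attracts, and the "default account names probed" line tells you whether renaming the admin account would have taken those guesses off the table.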