DSL Line Security--What Do I Need to know?

Brian Alletto asks: "I'm getting a DSL line installed in my apartment, with a dynamically allocated IP address, running on my Macintosh (Starmax 5500, MacOS 8.5.1). Are there any IP/DSL security issues I need to be aware of? "

Re:run few services: only sshd, sendmail, httpd

[dattaway]

Deny everything. Here is an interesting hosts.allow file I have that fingers and logs all denied mischif (I catch a lot of portscans this way:)

ALL: 192.168.1.10
in.fingerd: ALL
in.ntalkd : ALL
sshd : ALL
ALL : ALL@ALL : \
rfc931 : \
spawn ( /usr/bin/logger -p authpriv.alert -t TCPD \
access to %s denied to %c ) : \
spawn (/usr/sbin/safe_finger -l @%h | \
/usr/bin/logger -p authpriv.alert -t TCPD) :\
spawn (/usr/sbin/safe_finger abuse@%h | \
/usr/bin/logger -p authpriv.alert -t TCPD) :\
DENY

Re:shared files

[IntlHarvester]

Well, it's a Mac, so Samba doesn't figure in, but AppleShareIP volumes might.

I've haven't seen Mac networking in a loong time, but in the old days, AppleShare passwords were clear text over the wire unless you used an authentication plug-in. Best bet, however, would be to disable the AppleShare extension, or just make sure you are using AppleTalk rather than TCP/IP. (The DSL bridge will block all non-IP traffic, if I understand correctly.)

Likewise with NT (or Unix/Samba) - if you can't firewall, you probably want to at least disable the filesharing interface on the DSL side (unbind the WINS client in NT).
--

Re:shared files

[IntlHarvester]

Well, the DSL 'modem' is actually a bridge, so I guess it's possible that NetBEUI packets could be sent out to the DSL subnet.

I asked my ISP (FirstWorld), and here's the answer I got: "Generally, anything bridged across will be stopped at the terminating end
as we only allow IP traffic from there." (I guess by terminating end, they mean the other end of the DSL line, so you're probably OK.)

--