ofc, use the extended test. It’s safe.
DNS leak test
dnsleaktest.com
ip l
tcpdump -D
tcpdump -i eth0 dst port 53 or src port 53 -n -x -X -v
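Added example (not part of the original posts): one way to turn the capture above into a leak check is to list every DNS destination that is not a resolver you expect this host to use. The function name, the allowlist arguments and the sample lines are assumptions made for the illustration; it reads `tcpdump -n` text output on stdin.

```shell
#!/bin/sh
# Usage: tcpdump -l -n -i eth0 dst port 53 | dns_leaks <expected-resolver>...
dns_leaks() {
    # "$@" = resolver addresses this host is expected to query (assumption:
    # e.g. the internal DNS forwarder or the VPN's resolver).
    awk -v allow="$*" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    {
        # Locate "src > dst:"; works for the one-line -n format and for the
        # indented second line that -v produces.
        for (i = 1; i < NF; i++) {
            if ($i != ">") continue
            dst = $(i + 1)
            # Only queries (destination port 53) count; replies coming back
            # from port 53 and -x/-X hex dump lines are skipped.
            if (dst !~ /\.53:$/) break
            sub(/\.53:$/, "", dst)      # strip the port, IPv4 or IPv6
            if (!(dst in ok)) count[dst]++
            break
        }
    }
    END { for (d in count) printf "%s %d\n", d, count[d] }
    ' | LC_ALL=C sort
}

# Constructed sample lines in tcpdump -n format (not from a real capture);
# addresses are from documentation ranges.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.50.51234 > 192.168.1.1.53: 4660+ A? example.com. (29)
12:00:01.000900 IP 192.168.1.1.53 > 192.168.1.50.51234: 4660 1/0/0 A 192.0.2.10 (45)
12:00:02.000001 IP 192.168.1.50.40000 > 203.0.113.8.53: 4661+ A? example.org. (29)
12:00:03.000001 IP6 2001:db8::50.40001 > 2001:db8::53.53: 4662+ AAAA? example.net. (29)
    192.168.1.50.40002 > 203.0.113.8.53: 4663+ A? example.org. (29)
    0x0000:  4500 0039 0000 4000 4011 0000 c0a8 0132  E..9..@.@......2
EOF
}

# Unexpected resolvers and query counts, with 192.168.1.1 as the only expected one.
sample_capture | dns_leaks 192.168.1.1
```

Any line of output is a resolver that received queries outside the expected path; empty output means every captured query went to an allowlisted resolver.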
My previous consideration, that maybe only 20% of all Syno NASes exposed in this source are vulnerable, was an underestimate. There are more than 58% of them.
nmap -Pn -sU -p5353 --script=dns-service-discovery <Your-public-IP>
Selectively scanning well-known ports and a lot of IPs will likely harvest a better crop of vulnerable devices. That's the reason to shift your services to less likely ports... if you are vulnerable then you will be more likely to be overlooked. But limiting exposed services to the minimum is a good idea.
Never fully understood the reasoning with shifting port numbers around. Scanning ports seems trivial for an attacker and the idea of a firewall is to keep things from getting in via these ports when they are uninvited.
Unless people are leaving ports wide-open and rely on the (brief) obfuscation?
I'll assume you also don't run as a user account with admin privileges...that one is key.
I never trust that my firewall is enough no matter what I do.
I make sure I have backups of my important files to avoid ransomware attacks, which are getting so common and hitting home users as well as commercial sites. I also run regular malware scans (Malwarebytes) and have Windows ransomware protection (FWIW) turned on for my laptops. I rarely connect to any public Wi-Fi (can't actually remember the last time I did), and if I do I always use my VPN (WireGuard). I even use it at my Mom's house, just in case. I use my phone hotspot for connecting my laptop if I need to do that.
Others can give you better advice than I on firming up your firewall. But the best advice I ever got was "Back up your shi_t, or you WILL cry later." Either due to equipment failure or to virus/bot/ransomware attack.
Yes! Absolutely.
I rarely connect to any public Wi-Fi (can't actually remember the last time I did), and if I do I always use my VPN (WireGuard)
- Capable IPv4/IPv6 firewall with ‘reasonable’ settings and a well-understood and managed configuration
- No basic form of UPnP used - service deleted in toto
- WAN via PPPoE tunnel with hardline direct to backhaul / ISP router
- ISP selected for privacy / security
- ISP provides IP ‘machine name’ linked to them alone
- All ports in 'stealth' mode
- No DNS leaks
- Good L2 / L3 management
- Capable and fully mapped wifi system, robust settings, guest and IoT VLAN segregation
- Monitored full-home SDN, reserved IPs by MAC, very limited use of DHCP IPs
- Very limited exposure to IoT systems and all using HomeKit and/or Thread
- Only using Apple TVs for streaming services
- Only 2 x 24/7 servers - macOS and Synology
- Main Synology NAS only exposed to external access (eg DDNS) when specifically required for a task
- Secondary servers are LAN only and only powered during specific tasks (eg weekly backups)
- Only use macOS, iOS and Linux to avoid issues provided by the Windows and ‘droid attack surfaces
- Internal DNS, DNS cache / forwarder with DNSSEC to 2 external ‘trusted’ providers
- Internal Stratum 1 NTP server, available to LAN clients, secondary NTP server and via DHCP Option 42
- No use of ‘services’ that deliberately bypass security settings (eg Google Chrome, some cloud services, Microsoft etc)
- Full use of Apple tracking prevention
- Own domain points at US provider only, rather than my own static IP
- Small and trusted UK company used for web and email hosting, using my own domain
- Firmware and software up-to-date with managed upgrades
- Accurate database of all networked equipment and relevant security policies
- All obsolete or deprecated protocols disabled
- No use of Facebook, WhatsApp, whatever, where the commodity traded is the user
- Password management system
- Digital hygiene on personal information
- Modem maintained ‘blind’ by a 3rd party (Openreach) (but mitigated somewhat by PPPoE tunnel)
- WAN provided over G.fast that went into limited support faster than it was rolled-out and finally halted
- Router has UPnP2 enabled (albeit monitored and configured in Secure Mode only)
- Using own static IP for day to day use
- No Secure SNI (??)
- Single Windows server (rarely powered-up and cleansed of all bloat & telemetry) but Windows is a security issue in its own right
- No full DNS encryption (either DoT or the horrid DoH)
- No use of Synology NAS’s internal firewall
- One device that bypasses some internal security (SkyHD box) but constrained to an untrusted VLAN
- One device that seems to be becoming less trustworthy (2019 LG OLED), needing further constraint
- One device (client) with RJ45 capability connected via wifi instead (hey, that’s just 1 single client!)
- Plex server available for remote access 24/7 via somewhat randomised UPnP2 secured ports
- WoL enabled on servers that are typically switched-off 24/7
- No ACLs or locks enabled on switchports (does anyone do that?)
- No full disk encryption on NASes (Synology…)
- Servers without dedicated management interfaces (Synology…)
- Have a daughter