[conspire] (forw) Re: [Felton LUG] Using IPv6 with Linux? You've likely been visited by Shodan and other scanners | Ars Technica

Rick Moen rick at linuxmafia.com
Tue Feb 23 14:12:49 PST 2016


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 23 Feb 2016 14:12:25 -0800
From: Rick Moen <rick at linuxmafia.com>
To: Felton Lug <felton-lug at googlegroups.com>
Subject: Re: [Felton LUG] Using IPv6 with Linux? You've likely been
	visited by Shodan and other scanners | Ars Technica
Organization: If you lived here, you'd be $HOME already.

[Sorry about hitting an old thread.  I just got back from a month on a
cruise ship.]

Quoting Robert Lewis (bob.l.lewis at gmail.com):

> http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/

Or to put it another way:  Security by obscurity fails yet again.

Although it was certainly fair to eject the Shodan security-scanning
project's 45 IP addresses from pool.ntp.org (as they violated their
sign-up agreement with ntp.org by security-scanning NTP-client IP
addresses), anyone who assumed 'My machines are invisible on the
Internet because they have only IPv6 addresses' was reality-challenged:
Any machine making outbound Internet queries of any kind _will_ be
noticed.

It could have been DNS rather than NTP -- or any of a large number of
other services.

Anyone who seriously wishes to fly under everyone's radar will proxy all
outbound requests through gateway devices able to withstand probing
without worry.  E.g., one can have a public-facing, security-hardened
ntpd gateway host sync'd to pool.ntp.org, and sync local, less-hardened
hosts to the gateway host.  And likewise, run a local recursive
nameserver on a hardened host, for the same reason.

(Surprise:  Attempting to hide vulnerable machines behind IPv4 NAT
doesn't really work, either.)

As the 'Internet of Things' becomes more prevalent, this will become a
larger and larger problem -- which is actually the Shodan Project's
point, FWIW.

Personally, I prefer a fundamentally different approach:  Assume networks
are dangerous places, expect to be probed, and make sure I've paid
adequate attention to all of my devices' attack surfaces.  Works for Me.[tm]

And under no circumstances would I permit my refrigerator to chat
directly with the Internet.  ;->

----- End forwarded message -----
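An added example of the gateway layout Rick describes (a hardened ntpd host that alone talks to pool.ntp.org, internal hosts syncing only to it, and a hardened local recursive resolver). This is not from the message or the Ars article; the addresses are from the documentation ranges 192.0.2.0/24 and 2001:db8::/32, and the gateway address 192.0.2.10 and the resolver's interface are constructed placeholders. The point is that only the gateway's address ever appears in an upstream server's logs, and the gateway itself answers nothing but time requests.

```conf
# ---- /etc/ntp.conf on the hardened NTP gateway (constructed example) ----
driftfile /var/lib/ntp/ntp.drift

# Only this host talks to the public pool; "iburst" speeds the initial sync.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

# Default policy for both address families: answer time requests, nothing else.
#   kod      send kiss-o'-death packets to clients that exceed the rate limit
#   limited  enforce that rate limit
#   nomodify refuse runtime reconfiguration via ntpq/ntpdc
#   noquery  refuse ntpq/ntpdc status queries (the classic "monlist" surface)
#   notrap   refuse trap (remote event logging) requests
#   nopeer   refuse unsolicited symmetric-active peering
restrict -4 default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Localhost may query status for local monitoring.
restrict 127.0.0.1
restrict ::1

# Internal networks (placeholder ranges) may fetch time, but may not query
# status, modify, or peer.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery
restrict -6 2001:db8:1:: mask ffff:ffff:ffff:: nomodify notrap nopeer noquery

# ---- /etc/ntp.conf on an internal, less-hardened host ----
driftfile /var/lib/ntp/ntp.drift

# Sync only to the gateway (placeholder address), never to the public pool.
server 192.0.2.10 iburst

# Ignore every packet by default, then permit replies from the gateway and
# status queries from localhost.
restrict default ignore
restrict -6 default ignore
restrict 192.0.2.10 nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# ---- /etc/unbound/unbound.conf on the hardened recursive resolver ----
# The same idea for DNS: one resolver performs all recursion to the Internet,
# internal hosts point at it, and it refuses queries from anyone else.
server:
    interface: 192.0.2.11
    interface: 2001:db8:1::11
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8:1::/64 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
```

After restarting ntpd on an internal host, `ntpq -p` should list only the gateway as a peer, and a packet capture on the Internet-facing interface should show UDP/123 and UDP/53 traffic originating solely from the gateway and resolver addresses. A firewall rule that drops outbound NTP and DNS from every other internal address turns that expectation into an enforced policy and makes any stray query a detectable event.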



