[The-L] Re: email and web blocking WBS
- From: Tim Gwinn <tim@xxxxxxxxxxx>
- To: warwicklist@xxxxxxxxxxxxx
- Date: Sat, 24 Nov 2018 08:26:43 -0500
If Brad's estimate is right and this conversion to public IPs is
completed "in a few weeks" and if you are able to hang on and muddle
through until then, I would not see a need to sign up for a VPN.
*wonder if all devices used (say computer plus phone or ipad work all
work seamlessly with a vpn.*
If you do need to get a VPN app, they install like any other
program. E.g., I installed my proXPN phone app from Google Play store,
and it looks like the Apple store has VPN apps as well. The app should
be free since it is a service you are paying to subscribe to, not the
app per se.
Once the app is installed, and you have signed up with the VPN service
provider, all you need to do usually is just to log into the app with
your VPN subscriber login. Then, there is usually just a simple ON/OFF
or ENABLE/DISABLE setting which turns the VPN routing on or off. From
then on, the app runs in the background and it should be seamless for
all your activity on the computer or device. So, it's quite simple in
most cases.
There are typically more options to play with, such as selecting which
VPN server location to use, but by default it should choose the
geographically nearest one. Some offer to enable the VPN on startup, so
you don't have to remember to do it. Things like that. The rest of the
more advanced options can usually be left at default.
I personally dislike software that tries to act like multiple things,
such as a VPN+antivirus+buzzwordthis+buzzwordthat. Often those packages
do everything only so-so, rather than one thing well. It's also added
complexity to setup and maintain. So, I just want a VPN software that is
ONLY a VPN, and nothing else. That's just my bias.
I agree with TimM - setting up a VPN at the router level is not the
preferred way to go. It is an option so I wanted to mention it, but
it's more costly, and more complex. And again, if we can hold out a
few weeks, then this situation should ameliorate without making
hardware changes.
Of course, with great power comes great responsibility. Once we each
have our own IP on the internet then every malicious actor on the
internet will be able to target our IP addresses directly. So, your
router is your main line of defense. Having a router is not enough, it
needs to be secure. There have been some routers with vulnerabilities
in their firmware, which actually make them insecure, and allow bad
guys to get into your network or take over the router and have it become
part of a botnet.
E.g.:
https://www.bleepingcomputer.com/news/security/thousands-of-compromised-mikrotik-routers-send-traffic-to-attackers/
So, a few things to check are:
* Change the factory default router login password to something unique.
(Although it's not best practice, since we are concerned about remote
attackers, and not someone in your home, then you can write the
password on a piece of tape and stick it to the bottom of the router
to make it easier to find in case you forget it.)
* Update the router firmware. (On some newer routers, you can check for
the latest firmware from the router menu, or it may automatically
check periodically, or can even be configured to do the updates
automatically. On older routers, you need to go to the manufacturer's
website, find the support page for that router, look for the latest
firmware, compare that version to your current running version,
download the new firmware if needed, then upload it from your device
to your router.)
* Disable remote administration. (Remote administration allows
accessing your router setup login from anywhere in the world.
Unless you absolutely need it, disable remote administration of the
router. That prevents bad guys from breaking into the router via that
avenue of attack.)
* Disable UPnP. (Unless you have a device/program that you know needs
it, disable it. Unfortunately, too many routers ship with it enabled
by default.)
* Disable all inbound ports & port-mapping. (Again, unless you have a
device/program that you know needs it, disable inbound ports. This
disallows inbound traffic from *initiating* from outside our router;
we only want inbound traffic to be as a result of something we
initiate from our devices in the internal side of our router (e.g.,
a webserver only sends a webpage to us as a result of us initiating
a request for that page). This -should- be the default in all modern
routers. It's just something to verify.)
* Make sure the WBS connection is plugged into the WAN or INTERNET port
on your router. It should be the ONLY thing plugged into the
WAN/INTERNET port. That's the outward-facing port, so no other
devices should be on that side. All our devices should be connected
over wifi or the ethernet jacks labeled LAN.
* By default, your devices will get their DNS server from your router.
DNS is how devices send a lookup request to convert a sitename like
www.google.com to an IP address. Consider setting your DNS in your
router to 9.9.9.9. This is a free DNS service called Quad9 that
blocks known-bad IP addresses. So if someone in your home
accidentally clicks on a malicious link, when it tries to convert
*evildomain.com* (say) to an IP address by performing a DNS request,
Quad9 will not respond with an IP address if it knows that is a
malicious site. So, it prevents the user from ever getting redirected
to the bad site. Quad9 also doesn't retain any personally-identifiable
info. See:
https://www.quad9.net/
Unfortunately, each router manufacturer has wildly different router
menus, different firmware update methods, different features and
abilities, etc., so there's no way to create a universal step-by-step
guide for router configuration.
Regards,
TimG
On Fri, Nov 23, 2018, at 8:11 PM, ear@xxxxxxxxxxx wrote:
Hi Tim, Thanks for this info. Many of us in town may end up
scrambling to do this... I'm wondering if there could be some kind of
short mini-workshop to talk folks thru setting up a VPN; and wonder
if all devices used (say computer plus phone or ipad work all work
seamlessly with a vpn. Or is there a YouTube you could recommend?
On Thursday 22/11/2018 at 11:58 am, Tim Gwinn wrote:
FYI -
One temporary workaround is to use a VPN (virtual private network)
app on your device, which will create an encrypted "tunnel"
connection between your device and a VPN server (which is not in the
WBS IP range) somewhere else on the internet. In short, it gives your
device an entirely non-WBS IP address on the internet, so that
services that block or challenge you based on your IP address will
see this non-WBS IP address and thus not block nor pester you with
challenges.
There are many VPN services like this out there. Some are free, most
have a monthly fee. I happen to use proXPN, which is around $7/mo. It
supports Windows, Mac, Android.
https://secure.proxpn.com/index.php
Here is a very recent review comparison of VPNs by PC Mag:
https://www.pcmag.com/article2/0,2817,2403388,00.asp
These apps run in the background of your device, so once it is set up
and enabled, it's transparent, and doesn't interfere with your normal
activity. Issues that can occur are some restricted bandwidth (but
generally, WBS bandwidth is the limiting factor), and some services
like Netflix may or may not allow connection over a VPN, since VPNs
are sometimes used to get around region/country specific pricing or
availability, and so services like Netflix may be wary of customers
signing in via VPNs.
Regards,
Tim Gwinn
On Wed, Nov 21, 2018, at 10:42 PM, Mari Rovang wrote:
Jim,
We are having the same I’m not a robot phenomenon any time we try
to access a website, or even use the online dictionary. Says it’s
detecting unqualified activity. Doesn’t happen in other locations.
Also, the photos are hazy and hard to interpret.
Mari
On Wed, Nov 21, 2018 at 7:34 PM Jim McRae <jimmcraejim@xxxxxxxxx>
wrote:
Yes Rick. I also don't know what my "credentials" are. Sorry to be
so dense. I'm sure it's obvious to a whole lot of folks.
Also, several news locations ask me to confirm that I'm not a
robot. That has come up so frequently lately that I don't trust
anyone enough to click anything on command. What do folks know
about that happening now. Any manipulative requests around this?
On Tue, Nov 13, 2018 at 5:21 PM David Young
<coordinator@xxxxxxxxxxxxxxxxxx> wrote:
Warwick Broadband have an IP blacklist problem. We almost cured it
last month and now it is very much back. We need everyone to
change their email credentials and run antivirus protection.
We believe the blacklisting is caused by SPAM being sent from one
or more subscriber computers. But, it may be IP spoofing, using
our customer’s email credentials from a remote site. Fixing this
requires running antivirus software on your computers and keeping
the protection current.
If this is happening remotely (meaning: not on our network) the
fix is for folks to change their email passwords. That way a
remote server can’t successfully pretend to be one of us.
Studying this today added another element to ponder: are websites
blocking our IPs because they see too many connections coming from
it?
Options we are considering include implementation of carrier class
network address translation where customers are assigned to a
unique port range which means we can track down offenders with
some snooping; using public IP4 addresses; or implementing public
IP6 (with support IP4). The advantage of the public IP address use
will be that only the “offender” will be impacted by blacklisting.
David Young
Administrative Coordinator
Town of Warwick
978-729-3224 (mobile)
978-544-6315 (Selectboard office)
413-676-9544 (Broadband service)
*From:* warwicklist-bounce@xxxxxxxxxxxxx <warwicklist-bounce@xxxxxxxxxxxxx> *On Behalf Of* narguimbau
*Sent:* Tuesday, November 13, 2018 2:35 PM
*To:* WarwickList@xxxxxxxxxxxxx
*Subject:* [The-L] Re: - 10/27
My incoming email has been blocked since October 27. Don’t know
why. Trying to fix it.
Nick Arguimbau
Sent from Mail[1] for Windows 10
Links:
1. https://go.microsoft.com/fwlink/?LinkId=550986