Hi All,
Tim G. Makes some very good points, particularly about securing your router,
the first of your devices on your internet connection and the one generally
providing you with protection against outside malicious attacks.
But just to be clear, this thread has morphed a bit from its original question.
The original question was what can be done about WBS shared IP addresses being
blacklisted due to one or more Warwick users of that shared IP address having
malware on one or more of their devices and that malware is using the device to
perform prohibited network activity (generally email spamming).
First, we could all just make sure that we were all following best security
practices (such as locking down our routers as Tim G. explained and running a
quality antivirus on all our Apple, Windows and Android devices and never
clicking on an unknown link or loading a file from an unknown source, among
other things). For this to be effective everyone would have to also scan their
devices for any malware currently present and then remove that software before
continuing on with good security practices to ensure no new malware is
introduced. Once our shared IP addresses were no longer the source of “bad”
Internet behavior, we could get them removed from the blacklists and, as long
as we stayed “clean”, that would be the end of it.
Second, WBS can move to dedicated IP addresses, where each user will get their
own unique IP address. This will not eliminate the actual security issues
where people are allowing their devices to be “infected”, but it will isolate
the negative impact to that one user.
Third, you can use a Proxy or VPN service to provide you with a different
external facing IP address (one that is not part of the WBS shared address
structure and thus not subject to the blacklisting).
Only the first of these options actually addresses the overall security of your
home network and the devices attached to it. I can have the tightest network
security in the world but if my daughter gives me a USB stick with some videos
of the grandkids on it and that stick is infected with a really good virus I
could end up transmitting all my user-ids and passwords up to some nefarious
site unless I have a quality antivirus installed to catch it.
Network/computer security is really quite complex. At one point in my career I
was VP of Operations and Support and Chief Security Officer for LiveVault
Corporation. That taught me that you can spend a lot of time and money on
securing your computers and Internet connected devices from all possible
threats, but you do have to consider the cost/benefit of anything you do (cost
not only being in dollars but in complexity/difficulty of doing what you want
to do on the WEB). While a bank or a credit card processing firm will be the
explicit target of many attacks, your home network and computers are not near
as at risk. Taking basic precautions is probably all most people will need to
do:
Making sure your router and other devices are reasonably locked down (no
passwords left at default, no unnecessary ports or services open).
Run a quality Antivirus (there are several free antivirus packages along with
the more popular commercial products, Google “best freeware antivirus” to get a
list) on all your devices that allow it.
Follow good security practices. Don’t accept downloads from sites you are not
sure of, don’t open links you are not sure of, if you get an email, even from
someone you know, with a link or download you weren’t already expecting,
confirm separately with the person what it is. Don’t respond to “phishing”
email with any of you private information (including user-ids and passwords, no
reputable company will ask for these). Don’t use a link given to you in an
email to sign in to a financial or store account (scammers will send you an
email that looks legit and will embed a link asking you to use it to sign in to
verify some detail of your account, the embedded link will take you to a site
that looks EXACTLY like the actual site except for a very small discrepancy in
the URL; so you will go ahead and try to sign in with with your
user-id/password and - bingo - the scammer now has you Citi Bank login
credentials), instead always go to the site using your own bookmark.
There are probably lots of other simple things you can do to make sure you
don’t fall victim to Internet fraud. If there is enough interest, maybe WBS
could host a get together to go over some of them.
Regards, Tim M
On Nov 24, 2018, at 8:26 AM, Tim Gwinn <tim@xxxxxxxxxxx> wrote:
If Brad's estimate is right and this conversion to public IPs is completed
"in a few weeks" and if you are able to hang on and muddle through until
then, I would not see a need to sign up for a VPN.
wonder if all devices used (say computer plus phone or ipad work all work
seamlessly with a vpn.
If you do use need to get a VPN app, they install like any other program.
E.g., I installed my proXPN phone app from Google Play store, and it looks
like the Apple store has VPN apps as well. The app should be free since it is
a service you are paying to subscribe to, not the app per se.
Once the app is installed, and you have signed up with the VPN service
provider, all you need to do usually is just to log into the app with your
VPN subscriber login. Then, there is usually just a simple ON/OFF or
ENABLE/DISABLE setting which turns the VPN routing on or off. From then on,
the app runs in the background and it should be seamless for all your
activity on the computer or device. So, its quite simple in most cases.
There are typically more options to play with, such as selecting which VPN
server location to use, but by default it should choose the geographically
nearest one. Some offer to enable the VPN on startup, so you don't have to
remember to do it. Things like that. The rest of the more advanced options
can usually be left at default.
I personally dislike software that tries to act like multiple things, such as
a VPN+antivirus+buzzwordthis+buzzwordthat. Often those packages do everything
only so-so, rather than one thing well. It's also added complexity to setup
and maintain. So, I just want a VPN software that is ONLY a VPN, and nothing
else. That's just my bias.
I agree with TimM - setting up a VPN at the router level is not the preferred
way to go. It is an option so I wanted to mention it, but its more costly,
and more complex. And again, if we can hold out a few weeks, then this
situation should ameliorate without making hardware changes.
Of course, with great power comes great responsibility. Once we each have our
own IP on the internet then every malicious actor on the internet will be
able to target our IP addresses directly. So, your router is you main line of
defense. Having a router is not enough, it needs to be secure. There have
been some routers with vulnerabiltiies int their firmware, which actually
make them insecure, and allow bad guys to get into your network or take over
the router and have it become part of a botnet. E.g.,:
https://www.bleepingcomputer.com/news/security/thousands-of-compromised-mikrotik-routers-send-traffic-to-attackers/
<https://www.bleepingcomputer.com/news/security/thousands-of-compromised-mikrotik-routers-send-traffic-to-attackers/>
So, a few things to check are:
Change the factory default router login password to something unique.
(Although its not best practice, since we are concerned about remote
attackers, and not someone in your home, then you can write the password on a
piece of tape and stick it to the bottom of the router to make it easier to
find in case you forget it.)
Update the router firmware. (On some newer routers, you can check for the
latest firmware from the router menu, or it may automatically check
periodically, or can even be configured to do the updates automatically. On
older routers, you need to go to the manufacturers website, find the support
page for that router, look for the latest firmware, compare that version to
your current running version, download the new firmware if needed, then
upload it from your device to your router.)
Disable remote administration. (Remote administration allows accessing your
router setup login from anywhere in the world. Unless you absolutely need it,
disable remote administration of the router. That prevents bad guys from
breaking into router via that avenue of attack.)
Disable uPNP. (Unless you have a device/program that you know needs it,
disable it. Unfortunately, too many routers ship with it enabled by default.)
Disable all inbound ports & port-mapping. (Again, unless you have a
device/program that you know needs it, disable inbound ports. This disallows
inbound traffic from initiating from outside our router; we only want inbound
traffic to be as a result of something we initiate from our devices in the
internal side of our router (e.g., a webserver only sends a webpage to us as
a result of us initiating a request for that page). This -should- be the
default in all modern routers. It's just something to verify.)
Make sure the WBS connection is plugged into the WAN or INTERNET port on your
router. It should be the ONLY thing plugged into the WAN/INTERNET port.
That's the outward-facing port, so no other devices should be on that side.
All our devices should be connected over wifi or the ethernet jacks labeled
LAN.
By default, your devices will get their DNS server from your router, DNS is
how devices send a lookup request to convert a sitename like www.google.com
<http://www.google.com/> to an IP address. Consider setting your DNS in your
router to 9.9.9.9. This is a free DNS service called Quad9 that it blocks
known-bad IP addresses. So if someone in your home accidentally clicks on a
malicious link, when it tries to convert evildomain.com
<http://evildomain.com/> (say) to an IP address by performing a DNS request,
Quad9 will not respond with an IP address if it knows that is a malicious
site. So, it prevents the user from ever getting redirected to the bad site.
Quad9 also doesn't retain any personally-identifiable info. See:
https://www.quad9.net/ ;<https://www.quad9.net/>
Unfortunately, each router manufacturer has wildly different router menus,
different firmware update methods, different features and abilities, etc., so
there's no way to create a universal step-by-step guide for router
configuration.
Regards,
TimG
On Fri, Nov 23, 2018, at 8:11 PM, ear@xxxxxxxxxxx <mailto:ear@xxxxxxxxxxx>
wrote:
Hi Tim, Thanks for this info. Many of us in town may end up scrambling to
do this... I'm wondering if there could be some kind of short mini-workshop
to talk folks thru setting up a VPN ; and wonder if all devices used (say
computer plus phone or ipad work all work seamlessly with a vpn. Or is there
a utube you could recommend ?
On Thursday 22/11/2018 at 11:58 am, Tim Gwinn wrote:
FYI -
One temporary workaround is to use a VPN (virtual private network) app on
your device, which will create an encrypted "tunnel" connection between
your device and a VPN server (which is not in the WBS IP range) somewhere
else on the internet. In short, it gives your device an entirely non-WBS IP
address on the internet, so that services that block or challenge you based
on your IP address will see this non-WBS IP address and thus not block nor
pester you with challenges.
There are many VPN services like this out there. Some are free, most have a
monthly fee. I happen to use proXPN, which is around $7/mo. It supports
Windows, Mac, Android.
https://secure.proxpn.com/index.php ;<https://secure.proxpn.com/index.php>
Here is a very recent review comparison of VPNs by PC Mag:
https://www.pcmag.com/article2/0,2817,2403388,00.asp ;
<https://www.pcmag.com/article2/0,2817,2403388,00.asp>
These apps run in the background of your device, so once it is set up and
enabled, its transparent, and doesn't interfere with your normal activity.
Issues that can occur are some restricted bandwidth (but generally, WBS
bandwidth is the limiting facotr), and some services like Netflix may or
may not allow connection over a VPN, since VPNs are sometimes used to get
around region/country specific pricing or availability, and so services
like Netflix may be wary of customers signing in via VPNs.
Regards,
Tim Gwinn
On Wed, Nov 21, 2018, at 10:42 PM, Mari Rovang wrote:
Jim,
We are having the same I’m not a robot phenomenon any time we try to
access a website, or even use the online dictionary. Says it’s detecting
unqualified activity. Doesn’t happen in other locations. Also, the photos
are hazy and hard to interpret.
Mari
On Wed, Nov 21, 2018 at 7:34 PM Jim McRae <jimmcraejim@xxxxxxxxx
<mailto:jimmcraejim@xxxxxxxxx>> wrote:
Yes Rick. I also don't know what my "credentials" are. Sorry to be so
dense. I'm sure it's obvious to a whole lot of folks.
Also, several news locations ask me to confirm that I'm not a robot. That
has come up so frequently lately that I don't trust anyone enough to click
anything on command. What do folks know about that happening now. Any
manipulative requests around this?
On Tue, Nov 13, 2018 at 5:21 PM David Young <coordinator@xxxxxxxxxxxxxxxxxx
<mailto:coordinator@xxxxxxxxxxxxxxxxxx>> wrote:
Warwick Broadband have an IP blacklist problem. We almost cured it last
month and now it is very much back. We need everyone to change their email
credentials and run antivirus protection.
We believe the blacklisting is caused by SPAM being sent from one or more
subscriber computers. But, it may be IP spoofing, using our customer’s
email credentials from a remote site. Fixing this requires running
antivirus software on your computers and keeping the protection current.
If this is happening remotely (meaning: not on our network) the fix is for
folks to change their email passwords. That way a remote server can’t
successfully pretend to be one of us.
Studying this today added another element to ponder: are websites blocking
our IPs because they see too many connections coming from it?
Options we are considering include implementation of carrier class network
address translation where customers are assigned to a unique port range
which means we can track down offenders with some snooping; using public
IP4 addresses; or implementing public IP6 with support IP4). The advantage
of the public IP address use will be that only the “offender” will be
impacted by blacklisting.
David Young
Administrative Coordinator
Town of Warwick
978-729-3224 <tel:978-729-3224> (mobile)
978-544-6315 <tel:978-544-6315> (Selectboard office)
413-676-9544 <tel:413-676-9544> (Broadband service)
From: warwicklist-bounce@xxxxxxxxxxxxx
<mailto:warwicklist-bounce@xxxxxxxxxxxxx> <warwicklist-bounce@xxxxxxxxxxxxx
<mailto:warwicklist-bounce@xxxxxxxxxxxxx>> On Behalf Of narguimbau
Sent: Tuesday, November 13, 2018 2:35 PM
To: WarwickList@xxxxxxxxxxxxx <mailto:WarwickList@xxxxxxxxxxxxx>
Subject: [The-L] Re: - 10/27
My incoming email has been blocked since October 27. Don’t know why.
Trying to fix it.
Nick Arguimbau
Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows
10