Hackers

[irBosOtter]

Fortigate not overkill for home use?

Not when you get the device for free and 3 year 24/7/365 support and full feature set included

Mostly use it to test out new functionality before we deploy to production firewalls

 

[ArtyLoop]

Not when you get the device for free and 3 year 24/7/365 support and full feature set included

Mostly use it to test out new functionality before we deploy to production firewalls

Thanks for revealing who you work for!

 

[SauRoNZA]

Remember to make sure uPnp on NAS is disabled. Cool feature im sure, bad idea imo

I wish this advice would stop being thrown around as it's not generally a real problem and often breaks more than it supposedly fixes.

uPNP itself isn't a problem, it's the nature by which it can open ports in a firewall by OTHER devices that are potentially malicious where it's insecure.

***EDIT***

Modern implementations of uPNP I should add. It did have issues when it first came about but that was like a decade ago.

****

Address the problem with the other devices and you don't need to worry about uPNP. If they wanted to access your stuff there are far simpler ways that relying on uPNP to do it and whatever malware would likely just do it directly.

Switch off uPNP and you are in for a world of additional support to fix basic things.


Obviously I'm referring to it in the home user/consumer context in which it was created for.

Doesn't belong in an enterprise/corporate network and should be disabled there.

 

[Peon]

I wish this advice would stop being thrown around as it's not generally a real problem and often breaks more than it supposedly fixes.

uPNP itself isn't a problem, it's the nature by which it can open ports in a firewall by OTHER devices that are potentially malicious where it's insecure.

***EDIT***

Modern implementations of uPNP I should add. It did have issues when it first came about but that was like a decade ago.

****

Address the problem with the other devices and you don't need to worry about uPNP. If they wanted to access your stuff there are far simpler ways that relying on uPNP to do it and whatever malware would likely just do it directly.

Switch off uPNP and you are in for a world of additional support to fix basic things.


Obviously I'm referring to it in the home user/consumer context in which it was created for.

Doesn't belong in an enterprise/corporate network and should be disabled there.

 

[My_King]

Not when you get the device for free and 3 year 24/7/365 support and full feature set included

Mostly use it to test out new functionality before we deploy to production firewalls

I know we paid R6000 for one year which included AV, web filtering, forticare.

I`m too poor, klapping a Mikrotik 750

 

[Peon]

I know we paid R6000 for one year which included AV, web filtering, forticare.

I`m too poor, klapping a Mikrotik 750

If I may ask, how many users you servicing on that 750?

 

[TrueSeeker]

Quite funny to see this when going through logs:

View attachment 765540

Thats why I always say, create users in Afrikaans.
We have Zabbix, support, root, admin, even VNC that these 9 year olds keep guessing.


*Or just disable SSH.

Yeah you drop any server, anywhere and you better be ready. 10-15mins later somebody from somewhere will be hitting that.

 

[My_King]

If I may ask, how many users you servicing on that 750?

Max 4

 

[Prawnapple]

Quite funny to see this when going through logs:

View attachment 765540

Thats why I always say, create users in Afrikaans.
We have Zabbix, support, root, admin, even VNC that these 9 year olds keep guessing.


*Or just disable SSH.

Just block the entire 58.186.0.0, 45.136.0.0 etc.

 

[Kosmik]

Reminds me of folks who leave the sql SA account active

 

[pinball wizard]

Why is this in the Fibre Networks sub?

 

[R4ziel]

Reminds me of folks who leave the sql SA account active

I've seen people use the sa account as the only account on SQL, used for the SAP developers and the monitoring services, everyone has that password to a very sensitive insurance database, but highlighting it in recommendations was met with "But it works, why would we pay someone to change it"

 

[SauRoNZA]

I've seen people use the sa account as the only account on SQL, used for the SAP developers and the monitoring services, everyone has that password to a very sensitive insurance database, but highlighting it in recommendations was met with "But it works, why would we pay someone to change it"

And when it's all published on the internet there will be fingers pointed and everyone else but the ones who ignored it.

 

[R4ziel]

And when it's all published on the internet there will be fingers pointed and everyone else but the ones who ignored it.

Of course, the people in the Ivory towers will just shift the blame to the lower levels and someone will go home early with all their stuff, that's how they work

 

[Kosmik]

I've seen people use the sa account as the only account on SQL, used for the SAP developers and the monitoring services, everyone has that password to a very sensitive insurance database, but highlighting it in recommendations was met with "But it works, why would we pay someone to change it"

Every single "script kiddy" installer who comes in for some software package or other - Accpac, Pastel etc etc etc , all ask for the SA account and password. No, you can have an account locked down to your databases with full access. Need to create the databases, ok I'll give your account privileges, run the scripts and then get restricted again.

Maybe I'm being mean but most consultants who come in, just run pre-loaded sripts and yell for help on the phone when an error pops up, not even reading the error from their own software to troubleshoot. My favourite used to be, ok, give us a copy of the DB and we'll go fix it. Sure, bring a hardrive....No you can upload it to here, ok I'll see you in a few years when its uploaded a couple 100 gigs.

 

[R4ziel]

Every single "script kiddy" installer who comes in for some software package or other - Accpac, Pastel etc etc etc , all ask for the SA account and password. No, you can have an account locked down to your databases with full access. Need to create the databases, ok I'll give your account privileges, run the scripts and then get restricted again.

Maybe I'm being mean but most consultants who come in, just run pre-loaded sripts and yell for help on the phone when an error pops up, not even reading the error from their own software to troubleshoot. My favourite used to be, ok, give us a copy of the DB and we'll go fix it. Sure, bring a hardrive....No you can upload it to here, ok I'll see you in a few years when its uploaded a couple 100 gigs.

I don't even give them full permissions on their own DB, they can let me know which exact permissions they need and they can get them approved and signed, creating Databases need to be arranged in advance and signed off.

We had a request for a DB upgrade years ago, the guy was requesting we upload a 500GB Database backup over a 4MB line so they can look at an interface display issue lol

 

[Kosmik]

I don't even give them full permissions on their own DB, they can let me know which exact permissions they need and they can get them approved and signed, creating Databases need to be arranged in advance and signed off.

We had a request for a DB upgrade years ago, the guy was requesting we upload a 500GB Database backup over a 4MB line so they can look at an interface display issue lol

If it's their DB, we allow it otherwise there's always finger-pointing when something goes wrong ( index runaway, lack of indexes ). That way if their DB konks, its that vendor's issue. We just ensure that we have a solid backup/restore strategy in place so the company is not impacted by their mishandling.