Welcome to the coffee break, everybody. Happy Saturday. I'm in my jammie-jams at noon on a Saturday, so what does that tell you? Yep, I'm being way too lazy today, but I know that I've got a lot to do this afternoon, so I'm going to be heading into the studio just after this. Everybody... well, yeah. Jean snagged on the chainsaw. Oh, oh no. Oh, you were taking down some trees today or something there? What we... I had to cut it up. It fell a few, several weeks ago. It's been bugging me; every time I look out the window I see it there and it's like, I gotta get rid of that thing. So it was on the ground? It wasn't something you had to get up on a ladder or anything? Yeah, good, good. Yeah, last year I bought an extension-pole electric chainsaw, I don't know if you ever saw that, but that thing works pretty well. Yeah, actually surprisingly well, to be honest. So I just had a tree that was like this big around, that was maybe 25 feet tall, that had died. Mmm, you know, so I just had to take it down just so it wouldn't fall on the kids or something. Yeah, well, this one died and came down in the storm. The trunk is a little larger than that, but yeah, it's already down, so I just gotta cut it up and get it... I was right he died with him he got nicked so he could drop that by 2030 please as a teenager but little... Every time Peter talks it comes up on my screen full screen, and so it's just like, Peter, so cute. This is so cute. Oh [Laughter]. Soul boos is there. I can't tell if soul boos is using his own loop or if he's actually with us. Oh, there he is. He's constantly making sandwiches. And Bill's got the deer in the backyard, that's cute. Is that just something that you found online? Yeah, yeah. Cool. Right now it's just some free tape loops. Cool. And Peter, what's the story behind the dogs? Are those your dogs, or just something you found? Maybe the weight yet, but they worked on the dog, my dog. Oh, that like to build blunted
raised mg3 bring the 494. I got a notification last night that the new HDMI repeaters have shipped and they'll be here Friday, so that's good news. They won't be here in time for Wednesday's show, so I'm still going to be makeshifting it, probably in the producer's bridge, but yeah, we'll get by. Maybe Peter is just arriving this morning. Very good. How are you? I'm good, man. Where were we? We were talking about security and MikroTik and everything, and then, yeah, I'm all ready to start that conversation. All right, let's go.

Okay, so here's my setup, right. I have a U-verse modem, and I know it's just a modem, but it does provide for protection in terms of it doesn't let anything connect internally. Okay. However, the downside of that is that I've read, and the technician has confirmed, that it also publishes to AT&T the MAC addresses of all the devices inside my private network. So for that reason I have a Netgear router that is the only thing that's attached to the modem, and I connect everything via the Netgear router and/or other routers that are internal to the house. The only thing that the modem knows about is the Netgear, and that's the only MAC address that it publishes, right, assuming that... I have no reason to believe it doesn't do that.

So, okay, so here's my thing. The other thing is that, because of the fact that it doesn't allow any kind of... the modem provides the firewall in terms of it doesn't allow any kind of incoming network connection. By the way, as you've already mentioned in previous coffee breaks, the modem also provides a 5 GHz and a 2.4 GHz Wi-Fi connection that I do not use, for the same reason. I let the internal Netgear router do all that for me. It too offers 5 GHz and 2.4 GHz Wi-Fi internally, so I control that as
much as I possibly can, right. But what I'm trying to understand, and I think I've done all that I can reasonably do to make that happen: I've disabled the Wi-Fi access points in the actual internet-provider-provided device, and all of my access is through the internal routers. Yeah. So I've done all I can, I think, reasonably, to actually make all that work. I've done all kinds of other stuff, like, you know, if I don't know the MAC address of the device, it simply won't connect to even the internal network, stuff like that. Yeah. So, you know, I feel like it's pretty good, but here's the thing. One thing I can't do, as I mentioned in yesterday's coffee break, is I cannot SSH in. On my old DSL I used to be able to SSH in by port forwarding, yeah, but the modem does not allow that. The Internet service provider-provided modem does not allow for that kind of port forwarding. Yeah. And it sounds like, from all the forums that I've read and all that, my only option really is what's called bridging the modem, and if I do that, my concern then becomes: okay, the internet service provider modem is my first wall of defense, right? It's at least stopping incoming connections, for which I'm grateful. My internal router is also set up to do the same, right, but at which point, you know, how do you decide... yeah, I understand... that a router is strong enough, or whatever router you've got is strong enough, to be able to do what the AT&T modem's doing for me already? You've just... that's really kind of a dual firewall. Yeah, right. Yeah, yeah, so that's good. You know, MikroTik, and I understand why, but at the same time, I get that it's not open source, but at least an open operating system that hopefully does not phone home. That's the biggest concern I have, you know: what all is it doing when it's phoning home, right? And so, are you
noticing that... I get that, not like that... I don't care about phoning home. I already know the Internet Service Provider is transparently looking at everything I do. I can't... and that's my concern, and that's my concern, and like yours. So anyone who's watching this on demand later, like, you know that your modem is doing that. You understand that they're monitoring traffic and connected devices and all those kinds of things, and you're fixing it, but the average Joe user just plugs in their modem. And I know even people at work, a couple of jobs ago, do the same thing, and I said, why are you doing that? Don't you know that this modem is publishing back to the provider? Oh, not only that, the devices that are on your network, on your internal private network. Yeah, yeah, yeah. But not only that, but also quite often, as is the case with the ISP for the internet at the studio, when they installed the Internet they said they have remote access to the router. Sure. And I said, well, disable that. To the modem, right? The modem, it has a built-in router. Yes. Okay, so be careful, because when you say router, you might infer that you're talking about an internal router. My internal... I don't have it. No, no, no, no, right, your modem has a built-in router. Yes, that's how it is, and it has a DHCP server and a firewall. Right, right. So the modem is basically a chip, that's what gives you the connection, and then you have the router, which is what's actually routing the traffic to the ethernet ports on the back of that modem, which is also a router, right. So, yeah, but because they have remote access to it, they can actually access not only my modem and router but my computer, my Samba shares, my files. They can access those things. They could, if it were directly connected to the Internet-provided... I'm talking about the average user who just allows them to install the modem and then just goes along using it as is. You're not the average user, because you've supplemented
that with this Netgear, right. So as far as bridging goes, usually... and I always bridge my modem, because I don't want my ISP having any access to my network, period. But as far as the first line of defense goes, I would just try bridging the modem, because usually you have the capability to just press a reset button and that'll take it back to its normal factory default settings anyway, so you can always experiment with it and see. So I figured that. But you know what, you have this situation where you've got two firewalls, so your first line of defense is the ISP's modem. Sure, yeah. So can you not set up a port trigger or port redirection on that modem? I tried it on the modem and it just won't work, and so I checked on various forums, various Google searches or whatever, and they say the only way to get around this is to bridge the modem, because you've got a dual firewall set up. So if you don't bridge the modem, you have to have your firewall built into the modem pointing to the Netgear and opening port 22, then you have to have the Netgear picking up on port 22 and then rerouting it to your internal IP. It's annoying, but that's the setup I used to do with the old DSL modem. Yeah, I had an old DSL modem prior to the U-verse modem, and the U-verse is considerably more complicated because, as you say, it has a router built in. So I think that if I were to default to port 22 it might work, but I'm deliberately not using 22. Oh, you can use whatever... no, not if I want to... I don't want hackers to... no, no, no. But you know, so think about your ISP modem: it could be port 1444 or something, right, and then that points to the IP address of the Netgear's LAN port. Apparently the only way that I could make it work with redirects is port 22 on the U-verse modem, yeah, or on the U-verse, DMZ it, yeah, which
are down to avoid death. I'm trying to avoid that. Yeah, so this thing... I have the same issue. They block it too. That's why, Robbie, sometimes you talk to me, since we work together, you say, can I SSH in? I'm like, no. And it's not my choice; it's actually your ISP that blocks it. Wow. Yeah, so I'm thinking of bridging mine and building a pfSense system to control everything. Oh yeah, he did that at Tim's house. He has a server there, and they had to replace the modem, but... he used to have, for many years, he had it in bridge mode, and before he bridged it he configured the modem so... yeah, the setup button, there's nothing... just have it trigger like an AI voice that says, don't touch that.

So my specific question to you, Robbie, before we had to cut it short again yesterday, was: what do you look for in a router that you would plug in internally, you know, that would be the only thing that connects from your U-verse or your cable modem or whatever it is you're using? Assuming you bridge that modem, that means that the router that you've connected is your primary line of defense, right? Now I know you're gonna say MikroTik, and I'm okay with that, but that's a brand. I'm still asking: what do you look for in a router that makes you feel comfortable that it will properly protect you? Yeah. And so, first of all, like, when I say MikroTik, MikroTik is a brand, right, so when I say, oh, go buy a MikroTik, that's because I've already used a whole bunch of different brands and have said, okay, this one has everything I need for much, much cheaper. So I have to be more careful with that, because... no, I'm saying these are the features, and I think this is your question: what are the attributes that I look for? So why did I inevitably settle on MikroTik? Price is a big part, for any brand or any item, so it can be any brand. So yeah, so two things I
think are key for me. One is I want it to have the capability of controlling how it caches things, so as an attack is happening, for example, I want to be able to control the responsiveness of my router. So if I come under a DDoS attack, I want to be able to shut down that DDoS attack without affecting my main services, and so that's important to me. MikroTik does that really, really well, and it allows it to kind of reroute traffic based on, for example, if I have said my computer's MAC address is this, then the MikroTik automatically skips over some of the checks for that MAC address, so it makes it a lot faster, right. Mm-hmm. So that's important to me. The second thing is I like my routers to have the same mentality that I have, which is lock down everything unless I say otherwise. Right, yeah, right. By default everything should be locked down. My router should be about security, so I shouldn't have to look at it and say, oh, that's open, I need to close that. That's the mentality of the ISP that leaves Universal Plug and Play selected. Yeah, yeah, exactly. I did not know that my old router had UPnP enabled for so long, before I just happened to run across a netcast somewhere: you should turn off UPnP, and here's why. All of the printers that the Canadian hacker printed to, it's because of UPnP. Oh, like half a million printers. So yeah, I mean, it's got to be locked down completely, securely, unless I say I want to open that, and when I open that I don't want just rudimentary on or off like DMZ; I want to be able to control the traffic. So that's part of it. So maybe that's three things, but I think that's still part of the routing aspect, in that I don't want to just say, yes, I'm going to allow SSH, which is what you do with the Netgear. I want to say I will allow SSH to this IP address because this is my home computer; I will allow it only with this SSL cert; I will allow it only from the country of Canada; and everything else I want
it to go through these filters before it's allowed. Or... so, to be clear, the Netgear router, and in fact the one I had prior to this one, is quite happy to accept and port forward SSH on a custom port. It does not have to be... plus when you... I think they always... that's true. Now, what I have not heard about, and this was what surprised me yesterday, was when you described how you could configure it so that you needed an SSH cert or an SSL cert to even be able to negotiate that connection, to even be able to open that connection from outside. That's something I'd never heard of before. It gets really sophisticated. It sounded a lot like port knocking to me. I don't think that... yeah, what are you... say again? So explain to me what it is. You know, he had something where you had to be authorized in order to initiate the connection. It sounded like old-fashioned port knocking, but I'm not sure if that is what he was talking about. You said port knocking? Yes. I've never heard of it either; I don't know what that means. Yeah, port knocking. He said you are pinging... you use some scripts to do that, it's automated, but you're pinging a specific port, and then maybe you're pinging a specific sequence of ports in order for port 22 to open. You're saying that's what a hacker would do to try and figure out if there's anything open on those ports, right? Like nmap? No, port knocking, he said. You are configuring what that sequence is: you are pinging port 10,000 and maybe 6400, you have a series of ports, two or three, and when you do that in a certain order, then port 22 is opened for you. That is why, having never heard of that, that is what came to me. I don't think that is what, from what Robbie described... and I'm sorry, Robbie, I don't mean to talk about you like you're not here. I kind of like it. I'm just about out of coffee.
Yes, from what you described, Robbie, it doesn't sound like that's what it is. It sounds like you specifically need a separate, I'll call it an SSH, you know, cert, or SSL, in order to actually make that connection, in order to initiate that SSL port-forwarding connection to your machine from outside. Yeah. Do you remember how we did it? Because it's rather sophisticated. What we did is we created a virtual appliance on one of the hypervisors that generated SSL keys, and then had the traffic routed from the MikroTik for the SSH to check and verify the SSL certificate before it allowed the routing of the traffic to SSH. It was really sophisticated, and this is because the boss was travelling and he didn't want other people being able to access SSH. How often has it gone wrong? Never. Okay, flawlessly. Yeah, okay. But again, I subscribe to the mindset of block everything unless I approve it, so with this capability, or this setup, we were able to open it up to him no matter where in the world he is, but yet still block it from any geographic region that we didn't approve, except if it was him that was there. Yeah. So again, by authorizing it, we then skip these other rules in the MikroTik router, or in the firewall, so it's really cool. I mean, it's one of those things like I couldn't tell you how I did that just off the top of my head, I'd have to look back at notes, but I can tell you anything that I've ever needed to do, we've just been able to do it. And if I were... so I got around that by picking a port number that was way up high in the address budget. Yeah, you can do that, but port scans can still happen for the whole 64 thousand ports. Yeah, yeah. And when they do happen, my MikroTik will say, all right, you've port scanned us five times, blocked, you're done. Yeah, yeah. So by the time they get to port five... they usually do. This kind of security that Robbie
has, it is to use SSH keys and set up your server to accept you to connect without entering a password. And that's what I do anyway, right. Yeah, man, that was the very first thing I set up before I even moved. Yeah. What many people forget is that once that is working, disable, as I said, disable password authentication. I've done that too; I've done that as well. I mean, I've had it happen before where I've changed the key but forgot to change, you know, I've changed the public key on the server but forgot to change the private key, or whatever it is, whatever sequence, and it says, yep, you can't... and then you don't have any other ways to authenticate, so you're not getting in. Yeah. The other thing I like to do to supplement my SSH protection is just have a single unit, which is quite often an ODROID-XU4 or some other SBC, but just a single unit that's allowed to receive SSH connections, and then that unit has LAN access to other resources on my LAN. Because sometimes people will open, you know, I'll have ten ports open in my firewall so that I can SSH to this computer and SSH to that computer and that computer, and then you get lax on your security on one of those computers and boom, that's an entry point for ransomware. So instead I have just one computer that I SSH to, and quite often I'll use a reverse SOCKS proxy through SSH to that and then access my network resources. Now, when you say the ODROID has access... that sounds like Peter's gotten on the phone... when you say the ODROID has access to the network resources, are you implying also the network drives, the Samba shares? Yeah. Well, then how is that any different to SSH from, you know, into any other machine that has that same access? And the ODROID also is an entry point, or could be, more... Oh, absolutely, but because I only have that one device, I can harden that device very securely and I can stay on top of keeping that device hardened, versus having to
harden every device on my network, which are supposed to be LAN, right. So I have one device that is WAN-accessible, and that device has CSF/LFD with the capability of, you know, blocking IP addresses based on failed login attempts, based on region-specific stuff. So right, your ODROID's doing that, or is the MikroTik doing that? The MikroTik would route the traffic to the ODROID; the ODROID would have CSF as a final line of defense. Okay. A little different: instead of having a small box, I have a full-blown desktop in my basement, and it's running on Linux with an iptables script that I use, and the modem is in bridge mode, and the main reason it's in bridge mode is because I want my server to have the public IP. And yeah, are you hardening on that? Yeah. That's cool. So consider this, just going back to the question, like, you know, how did I settle on MikroTik: I used to use m0n0wall and pfSense in a very similar scenario as you, with a PC with multiple NICs, and then when you realize that something like a MikroTik can use a tenth of the power... So it's multitasking; I wouldn't do that, I would always separate those into different devices. Yeah, I know. I have my new server; I might, during the summer when I get a few more drives in it, I might start a streaming server for things. Yeah, that's cool. But my router server, it's not... you're using a m0n0wall or... no, it's a full-blown Linux. Yeah, like Linux with iptables. Yeah, I got you. The only thing different from my normal desktop is that it doesn't have a graphical layer. Yeah. But you have BIND 9 running your DNS and everything on that as well, and DHCP on there as well? Yes. Cool, yeah, that's another way to do it. I'm like, I don't know if it's because, you know, I turned 40 and suddenly I'm like, I just want a little box that I can just plug in. Yeah, I've gotten lazy. I'm like, I'm lying
Lenovo laptops and HP desktops. Yeah. And I do get that. One of the things I do get concerned about is, once you can SSH into the main machine, now you've got access to everything, and that does bother me. No, once you've SSHed into the main machine, presumably the XU4 in my case, now you have to authenticate to get access to the network resources, right. In that machine you can't do it as the user who accesses it, which is a low-level user. Yeah. No, you can't access anything with that access. Now you have to elevate your user access to a user account on the system that has access to those resources; that user account is not allowed to connect to SSH. Oh, so you have to connect first, then elevate. I like it, I like it. But as with all homegrown security-type solutions, the more security there is, the more you have to do to get normal access to your... I'm fine with that, I have no problem with that, I'm well aware of it. So yeah. Hey Robbie, do you know off the top of your head the model of that MikroTik you're working with? No, however I did mention it on the show this week, and if you go to cat5.tv/mikrotik, yeah, it's the only one listed because it's the only one I've talked about so far. Okay. And it gives good Wi-Fi performance even though it doesn't apparently have any antennas. Yeah, and you know, that's fantastic. Yeah, I use one in our basement, in the cellar, and it does the Wi-Fi all the way up to the top floor of the house. It works really well. No, I couldn't live without it, really, these days. I didn't used to love it, but now I'm just like... it's just... you hear the answer, yeah. When you've got phones and tablets and all that, yeah, and I'm using voice over IP now, and yeah. Was that the place I lived? It was 70-odd condos sitting right outside and hacking into my... yeah. That's when you shut off the SSID and you don't let anyone in unless you know the MAC
address of the device that's connecting over Wi-Fi. Watch, I'm gonna be showing you some really cool stuff on the MikroTik. Yeah. I'm gonna just put this out there as a final thought: one thing that I hold true to, and that is really good food for thought, is that saying... it's a cliché, but it's so true: security through obscurity is not security. Oh, I agree. And just remember that as you're taking an approach to your router, to your setup: obscurity is not any amount of security, so just remember that. And that... moving my SSH port was not a move to obscurity; it was just a question of, you know, avoiding the hackers. It will cut it down ten times. Oh yeah, big time. Yeah, because there are script kiddies out there that just have a script that just scans IP addresses for port 22, so you just cut all those script kiddies off, right. It's the good ones who know what they're doing that you got to watch out for. I know, I know. Yeah, I also use that as well. Very good, very good, guys. I gotta run. Bill, the deer behind you is getting really full. This has been fun, guys. I appreciate the chance to... we'll talk more. This is good too, because these are things that I'm going to be talking about on the show, and that gives me some good viewer feedback as to, yeah, stuff that I should be talking about, so thank you for that. Yeah. But I'll be at the studio this afternoon and into tomorrow; tomorrow morning I'll be there, and so tomorrow's coffee break I'll be there. Okay. That's special pizza? Okay then. Yeah, all right guys, see ya. I enjoyed it. Thank you. Bye-bye.