Over 5 years ago SANS stated that the "Time To Own" for an unpatched
Windows box connected to raw Internet was around 4 minutes, although they
did admit that this would vary based on the network and other factors -
http://isc.sans.org/diary/Survival+Time+on+the+Internet/4721
Connecting *anything* to unfiltered Internet in order to configure it is
absolutely the wrong thing to do. Even if the config is only going to take
a few minutes, it's still asking for trouble.
Scott
On Sat, Dec 7, 2013 at 7:36 PM, Pete Mundy wrote:
A story along a similar line that reinforces this view:
I put a phone on public IP space a few weeks back, then got sidetracked while configuring it. Before I had even returned to enter a new admin password and the correct SIP details (only 1/2hr later!), the phone had already been attempting to dial out on its own. Turns out a robot had found it on its public IP with port 80 open and started issuing it dial commands before I even had a chance to go about locking it down.
It was unable to dial out as it hadn't had the correct SIP server or login details configured, but it just goes to show that the device really needs to be locked down _before_ being put on any publicly accessible IP space, even if just for provisioning purposes!
Pete
On 8/12/2013, at 3:17 PM, "Dobbins, Roland" wrote:
On Dec 8, 2013, at 8:46 AM, Don Gould wrote:
Clearly you can't even put a quick and dirty box in place to just prove
a concept without having to bolt it down.
Correct - it simply isn't viable to expose an unpatched/unsecured box to
the Internet at all, due to all the automated scanning/hacking activities taking place.
+1 to the other folks who recommended more workable solutions - 'GeoIP'
isn't exact at all, and not all bad nodes (of any nationality) are in China.
Roland Dobbins
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog