[OZAPRS] Internet facing services, was Re: VK4TTT

Kim Hawtin kim at hawtin.net.au
Wed Jan 5 15:15:34 EST 2011


In the interests of staying calm and constructive...

Ian Bennett wrote:
>> not responding to ICMP makes debugging and testing a joy.
> Keeps out tyre kickers too.

Perhaps, but for folks who are actually interested and would like to 
learn more, it's an entry barrier that doesn't help. Internet facing 
services should do what your users expect.

The host didn't respond on port 80 in v4 or v6, nor ping. Known ports for 
these services respond with 'filtered' with the usual discovery tools.

Is it dead? Is there a routing problem? Is there a firewall problem?

So, the community suggests there might be an issue and reports a bug...

Reporting bugs is an important part of the community in free and open 
source software, not to mention commercial software. In the FOSS 
community, it's been very effective at progressing and pushing the 
boundaries. It's certainly something the Amateur Radio community can use 
to push back more boundaries. AR has effectively been doing it for the 
last hundred years, but within the group. The Internet offers up access 
and exposure to so many more people...

> If a host doesn't respond to pings, "they" assume it is not there and so look
> elsewhere.

"they" can use a range of tools of which ping is the first part.

If someone knows about a service that is advertised and has some 
destructive intent that "they" might imply, then not responding to ping 
makes the challenge all the more interesting.

Hidden in plain sight is a very effective defense model.
The more you obscure things, the more interest you create.

I've been in this game a while, on both the service-provider and 
pen-testing/security business. It's not hard to do right.

> Provided you know your network (and know what you are doing), you don't need
> ping for fault finding.

So you need to do some port scanning if you don't know what services 
are offered; note that 14580 isn't in the /etc/services of many systems. 
nmap shows some interesting things though...

I can understand that for a small group or an individual you might not 
have much time to deploy intrusion detection and the simple "deny all, 
allow only service ports" looks like an easy option. However at the 
expense of much more ongoing support ;)

Doing what your users expect saves you time and effort in the future =)

Also responding to bug reports can be easier with a FAQ.
http://www.aprs.net.au/ has some of the answers, if you know it's there.

Obviously I'm missing info in the big picture about APRS, but my license 
upgrade isn't that far off. Then I will also have more time to tinker with 
APRS with the gear I've put aside for it.

regards,

Kim VK5FNET
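
The three questions in the message above (is it dead, is it routing, is it a firewall) can be partly separated from the client side by how a TCP connection attempt fails. The following is an added example, not part of the original post: the host name aprs.example.net is a placeholder, and ports 80 and 14580 are the ones mentioned in the thread.

```python
import errno
import socket

PORTS = (80, 14580)  # the two TCP ports mentioned in the thread

def probe(family, sockaddr, timeout=2.0):
    """Classify one TCP connection attempt by the way it succeeds or fails."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"          # handshake completed: service is listening
        except (socket.timeout, TimeoutError):
            return "filtered"      # silence: packets dropped, or the host is down
        except ConnectionRefusedError:
            return "closed"        # RST came back: host is up, nothing listening
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"   # ICMP error from a router/firewall, or no route
            return "error"

def check(host, ports=PORTS, timeout=2.0):
    """Probe each port over every address family the name resolves to."""
    report = {}
    for port in ports:
        try:
            infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror:
            report[port] = {"dns": "unresolvable"}
            continue
        report[port] = {}
        for family, _, _, _, sockaddr in infos:
            label = "IPv6" if family == socket.AF_INET6 else "IPv4"
            report[port][label] = probe(family, sockaddr, timeout)
    return report

if __name__ == "__main__":
    # aprs.example.net is a placeholder host name, not one from the thread.
    for port, states in check("aprs.example.net").items():
        print(port, states)
```

A "filtered" result on every port, with ping also silent, is exactly the ambiguous case the message describes: from outside, a drop-everything firewall and a dead host look the same.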

