jjjacer | Multiple supported properties
I work for an HSIA provider for hotels. We have multiple hotels that use Qwest, and it seems a couple of times a month we have issues where Qwest blocks the internet and puts up a page about possible virus/bots.
The problem is when this happens guests can't get online, which can cost the hotel a lot of money on walkouts.
The biggest issue is these are open networks where hundreds of computers come and go on a daily basis and there is no way of stopping a guest computer with a virus or bot or spammer from joining the network and causing issues. Then by the time we get a notice about it, usually the guest has left the hotel. Is there any way to get Qwest to set it up to not block internet access at these sites? All they are doing is making their customers mad because something that was uncontrollable happened and there is nothing that can be done to prevent or stop it days after the event. |
|
Bink | Configure your systems/firewalls appropriately so that when an infected client joins your network, they are prevented from attempting to infect other systems on the Internet.
This is your problem, not Qwest's, even though Qwest is taking due diligence and preventing their network from being used as a vehicle to spread viruses. |
|
jjjacer | Any place I can get a list to block these in our iptables firewall rules? |
|
| I do not have a commercial interest, however gratuities accepted?
Maybe you can cut-and-paste from existing software's "host files"?
On my own computer,
I have a router with NAT and "stateful packet inspection".
In the router, I manually "authorize" the MAC ID of the computers and devices in my control. If I notice a "slow down" I check my internet speed with SpeedTest.net and I change the 104-bit randomly generated password in the router. I have free software to randomly generate passwords: use case sensitive letters and numbers, plus random symbols on the keyboard. For ease of use, use cut-and-paste.
In the computer, I have Panda Cloud antivirus - free (I change, if something is better). I have PC Tools Firewall Plus - free (I change, if something is better) with "stealth" enabled. I check to see all ports are closed and "stealth" with GRC.com. Note: The Antivirus-Firewall "do-it-all" Suites are not better!
I take all security updates for Windows, for Javascript, for Adobe Flash. I take all security updates for Firefox.
In Firefox, I have Ad blocker and AdBlock Plus: I have all the host files in English and from "Eastern European countries" and Asian. Take all of the host files, if you have an international hotel.
If you like, you can selectively block p)rn sites, warez, and Limewire, free music and other "malware" websites' URLs.
This can be done a number of different ways: in the router, in the browser, or by purchasing "nanny" software designed for families.
However, "nanny" software does not have to BLOCK all "adult sites" if you so choose. You make the selections. That said, I would BLOCK uTP ports and eMule to avoid "excessive use policy" enforcement from your internet provider.
In addition, I have recommended our local public library computers have no USB ports, no SD slot, and no floppy drive on their public computers, because this is how most "malware" is introduced by patrons.
I also recommend their public computers have only access to internet and that on the desktop, no Start or My Computer.
I would have email disabled, requiring use of the patron/customer's own "online email" like gmail, for example.
I would put that statement with the welcome to-the-hotel rules.
If I had a hotel, I would have PC "drones" with no accessible ports whatsoever in the rooms, with everything networked into an on-location server, that or WiFI I control.
In fact, the motels I stay at have only WiFI.
If they are smart, they change their randomly generated password "daily" to be picked up with your room key at the desk. |
|
jjjacer | We do use password control, with randomly generated passwords that the FD hands out; however, the router for the hotel is an embedded Linux system that is very limited in what we can add to it. Most of the firewall rules are done in iptables; we do block some P2P but haven't found a way to eliminate it. The best way to think of our router is a very powerful Linksys running a stripped-down version of Debian 4.0.
Beyond that we have no control over what's on the guest computers; if they come from their home with a virus or bot, there is nothing we can really do to detect or block them. However, usually they are unable to affect other computers at the hotel due to client isolation.
As far as open ports, our routers have 80 (for our portal system), 22 (remote management, only available from our office), and 1111 for VPN.
The biggest issue is not computers at the hotel, but laptops that guests bring in from elsewhere. We cannot advertise offering free WiFi if we have to block people from using their devices because we can't be sure they have a clean computer.
The problem is I'm not finding anything online really that gives me known ports and firewall rules that I can apply to our systems, and without these it is next to impossible to prevent a user with an infected laptop from causing problems with Qwest.
So basically I can:
1. Block internet for guests: tough luck, we offer free WiFi but you can't use it because we can't trust you.
2. Force guests to install software and call tech support to get online, causing larger call volumes and more headaches for support.
3. Deal with Qwest blocking internet access to the hotel once a week and hope an account holder can call when this happens and get them unblocked.
4. Plead with our hotels that have Qwest to drop them and find a better ISP that treats businesses better than home users.
This is why I wish there were a way for Qwest not to block internet on hotels, as it is very hard to control what's coming into the hotel, even with firewalls on our equipment; it won't stop dirty guest PCs, and then if we don't allow guests to use their wireless devices, well, we can't advertise free wireless internet and most guests demand that hotels have this. |
|
| Are you allowing patrons/customers to plug directly into ethernet?
I am mystified, you can "catch a virus" from WiFI.
It is possible to have a deliberate attack.
"malware" websites made deliberate attacks.
Hostile "patrons/customers" make deliberate attacks.
"Angry neighbors" make deliberate attacks.
Internet "bots" attack Windows-systems. Internet "bots" attack commercial sites with "exploits" to find credit cards.
I would not have the "referrer string" have the name of the hotel.
Maybe you are having deliberate attacks?
. . .
"we cannot advertise offering free wifi if we have to block people"
When travelling, I stay at motels and at campgrounds. I go to coffeeshops and restaurants.
Their WiFI "front page" at the "login" has "the rules" usually in the context of "Welcome to the"...
Their WiFI is free. I don't see why you cannot.
. . .
I have used Pandasoft Active Scan to clean local county government computers of very nasty "trojans".
I have even cleaned a worm out of a MAC once.
Do you have something nasty, that replicates, like a worm?
I recommend a Pandasoft Active Scan to start.
. . .
It might be helpful for you to get Comodo; even Comodo-free has Geek Buddy and a forum. |
|
jjjacer | Does Pandasoft Active Scan run from a Linksys router, or a device with only 4-5 MB of free space and very little RAM?
The issue is, with the limited resources we have, a 233 MHz router with a few megs of RAM, running an old version of Linux that has not been supported for years, it is hard to change anything to detect and stop virus/malware/bots on computers we don't own.
Secondly, who would let someone else scan their computer? When you go to a motel or hotel do you hand your laptop over to staff so they can scan it before going online, or do you just connect to WiFi or ethernet, accept the terms and go online?
Now yes, you can catch a virus from WiFi, but we have client isolation; no devices on our network should be able to communicate with each other, only with the gateway/our router.
If the attacker is a guest and is doing it on purpose, we usually notice due to the high bandwidth usage. Spam is usually stopped as we use redirection of email on port 25. Small bots that don't cause much network traffic are very hard to detect, especially since sometimes they work on port 80.
The issue we are having: we get a guest that shows up to the hotel, has some virus/bot that does bad things on the internet and then leaves the next day; then the internet is blocked 7 days later when the guest is already gone, making everyone at the hotel pissed.
And what I meant by "we can't block people if we offer free WiFi" is we can't just turn WiFi off forever, because if we turn it on the internet gets blocked by Qwest when a guest with an infected computer joins.
So essentially we can either not have WiFi, or have WiFi and get blocked once a week. |
|
 | If you can go to Pandasoft Active Scan with your system, I would think they can scan it. Maybe javascript is a requirement.
The terms can be anything you like.
I was at a campground whose Welcome screen said "This is a family-friendly place. For that reason, we allow no adult sites".
Another way to get attacks, I forgot to mention, is Live Chat.
You could ban Live Chat: Every public place I have been bans Live Chat.
I am not a professional. I am just a somewhat tech-savvy person who uses internet and "helps out" when I can.
I really only know "machine language". I wrote "new syntax" that created the GUI, well, more than printed fan-folds of Snoopy and Merry Christmas and flat-art on the old amber-screen displays. It created the C++ language. I should be rich and famous.
All the things I said are always "good information".
I do not know how to implement any of that on your system.
For one thing, I don't know if you have VPN, or what. I do know an "IT Professional" can make software run silently in the background. However, finding that "IT Professional" is not easy.
But a firewall and an antivirus is always "a good thing".
There must be a small-footprint low-resources firewall that runs on Linux. Look to a legacy-Linux part of a Linux forum?
I do know Frisk has F-Prot Antivirus for Linux.
Malwarebytes may run on Linux.
The "Cloud" antivirus will even work on embedded systems on a chip.
I recommended an enterprise-level firewall once to a small government. Their tribal government, actually, said their ISP was taking care of it for them. Not. |
|
jjjacer | The problem with antivirus is it will only protect our router, and nothing else, as there is no way to scan computers that we do not have access or rights to.
We do ban some services, and I'm thinking we should ban IRC, as that is what most bots use to initiate attacks. The problem with blocks, even with notices in the terms page, is guests believe that the internet is supposed to be 100% open and that we do not have the right to block access; heck, even terms pages piss guests off.
It's a tough subject: you want things secure and workable, but you don't want guests to call in every 5 min because they don't know how to click accept, or because our page asking them to accept is blocking their Yahoo and they will sue us if we don't remove it. (We hear it all!!)
Sorry if I sounded a bit of an ahole but I've been in a bad mood, as being tech support means everyone blames you for problems. I'm thinking of setting up OpenDNS on our Qwest sites and blocking P2P and a few other sources of bad stuff. |
|
| reply to Bink | said by Bink: "This is your problem, not Qwest's, even though Qwest is taking due diligence and preventing their network from being used as a vehicle to spread viruses." Totally disagree. Qwest shouldn't be blocking any traffic, especially on a commercial account with large public access points.
Our university's provider gets tons of these bot notifications, but we have never had our connection shut off.
We have hundreds of public access points, our provider understands the nature of our network.
Find a different provider. |
|
| reply to jjjacer | I know the frustration.
I just ordered Bresnan/Optimum. Why? I couldn't take more "run-around" abuse.
Their "Sales Professional" answered straight questions with straight answers, and, didn't say go to the website after your account starts whenever. I have an appointment to install the service in a "half-day window". I like Direct Pay. She set up "Direct Pay". No hassles.
But.
If you have a different ISP, your problem will not "just go away".
I say "ban" IRC. Yes. Most "script-kiddies" use IRC.
I think a nice printed card handed at sign-in is acceptable.
I have had a laminated card presented before signing in.
I think savvy-travelers know there is internet abuse.
I would say, it is important to have it all be pleasant:
"Do you want internet?
We have had to make rules (handing the laminated card).
If you have no objection, you may have a password.
(adding, as appropriate) You will, likely, find there is nothing objectionable (smile pleasantly)."
That should keep your patrons/customers from engaging your personnel in a conversation about the "issues".
If someone tries to "discuss the issues", be courteous but firm.
"That is a Management (better: Owner) decision, sorry".
If they go across the street to a different hotel, you may have saved yourself from getting blocked by your ISP.
The fact you have ethernet is a big plus for business-class travelers.
The business-class travelers, after all, are very likely your "bread-and-butter". Keep ethernet, if only for their rooms and suites.
Make room/suite assignments appropriately. |
|
| said by ConnieD: "If you have a different ISP, your problem will not "just go away"." For the most part I bet it would. Get a provider that understands the nature of the business.
When our provider tried this shit, we told them we don't want any network management or we are finding another provider. Can't afford to have our internet down on a state university.
Our rep looked like he just shat his pants and said ok! I guess the thought of losing a 25,000 user network didn't sit well.
Being a university we have an open information policy, and don't restrict our internet unless we are given ample reason to.
Their stupid "network management" got so bad, faculty were buying private connections for their offices in our buildings because some of their distributed computation software would get random resets. We spent untold hours trying to locate the problem on our end, only to find out it was our ISP's "management".
Policing every connection that comes through your building is going to be impossible, and a management nightmare. And, in my state we are not required to do so. We have a few guidelines to follow, which we do. Illegal activity is handled by the proper authorities, of which I am not one. |
|
| reply to DataRiker | "Open-internet"? Really?
I know organizations that have their IT Professionals use "packet-sniffers" to keep their systems running clean. The "packets" are "packets" in the data stream.
I would think an ISP would be doing that at their internet backbone or trunk. |
|
| Not entirely open. We do have bandwidth management, but our users are free to use the network how they feel.
As for what our ISP does after our network, I don't much care as long as it doesn't block traffic. ISPs are apparently not very good at distinguishing automated research software from zombie bots. |
|
Bink | reply to DataRiker | If your network is being used to attack other networks, it is your responsibility to rectify the situation or you should be cut off from the rest of the Internet. If you lack the capacity to manage your own network, you shouldn't be in the business of providing network access. |
|
| Actually, I am not allowed to block traffic for adults unless I have notification from the proper authorities. Our public network falls under the same laws that our public libraries do.
Furthermore, our bandwidth monitoring system would prevent any type of coordinated attack from becoming even remotely an issue. |
|
jjjacer | reply to Bink | The problem is it's not always preventable, especially on open networks, where you only control your devices, not what guests bring in. And I wouldn't mind them blocking during the attack or sending the warning when it happens; then we can block the user doing the abuse. However, sending us the notice, or blocking, days later will do no good at helping us.
If there was a list of known botnet ports/IPs that we could add to our firewall rules, I would; it's not hard, but a lot of it is not well documented. In the latest email the device came from port 2812 and attacked port 80, at least that's what the ISP saw. But there was no one on the network putting out this traffic, so we have no way of figuring out what was causing it.
Biggest issue, these devices have limited resources for logging, so if someone was doing something it is usually not logged, or if it is, a reboot will erase all logs as they are in ramdisk and not saved to flash. |
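One way to get the attribution the post above says the router lacks, added here as an example and not code from anyone in the thread: parse the netfilter LOG lines a rule such as `iptables -A FORWARD -i br0 -p tcp --syn -j LOG --log-prefix "HSIA-OUT "` would emit (sent to a remote syslog host so they survive a reboot of a ramdisk-only box), and report which internal IP and MAC fans out to many hosts or touches IRC/SMTP ports, the two things the posts flag as bot and spam behaviour. The "HSIA-OUT" prefix, the br0/eth0 interfaces and every log line are constructed assumptions.

```python
import re
from collections import defaultdict

# Destination ports worth a closer look on a guest network: IRC (classic bot
# command-and-control) and direct SMTP (spam). A hit is a hint, not proof.
WATCH_PORTS = {6667: "irc", 6697: "irc-tls", 25: "smtp"}

# Netfilter LOG layout. "HSIA-OUT" is an assumed --log-prefix; MAC= holds
# destination MAC, then source MAC, then ethertype (14 colon-separated bytes).
LOG_RE = re.compile(
    r"HSIA-OUT IN=(?P<inif>\S+) OUT=\S+ MAC=(?P<mac>[0-9a-f:]+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return the fields of one LOG line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # Bytes 7..12 of the MAC field are the guest device's own MAC address.
    ev["client_mac"] = ":".join(ev["mac"].split(":")[6:12])
    ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
    return ev

def summarize(lines):
    """Per internal source IP: its MAC, distinct (dst, port) targets, watched hits."""
    per_src = defaultdict(lambda: {"mac": None, "targets": set(), "watch": []})
    for ev in filter(None, map(parse_line, lines)):
        entry = per_src[ev["src"]]
        entry["mac"] = ev["client_mac"]
        entry["targets"].add((ev["dst"], ev["dpt"]))
        if ev["dpt"] in WATCH_PORTS:
            entry["watch"].append((ev["dst"], WATCH_PORTS[ev["dpt"]]))
    return per_src

def flag_hosts(summary, max_targets=3):
    """Sources that fan out to more than max_targets hosts or touch a watched port."""
    return sorted(src for src, e in summary.items()
                  if len(e["targets"]) > max_targets or e["watch"])

def _log(mac, src, dst, spt, dpt):
    # Constructed sample line in the real netfilter layout (router MAC 00:1a:2b:3c:4d:5e).
    return (f"kernel: HSIA-OUT IN=br0 OUT=eth0 MAC=00:1a:2b:3c:4d:5e:{mac}:08:00 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")

# Constructed log: one guest hitting five web servers from source port 2812 (as in the
# ISP notice above), one guest on IRC, one guest doing ordinary HTTPS, one stray line.
SAMPLE_LOG = [_log("aa:bb:cc:dd:ee:01", "10.0.0.23", f"203.0.113.{i}", 2812, 80)
              for i in range(5, 10)] + [
    _log("aa:bb:cc:dd:ee:02", "10.0.0.41", "198.51.100.9", 51000, 6667),
    _log("aa:bb:cc:dd:ee:03", "10.0.0.9", "192.0.2.10", 49152, 443),
    "kernel: unrelated message",
]
```

Running `flag_hosts(summarize(SAMPLE_LOG))` names 10.0.0.23 and 10.0.0.41, and the summary gives the MAC to match against the portal's session records, which is what a notice arriving days later cannot do.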
|
| reply to DataRiker | Does the "bandwidth monitoring system" include "packet sniffing"?
Or total bandwidth usage from one location? |
|
| I was under the impression it was the total bandwidth usage per location.
Interestingly, until a few years ago we routinely blocked explicit sites, until a student brought to our former boss's attention that we may be violating the law.
A few consultations with our law school confirmed indeed we were. (Of course none of the law professors totally agreed, but we erred on the side of caution.) |
|
| reply to jjjacer | Port 2812...
I would think a port sniffer, that attacks an open port or uses an "exploit" would have come from the internet, not in-house. |
|