Page 1 of 3 (results 1 to 10 of 29)
#1  Newbie (joined Feb 2019, 5 posts)
    Subject: newbie on a brand new install & intrusion detection

    On a brand new install, from scratch, without changing a thing, my understanding is
    that by default all incoming ports are closed? If so, is there any reason to configure and turn on intrusion detection at all?

    Isn't it that, by default, ports 80 & 110, 143, and 465 are open?

    I am paranoid with all the "bad" hacking going on; I just want to do all I can to keep from incoming attack. Yes, I will use the Untangle virus apps & features.

#2  jcoehoorn, Untangle Ninja (joined Mar 2010, York, NE, 1,948 posts)

    By default, all inbound ports are closed, with no exceptions, and all outbound ports are open.

    Basic internet traffic will work this way, even with all inbound ports closed, because the sessions for that traffic originate in the outbound direction.

    Intrusion prevention scans traffic in both directions; it can be useful for detecting traffic from infected systems on your local network, or for detecting attacks in situations where you've needed to create a port forward rule to allow inbound traffic, such as with UPnP for Xbox Live/PSN or hosting a web service on the connection.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

#3  LaurentR, Untangler (joined Jan 2019, 91 posts)

    If you use Untangle as your router (i.e. not in bridge mode):
    * NAT is enabled, so by default no internal machine is accessible from the outside unless a session has been started by an internal machine. Making an internal machine accessible would require adding a rule in Config/Network/PortForwardRules.
    * The Untangle box itself will respond to a few types of requests from the outside, mostly related to ping/routing/VPNs. The rules are available in Config/Network/Advanced/AccessRules.
    * Several of the other tabs in Config/Network (and the Firewall app) allow you to play with what happens, but these are all blank by default. This also assumes UPnP is off (which it is by default).

    You are unlikely to get much benefit from running IPS in a typical home install with no internal service accessible from the outside. In their YouTube video on IPS, Untangle mentions (paraphrasing, possibly poorly or inaccurately) that IPS is used to cover the gap between when vulnerabilities in services are exploited and when the vulnerabilities are closed in the services, as it's much quicker to add a signature to an IPS list than to fix and deploy software. I should add that tuning the IPS app is a full-time job, so it is likely too much, at least initially.

    IPS is also able to deal with suspicious accesses coming from the inside (e.g. clicking on malware links), which may have more value to a home network.
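
    The default posture jcoehoorn and LaurentR describe in #2 and #3 (every inbound port closed, outbound open, replies admitted only because an internal host opened the session, port forwards the one exception), as an added toy model. This is not Untangle's code and reads none of its configuration; the addresses, the `StatefulNat` class, the verdict strings and the port-preserving source NAT are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed addressing for the example (documentation ranges, not real hosts).
LAN_PREFIX = "192.168.1."      # internal network behind the firewall
WAN_IP = "203.0.113.10"        # the firewall's public address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulNat:
    """Minimal model of a NAT router with a default-deny inbound policy."""
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port).
    # One entry per session an internal host opened. A real implementation
    # also expires these entries; this model never does.
    sessions: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    # (proto, wan_port) -> (lan_ip, lan_port): explicit port-forward rules.
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    @staticmethod
    def is_lan(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def add_port_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.port_forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def handle(self, pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Return (verdict, internal target) for one packet."""
        if self.is_lan(pkt.src) and not self.is_lan(pkt.dst):
            # Outbound is open by default. Source NAT keeps the source port
            # when it is free, otherwise takes the next one up.
            wan_port = pkt.sport
            while ((pkt.proto, wan_port) in self.sessions
                   and self.sessions[(pkt.proto, wan_port)][:2] != (pkt.src, pkt.sport)):
                wan_port += 1
            self.sessions[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return "ALLOW-OUT", None

        if not self.is_lan(pkt.src) and pkt.dst == WAN_IP:
            key = (pkt.proto, pkt.dport)
            entry = self.sessions.get(key)
            # A reply is accepted only from the exact remote endpoint the
            # internal host talked to; anything else on that port is unsolicited.
            if entry is not None and entry[2:] == (pkt.src, pkt.sport):
                return "ALLOW-REPLY", entry[:2]
            # Otherwise the only way in is an explicit port-forward rule.
            if key in self.port_forwards:
                return "ALLOW-FORWARD", self.port_forwards[key]
            return "DROP", None

        # LAN-to-LAN or traffic not addressed to us: outside this model.
        return "DROP", None


def demo():
    """Walk through the cases the thread describes; returns the verdicts."""
    fw = StatefulNat()
    attacker = "198.51.100.7"      # constructed external host
    web = "198.51.100.80"          # constructed external web server
    results = []
    # 1. Unsolicited inbound connection to port 80: no session, no rule -> dropped.
    results.append(fw.handle(Packet("tcp", attacker, 40000, WAN_IP, 80)))
    # 2. An internal host browses to the web server: outbound is open, session recorded.
    results.append(fw.handle(Packet("tcp", "192.168.1.20", 51000, web, 443)))
    # 3. The server's reply matches the recorded session -> allowed, translated back.
    results.append(fw.handle(Packet("tcp", web, 443, WAN_IP, 51000)))
    # 4. Someone else probing the same translated port is not a reply -> dropped.
    results.append(fw.handle(Packet("tcp", attacker, 443, WAN_IP, 51000)))
    # 5. Hosting a web service needs a port-forward rule; from then on port 80
    #    is reachable from anywhere, which is the case where IPS earns its keep.
    fw.add_port_forward("tcp", 80, "192.168.1.50", 80)
    results.append(fw.handle(Packet("tcp", attacker, 40001, WAN_IP, 80)))
    return results


if __name__ == "__main__":
    for verdict, target in demo():
        print(verdict, target)
```

    The fourth case is the part worth noticing: a translated port being open for one remote peer does not make it open for anyone else, because the state table matches on the full reverse tuple, not just the port. The fifth case is the one both replies warn about: once a port-forward rule exists, the default-deny no longer covers that service, and only the service's own hardening (and an IPS in front of it) does.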

#4  Newbie (joined Feb 2019, 5 posts)

    Thanks for such a prompt response.....
    So would you suggest turning it on?
    My understanding is that it requires lots of resources from the hardware, like it's RAM intensive?

    Will 16GB with a 240GB mSATA be good enough? (Dual Core Celeron 3865U processor)
    or
    will 8GB with a 120GB mSATA be good enough? (Intel Quad Core Atom E3845)

#5  LaurentR, Untangler (joined Jan 2019, 91 posts)

    Note: Previous thread with various opinions:
    https://forums.untangle.com/intrusio...home-user.html

    I am still experimenting myself with what may make sense for IPS. I recommend you deal with the rest of Untangle first; IPS should be last, when everything else is working to your liking.

    Even with IPS on, 4GB is plenty for home use. Really no need for more.
    Storage use is just for logging purposes. Account for 0.5-1GB/day and multiply by how many days you want to store. That number can go up quickly if you have lots of users. I have only 4 (very active) users on most days.

#6  jcoehoorn, Untangle Ninja (joined Mar 2010, York, NE, 1,948 posts)

    Quote (originally posted by LaurentR):
    Storage use is just for logging purposes. Account for 0.5-1GB/day and multiply by how many days you want to store. That number can go up quickly if you have lots of users.
    If you want to use an SSD, also multiply by about a factor of 3 to 5 so there's enough space for wear leveling to spread across the disk, and then add a few GB for the base system.

    So let's say you have a system that runs about 2GB of logging per day (not unusual for a small business), and you want a full 30 days retention. You're looking at a 480GB SSD, or 320GB if you can still find one (2x30x5 = 300). But if you can reduce the retention to 20 days (2x20x5 = 200), or if you can stomach replacing the disk sooner (2x30x3 = 180), you could fit this on a 240GB SSD.

    But my home system, which logs less than .5GB per day most days, can fit okay on a 64GB disk with around 25 days retention (.4x25x4 = 40).
    Last edited by jcoehoorn; 02-20-2019 at 01:38 PM.

#7  LaurentR, Untangler (joined Jan 2019, 91 posts)

    I wouldn't worry too much about oversizing a drive for wear leveling on modern SSDs. Because of low Program/Erase cycles on modern flash, wear leveling algorithms are highly aggressive with large DRAM caches (and more recently even SLC NAND caches) and require no explicit over-provisioning from the user.

    For example, the 250GB version of the ubiquitous (and highly recommended) Samsung 860 EVO ($58 in 2.5" and $68 in mSATA on amazon.com) has an endurance rating of 150TBW (TeraBytes Written). At 2GB/day from untangle, that's >200 years. Even if you're worried about the traffic being pathological, you're very far from the endurance limit of the disk.

    The really cheap (but solid) Crucial BX500 120GB ($23 in 2.5" on amazon.com) is rated at a lower 40TBW, still >50 years @ 2GB/day.

    YMMV on older / no name SSDs.
    Last edited by LaurentR; 02-20-2019 at 09:44 PM.

#8  sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 26,510 posts)

    Quote (originally posted by LaurentR):
    I wouldn't worry too much about oversizing a drive for wear leveling on modern SSDs. Because of low Program/Erase cycles on modern flash, wear leveling algorithms are highly aggressive with large DRAM caches (and more recently even SLC NAND caches) and require no explicit over-provisioning from the user.

    For example, the 250GB version of the ubiquitous (and highly recommended) Samsung 860 EVO ($58 in 2.5" and $68 in mSATA on amazon.com) has an endurance rating of 150TBW (TeraBytes Written). At 2GB/day from untangle, that's >200 years. Even if you're worried about the traffic being pathological, you're very far from the endurance limit of the disk.

    The really cheap (but solid) Crucial BX500 120GB ($23 in 2.5" on amazon.com) is rated at a lower 40TBW, still >50 years @ 2GB/day.

    YMMV on older / no name SSDs.
    Well, I worry... because even a modern SSD will buckle under the write strain of Untangle's constant logging. It writes vastly more information to disk than your typical desktop. So you do need to under-provision it to ensure you're going to get the expected lifespan; it burns much faster than you'd expect, but also much slower than most of us who have been using SSDs on Untangle since the bad early days of the technology are afraid of.

    Still, it's a server, and SSDs are cheap; easy enough to just slap a larger one in there, use a smaller partition and never have to worry about it.

    You are, however, again not wrong. Heck, look at these statistics from the Samsung EVO 840 120GB in my Untangle server:
    Code:
    ------------------------------
     SSD Status:   /dev/sda
    ------------------------------
     On time:      72,076 hr
    ------------------------------
     Data written:
               MB: 22,849,417.230
               GB: 22,313.884
               TB: 21.790
    ------------------------------
     Mean write rate:
            MB/hr: 317.018
    ------------------------------
     Drive health: 21 %
    ------------------------------
    I'm trying to kill this poor thing and it just won't die!
    Last edited by sky-knight; 02-20-2019 at 10:49 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#9  LaurentR, Untangler (joined Jan 2019, 91 posts)

    Very interesting data!
    At 21% health, it looks like you're close to your goal :-)
    Does the reported 317MB/hr (7.6GB/day) correspond to the 2GB/day of logs you were mentioning earlier?

    With 21% health, it looks like your 840 EVO will do ~28 TBW before dying.
    Interestingly, the 840 EVO predates Samsung making TBW guarantees.
    https://www.samsung.com/semiconducto...port/warranty/

    OTOH, I am using an 850 EVO 250GB lifted from an old PC and have 20TB written and 92% health. The stated endurance for that drive is 75 TBW, so I assume it's currently way overshooting its rating from having been in a media PC with a lot of easy, very large file writes.
    Last edited by LaurentR; 02-20-2019 at 11:38 PM.

#10 sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 26,510 posts)

    Oh yes, that's why I kept this drive around. The Samsung EVO 840 line was the first line of "good" SSDs to hit the shelf. Prior to that everything was simply garbage, and everything that's released after that is orders of magnitude better.

    This system is for my home; it also protects my business operations because I work from here too. But it's a very small amount of total traffic. It's set for 30 days of retention and I'm consuming 14% of the drive doing so. That's only 16.1GB used of a 114.04GB partition, with 15 maximum active devices and 265 known devices. So if you run the math, I'm only consuming .536 GB/day on average. But you can see the mean write rate above: 317MB/hour = 3.8GB/day. But that's also over the life of the disk; current use is a bit different, and Untangle used to be heavier on the writes! System requirements have actually decreased over time with Untangle in general.

    But still, larger networks can often consume MUCH more writes depending on the features used, especially if you fire up Intrusion Prevention and Spam Blocker on the same rig! So when I sell appliances I have to assume a full operational load when I spec an SSD, despite the fact that most won't use it. So I pack Samsung 850 EVOs or Pros depending on class, and then use a 120GB partition on the disk to limit the consumption. The aim is to ensure at least a 5 year disk no matter what. Users are free to break that mold of course, and SSDs have gotten so cheap that it's not so much of an issue anymore. But just a few years ago SSDs were very scary; the 32GB models would burn up in 6 months! Terrible time...

    P.S. I'm losing a percentage point of health about every week and a half. So I've got at least six months left.
    Last edited by sky-knight; 02-21-2019 at 03:18 AM.
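
    The sizing and endurance arithmetic spread across posts #6 to #10, collected into one added example. It is not code from the thread or from Untangle; the inputs are the figures the posters quoted (including the vendor TBW ratings, which are taken from their posts rather than verified here), and the function names, `thread_numbers()` and the linear-wear assumption in `projected_tbw()` are mine.

```python
DAYS_PER_YEAR = 365.25


def log_partition_gb(gb_per_day, retention_days, wear_factor=1.0, base_gb=0.0):
    """jcoehoorn's rule (post #6): daily log volume x retention, times a 3-5x
    factor to leave an SSD room for wear levelling, plus a few GB for the base system."""
    return gb_per_day * retention_days * wear_factor + base_gb


def retention_days_that_fit(disk_gb, gb_per_day, wear_factor=1.0, base_gb=0.0):
    """Inverse of the above: how many days of logs a given disk holds."""
    return (disk_gb - base_gb) / (gb_per_day * wear_factor)


def years_to_tbw(tbw, gb_per_day):
    """LaurentR's check (post #7): rated endurance in decimal terabytes written,
    divided by daily writes, gives the years before the drive reaches its rating."""
    return tbw * 1000.0 / gb_per_day / DAYS_PER_YEAR


def mean_write_rate_mb_per_hr(mb_written, on_time_hr):
    """What the drive summary in post #8 reports: lifetime writes over power-on hours."""
    return mb_written / on_time_hr


def gb_per_day_from_rate(mb_per_hr):
    """Convert the hourly rate to the daily figure the rest of the thread uses."""
    return mb_per_hr * 24 / 1000.0


def projected_tbw(tb_written, health_pct):
    """Extrapolate the total writes at which the health counter reaches zero
    (post #9). Assumption: the counter falls linearly with bytes written. The
    real indicator tracks P/E cycles, so this is only an estimate."""
    consumed = 1.0 - health_pct / 100.0
    if consumed <= 0:
        raise ValueError("no wear recorded yet; nothing to extrapolate from")
    return tb_written / consumed


def weeks_remaining(health_pct, weeks_per_point):
    """sky-knight's last observation (post #10): weeks per point of health lost."""
    return health_pct * weeks_per_point


def thread_numbers():
    """Recompute the figures quoted in posts #6 to #10 from their stated inputs."""
    evo840_rate = mean_write_rate_mb_per_hr(22849417.230, 72076)
    return {
        # post #6: 2 GB/day, 30 days, 5x wear factor; home box .4 GB/day, 25 days, 4x
        "sizing_30d_gb": log_partition_gb(2, 30, 5),
        "days_on_240gb": retention_days_that_fit(240, 2, 5),
        "home_64gb_gb": log_partition_gb(0.4, 25, 4),
        # post #7: 150 TBW and 40 TBW drives at 2 GB/day
        "evo860_years": years_to_tbw(150, 2),
        "bx500_years": years_to_tbw(40, 2),
        # post #8: 22,849,417 MB written over 72,076 power-on hours
        "evo840_mb_per_hr": evo840_rate,
        "evo840_gb_per_day": gb_per_day_from_rate(evo840_rate),
        # post #9: 21.79 TB written at 21% health; 20 TB written at 92% health
        "evo840_projected_tbw": projected_tbw(21.790, 21),
        "evo850_projected_tbw": projected_tbw(20, 92),
        # post #10: one point of health per ~1.5 weeks, 21 points left
        "evo840_weeks_left": weeks_remaining(21, 1.5),
    }


if __name__ == "__main__":
    for name, value in thread_numbers().items():
        print(f"{name:>22}: {value:,.2f}")
```

    Two things fall out of running it. First, 317 MB/hour is 7.6 GB/day, while the retained logs on the same box amount to about .5 GB/day: the drive sees every write the system makes (database churn, rotated and overwritten log files, temporary data), not just the data that survives the retention window, so judge a drive's endurance by its measured write rate, as sky-knight does, and not by how full the log partition looks. Second, the health-based projection for the 850 EVO (roughly 250 TBW) is far above its 75 TBW rating, which is LaurentR's point that the rating is a warranty floor, not a prediction of failure.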
