LeRoy Cressy on 31 Aug 2008 04:34:38 -0700
brent timothy saner wrote:
> Brian Vagnoni wrote:
>
>
> No, but the router's always on. Assuming it's an end-user residential
> gateway/router/firewall, i.e. Linksys WRT54G, THAT is not turned off.
> the modem is also always on. do you have ANY idea how easy it would be
> to bruteforce that? instant admin access to the router/gateway is a
> dangerous, dangerous thing, no matter WHAT context. security by
> obscurity does not a good practice make. case in point: who do you think
> is affected more by phishing scams, big enterprise businesses or home
> users? what about malware/botnetting? i'd argue that they're an EASIER
> target. only skids (script kiddies) target big corps and defacement;
> they want to make a name for themselves (and usually get their ass
> handed to them on a rusty platter). the REAL threat lies in those that,
> much like predators in the wild, focus on the "sick and weak"- the home
> users. i'd rather expend an hour and get 5 successful targets than spend
> an hour on one big guy only to be crushed because i was greedy,
> impatient, and stupid.

Even with a gateway router firewall it is still best to set up your own
iptables firewall filtering out everything except ssh from a specific
trusted host. Also allow mail and web access to get out. Only open up
ports that are required and block everything else.

>
>> Assuming it is for a time limited event of,
>> open remote admin ssl port, login(user name & password),
>> make router changes, close admin port, connect to computer
>> via opened ports.

Access to any gateway router should only be from the local network with
a real user name and password. Get rid of a stupid name like admin!

>
> do you do this?
>
> security should ALWAYS, ALWAYS be a concern, whether it's mentioned or not.
>
>> No you haven't misinterpreted me.
>>
>> This isn't NASA, NSA, VISA, or even a POS system.

Even a home system should be locked down like the above should.
Numerous POS systems need to tighten their security!

>
>
> the odds of
>> penetration by a script kiddie and the time and effort it
>> takes to exploit an up to date endpoint firewalled Linux
>> based system with its own set of login cred's in the time
>> limited event window I've outlined above is indeed very close
>> to astronomical.
>

Still, root attacks happen and you should set up ssh so that root cannot
log in.

edit /etc/ssh/sshd.config

PermitRootLogin no

-- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
http://lrcressy.com                               ( o.o )
Phone:  215-535-4037                               > ^ <
gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:  http://lrcressy.com/linux/mozilla.pdf
For info on gpg:       http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
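
The host firewall policy described in the message above (drop everything, accept ssh only from one trusted host, let mail and web traffic out), written out as an added example that is not part of the original message. The function names, the port lists, the DNS rule and the 192.0.2.10 sample address are assumptions made for illustration; the script only prints rules in iptables-restore format and changes nothing by itself.

```shell
#!/bin/sh
# Added example (not from the original message): emit an iptables-restore
# ruleset with default-deny policies, inbound ssh from one trusted host,
# and outbound mail/web. Port lists and the DNS rule are assumptions.
MAIL_PORTS="25,465,587,993"   # assumed: SMTP, SMTPS, submission, IMAPS
WEB_PORTS="80,443"            # assumed: HTTP, HTTPS

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address into octets on "."
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for trusted host $1; print no rules and fail on bad input,
# so a malformed address can never end up inside a rule.
emit_ruleset() {
    valid_ipv4 "$1" || { echo "invalid trusted host: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $1/32 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $MAIL_PORTS,$WEB_PORTS -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root): sh ruleset.sh 192.0.2.10 | iptables-restore --test
if [ "$#" -gt 0 ]; then emit_ruleset "$1"; fi
```

Checking the output with iptables-restore --test before loading it, and from a console rather than over the ssh session being filtered, avoids locking yourself out of the box.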