LeRoy Cressy on 31 Aug 2008 04:34:38 -0700


Re: [PLUG] Question about Remote Desktop through a NAT


brent timothy saner wrote:
> Brian Vagnoni wrote:

> No, but the router's always on. Assuming it's an end-user residential
> gateway/router/firewall, i.e. Linksys WRT54G, THAT is not turned off.
> the modem is also always on. do you have ANY idea how easy it would be
> to bruteforce that? instant admin access to the router/gateway is a
> dangerous, dangerous thing, no matter WHAT context. security by
> obscurity does not a good practice make. case in point: who do you think
> is affected more by phishing scams, big enterprise businesses or home
> users? what about malware/botnetting? i'd argue that they're an EASIER
> target. only skids (script kiddies) target big corps and defacement;
> they want to make a name for themselves (and usually get their ass
> handed to them on a rusty platter). the REAL threat lies in those that,
> much like predators in the wild, focus on the "sick and weak"- the home
> users. i'd rather expend an hour and get 5 successful targets than spend
> an hour on one big guy only to be crushed because i was greedy,
> impatient, and stupid.

Even with a gateway router firewall it is still best to set up your own
iptables firewall filtering out everything except ssh from a specific
trusted host.  Also allow mail and web access to get out.

Only open up ports that are required and block everything else.

>> Assuming it is for a time limited event of, 
>> open remote admin ssl port, login(user name & password), 
>> make router changes, close admin port, connect to computer
>> via opened ports.

Access to any gateway router should only be from the local network with
a real user name and password.  Get rid of a stupid name like admin!

> do you do this?

> security should ALWAYS, ALWAYS be a concern, whether it's mentioned or not.
>> No you haven't misinterpreted me. 
>> This isn't NASA, NSA, VISA, or even a POS system.

Even a home system should be locked down like the above should.
Numerous POS systems need to tighten their security!

>  the odds of
>> penetration by a script kiddie and the time and effort it 
>> takes to exploit an up to date endpoint firewalled Linux
>> based system with its own set of login creds in the time
>> limited event window I've outlined above is indeed very close
>> to astronomical.

Still, root attacks happen and you should set up ssh so that root cannot

edit /etc/ssh/sshd_config
PermitRootLogin no

--
 Rev. LeRoy D. Cressy  mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
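
The two hardening steps described in the message above (a default-deny iptables policy that admits ssh only from one trusted host, and `PermitRootLogin no`), written out as an added example that is not part of the original post. The address 192.0.2.10, the outbound port list and the DNS rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. 192.0.2.10 is a constructed
# documentation address standing in for the trusted ssh host.

# valid_ipv4 ADDR: accept only a dotted quad with octets 0-255, so a typo or
# an empty variable can never turn the ssh rule into "from anywhere".
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_ruleset TRUSTED_IP [OUT_TCP_PORTS]: print an iptables-restore ruleset.
# Default outbound ports (smtp, http, https) and the DNS rules are assumptions.
gen_ruleset() {
    trusted=$1; out_ports=${2:-25,80,443}
    valid_ipv4 "$trusted" || { echo "bad trusted host: $trusted" >&2; return 1; }
    case $out_ports in ''|*[!0-9,]*) echo "bad port list" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $trusted/32 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $out_ports -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# root_login_disabled FILE: sshd keeps the first value it reads for a keyword,
# so only the first uncommented PermitRootLogin line counts. Match blocks are
# not handled here.
root_login_disabled() {
    first=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$first" = "no" ]
}

# Stand-alone run: print the ruleset for the trusted host given as $1.
[ $# -eq 0 ] || gen_ruleset "$1"
```

Saving the output to a file and feeding it to `iptables-restore --test` as root parses the ruleset without committing it. The rules cover IPv4 only.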

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug