How to make unRAID safer from router exploits?


johnny121b


I've been reading more lately about security failings (and even built-in weaknesses) in your standard home/office router.  I'm sure I'm not alone in the realization that my 40Tb sits one step away from the world ....the only thing separating the two, is a $140 router (in my case a Buffalo).  And of course, all the articles are sensationalized- they scream 80% of routers insecure, but there's never any details regarding the 20% that might be safe.

 

Are there any steps I should be taking to increase the security of my data?  (thinking primarily configuration changes on my server's slackware installation)...  Or even any commonly overlooked router configuration changes.  I don't use default passwords/logins.  Router's AOSS/WPS is off.  I use nonstandard ports with redirection for Sickbeard/Sabnzbd.  My firmware is up-to-date.  I don't share my media externally via PLEX.  Etc.

 

With all the talk of routers being open-doors to the bad guys, I'm wondering if there's any way to tell my server "don't talk to strangers" .....i.e. if the packets aren't coming from the machines inside my home, don't allow them.  Of course that's at-odds with Sickbeard/Sabnzbd plugins, which need access to function.

 

Thanks.

Link to comment

It's a wild time right now, in router land.  I think if I had an InnGate (see this), I'd trash it and buy something else!  Why would you want support people that clueless about security trying to fix it?!?

 

The only other things I can think of are turning off external admin access (remote administration, I'm sure you've done that), and turning off any services you don't use.  But of course if you happen to have one of those routers with a built in hard-coded back door, you're sunk, probably should pull the router plug and wait for new firmware.

 

You sound like you are doing the right things, keeping informed, keeping updated...  We are all learning here, trying to stay ahead of the bad guys.

 

Besides, no matter how careful you are, one of those unruly other users on your network will click on something they shouldn't, and introduce something inside your network!

Link to comment
of course if you happen to have one of those routers with a built in hard-coded back door, you're sunk, probably should pull the router plug and wait for new firmware.

 

Therein lies the problem.  All the articles are sensationalized- to attract attention, but light on details.  Their only concern is traffic- a hundred similar cookie-cutter articles, spewing panic that xx% of all routers have built-in security flaws....state of the internet is a mess....somebody needs to fix this...blah.blah.blah.  A few of the BETTER articles go so far as to say they've tested xx# of routers and found weakness.  But the common element to ALL the articles- they never specify WHICH routers were found with exploits.  Or worse- they will never specify which routers DIDN'T have problems.

 

I have no idea if my Buffalo router has problems, and thanks to shoddy reporting, I'll be the last to know.

Link to comment

I started doing some Googling...  Perhaps if we get more, we could prepare a wiki article, call it "Router Safety"?

 

Backdoor on Port 32764

  Published: January 2014; see this and this and this

  Systems:  many Linksys and Netgear, some Cisco, a few others; see first link above

  Vulnerability: backdoor listening on LAN on port 32764, a few routers listening also on WAN; allows hackers to gain complete control

  Test: "telnet local_IP 32764" (e.g. telnet 192.168.0.1 32764); if it times out with "connection failed", you are safe

  Fixes: close port with firewall rule; upgrade firmware; replace firmware with open source firmware; replace router

 

Asus routers and unprotected external hard drives

  Published: January 2014; see this and this

  Systems: Asus routers with USB ports for external hard drives

  Vulnerability: default settings left the external hard drives wide open to the Internet

  Test: check settings for attached hard drives

  Fixes: upgrade firmware; correct the settings

 

TheMoon malware

  Published: February 2014; see this and this

  Systems: select older Linksys Wi-Fi Routers and Wireless-N access points and routers

  Vulnerability: hackers gain admin access without admin credentials, then set up a botnet to infect others, etc.

  Test: none; check if a vulnerable model with older firmware (see first link above)

  Fixes: upgrade firmware; turn off remote admin

 

It's just a start, more to add when I or others have time and interest ...  More links welcome!

Link to comment

Prompted by this thread, I took a quick look and I'm a bit disappointed that unRAID exposes so much to the network, even when services are supposedly shut off.  I just ran a network scan against my server, and even though I have disabled AFP, NFS and FTP via the webGui, the ports for those services are still open and listening, which is a huge security no-no.  Unused services should be shut down and/or disabled - even uninstalled if in production - not just "unconfigured-but-still-running".

 

Looking through the Wiki, I'm not finding any initial security configuration documentation.  I've found where the root password is changed and some docs on setting security on Samba, AFP, etc.  But there really should be a "Production Ready" document that runs through all the security settings and configurations and gives advice on places where you may have to compromise.

 

I know security on Linux and networks pretty well (17 years of enterprise IT and web), but I'm not all that familiar with unRAID and the community yet.  I'd be happy to contribute to such a document on the Wiki.  But I will humbly ask that someone else lead the effort until I am more familiar with things around here.  RobJ's idea is well-intended, but we would just be re-documenting what's already out there.  What we need is info on how to secure unRAID thoroughly.

 

IIRC, that 80% statistic is actually an aggregation of devices that fail security tests for many reasons. But the #1 reason across the board is that they were not properly configured by the owners.  Default passwords, exposed management UIs, all kinds of dumb stuff.  Best you can do there is try to determine whether the router you have is OK or needs to be updated or replaced.  And make sure you run through the initial security configuration!

 

Just in case you weren't paranoid enough about this problem: http://www.csoonline.com/article/2906137/cloud-security/lost-in-the-clouds-your-private-data-has-been-indexed-by-google.html

 

Link to comment

Here's the thing, every time security has been brought up in the past it has always been met with "unRAID isn't secure and isn't meant to be secure, so don't put it on the internet", so best of luck trying to get that mentality changed.

 

 

No, it's even worse than that.

There's a perception that your local lan is secure and there's little need to apply security updates to software that exists on your secure local lan.

Link to comment
There's a perception that your local lan is secure and there's little need to apply security updates to software that exists on your secure local lan.

 

Kinda like Microsoft Windows, right? Because Windows workstations and servers are usually connected DIRECTLY to the Internet, without any level of security protection.  And while corporate networks are commonly breached despite equipment costing tens or hundreds of thousands of dollars, the $169 router I bought at Staples will surely protect my network, when my son visits a malware-infected site looking for game cheats, or Grandma clicks the flashing "Your computer is infected!" link on her favorite gossip site. </sarcasm>

 

NO NO NO BAD WRONG and 100% UNACCEPTABLE!

 

Please note my frustration is directed at Lime-Tech, not anyone on the forum.

 

I had to delete the rest of my post.  I'm so frustrated right now about this, I can't even tell you.  I'll have to get back to this after I have cooled off a bit.

 

EDIT: Let me just plop this here.  If your home network is so secure, how could this ever be a problem? (and believe me, it already is)

http://www.symantec.com/connect/blogs/digging-deeper-nest-security

Link to comment

The $169 router I bought at Staples will surely protect my network, when my son visits a malware-infected site looking for game cheats, or Grandma clicks the flashing "Your computer is infected!" link on her favorite gossip site.

 

This has been the position/argument for a few people in the great debate of applying slackware security patches in a timely manner.

Link to comment
  • 2 months later...

Mmmmm, crow.

 

I'd like to officially apologize to Lime Tech for shooting off my mouth (keyboard?) about security.  I do infrastructure for a living and deal mostly with companies like Adobe and MongoDB, whose software runs in the hundreds of thousands of dollars. And this is for clients who invest millions of dollars into the environments we build.  My point is that I came into a situation with an inflated and false sense of the lay of the land, if you will, and a huge case of assumption about things I knew not about.

 

So enough excuses.  Sorry about that.

 

Really, I do want to see more security in unRAID, and I may be someone who can help improve the situation. So I've got a part-time project going here, making note of the things I think need to be addressed.  Most of it is normal stuff I deal with all the time and can just write up procedures for hardening. 

 

My main concern is protecting unRAID from the threat of a locally connected computer that has become infected or breached.  It seems like the two main use cases for unRAID are home media and SOHO file storage, which are the most at risk of loss due to a local breach.

 

I'll post a new thread when I have some meat to offer on this...

 

Link to comment
