View Poll Results: Do you think your router is secure?

Voters: 30
  • Yes, I know it from inside out and I am a security expert: 0 (0%)
  • I think it is very secure: 10 (33.33%)
  • I don't know: 9 (30.00%)
  • It is not secure: 11 (36.67%)
Thread: ASUS systematic security proposal

  1. #1

    ASUS systematic security proposal

    Hello!

    Today I had a jolly unpleasant experience - I could no longer log in with my root password. I tried quite a few methods, but the bottom line was: ssh was working, http as well, but neither my password nor the default one was valid. It seems my box has been had. Now my ASUS sits on my table switched off and I have put my old trusty DD-WRT box in its place - no HDD for now.

    This event made me focus on a job that I have been thinking about for a couple of months:
    1) To create a more secure ASUS installation in which the focus would be not only on getting the services (disk, ftp, samba...) working, but on getting them working securely. After all, ASUS security should not be very different from any other UNIX box security. My aim will be to test it externally as well - from a friend's house.
    2) In this process, to create ASUS security guidelines - similar to marcnesium's and my tutorials. The guidelines could then be discussed and improved.

    I did not find a similar thread in these forums, therefore I think this could add to the overall good experience with ASUS. Of course I found http://wl500g.info/showthread.php?t=...light=security describing the horrible ASUS official firmware gap. I trust that Oleg's firmware does not have it - although I did not check, as my ASUS was offline.

    My proposed configuration would be:
    1. Hardware:
    - Firewall
    - HDD
    2. Software:
    - Oleg's current firmware
    - SSH
    - cron
    - samba
    - vsftpd
    - mc
    - nano
    - screen
    - ntpclient
    - nload
    - enhanced-ctorrent
    - additional security related programs discovered during this project

    Notes:
    * Security means that there is an easy routine for checking whether anything suspicious is going on. Therefore some system of logs and log analysis must be in place. I plan to get this bit from the available literature.
    * Command line access would be the mainstay. Essentially I think setting up an httpd and keeping it secure is an unnecessary task unless there is a huge advantage to that interface.
    * Some of the scope of security related questions are:
    - how to be sure your samba is not accessible from the Internet (yes, I know you can bind it to your LAN IP, but is it enough?)
    - how to be sure your ftp server is difficult to hack into, and how to alert yourself to serious attempts. I noticed that my ftp server got at least 300 login attempts during the first weeks, but I did not have a system to follow that up properly. I did not worry very much as it was chrooted, but still - was it the culprit?
    - how to make enhanced-ctorrent secure - run it from a non-root account for starters?
    - how to set up other accounts correctly so that the above services needn't run as root
    - etc...

    I am grateful for your comments and suggestions.
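The post asks for a routine that turns the FTP log into an alert when one client hammers the login. The following is an added example, not code from the thread or from vsftpd: a POSIX sh/awk filter that counts "FAIL LOGIN" lines per client address and reports the clients above a threshold. The log lines are constructed here in the shape vsftpd writes to its own log file (timestamp, pid, user, OK/FAIL LOGIN, Client "ip"); the addresses, pids and threshold are assumptions, so check them against your own /var/log/vsftpd.log before wiring this into cron.

```shell
#!/bin/sh
# Added example: per-client failed-login counting over vsftpd log lines.
# SAMPLE_LOG is constructed test data, not captured from the router in the thread.
SAMPLE_LOG='Tue Mar  6 22:10:01 2007 [pid 1811] [anonymous] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  6 22:10:03 2007 [pid 1811] [admin] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  6 22:10:05 2007 [pid 1811] [root] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  6 22:10:07 2007 [pid 1811] [test] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  6 22:11:40 2007 [pid 1815] [user] OK LOGIN: Client "192.168.1.20"
Tue Mar  6 22:12:02 2007 [pid 1820] [user] FAIL LOGIN: Client "192.168.1.20"
Tue Mar  6 22:12:09 2007 [pid 1820] [user] OK LOGIN: Client "192.168.1.20"
Tue Mar  6 22:15:30 2007 [pid 1830] [ftp] FAIL LOGIN: Client "198.51.100.77"'

# ftp_fail_counts: read vsftpd log lines on stdin and print "<count> <client-ip>"
# for every client with at least one FAIL LOGIN, busiest client first.
# The client address is the text between the first pair of double quotes.
ftp_fail_counts() {
    awk '/FAIL LOGIN: Client/ {
            split($0, q, "\"")
            fails[q[2]]++
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# ftp_alerts THRESHOLD: print only the client IPs whose failure count is
# strictly greater than THRESHOLD, one per line (empty output means "quiet").
ftp_alerts() {
    ftp_fail_counts | awk -v t="$1" '$1 > t + 0 { print $2 }'
}

# Demo run (pass --demo); from cron you would feed the real log instead:
#   ftp_alerts 20 < /var/log/vsftpd.log
if [ "${1:-}" = "--demo" ]; then
    echo "failed logins per client:"
    printf '%s\n' "$SAMPLE_LOG" | ftp_fail_counts
    echo "clients over threshold (3):"
    printf '%s\n' "$SAMPLE_LOG" | ftp_alerts 3
fi
```

Run from cron against the log, the non-empty output of ftp_alerts is what you mail to yourself or append to a separate alert log; a legitimate user who mistypes once (192.168.1.20 above) never crosses the threshold, while the address probing several account names does. On a busybox router, awk and sort are the only tools this needs.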

  2. #2
    Join Date: Nov 2006; Location: Lisbon@Portugal; Posts: 25

    I don't think that a router with a torrent client installed could ever be classified as "secure" or even "reliable". A reliable router must not need to be rebooted every now and then, and in my experience this is the case when torrent clients are active inside the router.

  3. #3

    Stable or secure?

    Well, in my experience ASUS was remarkably stable with enhanced-ctorrent working on it. It was routing OK at the same time; even Skype quality was OK. Of course, if there were more than 2 simultaneous torrents, then it would use the attached HDD for lots of swap activity, but 1 or 2 torrents were OK and I rebooted it perhaps once in 3 months. I think torrents and stability are more of a resources matter than security, and ASUS is a small computer.

    For security what would matter more IMHO is:
    -> user under which torrent is running
    -> availability or not of easy exploits for ctorrent
    -> plus the overall router security like ports to be open and for what purpose and what the ramifications might be

  4. #4
    Join Date: May 2005; Location: Maryland, USA; Posts: 13

    OK, I'm the bad guy who voted "not secure." I don't know all about Asus routers but I do know that electronic devices do not become secure by chance. If they become secure it's because of a lot of hard work by knowledgeable people. And in view of the performance problems Asus has had recently I think we can be sure that they have not been working hard on security.

    Furthermore, this root:root thing is not a back door---it's a front door. The only people who could install such a thing are people who are absolutely unconcerned about security and can't be bothered to consider how this hole could harm you.

    As users of Asus equipment we have two important advantages: Linux, which provides a sound foundation which can be hardened, and the many man-years of expert effort which have gone into learning how to harden it. Besides, we don't have to make our routers impervious, we only need to make them hard enough that these script-kiddies will return to easier victims.

    The basic principles of hardening a Linux router are not difficult to understand and are well-documented on the web:
    1. Run only the services you must run: firewall, NAT. Any host can run DHCP if you really believe you need it. Static addressing is much more secure, especially if combined with MAC filtering.
    2. Give each service only the privileges it really needs. No more running everything as root.
    3. Pay attention to the security alerts published by the distros. Because Asus does not publish such alerts, consider installing Debian or Gentoo or some other reputable distro.
    4. Simplest of all: when you're not really using your equipment, turn it off. Consider the environment. Consider your electric bill. Consider your credit rating.


    NE COGITE MALLEUM MAJOREM CAPE

    --- motto of a chariot repair shop

    ("Don't think about it, get a bigger hammer.")


  5. #5

    In a couple of weeks

    OK guys, it seems quite a few have looked at this; the opinion of those who cared to vote is evenly divided. In a couple of weeks I will start my ASUS security project and post the steps here along the way, as I very likely won't have the time to do everything in one day.

  6. #6
    I've just tested my 500gP with Nessus and the latest plugins. The only thing it had to say was that dropbear 0.47 can suffer from denial of service: if someone were to open 30 connections to it that's it, no more new connections for legitimate users. 0.48 solves this problem, we'll probably see it in the next of Oleg's firmwares.

    A few details are probably in order about how my Asus is set up.

    * It has Oleg's firmware, not the default one.
    * The firewall configuration is the default one, to which I've added: drop FTP (port 21) from the outside (I only use it in the LAN); allow SSH, but on a non-standard port, to cut down on dumb automatic probes; allow HTTP to lighttpd for the transmission CGI, again on a non-standard port; allow a port on both TCP and UDP for transmission to get more torrent peers.
    * NO access to the router web interface from the outside! I've also moved it to a non-standard port, just to be paranoid (see the interface to see how).
    * NO access to the FTP server from outside (it's vsftpd and I've bound it to the LAN IP only).

    Some ideas for securing the box as much as possible:

    Cut down on unnecessary services. What doesn't run and doesn't listen on an outside port can't be hacked from outside the LAN (it MAY be hacked if someone exploits a vulnerable program on a computer inside the LAN, such as Internet Explorer on an unpatched Windows, so it's a never-ending story). Use these commands to see what services you have: "netstat -tlnp" (also -ulnp for UDP and -xlnp for UNIX sockets). Kill daemons you don't use -- CAREFUL, see if the router still works after you do. If it does, add the kill command to the post-boot script and save to flash so it does it right after boot. From what I see, nas and snmpd are good candidates for killing. Also upnp, provided you don't use any programs on the LAN PCs that would need it (I run the torrent on the router so I don't). I think some messenger/VoIP programs may need it too.

    If possible and applicable, bind programs only to the LAN interface or IP. For instance, I've configured vsftpd to only listen on the LAN IP. DO NOT RELY ON THE FIREWALL ALONE TO BLOCK! The firewall is like duct tape; it's better not to rely on it for such things if it's possible to do it properly. The administration web interface would also be a very good candidate for binding to a LAN-only IP, but I haven't figured out how to do that yet.

    The firewall could be better. I'm not 100% happy with the default settings. Sure, they're a reasonable compromise between security and functionality, but if you want as much security as possible (which is the topic of this thread) there's room for improvement: a default policy of DROP on INPUT; elimination of redundant and useless rules; and best of all, very paranoid rules, which deny everything by default and allow only a small set of ports and services. But, granted, maintaining such a firewall is impossible for the average user; every time they install a new program that uses the net they would have to adjust the firewall. It takes a very knowledgeable person, and they must be willing to do it on a constant basis.

    That being said, here are my current firewall adjustments, performed in /usr/local/sbin/post-firewall. I use Oleg 1.9.2.7-7g-pre1. YMMV:

    Code:
    ## post-firewall receives the WAN interface as $1 and the LAN IP as $4
    ## (the other positional parameters are not used here)
    ## re-set default policy on input
    iptables -P INPUT DROP
    ## Allow access to various router services from WAN
    # (ssh, transmission, my own http); --syn so only new connections match,
    # established traffic is handled by the firmware's existing state rule
    for P in 22 60000 81; do
      iptables -I INPUT 1 -p tcp -i "$1" --syn --dport $P -j ACCEPT
    done
    # (transmission on UDP)
    iptables -I INPUT 1 -p udp -i "$1" --dport 60000 -j ACCEPT
    ## drop unneeded liberties
    # delete rule that allows FTP (-D only works if it matches the
    # firmware's rule exactly; check with iptables -L INPUT -n)
    iptables -D INPUT -p tcp --dport 21 -j ACCEPT
    # delete rule that allows http access on LAN, it's redundant
    iptables -D INPUT -p tcp --dport 80 -d "$4" -j ACCEPT
    Last edited by wirespot; 08-03-2007 at 09:10.
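Post #6 recommends "netstat -tlnp" (and -ulnp) to find listeners and binding services to the LAN IP rather than trusting the firewall, and post #4's first principle is to run only the services you must; post #1 asks how to be sure samba is not reachable from the Internet. The following is an added example, not code from the thread or from Oleg's firmware: a POSIX sh/awk filter over netstat output that lists every listener not bound to the LAN IP or loopback, minus the ports you expose on purpose. The netstat lines are constructed in busybox's column layout, and the LAN IP 192.168.1.1, the PIDs and the program names are assumptions.

```shell
#!/bin/sh
# Added example: audit listening sockets for anything reachable beyond the LAN.
# SAMPLE_NETSTAT is constructed test data in "netstat -tulnp" layout; it is not
# output captured from the router discussed in the thread.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:21          0.0.0.0:*               LISTEN      214/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      180/dropbear
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      230/smbd
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      150/httpd
tcp        0      0 127.0.0.1:9091          0.0.0.0:*               LISTEN      300/transmission-daemon
udp        0      0 0.0.0.0:161             0.0.0.0:*                           170/snmpd
udp        0      0 192.168.1.1:137         0.0.0.0:*                           231/nmbd'

# audit_listeners LAN_IP [ALLOWED]
#   Reads netstat -tulnp output on stdin. Prints "proto local-address pid/program"
#   for each tcp/udp listener whose local address is neither LAN_IP nor 127.0.0.1,
#   skipping entries named in ALLOWED, a space-separated list such as "tcp:22 udp:60000"
#   (the ports you deliberately opened in post-firewall). Empty output is the goal.
audit_listeners() {
    awk -v lan="$1" -v allow=" $2 " '
        $1 == "tcp" || $1 == "udp" {
            n = split($4, a, ":")           # "192.168.1.1:21" -> address, port
            addr = a[1]; port = a[n]
            if (addr == lan || addr == "127.0.0.1") next      # LAN- or loopback-only
            if (index(allow, " " $1 ":" port " ") > 0) next   # exposed on purpose
            print $1, $4, $NF
        }'
}

# Demo run (pass --demo). On the router, with the ports you meant to open:
#   netstat -tulnp | audit_listeners 192.168.1.1 "tcp:22 tcp:81 tcp:60000 udp:60000"
if [ "${1:-}" = "--demo" ]; then
    echo "listeners not restricted to LAN/loopback (ssh allowed):"
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners 192.168.1.1 "tcp:22"
fi
```

With the sample data and ssh on the allow list, the report names smbd on 0.0.0.0:139 and snmpd on 0.0.0.0:161: both are bound to every address, so they depend entirely on the firewall for protection, which is exactly the reliance post #6 warns against. The fix for each is the one the post describes: bind it to the LAN IP (samba's "interfaces" and "bind interfaces only" settings), or kill it from post-boot if you don't use it, then re-run the audit and expect empty output. A wildcard listener that is currently blocked by iptables still shows up here, by design; the filter reports what the firmware's own firewall rules would have to keep protecting.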
