Poll: Do you think your router is secure? (30 voters)

  • Yes, I know it from inside out and I am a security expert: 0 (0%)
  • I think it is very secure: 10 (33.33%)
  • I don't know: 9 (30.00%)
  • It is not secure: 11 (36.67%)

Thread: ASUS systematic security proposal

    I've just tested my 500gP with Nessus and the latest plugins. The only thing it had to say was that dropbear 0.47 can suffer from denial of service: if someone were to open 30 connections to it, that's it, no more new connections for legitimate users. 0.48 solves this problem; we'll probably see it in the next of Oleg's firmware releases.

    A few details are probably in order about how my Asus is set up.

    * It has Oleg's firmware, not the default one.
    * The firewall configuration is the default one, to which I've added: drop FTP (port 21) from the outside (I only use it in the LAN); allow SSH, but on a non-standard port, to cut down on dumb automatic probes; allow HTTP to lighttpd for the transmission CGI, again on a non-standard port; allow a port on both TCP and UDP for transmission to get more torrent peers.
    * NO access to the router web interface from the outside! I've also moved it to a non-standard port, just to be paranoid (see the interface to see how).
    * NO access to the FTP server from outside (it's vsftpd and I've bound it to the LAN IP only).

    Some ideas for securing the box as much as possible:

    Cut down on unnecessary services. What doesn't run and doesn't listen on an outside port can't be hacked from outside the LAN (it MAY be hacked if someone exploits a vulnerable program on a computer inside the LAN, such as Internet Explorer on an unpatched Windows, so it's a never-ending story). Use these commands to see what services you have: "netstat -tlnp" (also -ulnp for UDP and -xlnp for UNIX sockets). Kill daemons you don't use -- CAREFUL, check that the router still works after you do. If it does, add the kill command to the post-boot script and save to flash so it does it right after boot. From what I see, nas and snmpd are good candidates for killing. Also upnp, provided you don't use any programs on the LAN PCs that would need it (I run the torrent client on the router, so I don't). I think some messenger/VoIP programs may need it too.

    If possible and applicable, bind programs only to the LAN interface or IP. For instance, I've configured vsftpd to only listen on the LAN IP. DO NOT RELY ON THE FIREWALL ALONE TO BLOCK! A firewall is like duct tape; it's better not to rely on it for such things if it's possible to do it properly. It would also be a very good idea to bind the administration web interface to the LAN IP only, but I haven't figured out how to do that yet.

    The firewall could be better. I'm not 100% happy with the default settings. Sure, they're a reasonable compromise between security and functionality, but if you want as much security as possible (which is the topic of this thread) there's room for improvement: a default policy of DROP on INPUT; elimination of redundant and useless rules; and best of all, very paranoid rules, which deny everything by default and allow only a small set of ports and services. But, granted, maintaining such a firewall is impossible for the average user; every time they install a new program that uses the net they have to adjust the firewall. It takes a very knowledgeable person, and they must be willing to do it on a constant basis.

    That being said, here are my current firewall adjustments, performed in /usr/local/sbin/post-firewall. I use Oleg 1.9.2.7-7g-pre1. YMMV:

    Code:
    #!/bin/sh
    # /usr/local/sbin/post-firewall: Oleg's firmware runs this after the default
    # rules are loaded, passing WAN interface ($1), WAN IP ($2), LAN interface ($3)
    # and LAN IP ($4).
    ## re-set default policy on input
    iptables -P INPUT DROP
    ## Allow access to various router services from WAN
    # (ssh, transmission, my own http)
    for P in 22 60000 81; do
      iptables -I INPUT 1 -p tcp -i "$1" --syn --dport "$P" -j ACCEPT
    done
    # (transmission on UDP)
    iptables -I INPUT 1 -p udp -i "$1" --dport 60000 -j ACCEPT
    ## drop unneeded liberties
    # delete rule that allows FTP
    iptables -D INPUT -p tcp --dport 21 -j ACCEPT
    # delete rule that allows http access on LAN, it's redundant
    iptables -D INPUT -p tcp --dport 80 -d "$4" -j ACCEPT
    Last edited by wirespot; 08-03-2007 at 08:10.
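As an added example (not the poster's code), here is a small POSIX sh/awk check in the spirit of the "netstat -tlnp" step and the "bind to the LAN IP, don't rely on the firewall alone" advice above: it reads netstat output and lists the listeners that are not bound to loopback or the LAN IP, i.e. the ones whose exposure depends on iptables alone. The LAN IP 192.168.1.1, the PIDs and the sample netstat lines are constructed.

```sh
#!/bin/sh
# Added example: which listeners are reachable from the WAN side by *binding*,
# i.e. would be exposed if the firewall rule covering them disappeared?
# Input is "netstat -tlnp" / "netstat -ulnp" output on stdin; argument is the LAN IP.
# Busybox-friendly: POSIX sh plus awk only.

# Print "proto port program" for each IPv4 socket not bound to loopback or the LAN IP.
exposed_listeners() {
  awk -v lan="$1" '
    $1 == "tcp" || $1 == "udp" {
      n = split($4, a, ":")                  # "0.0.0.0:22" -> ip "0.0.0.0", port "22"
      ip = a[1]; port = a[n]
      prog = $NF; sub(/^[0-9]+\//, "", prog)  # "101/dropbear" -> "dropbear"
      if (ip == "127.0.0.1" || ip == lan) next
      print $1, port, prog
    }'
}

# Constructed sample in netstat layout (not captured from a real router).
# vsftpd is bound to the LAN IP and transmission to loopback; the rest listen on 0.0.0.0.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      101/dropbear
tcp        0      0 192.168.1.1:21          0.0.0.0:*               LISTEN      102/vsftpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      103/httpd
tcp        0      0 127.0.0.1:9091          0.0.0.0:*               LISTEN      104/transmission-daemon
udp        0      0 0.0.0.0:161             0.0.0.0:*                           105/snmpd
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           106/upnp'

# Run the check against the sample with an assumed LAN IP of 192.168.1.1.
audit_sample() {
  printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 192.168.1.1
}

audit_sample
```

On the router itself, `netstat -tlnp | exposed_listeners <LAN IP>` gives the candidate list for rebinding or killing; anything it prints on port 80 or 21 is exactly the case the post warns about.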
