1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Tomato & Network Security

Discussion in 'Tomato Firmware' started by Low-WRT, Nov 5, 2007.

  1. Low-WRT

    Low-WRT LI Guru Member

    This may not be the correct forum for this, but I do use Tomato, so here it goes:
    I'm curious why admin access over the internet isn't safe.

    A little background:
    I have a network hard drive that serves my wife's home business website. Port 80 is forwarded to that.
    I like to check the router status from work as well as use WOL command to turn on my home computer. I then use Remote Desktop to access it.
    So, my only open ports are 80, 3389, & the port of router access.
    Since my ip is dynamic and I use dyndns.com, I can't use https.

    So, to gain access, wouldn't someone have to correctly guess my access port, then figure out my password to gain access?
    Why is ssh safer? If they figured out my password they could still get in?
    Thanks for the help, and pardon my ignorance.
     
  2. Macskeeball

    Macskeeball LI Guru Member

    If you can't use https, your connection isn't encrypted. Your login is sent in the clear as plain text. SSH stands for secure shell because it is encrypted.

    Yes, if someone (or some bot) knew the IP and figured out your SSH password, they would gain access. However, SSH can be configured to use public and private key cryptography rather than username and password, meaning that the private key (protected by a passphrase in case of system theft) would be required to gain access.
     
  3. RonWessels

    RonWessels Network Guru Member

    Suppose I'm a evil person who works where you do. I put a packet sniffer on my machine that watches all network traffic (ignore the effect of intelligent switches for the moment). I see you access your home machine using HTTP on a bizarre port, which piques my interest. I check out the contents of those packets and there in clear-text is your router password. I write it down along with your access port, and go play with your router myself when you are not around. From the configuration of your router, I deduce your WOL and remote desktop setup and go play on your home computer. Cool! A website! Every web site needs a little porn!
     
  4. Low-WRT

    Low-WRT LI Guru Member

    Thanks.

    Is there a way to access the Tomato GUI remotely using ssh?
    Is that what Roadkill's mod does?

    Is accessing Remote Desktop secure?
    Thanks
     
  5. Low-WRT

    Low-WRT LI Guru Member

    Well, I've done some playing around and I got Putty all set up.
    I can now send a WOL command through ssh to my main home computer.
    Then, I can access it through Remote Desktop, which lets me do whatever I need to.
    Thanks for clearing up "how and why" http isn't safe. (I didn't realize that, through remote http admin access, I was basically broadcasting my router's password.)
     
  6. jon124

    jon124 LI Guru Member

    and don't forget, they wouldn't have to guess the port, I could run an nmap on you and find every port you have open /services listening
     
  7. Maggard

    Maggard LI Guru Member

    We don't need to posit 'random evildoer', if your local network administrator is doing a good job your unusual online activities at work will be noted. From there 'doing follow-up' could extend beyond reasonable caution to active disruption or even improper access of your home files. (That'd be bad, but there are Bastard Operators From Hell out there.)

    As a former network administrator let me reassure you folks creating encrypted connections from our work systems, through our protective firewalls, to their home devices, is something that concerns us greatly. We worry about sensitive information being illicitly transferred off-site, viruses & worms getting copied in through our defenses, remote hackers getting real-time encrypted access to our networks & systems, etc.

    Thus let me recommend you have a preemptive chat with your local IT folk. Reassure them you're not engaged in any nefarious activities, you're not transferring files or sending death threats to elected officials or looking at porn or whatnot. Consider having one look over your shoulder as you demonstrate just how prosaic your activities are. Finally IMHO limit your connections to home to brief ones during your break time, the same as a personal phone call.
     
  8. HennieM

    HennieM Network Guru Member

    Using ssh is good, but you can also use HTTPS if you want to access the router's web configuration. This has very much the same effect of encrypting all the traffic from your PC (where-ever that may be) to your home router, so you don't "broadcast" your password.

    @RonWessels: To be fair, a Basic Authentication username/password is not quite clear-text, but pretty close to it.

    As to Win Remote Desktop's security: MS says that the RDP used in (I assume) WinXP and lower, is not secure. I dunno HOW insecure it is.

    @Maggard: Although I agree in general with the IT folk paranoia, I never could see why they get quite so riled: If I wanted to leak info I'd rather do it off my laptop while at home, hand somebody my memory stick, or maybe even have a chat with my "the competition" friend at church...
    But, good advice Low-WRT, those IT guys might treat you as 006, or summarily block your i-net access...
     
  9. Low-WRT

    Low-WRT LI Guru Member

    Thanks for all the help.
    I think I read somewhere that https doesn't work with dyndns.com. So, that's why I'm using ssh, which is working just fine.
    I can logon remotely and issue a WOL command to my home pc. Then, I can access via Remote Desktop. BTW, none of this access is necessary, I just can't stop fiddling with my settings--which is why I'm on this board to begin with.:)

    We're a very small company. My office-mate is in charge of "IT", so no problems there. If anything major happens, another IT company comes in to fix it.
     
  10. davemuk

    davemuk LI Guru Member

    I use no-ip.com which allows https. Works a treat.

    Dave
     
  11. Macskeeball

    Macskeeball LI Guru Member

    I want to clarify that when you send or receive data that is not already encrypted over an unencrypted protocol, everything is in the clear, not just your username and password. That means content, not just usernames and passwords. I recommend that you give the Security Now podcast a listen if you can, and definitely go back to the older episodes and listen in order.

    Hopefully it goes without saying that if someone or some bot/malware has sniffed a password of yours already, even if you encrypt it they have your login until you change it.
     
  12. Maggard

    Maggard LI Guru Member

    Different types of threats.

    Joe Schmoe copying the customer contact list to his laptop or iPod and taking it home we can’t do much about. (However you’d be astonished how often Joe Schmoe cluelessly emails those to their home address 15 minutes before they tender their resignation.)

    Indeed those sorts of things are pretty much expected. Any large list of customers or the like will have a few ringers in it just to catch this sort of misuse. The civil and criminal procedures & penalties are almost rote; it sux but it’s bearable.

    However home computers are typically cesspools. The odds of a home PC having some sort of nasty on it are something like 50%. With kids involved it becomes near certainty. Punching a hole through our firewall to a family PC is the same as dragging it into the office and plugging it in our data center next to the servers...

    Which leads to the big nightmare: Ongoing direct access to systems.

    Joe Schmoe probably can’t get into too much trouble. Even senior execs & IT folks have limits on our access. However Vlad the Hacker coming in live can cause no end of trouble; far more then a single or set of purloined files.

    The disaster? Five miles from where I’m sitting: TJX Corp.

    Nearly 100 millions of customer files remotely accessed over a period of years. A pilfering that requires each one of those millions of people to change their credit cards, spend the next decade watching for evidence of fraud or identity theft, etc. All costing the company in ill will, lawsuits, greater insurance premiums, distraction from other business concerns, and in several cases professional disgrace.

    That’s a`scale you can’t achieve chatting after church. Even stupidly copying confidential information to a laptop & having it stolen is`difficult to compare. A store WiFi router in Minnesota (in)secured with WEP, lax security – preventable, unconscionable, and potentially catastrophic.

    So before dodging around those annoying barriers the corporate IT drones have put up understand what you’re doing, and what sort of responsibility you’re taking on.
     
  13. HennieM

    HennieM Network Guru Member

    https://myrouter.dyndns.com/ does not work, but http://myrouter.dyndns.com/ does work? I think you might have misunderstood. I'll try to explain for what it's worth.

    When your router/modem initially connects to the internet, it gets an IP address. This IP address may be the same one everytime, but most likely you get a different IP address every time your router makes the connection to the internet. So, your routers WAN side would, for argument's sake, get address 172.16.1.1 today. Tomorrow your internet connection drops, and your router reconnects, but now it gets IP address 172.31.254.254, and so on.

    When you make use of a dynamic DNS service such as dyndns, no-ip, etc., this service registers you name/IP pair on a public DNS database - the DynDNS client in your router would connect to the DynDNS server, and register IP address 172.31.254.254 with, say, the name Low-WRT.selfip.org.

    So, when you want to connect to the WAN side of your router from some PC somewhere on the internet, you don't have to check up what your current WAN IP address is (like phone home and ask your wife to check the IP...), you can just connect to Low-WRT.selfip.org, and the software you use to connect to your router (like a browser, a telnet client, or an ssh client like PuTTY) will go through these steps talking to the public DNS database:

    Software on internet PC: Mr. DNS database, what is the IP address for Low-WRT.selfip.org?
    DNS: The IP address for Low-WRT.selfip.org is 172.31.254.254

    The software now connects to the IP address, and the name (Low-WRT.selfip.org) is forgotten.

    It might be that the registering process mentioned above is not allowed via https on DynDNS; i.e. when your router registers your name/IP pair, it connects to http://www.dyndns.org , not httpS://www.dyndns.org to register.

    However, when you access your router, whether you connect with http://Low-WRT.selfip.org/ or https://Low-WRT.selfip.org/ does not matter, you might as well have connected as http://172.31.254.254/ or as https://172.31.254.254/

    @Maggard: You are right, of course.
     
  14. Low-WRT

    Low-WRT LI Guru Member

    I have a basic understanding of how dynamic dns services work. I.e., it helps me b/c I don't have to remember my constantly changing ip address. It basically gives me a static name.
    I was, however, under the perhaps misunderstanding that I couldn't access through dyndns.org using https. I thought they blocked it for non-paying customers. I never thought about checking it.
    Anyway, I've changed my login password and I am remotely accessing my router through no-ip.com.
    Thanks
     
  15. drelkata

    drelkata LI Guru Member

    i wondering why you do not use openvpn on your router with certificates :)
     
  16. ndoggac

    ndoggac Network Guru Member

    I use dyndns.com and use https for router access, azureus web interface and webmin linux interface. I also use ssh via Putty. You shouldn't have a problem. One thing I would make sure though is your dyndns account password is different from your router/server passwords, as someone could theoretically intercept your non-encrypted IP address updates from Tomato to dyndns.
     
  17. fyellin

    fyellin LI Guru Member

    Create the file <your home directory>/.ssh/config, and put the following contents in it:
    Code:
    Host router
       HostName [I]<your domain or ip address>[/I]
       User root
       Port [I]<your external ssh port, usually 2222>[/I]
       LocalForward 8001 localhost:80 
       LocalForward 8002 [I]otherHomeMachine[/I]:80 
    Now, when you type "ssh router", ssh will automatically log you in as root on your router.

    At the same time, it creates a tunnel from my current machine's ports onto the remote ports. Opening a browser to http://localhost:8001 will bring up my router's admin page. Opening a browser to http://localhost:8002 will bring up otherHomeMachine's home page. These tunnels exist only as long as the ssh session is active. When you log off, they go away.

    You can also create additional port forwardings on the fly. Read the ssh documentation for more details.

    (Putty has a slightly different UI for creating port forwarding, but it's the same idea).
     
  18. mstombs

    mstombs Network Guru Member

    I use https remotely to administer my router from a single fixed IP address only (seems pretty safe to me...)

    Today with Firefox 3 it refused to connect at first because the certificate related to the router local LAN address 192.168.x.y. I managed to force Firefox it to use the invalid certificate, but...

    Surely the Tomato router shouldn't advertise the local lan IP address?

    Is there some config I haven't done?

    I also use ssh/putty with just password security, guess I should use custom keys, but don't think that's related to https?
     
  19. HennieM

    HennieM Network Guru Member

    When you connect to your router from the internet via https on whatever port you set it, the router internally routes that connection to your router's internal IP port 443, and serves the request as if you connected from internally.

    Further, the identification address in a certificate - be it an IP address or a host name/Fully Qualified Domain Name (FQDN) - is hardcoded into a certificate. Your router is not "advertizing" this address, but your browser checks the identification address in the certificate, and sees that it says 192.168.x.y, while you actually connected from the internet to the router's WAN IP address or name.

    No big deal. In fact, the "descepancy" shown by your browser is a good indication to you that you are connecting to the right router.

    Newer Tomatos, to the best of my knowledge, allows you to generate your own certificate. However, if you gen the certificate for the internet address or FQDN, you will get the mismatch when you connect from inside your own network.

    FYI: In "real" web servers, such servers will have a certificate for every interface or virtual interface that that web server hosts. In this setup you would not get a "descrepancy" (if the certificates are married to the right interfaces).

    In a router though, which is already starved for memory and other resources, (i) only one interface is hosted (the internal IP), and (ii) only one certificate is used.
     
  20. scolbeck

    scolbeck LI Guru Member

    Under Administration->Admin Access->SSL Certificate->Common Name (CN), enter in your fixed IP address or DNS name. The router certificate will then be generated against this and not your local LAN address.

    Firefox 3 may still give a warning about a self-signed certificate but you can set an exception to allow it.
     
  21. fyellin

    fyellin LI Guru Member

    If I were to get myself a signed certificate, is there an simple way to get Tomato to use it? Or does it only support the SSL ceritificates that it generates for itself.
     
  22. mstombs

    mstombs Network Guru Member

    Thanks, now done this using my router dyndns.com name, I'm now curious about the comment "(optional; space separated)", I wonder if I can have multiple names?

    Now had to do this for LAN access, will find out next week what my static IP work machine thinks of it!
     

Share This Page