Does anyone allow remote Tomato administration?

Discussion in 'Tomato Firmware' started by jersully, Oct 29, 2008.

  1. jersully

    jersully LI Guru Member

    I'm wondering if anyone enables remote administration of their Tomato router, and what measures are being used to secure it well.
  2. peyton

    peyton Network Guru Member

    You mean through internet ?
    Yes, I just changed the https port and my admin pass is a bit difficult, I hope. That's all.
  3. jersully

    jersully LI Guru Member

    Yes, through the Internet. I was considering allowing HTTPS but at the mere mention of it my wife (who is decidedly NOT technical) freaked out. The only encryption you have at that point is basic encryption and as you've pointed out hopefully a good password. I suppose I could see if my work's gateway IP is static and restrict it to that...

    Mostly I'm just trying to gauge if other Tomato users feel HTTPS/SSH and restricting by IP address is "good enough".
  4. humba

    humba Network Guru Member

    I consider using a VPN connection to connect to your lan then make local configuration to be safer. You can launch a dictionary attack on your approach of remote administration.. but not on mine. The only reasonable way you get onto my router is if you physically steal the certificate (or hack through the corporate firewall and get onto my machine and grab it from there)..
  5. mstombs

    mstombs Network Guru Member

    I use remote ssh and https, but have enabled access from my office single fixed IP only.
  6. Toastman

    Toastman Super Moderator Staff Member Member

    Few people would know about your router except residents. I allow remote access via HTTP on all my sites, and nobody has ever hacked into them yet. There are far more places of more interest to hackers than somebody's home router. Don't worry too much!
  7. njeske

    njeske Network Guru Member

    I allow access over http to my router at home.
  8. GhaladReam

    GhaladReam Network Guru Member

    I agree. Some home users are FAR too paranoid about this. Why would anyone want to get into your HOME network, unless you have some top secret government files or something? I can totally understand using a VPN for this if it's a large business/firm/corporation. For regular, average Joe home users, a strong password (more than 8 characters) is really all that's needed.
  9. RonWessels

    RonWessels Network Guru Member

    Oh my, you're kidding, right?

    On the off chance you're not, here are a few reasons right off the top of my head.

    - to use your computer(s) as remote spam sending bots
    - to use your computer(s) as remote attack bots to break into other sites
    - to look at the installed software on your computer(s) to get registration keys
    - to install a trojan web browser to capture your banking information when you do internet banking
    - to look at the stuff on your computer to see if there's anything "interesting"

    Given the myriad of compromised systems out there, utilizing a small fraction of them for concerted attacks on home users definitely has a good cost/benefit ratio for the bad guys.
  10. bhlonewolf

    bhlonewolf LI Guru Member

    Well, that's assuming that by hacking the router the hacker has gained complete access to all of the computers on the LAN, too.

    I think the most important thing most people should realize (and likely most people on this board do) is to understand the threats. HTTPS is great for encrypting the traffic but does nothing to secure your router. Moving administration to another port is security through obscurity and really not that useful, but may stop some bot scans, so better than nothing.

    Personally, I think one of the best things you can do for remote administration is simply run SSH on another port, and use a strong RSA key to restrict access. That way, any client that has the private key will be able to connect. Useful if you're on the road and better than just restricting by IP address. And if you're running openvpn, that's another option as well.
  11. humba

    humba Network Guru Member

    There's no need to gain control over machines over the lan.. though I figure one of the main reasons you have a router is that you have a first layer of security.. it's not such a good idea to put your machines directly onto the Internet and if you allow your router to be compromised, your first layer of security is gone.

    Access to your router can be used to do all kinds of mischief.. for instance why do you need a PC to launch a DDoS attack if you can use the router directly.
    Why use a PC to send spam mail?
    Or how about simply piping traffic through your Internet connection.. instead of making transactions with a stolen credit card number you do it through somebody else's network so they get caught and have a hard time proving it wasn't them. Or using your line to download kiddie porn... basically do whatever is legal and ensure your own IP is never logged.
    You may remember having seen a film or TV episode where an actor talks about bouncing off traffic.. that's the stuff you can do if you compromise a bunch of systems and so you unwittingly may participate in the commission of a crime.

    I'd even go as far as to say certificates alone could use a bump up.. ideally you'd have to enter a password as well so if somebody steals my notebook, they're still stuck on having to find a password and I should have time to revoke the certificate in the meantime. Or sending a one time token per sms also looks interesting.. in fact I'm looking at ssl explorer for just that.. means another machine behind my Tomato but I'd have two layers of security and would no longer be bound to a machine that has openvpn installed (though whether I'd really connect from someplace else is doubtful).

    And how often do you really need to administer your main router in a network remotely? If you need to make manual changes every day you're probably doing something wrong.. I hardly ever reconfigure anything on the router and remote access is only to access a pc running on my network or get access to a file on my nas. Whenever I reconfigure the router I'm at home - If I break something at least I can get back in and fix it.
  12. bhlonewolf

    bhlonewolf LI Guru Member

    Agree humba, certificates are truly the best way to go, but setting up the infrastructure is very difficult for computer novices. Many just don't understand how PKI works and why it's a great solution. Also agree on the password on top of the certificate. Gets back to the tenets of security authentication: something you have (certificate), something you know (password), and something you are (biometric).

    I think the router itself is more of a target than computers on a LAN, since the router itself is a computer. However, as most of us likely know, NAT isn't about providing security and wasn't really intended to.
  13. ng12345

    ng12345 LI Guru Member

    I do remote administration -- allowed for me to get easy access to 4 routers in a 15 mile radius when I was troubleshooting openvpn configurations.

    I use bitvise tunnelier and use ssh with an rsa key -- I think it's an easy solution to put together (bitvise can create the key for you), and pretty secure.

    The only issue is I get bash shell as opposed to the web gui -- if there was a good secure way to do the web gui that would be great.
  14. FRiC

    FRiC LI Guru Member

    I have Tomato with remote admin enabled at a number of clients' sites. It's far more likely for users to download a virus and infect the entire LAN, or having the web/database servers hacked into. Tomato by itself isn't likely to be hacked if you use a strong password and use https.
  15. jza80

    jza80 Network Guru Member

    Tunnel http and/or https over ssh.
  16. Badders44

    Badders44 LI Guru Member

    Agreed - I use PuTTY with SSH on a non-standard port and tunnel to the HTTP GUI of the router. From there I can Wake my PC and then VNC (using another tunnel) to control it. I don't need any encryption on the tunnels as that's carried out by SSH.

    I believe the tunnelling only works on TCP connections though (i.e. no UDP).

    this is what I used to set it up.
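    The combination mstombs, bhlonewolf and Badders44 describe (SSH on a non-standard port, key-only login, the admin port opened only to one fixed IP, and the web GUI reached through an SSH tunnel rather than exposed on the WAN), written up as an added example that is not code from the thread or from the Tomato project. The interface name, addresses, port and key path are constructed placeholders; the firewall lines are meant for Tomato's Administration > Scripts > Firewall slot.

```shell
#!/bin/sh
# Added example: lock remote admin on a Tomato router to one source IP and
# reach the HTTP GUI only over an SSH tunnel. All values are placeholders.
WAN_IF="${WAN_IF:-vlan1}"                  # Tomato's usual WAN interface
SSH_PORT="${SSH_PORT:-2222}"               # non-standard dropbear port
ALLOWED_IP="${ALLOWED_IP:-203.0.113.10}"   # the one fixed IP allowed in
ROUTER_LAN="${ROUTER_LAN:-192.168.1.1}"    # LAN address the GUI listens on
ROUTER_WAN="${ROUTER_WAN:-198.51.100.20}"  # router's public address
KEY_FILE="${KEY_FILE:-$HOME/.ssh/tomato_key}"

# Emit the iptables lines for the Firewall script slot, in the order they
# must run. Each uses -I (insert at top), so the DROP goes in first and the
# ACCEPT for the allowed source ends up above it.
firewall_rules() {
  printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$SSH_PORT"
  printf 'iptables -I INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' \
    "$WAN_IF" "$SSH_PORT" "$ALLOWED_IP"
  # Refuse the GUI ports on the WAN even if remote web admin is ever
  # re-enabled by mistake; the GUI is only reached through the tunnel.
  for p in 80 443; do
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$p"
  done
}

# Client-side command: key-only login, no remote shell (-N), and a local
# forward so http://localhost:8080 lands on the router's GUI inside SSH.
tunnel_command() {
  printf 'ssh -N -i %s -p %s -o PasswordAuthentication=no -L 8080:%s:80 root@%s\n' \
    "$KEY_FILE" "$SSH_PORT" "$ROUTER_LAN" "$ROUTER_WAN"
}

# Sanity check before applying: a typo in the allowed source would either
# lock you out or leave the rule matching nothing useful.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

case "$1" in
  --apply)  valid_ipv4 "$ALLOWED_IP" && firewall_rules | sh ;;
  --tunnel) tunnel_command ;;
esac
```

Run `sh script.sh --apply` on the router (or paste the output of `firewall_rules` into the Firewall script slot) and `sh script.sh --tunnel` on the client to print the ssh command to use.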
  17. GreenThumb

    GreenThumb Addicted to LI Member

    Actually you get a Busybox ash shell. ;)
  18. ref38

    ref38 Addicted to LI Member

    Probably not likely to be hacked, but still possible. And depending on the hole (or possibly even a back door) it could be you are wide open to someone who knows the way in.

    I know it sounds paranoid, and I don't in any way mean to slight Jon or insinuate that he has put a back door in Tomato. But there have been cases where there have been hardware back doors put in some products manufactured in a certain country, and software back doors put in various software packages - or at least attempted. And then there is the ever-present issue of just having a bug somewhere that can be exploited.

    You can't prevent all of these but you can prevent some. But it's best to never assume you are safe and to make sure your protections balance the risks.