Which remote access method to use?

Discussion in 'Tomato Firmware' started by dolly_oops, Feb 13, 2008.

  1. dolly_oops

    dolly_oops Network Guru Member


    I've got a question about how you configure Tomato for remote access from other machines.

    Here's my situation - I want to make my router remotely accessible so that I can configure it remotely. There are a few things I can do - enable remote web access, or remote SSH - or just by having OpenVPN enabled.

    To reduce the chances of other people connecting to my machine, I guess I could tie down to IP address which I most commonly would access them from... But I like the idea that I could access my router from anywhere if I need to. I don't like the thought of making my router permanently remotely accessible - but the odds are that I won't remember to make it accessible before leaving my house.

    So I just wondered what other people do... am I being over paranoid and is leaving the router permanently accessible OK to do? Or do you use other techniques to open up your router on demand - I've been considering port knocking or having a script running every X minutes to check the status of a particular file on a webserver to decide whether to open up access or not...
  2. kevanj

    kevanj LI Guru Member

    Personally, I use SSL access to the GUI from outside my network, unless I need to 'get linuxy', then I enable SSH as needed, but use an alternate port for the web gui (not 443) to prevent casual scans of popular ports from seeing my router as having an open port. A strong password is also a must...
  3. humba

    humba Network Guru Member

    As far as changing port goes.. security through obscurity has never been a good idea. Any port scanner that only scans a few ports is not worth its money.

    Since I got openvpn working, that's my preferred access method. Prior to that, I had no remote access.
  4. kevanj

    kevanj LI Guru Member

    Could you explain why you consider that to be true? Or is that just your opinion?
  5. LLigetfa

    LLigetfa LI Guru Member

    It is not just kevanj''s opinion. It is an opinion shared by most of the security community.
  6. cpgbg

    cpgbg LI Guru Member

    I was wondering why Tomato uses such weak encryption method and certificates for SSL. Here is what Opera tells me when I try to connect:

    - This site is using an outdated encryption method which is no longer classified as secure. It cannot sufficiently protect sensitive data.
    - The server is using a short public encryption key, which is not considered to be secure.

    Encryption protocol:
    SSL v3.0 128 bit ARC4 (512 bit RSA/SHA)

    It would be much more secure if it was:
    TLS v1.0 256 bit AES (1024 bit RSA/SHA)
  7. kevanj

    kevanj LI Guru Member

    It's actually Humba's 'opinion'...and one of kevanj's secondary methods of keeping prying eyes away from my router.
    I think that there are arguments for and against using an 'alternate' port to provide security, and as a method of primary security, it is certainly weak, however in the case of using it as a secondary method to protect against casual port scans, the opinion that it is a 'bad idea' is just that, an opinion. In my opinion, I see no reason not to add a secondary level of security, however minor, to protect an asset. I don't see that it reduces the security of the system, and it may not significantly increase it, however it provides a certain anonymity which the use of port 443 may not. It also allows secure (as secure as the firmware allows without further modification) remote access when ISPs may block port 443.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice