
Re: [LUG] FW:


On 16/06/13 21:36, Brad Rogers wrote:
> On Sun, 16 Jun 2013 19:36:11 +0100
> bad apple <mr.meowski@xxxxxxxx> wrote:
>
> Hello bad,
>
>> Whilst we're at it, immediately disable WPS on your router and kill the
>> UPnP service with fire: do your port forwarding manually.
> Damn;  I recently had cause to change my router.  Guess what I forgot to
> do?.....
>
> Not to worry, it's done now.  Thanks for the reminder.

No problem, glad to help.

But really, EVERYONE on this list, check your router for UPnP right now
and if it's on (it will be by default) kill it right now. Trust me (or
Simon, or anyone else competent for that matter) on this. Inside your
network, UPnP is still an ugly piece of crap but is pretty helpful,
especially for your average user who doesn't know, or want to know,
anything about their computers, smart TVs, games consoles and other
gadgets: largely speaking, it will do what it's supposed to and all your
gear should hopefully automagically configure itself to chat happily.
The problem is the IGD (Internet Gateway Device) component, that if left
to its own business, will negotiate with your router and implement NAT
traversal, i.e., as Simon just pointed out, will poke random holes in
your firewall mapping ingress and egress ports as it sees fit. These are
obviously wide open to the internet at large, and trivially findable via
Shodan, google-fu or any of your other favourite methods. Believe it or
not, UPnP does not implement authorisation by default... I'll let that
sink in for a moment.

This problem should really have died years ago - it really is an old
issue - but there are literally millions of unsupported, outdated
devices already out there running unpatched versions and you may well be
one of them. Don't just trust me: Rapid7 (security company, home of HD
Moore and Metasploit) revisited this just a few months ago in January
this year and found 40-50 million vulnerable devices reachable on the
internet!

https://community.rapid7.com/docs/DOC-2150

So, UPnP is fine inside your network edge, but for god's sake, make sure
your gateway box(es), which is probably just your ISP supplied router
for the vast majority of you, doesn't have its UPnP facility enabled.
You will have to map any forwarded ports you require manually (hopefully
to your DMZ - you do have a DMZ, don't you?) but it's a small price to pay.

Regards



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
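The post's advice is "check your router for UPnP right now". The simplest LAN-side check is the same SSDP discovery that client software uses: multicast an M-SEARCH for the Internet Gateway Device search target and see whether the gateway answers. The script below is an added example and is not code from the poster or the list; it uses the SSDP multicast address, the IGD search target and the WANIPConnection SOAP element names from the UPnP IGD specification, and the SSDP reply and SOAP response embedded in it are constructed samples (the UUID and addresses are placeholders). It also parses a GetGenericPortMappingEntry response, which is the shape of the "random holes" the post describes, so an administrator can see what mappings devices have already opened.

```python
"""Check whether a gateway on the local network advertises UPnP IGD.

Added example for the mailing-list post above; not the poster's code.
SSDP address/port, the IGD search target and SOAP element names come from
the UPnP IGD specification; all sample data below is constructed.
"""
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample SSDP reply, in the shape a consumer router sends.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.4\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:PLACEHOLDER-UUID::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

# Constructed sample SOAP response to GetGenericPortMappingEntry: one
# mapping that a LAN device (here a TV) asked the gateway to open.
SAMPLE_SOAP_REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>5000</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>5000</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>SmartTV</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH datagram that asks IGD devices to reply."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP unicast reply into a dict of lower-cased header names."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd_advert(headers: dict) -> bool:
    """True when the reply announces an Internet Gateway Device."""
    return headers.get("st") == IGD_ST or headers.get("usn", "").endswith(IGD_ST)


def parse_port_mapping(soap_xml: str) -> dict:
    """Extract the New* fields of a GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)
    mapping = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the XML namespace prefix
        if tag.startswith("New"):
            mapping[tag] = (el.text or "").strip()
    return mapping


def describe_mapping(m: dict) -> str:
    """Render one mapping as 'PROTO ext -> client:int (description)'."""
    return (f"{m['NewProtocol']} {m['NewExternalPort']} -> "
            f"{m['NewInternalClient']}:{m['NewInternalPort']} "
            f"({m['NewPortMappingDescription']})")


def discover_igd(timeout: float = 2.0) -> list:
    """Multicast one M-SEARCH and collect IGD replies from the LAN.

    Needs network access; returns [(sender_ip, headers), ...]. An empty
    list from a gateway with UPnP disabled is the result you want.
    """
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = sock.recvfrom(65507)
                hdrs = parse_ssdp_response(data)
                if is_igd_advert(hdrs):
                    found.append((addr[0], hdrs))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    print("sample advert is IGD:", is_igd_advert(hdrs), hdrs.get("location"))
    print("sample mapping:", describe_mapping(parse_port_mapping(SAMPLE_SOAP_REPLY)))
    for ip, h in discover_igd():
        print(f"IGD advertised by {ip}: {h.get('server')} at {h.get('location')}")
```

Run from a machine on the LAN: a gateway that answers the M-SEARCH with the IGD search target still has UPnP IGD enabled and should be turned off as the post says; after disabling it, the discovery loop should return nothing. The `LOCATION` URL in the reply is where the device description (and the WANIPConnection control URL) lives, which is what a client would use to issue the `GetGenericPortMappingEntry` calls whose response format `parse_port_mapping` handles.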