
Re: [LUG] Home router settings was Re: FW:

On 17/06/13 00:35, Simon Waters wrote:
> On 16/06/13 23:20, bad apple wrote:
>> But really, EVERYONE on this list, check your router for UPnP right now
>> and if it's on (it will be by default) kill it right now. Trust me (or
>> Simon, or anyone else competent for that matter) on this.
> Not sure I'm competent in this matter, as it is down to managing other
> people's networks, but I can discuss my choices.
>
> 1) I have UPNP disabled.
>
> I don't need it.
>
> 2) I don't allow management from the Internet (at least that default was
> right).
>
> I see no advantage, I can generally ssh in to a box inside and connect
> from inside if I really want to break my router config when I'm away
> from home.
>
> 3) I don't allow management of the router from the Wireless LAN
>
> Since I was allowing anyone to connect to the WLAN interface, opinions
> differ on that matter, but I saw it as a courtesy to guests to my house
> to make it as easy as possible to connect. Guests definitely don't need
> to reconfigure the router. If your WIFI is secured, and you usually use
> a laptop that goes places, this might not be for you.
>
> Running an open access point carries some risk, and is something that
> has recently been revoked, I would add not due to abuse. On the other
> hand it may add "plausible deniability", if your IP address is accused
> of something.
>
> Part of running an open access point was the assumption that my own
> devices on the network must anticipate potentially hostile traffic, so
> they would expose minimal services (something I've been changing
> recently, as I experiment with some fun multimedia protocols), be
> regularly patched, etc.
>
> 4) I don't run the embedded IGMP proxy.
>
> I can see this might be more controversial, but I don't currently need
> IGMP, and I probably would do it some other way if I did.
>
> 5) I don't use any of the embedded programs if I can avoid it, with the
> exception of the DHCP server (and that because I want to be able to
> allocate addresses when everything on the wired network is down). Boxes
> that stay put use static addresses, so don't rely on the DHCP service
> being available.
>
> I don't trust the vendor to issue fixes, and there appears to be no easy
> way to be notified of new firmware updates, and they haven't released
> any updates for this router hardware for nearly 7 years.
>
> 6) I disable the firewall functionality.
>
> It comes with HTTP proxy type service. This would be a router based
> program, which could be communicated to (via a browser inside the
> network) from malicious actors from the outside, which might have
> vulnerabilities (see also point 5).
>
> It does NAT, it does simple QoS, it does DHCP for mobile clients
> (originally I did this from a Debian box, but switched it back).
>
> 7) I disable SNMP
>
> The router's functions are simple, my home LAN simple enough not to need
> this. I note the last firmware update fixed a password disclosure over
> SNMP vulnerability.
>
>
> Replacing this router is on the cards, because it lacks support for
> IPv6, and apparent lack of support.
>

Well, actually I meant the other Simon (Avery) who had just posted a
very sensible warning about the general dangers of UPnP, but as
everything you've said makes complete sense I'll gladly extend that to
"listen to either Simon". I agree with literally every single point
you've just made, and my system is set up the same way, even down to
disabling the worthless firewall on my router. It operates purely as a
pass-through modem handing over all traffic to my OpenBSD box, which is
the god of all things network-related in my house. I don't use QoS on
the router either, purely because it's A: crap and B: the OpenBSD
machine does all of that for me. SNMP is also disabled, because although
it is in principle useful, the actual implementation on SOHO equipment
is generally mind-blowingly incompetent and SNMP is notoriously
insecure. If I see another default community string then I'll... oh, who
am I kidding. I'll see another one the next time I look and will just
disable it immediately, as per usual. I've actually completely given up
on that fight.

I do however still run an open wifi access point - but I've just deleted
the next 5 or 6 paragraphs I had typed about that whole saga though, as
I have a bad habit of completely wandering off-topic and you've only
just re-named the thread after I did it last time.

So I think we all agree then: disable UPnP on your router, post haste.

The standard joke is of course the (fake) acronym: Universal Plug and Pray.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
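The check urged at the top of the thread ("check your router for UPnP right now") can be done from a client on the LAN rather than by trusting the router's admin page. The script below is an added example, not code from this thread or from the list: it builds the SSDP M-SEARCH discovery request, parses any replies, and flags those advertising a WANIPConnection or WANPPPConnection service, which is the Internet Gateway Device interface through which applications ask the router to open inbound port mappings. The sample reply embedded in it is constructed (made-up address, UUID and path); `discover()` sends a real multicast query on the local segment and is meant to be run on your own network after disabling UPnP, where the result you want is no replies at all.

```python
import socket
from typing import Dict, List, Optional

# SSDP multicast group used by UPnP discovery (UPnP Device Architecture 1.1).
SSDP_GROUP = ("239.255.255.250", 1900)

# Service types an Internet Gateway Device advertises when it offers
# automatic port mapping, i.e. the feature the thread says to switch off.
PORT_MAPPING_SERVICES = ("WANIPConnection", "WANPPPConnection")


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request datagram."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP search reply into {HEADER-NAME: value}.

    Returns None for datagrams that are not search responses
    (e.g. an unsolicited NOTIFY announcement).
    """
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def offers_port_mapping(headers: Dict[str, str]) -> bool:
    """True if the reply advertises a WAN connection (port mapping) service."""
    advertised = headers.get("ST", "") + " " + headers.get("USN", "")
    return any(svc in advertised for svc in PORT_MAPPING_SERVICES)


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH on the local segment and collect replies.

    Run this on your own LAN after turning UPnP off in the router UI;
    an empty list (or no port-mapping services) is the result you want.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies: List[Dict[str, str]] = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                headers["_FROM"] = ip  # sender address, kept for reporting
                replies.append(headers)
    except socket.timeout:
        pass  # MX window elapsed; no more replies expected
    finally:
        sock.close()
    return replies


def report(replies: List[Dict[str, str]]) -> List[str]:
    """One line per reply, flagging those that expose port mapping."""
    out = []
    for h in replies:
        flag = "PORT-MAPPING EXPOSED" if offers_port_mapping(h) else "info"
        out.append(f"{h.get('_FROM', '?')}: {h.get('ST', '?')} [{flag}]")
    return out


# Constructed sample reply in the shape a router with UPnP IGD enabled sends.
# The address, UUID and LOCATION path are made-up placeholders.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    # Offline demonstration on the constructed reply, then a live LAN sweep.
    sample = parse_ssdp_response(SAMPLE_REPLY)
    sample["_FROM"] = "192.168.1.1"
    print("\n".join(report([sample])))
    print("\n".join(report(discover())) or "no SSDP replies on this segment")
```

A reply flagged as exposing port mapping means the router will still accept port-mapping requests from any device on the LAN, so a compromised guest machine or piece of malware can open inbound holes without touching the router's login; repeat the sweep from the wireless segment as well, since some firmware applies the setting per interface.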