[300] Security

[Krusher_r]

@Omertron,
>I think, you have to understand that the PCH, whilst it might be a point of ingress onto your network is unlikely to need a great deal of protection unless you open it up to the internet rather than your intranet.

Yes that's true, although an accidental or unintentional event (over WiFi) could cause problems. To me, it's the same as password protecting my home computer. It'll never leave the desk, but I do it anyway.

Rather than filling up this thread with comments which were intended for the A-300 series, I created a poll in the 200 series forums instead. So I suppose you three can answer "no" right away but at least I'll get a few more votes to see if I'm the only one who wants a telnet password.

[accident]

They aren't going to add anything to the 200 series since they are about to throw out the firmware and port the 300 to it.

I posted a quick and to the point 300 request that should translate well via google for the engineers.. I find a poll tends to hurt the request because no poll gets that many votes and makes it look unimportant.

[Krusher_r]

I've heard the 300 firmware is coming to the 200 eventually. I think we're all eager to get that one.

I have to check my poll to see how it's doing, but after only one day I won't judge it too hard. If it's low on the votes, then maybe they are better working on something else that everyone else wants more.

[Willem53]

I don't believe for a minute that a firewall on a 200 will work successful as it will consume resources the box is already short of.

Just set the firewall rule in your router to not treat the NMT as a Internet server.

And remember.. no matter how many locks on the doors of your house...... the windows are still made of glass....

[Krusher_r]

For a work-around, I just found the telnetd process and killed it. If I need telnet again, I can just reboot the box.

I'd agree Willem53, I would not put a firewall on a 200 or 300. The only reason for doing that would be if you put the box in the DMZ, and that's asking for all sorts of problems.

The windows might be made of glass, but you can still get hurricane windows. They'll stop everything but bullets.

[accident]

Too bad you forgot too close the windows.

[Krusher_r]

I didn't forget. The guy who didn't require a password over telnet did lol.

Actually, I didn't close the windows. I replaced them with brick by killing telnetd.

Ok I'm finished with analogies.

[accident]

don't put words in my mouth, I never said what my setup is.

so you stopped telnet.. you still have dozens of other security holes that any script kiddie can exploit.. and if you have a share that the pch is allowed to write to, then it's pretty easy to come through the api to destroy everything or even turn telnet back on.

The front door isn't the only way to get in.

[Willem53]

Point is... there is no security on the NMT...., closing down Telnet doesn't do anything to improve that.
Your protection should be a firewall with smart rules on the border of your private network a second line of defense(firewall) on each PC when they interact with untrustworthy or unknown server from outside your network.

The problem is that people just leave holes in their security and behave in such a way that they invite trouble..... the tools to really protect your network are there, learning to deploy them in the right way is the big challenge for most....

[Krusher_r]

I certainly see your point--this is not a hardened Linux server.

However, we should try and protect what can be reasonably protected. Leaving telnet running with automatic root access is a potential security problem IMO. This is my home and not a business with untrusted users, but that doesn't mean I'm going to say it's OK to ignore it.

I can't fix the other flaws that may already exist. This OP was started to address this same concern that I have. I think we have a reasonable work-around for now.

I also noticed the new firmware for the A200 series came out today. We can finally join the rest of you! Rejoice!!!

[Willem53]

(07-31-2012 07:32 PM)Krusher_r Wrote:  I certainly see your point--this is not a hardened Linux server.

However, we should try and protect what can be reasonably protected. Leaving telnet running with automatic root access is a potential security problem IMO. This is my home and not a business with untrusted users, but that doesn't mean I'm going to say it's OK to ignore it.

I can't fix the other flaws that may already exist. This OP was started to address this same concern that I have. I think we have a reasonable work-around for now.

I also noticed the new firmware for the A200 series came out today. We can finally join the rest of you! Rejoice!!!

In my home LAN I got a Internet enthusiastic wife with no sense of security and two teenage kids who think security is something their dad will worry about.

All PC's have firewalls that report events to my admin PC that also is a syslog server for the border firewall that send me traps of certain events.

On top of that I run and maintain several types of (realtime)scanners on each PC..... and trust me they find unwanted stuff each week....

What I'm saying is you need more than a password to secure a Internet connected device... "nmt 1234" is a joke.

you need to enable SPI on your router's firewall and set the rules for the NMT....much safer than a Telnet password is no port 23 traffic from outside the LAN to the IP of the NMT ............. http://en.wikipedia.org/wiki/Stateful_firewall

[Krusher_r]

It sounds like we have pretty much the same setup then, but thanks for posting those tips. I'm sure others are not as careful.