Network Security

Kernels & Hardware, configuring network, installing services


Postby milomak » 2017-07-06 21:18

i have a kodi box (running sid)

i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato. this is through a tp-link router that has as security the following enabled
SPI Firewall:
PPTP Pass-through:
L2TP Pass-through:
IPSec Pass-through:
FTP ALG:
TFTP ALG:
H323 ALG:
RTSP ALG:


my concern is that someone could access the kodi box and then access my main box which is on the same network. what extra steps should i take to make the jump from the kodi box to what else is on the network difficult?

i realise that the likelihood of anyone targeting me is extremely low.
iMac - MacOS and Windows 10 (Bootcamp)/ Debian Sid (External SSD)
Laptop (64-bit) - Debian Sid, Win10,
Kodi Box - Debian Sid
milomak
 
Posts: 1671
Joined: 2009-06-09 22:20

Re: Network Security

Postby acewiza » 2017-07-06 22:23

milomak wrote:my concern is that someone could access the kodi box and then access my main box...

Not understanding why you seem to imply the Kodi machine might be more accessible or vulnerable than the main box.
milomak wrote:...make the jump from the kodi box to what else is on the network difficult?

The above statement seems to also imply the Kodi machine is less secure for some reason.

I would only suggest to ensure taking the basic local lockdown steps necessary to satisfy your need. Better detail on the security posture and use case(s) for the local network itself, not just the 2 boxes in question would lead to better ideas.

For example, if the machines listed in your sig is all there is and you are the only user, I wouldn't worry much more about it at all. :wink:
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.
acewiza
 
Posts: 241
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

Postby milomak » 2017-07-12 20:41

the kodi box has the added ability of being accessed directly through http://ddns.service.com:1234

the other computers on the network are not accessible via ddns. this seems to me to suggest it is more accessible. though possibly marginally so.
milomak
 
Posts: 1671
Joined: 2009-06-09 22:20

Re: Network Security

Postby acewiza » 2017-07-12 23:54

What service responds to external connections on port 1234?
acewiza
 
Posts: 241
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

Postby milomak » 2017-07-19 20:01

acewiza wrote:What service responds to external connections on port 1234?


the 1234 was an example of a random port i access the service through
milomak
 
Posts: 1671
Joined: 2009-06-09 22:20

Re: Network Security

Postby acewiza » 2017-07-19 22:48

So if you're wanting to secure or verify security WRT this external access, you need to research and evaluate the security profile/posture/vulnerability status of the service you are forwarding this port to from the Internet.

The fact you appear to be running it on Sid would raise my old-school network security eyebrow, so to speak. I would never recommend running an Internet-facing service on a testing platform, just as a general best practice.
acewiza
 
Posts: 241
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

Postby milomak » 2017-09-07 21:04

So I saw this when running journalctl -xe on this box
Sep 07 23:40:10 kodi sshd[1977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Sep 07 23:40:12 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:14 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Received disconnect from xxx.xxx.xxx.xxx port 50135:11:  [preauth]
Sep 07 23:40:17 kodi sshd[1977]: Disconnected from authenticating user root xxx.xxx.xxx.xxx port 50135 [preauth]

xxx.xxx.xxx.xxx represents the IP address my ISP has served to me

there are multiple entries like this.

My firewall settings on the router
[Image: router firewall settings]

Should I worry?

My other computers don't have this
milomak
 
Posts: 1671
Joined: 2009-06-09 22:20

Re: Network Security

Postby Bulkley » 2017-09-07 21:33

My router has several choices for security level. As an experiment I set it to maximum. It did not inhibit my ability to access the Internet. It's an easy experiment.
Bulkley
 
Posts: 5263
Joined: 2006-02-11 18:35

Re: Network Security

Postby acewiza » 2017-09-07 22:40

Allowing remote root login is not, generally speaking, a "good idea." You have a lot of ports open, so that IP looks interesting to every passing malware bot out there. If I were you, unsure of my security posture, then yeah, I'd be worried.
acewiza
 
Posts: 241
Joined: 2013-05-28 12:38
Location: Out West
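
Added example (not part of the thread and not any poster's code): a small audit of the two sshd_config settings that decide whether root password guessing over SSH can succeed. The sample file is constructed, the defaults are assumed from sshd_config(5) for current OpenSSH, and Include files and Match blocks are not evaluated.

```python
# Values used when a keyword is absent. Assumption: the defaults documented in
# sshd_config(5) for current OpenSSH; check the man page of the installed version.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed sample, not the poster's actual file.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd uses the first value it reads for a keyword, so this line has no effect:
PermitRootLogin no

Match Address 192.168.1.0/24
    PasswordAuthentication no
"""

def effective_global(config_text):
    """Return the global (pre-Match) value of each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                           # conditional blocks are not evaluated here
        if len(parts) == 2 and keyword in DEFAULTS:
            # setdefault keeps the first value, matching sshd's first-match rule
            seen.setdefault(keyword, parts[1].strip().strip('"').lower())
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List settings that leave root or password logins open to guessing."""
    eff = effective_global(config_text)
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed remotely")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

On a live system, `sshd -T` run as root prints the effective configuration, including anything pulled in through Include.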

Re: Network Security

Postby shep » 2017-09-08 00:23

One thing to look into is packet filtering. ipfilter is the classic Linux packet filter and is often used for firewalls. I set up a Trendnet TEW732BR with LEDE/OpenWRT and ipfilter. I was able to write a simple filter rule to block router/modem access to all devices on my LAN except my workstation that has a static IP.

This is going to take some reading and likely re-provisioning of your present network.
shep
 
Posts: 103
Joined: 2011-03-15 15:22

Re: Network Security

Postby RU55EL » 2017-09-08 01:25

Some reading material:

# apt install harden-doc


Then check out /usr/share/doc/harden-doc
RU55EL
 
Posts: 254
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Network Security

Postby dilberts_left_nut » 2017-09-08 05:54

Something fishy is going on here.
How is your ssh server exposed to the outside?
Are you port-forwarding to it with your router?
Why are there auth failures originating from your own external IP? (If they are just random connection attempts from "the net", which are very common, it should show the originating IP, not your router's).
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4641
Joined: 2009-10-05 07:54
Location: enzed
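
Added example (not part of the thread and not any poster's code): detection logic for the journal lines quoted earlier, counting failed sshd password attempts per source and user and flagging the two things raised in the replies, root being targeted and the source being the box's own public address. The log lines, the addresses (documentation ranges) and the user name `milo` are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the journal lines posted in the thread.
# 203.0.113.7 stands in for the poster's own public address (assumption);
# 198.51.100.23 stands in for an unrelated Internet host.
OWN_WAN_IP = "203.0.113.7"
SAMPLE = """\
Sep 07 23:40:12 kodi sshd[1977]: Failed password for root from 203.0.113.7 port 50135 ssh2
Sep 07 23:40:14 kodi sshd[1977]: Failed password for root from 203.0.113.7 port 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Failed password for root from 203.0.113.7 port 50135 ssh2
Sep 07 23:41:02 kodi sshd[1981]: Failed password for invalid user admin from 198.51.100.23 port 41822 ssh2
Sep 07 23:41:09 kodi sshd[1981]: Accepted password for milo from 192.168.1.20 port 51000 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text, own_wan_ip):
    """Count failed sshd password attempts per (source, user) and flag anomalies."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts[(m["ip"], m["user"])] += 1
    findings = []
    for (ip, user), n in sorted(attempts.items()):
        notes = []
        if user == "root":
            notes.append("root targeted")
        if ip == own_wan_ip:
            # The log alone cannot say why: the router may be rewriting source
            # addresses, or a LAN host may be connecting via the public address.
            notes.append("source is own WAN address")
        findings.append((ip, user, n, notes))
    return findings

if __name__ == "__main__":
    for ip, user, n, notes in summarize(SAMPLE, OWN_WAN_IP):
        print(f"{ip:15} {user:8} {n} failed  {', '.join(notes)}")
```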

Re: Network Security

Postby milomak » 2017-09-10 10:14

dilberts_left_nut wrote:Something fishy is going on here.
How is your ssh server exposed to the outside?
Are you port-forwarding to it with your router?
Why are there auth failures originating from your own external IP? (If they are just random connection attempts from "the net", which are very common, it should show the originating IP, not your router's).


as stated in the op

i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato.
milomak
 
Posts: 1671
Joined: 2009-06-09 22:20

Re: Network Security

Postby dilberts_left_nut » 2017-09-10 10:39

milomak wrote:as stated in the op

i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato.
How?
dilberts_left_nut
 
Posts: 4641
Joined: 2009-10-05 07:54
Location: enzed

Re: Network Security

Postby acewiza » 2017-09-10 13:07

milomak wrote:i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato.

Please allow me to re-phrase what Dilbert seems to be wondering about: Sounds like you are misconscrewing the function of DDNS and the concept of access. DDNS merely provides a public roadmap to your system which, in your case unfortunately, appears to lead to a system with plenty of "access" enabled, and little understanding of how to control or utilize that access.

I really don't get why you would want Internet access to a Kodi box in the first place. I typically watch TV from my living room Lazy Boy. You are either a troll or a very misguided Kodi user. This will be my last response in this thread, sans full OP disclosure. Hints about what you are trying to do just don't cut it.
acewiza
 
Posts: 241
Joined: 2013-05-28 12:38
Location: Out West
