Network Security

Linux Kernel, Network, and Services configuration.
milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Network Security

#1 Post by milomak »

I have a Kodi box (running Sid).

I have set it up such that I can, through a DDNS-type service, access SABnzbd, Sonarr and CouchPotato. This is through a TP-Link router that has the following security options enabled:

Code:

SPI Firewall:
PPTP Pass-through:
L2TP Pass-through:
IPSec Pass-through:
FTP ALG:
TFTP ALG:
H323 ALG:
RTSP ALG:

My concern is that someone could access the Kodi box and then access my main box, which is on the same network. What extra steps should I take to make the jump from the Kodi box to whatever else is on the network difficult?

I realise that the likelihood of anyone targeting me is extremely low.

Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

#2 Post by acewiza »

milomak wrote: my concern is that someone could access the kodi box and then access my main box...
Not understanding why you seem to imply the Kodi machine might be more accessible or vulnerable than the main box.
milomak wrote: ...make the jump from the kodi box to what else is on the network difficult?
The above statement seems to also imply the Kodi machine is less secure for some reason.

I would only suggest ensuring you take the basic local lockdown steps necessary to satisfy your need. Better detail on the security posture and use case(s) for the local network itself, not just the 2 boxes in question, would lead to better ideas.

For example, if the machines listed in your sig are all there is and you are the only user, I wouldn't worry much more about it at all. :wink:

Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Network Security

#3 Post by milomak »

The Kodi box has the added ability of being accessed directly through http://ddns.service.com:1234

The other computers on the network are not accessible via DDNS. This seems to me to suggest it is more accessible, though possibly only marginally so.

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

#4 Post by acewiza »

What service responds to external connections on port 1234?

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Network Security

#5 Post by milomak »

acewiza wrote: What service responds to external connections on port 1234?

The 1234 was an example of a random port I access the service through.

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

#6 Post by acewiza »

So if you're wanting to secure or verify security WRT this external access, you need to research and evaluate the security profile/posture/vulnerability status of the service you are forwarding this port to from the Internet.

The fact you appear to be running it on Sid would raise my old-school network security eyebrow, so to speak. I would never recommend running an Internet-facing service on a testing platform, just as a general best practice.

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Network Security

#7 Post by milomak »

So I saw this when running journalctl -xe on this box:

Code:

Sep 07 23:40:10 kodi sshd[1977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Sep 07 23:40:12 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:14 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxxport 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Received disconnect from xxx.xxx.xxx.xxx port 50135:11:  [preauth]
Sep 07 23:40:17 kodi sshd[1977]: Disconnected from authenticating user root xxx.xxx.xxx.xxxport 50135 [preauth]

xxx.xxx.xxx.xxx represents the IP address my ISP has served to me.

There are multiple entries like this.

My firewall settings on the router: [screenshot not included]

Should I worry?

My other computers don't have this.
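
As an added example (not from this thread or any of its posters), here is a small Python script that does what a defender would want to do with journal lines like the ones above: parse the sshd "Failed password" entries, count them per source host and user, and flag attempts against root and sources that exceed a threshold. The sample lines are constructed from the post (xxx.xxx.xxx.xxx is the poster's own placeholder), with one extra constructed line using a documentation address so that a second source appears; the file name ssh_failures.py is hypothetical.

```python
"""Added example, not from the thread: summarise sshd authentication failures
from journal lines like the ones posted above.

On a Debian box, feed it the real journal (the unit is named 'ssh' on Debian):
    journalctl -u ssh --no-pager | python3 ssh_failures.py
The sample below is constructed from the post (xxx.xxx.xxx.xxx is the
poster's own placeholder); the last line is a constructed extra using a
documentation address so that a second source shows up.
"""
import re
import sys
from collections import Counter

# Matches lines such as
#   "... sshd[1977]: Failed password for root from 203.0.113.5 port 50135 ssh2"
#   "... sshd[1990]: Failed password for invalid user admin from ... port 41022 ssh2"
# The posted lines sometimes lack the space before "port" (xxx.xxx.xxx.xxxport),
# so the host is matched lazily and the whitespace before "port" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<host>\S+?)\s*port (?P<port>\d+)"
)

SAMPLE_LOG = """\
Sep 07 23:40:10 kodi sshd[1977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Sep 07 23:40:12 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:14 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxx port 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Failed password for root from xxx.xxx.xxx.xxxport 50135 ssh2
Sep 07 23:40:17 kodi sshd[1977]: Received disconnect from xxx.xxx.xxx.xxx port 50135:11:  [preauth]
Sep 07 23:40:17 kodi sshd[1977]: Disconnected from authenticating user root xxx.xxx.xxx.xxxport 50135 [preauth]
Sep 07 23:41:02 kodi sshd[1990]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
"""


def parse_failures(lines):
    """Return (timestamp, user, host, port) for every failed-password line."""
    hits = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m:
            hits.append((m["ts"], m["user"], m["host"], int(m["port"])))
    return hits


def summarise(lines, threshold=3):
    """Count failures per (host, user), most frequent first, and attach flags:
    any attempt against root, and any source at or above `threshold` failures."""
    counts = Counter((host, user) for _, user, host, _ in parse_failures(lines))
    findings = []
    for (host, user), n in counts.most_common():
        flags = []
        if user == "root":
            flags.append("root login attempted")
        if n >= threshold:
            flags.append(f"{n} failures (>= {threshold})")
        findings.append({"host": host, "user": user, "count": n, "flags": flags})
    return findings


if __name__ == "__main__":
    # Read the journal from a pipe; fall back to the constructed sample when run bare.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for f in summarise(source):
        flag_text = "; ".join(f["flags"]) or "-"
        print(f'{f["host"]:<20} {f["user"]:<12} {f["count"]:>4}  {flag_text}')
```

The per-host count is only as good as the source address the router passes through: in the posted lines every attempt carries the poster's own external address, which is exactly why dilberts_left_nut asks below how the box is exposed. A single source with many failures against root is the pattern worth acting on (key-only auth, no root login, or a rate limiter such as fail2ban), regardless of whether it is one attacker or the router collapsing many into one.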

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Network Security

#8 Post by Bulkley »

My router has several choices for security level. As an experiment I set it to maximum. It did not inhibit my ability to access the Internet. It's an easy experiment.

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

#9 Post by acewiza »

Allowing remote root login is not, generally speaking, a "good idea." You have a lot of ports open, so that IP looks interesting to every passing malware bot out there. If I were you, unsure of my security posture, then yeah, I'd be worried.
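
As an added example (not part of the thread, and not the poster's configuration), the following Python script audits the global section of an sshd_config for the two settings acewiza's remark is about, remote root login and password guessing, plus the per-connection guess cap. It shows a constructed weak configuration beside a constructed hardened one; the file name sshd_audit.py is hypothetical. The keyword names and defaults are OpenSSH's own.

```python
"""Added example, not from the thread: audit the global section of an
sshd_config for remote root login, password authentication and MaxAuthTries.
Both configs below are constructed. To audit a real file:
    python3 sshd_audit.py /etc/ssh/sshd_config
"""
import sys

WEAK_CONFIG = """\
# constructed: what an Internet-facing box should NOT look like
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
# constructed: keys only, no root, fewer guesses per connection
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
# Passwords only from the LAN; Match blocks are conditional and not audited below
Match Address 192.168.0.0/24
    PasswordAuthentication yes
"""


def parse_global(text):
    """Return {keyword_lowercase: value} for the global section.
    sshd uses the FIRST value it sees for a keyword, so later duplicates are
    ignored; everything from the first Match line onward is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)    # "Key value" or "Key = value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    s = parse_global(text)
    findings = []

    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin unset: OpenSSH 7.0+ defaults to prohibit-password, "
                        "older releases to yes; set it explicitly")
    elif root.lower() not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin {root}: root can log in with a password")

    if s.get("passwordauthentication", "yes").lower() != "no":   # OpenSSH default: yes
        findings.append("PasswordAuthentication yes: accounts can be brute-forced; "
                        "use keys and set it to no")

    tries = s.get("maxauthtries", "6")                            # OpenSSH default: 6
    if tries.isdigit() and int(tries) > 6:
        findings.append(f"MaxAuthTries {tries}: more guesses per connection than the default")

    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = WEAK_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Two details matter when reading a real file: sshd keeps the first value of a duplicated keyword, not the last, so a "PermitRootLogin no" appended at the bottom of a file that already says "yes" higher up changes nothing; and anything under a Match block only applies when the condition holds, which is why the audit stops there rather than misreading the LAN-only password exception as a global one.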

shep
Posts: 423
Joined: 2011-03-15 15:22

Re: Network Security

#10 Post by shep »

One thing to look into is packet filtering. ipfilter is the classic Linux packet filter and is often used for firewalls. I set up a Trendnet TEW732BR with LEDE/OpenWRT and ipfilter. I was able to write a simple filter rule to block router/modem access to all devices on my LAN except my workstation that has a static IP.

This is going to take some reading and likely re-provisioning of your present network.

RU55EL
Posts: 546
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Network Security

#11 Post by RU55EL »

Some reading material:

Code:

#apt install harden-doc

Then check out /usr/share/doc/harden-doc.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Network Security

#12 Post by dilberts_left_nut »

Something fishy is going on here.
How is your ssh server exposed to the outside?
Are you port-forwarding to it with your router?
Why are there auth failures originating from your own external IP? (If they are just random connection attempts from "the net", which are very common, it should show the originating IP, not your router's).
AdrianTM wrote: There's no hacker in my grandma...

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Network Security

#13 Post by milomak »

dilberts_left_nut wrote: Something fishy is going on here.
How is your ssh server exposed to the outside?
Are you port-forwarding to it with your router?
Why are there auth failures originating from your own external IP? (If they are just random connection attempts from "the net", which are very common, it should show the originating IP, not your router's).

As stated in the OP:

I have set it up such that I can, through a DDNS-type service, access SABnzbd, Sonarr and CouchPotato.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Network Security

#14 Post by dilberts_left_nut »

milomak wrote: As stated in the OP:

I have set it up such that I can, through a DDNS-type service, access SABnzbd, Sonarr and CouchPotato.

How?

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Network Security

#15 Post by acewiza »

milomak wrote: I have set it up such that I can, through a DDNS-type service, access SABnzbd, Sonarr and CouchPotato.

Please allow me to re-phrase what Dilbert seems to be wondering about: Sounds like you are misconscrewing the function of DDNS and the concept of access. DDNS merely provides a public roadmap to your system which, in your case unfortunately, appears to lead to a system with plenty of "access" enabled, and little understanding of how to control or utilize that access.

I really don't get why you would want Internet access to a Kodi box in the first place. I typically watch TV from my living room Lazy Boy. You are either a troll or a very misguided Kodi user. This will be my last response in this thread, sans full OP disclosure. Hints about what you are trying to do just don't cut it.

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Network Security

#16 Post by milomak »

dilberts_left_nut wrote:
milomak wrote: As stated in the OP:

I have set it up such that I can, through a DDNS-type service, access SABnzbd, Sonarr and CouchPotato.

How?

Through port-forwarding.

So assume I use username.ddnsservice.com. Then pointing to that site and using one of the 3 ports I have selected will access Sonarr, CouchPotato or SABnzbd.

username.ddnsservice.com:xxx1/2/3 ---> forwards to one of the sonarr, couchpotato or sabnzbd services.

The port in my screenshot is not one of the ports I use to forward, but is the actual port that was trying to access the Kodi box.

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Network Security

#17 Post by milomak »

So I noticed that that happens when I put the Kodi's internal IP address in the DMZ on the router.
