Remote Access - Security? What brand of router is safest with all the open ports?

[RichTJ99]

Hi,

I was curious what router you people tend to lean towards for your HA settings that are accessed remotely? I have a few ports open for various items (CCTV, HA, RDP, etc). How do you keep that secure? Are there routers that can tell you via email when open ports are accessed on the router?

Thanks,
Rich

 

[pete]

open ports is open ports . .

if you can use port re-directing to hide the obvious (ssh, rdp ,and such) . .

by accessing via an obscure port over the wire and having the machine re-direct to the standard port you'll at least limit your exposure . .

I always liked Shields Up for checking my set-up (FreeBSD and PF as firewall/router) . . I could set up e-mail notifications, but it's easy to ssh in and check the log files . .

 

[CollinR]

You can also use a VPN endpoint.

 

[roussell]

Pete is right: Open is open. If you want to go the PC-as-a-firewall route, check out PFSense. It's FreeBSD based and when combined with an IDS like Snort (installable as a plugin in PFSense) will give you the email notification you want on intrusion attempts.

I allow SSH into FreeBSD from my work IPaddress only (You could also do VPN as Collin suggested). After initiating an SSH connection I can tunnel anything I want through it (web, rdp, etc...). For the mobile phone connection, I allow in a range of numbers Cingular uses in my area for the HA app and SSH ports only. Each internet accessible computer also has some form of a host-based firewall/IDS to further protect stuff.

You can build a firewall PC extremely cheaply. Mine is an old Celeron 400 128mb that a friend was throwing out. I added two network cards and it easily handles my 10Meg Charter connection. It took about 20 minutes to install from the PFSense CD. The box is headless and is literally screwed to a wall in the garage and hasn't been touched in months. I'm getting ready to add a wireless card in it so it can begin to function as a secure wireless router.

Terry

 

[RichTJ99]

I think I am more curious if anyone is actually attempting to get into those ports. Is there software to check on that? Im not against another full time server & I even have a shuttle pc (shoebox) that has been sitting plugged in & not turned on in 2 years that would do the trick. I was just hoping to limit the amount of PC's turn on at all times (granted a linksys router is pretty much the same thing).

I was thinking maybe a windows based piece of software that could run on the combo CCTV/HA server that I already have up & running 24/7

EDIT 2: Part of what gets remote access is my WM5 PPC (Treo). I dont know if I can really use a VPN in a 240x240 sized window.

 

[CollinR]

Rich I think you may have VNC and VPN confused. VPN is a virtual private network, dunno if your phone would be able to connect to it though. Basically your devise become connected to the local network through a secure encypted point to point only tunnel. Once on the VPN you can do everything you normally could on the local LAN.

You can buy a router that has an integrated VPN endpoint.

If it's Geovision you are worried about it's pretty hardened after v7.??

Basically I have been tring to hack it locally for a while with no luck, I have added the v6 webserver to v8 server and v8 twinDVR server and still can't get unauthorized feeds out of it. I need unauthorized feeds to integrate it into other applications, either that or deal with their ActiveX which is somewhat strange.

Yes people are doing random port scans. It's possible to have requests emailed however your phone would probably be full in hours.

 

[roussell]

Yes people are doing random port scans. It's possible to have requests emailed however your phone would probably be full in hours.

CollinR is right, your inbox will fill up very quickly. If you just want to see who's attempting to get in; simply enable logging with windows firewall and occasionally view the log. Be sure to log dropped packets and you'll see a ton of hits in a short amount of time - probably mostly all from China.

EDIT: BTW, there is a version of the Snort IDS available for Windows. I've never used it but if it's like the *nix version; it should give you all the logs and email you would ever want. h34r:

Terry

 

[wuench]

SSL VPN is the best security option you are going to find. Basically you would open up 443 (SSL) ONLY, and forward this to an endpoint server running SSL VPN software like SSL Explorer (which is free and open source). I say it is the best option because:

1.) It is encrypted using strong encryption. So no one can eavesdrop on what is going on and you must authenticate to your server to use it.
2.) It is using a common port (SSL/443). This is common and thus usually allowed through firewalls by ISPs and employers.

Best of all if you use something like SSL Explorer is deploys a java component on the desktop on your client, so there is no software to install. Your other traffic (RDP etc) is sent to a local port on the client, redirected through the encrypted tunnel which terminates on the server behind your router.

 

[sic0048]

Is it worth changing the default RDP port from 3389 to something else? Will it really stop anything if I switch it to another, more random port?

 

[CollinR]

worth it, yes
stop everything, no

How hard are your passwords? ALL OF THEM.

 

[sic0048]

All passwords are "Default" is that bad?? h34r:

 

[CollinR]

Want a nifty way to make strong passwords that are also easy to remember?


Pick a song and artist you like, the longer the better but gotta be easy to remember.

Let's say for instance

You Can't Always Get What You Want by The Rolling Stones

Pull the first letters to make an acroynm

YCAGWYW B TRS

Now run that through your internal "hacker speak" translator converting to symbols as often as possible

YC@GWYW B TR$

Now same same with converting to numbers

YC@6WYW 8 7R$


Now mix case, come up with your own method, every other capital or whatever.


So now you have something like

Yc@6WyW87R$

Thats a reasonably hard password, no dictionary terms, no human will ever ~guess~ it. However not too hard to remember either.



http://www.microsoft.com/protect/yourself/...rd/checker.mspx
Microsoft rates that one as "strong" if it had 3 more digits it would be "best".

 

[eufreka]

If you just want to monitor your linksys router, take a look at wallwatcher......

One solution is to disable all your port forwarding, and strong password your router on an obscure port...then only enable a forwarded port on an as needed session duration basis.

If you are really paranoid, sign up with one of the online "wireless" sslvpn services (so you connect to them FIRST) and then only allow incoming connections to your router/net from that PROVIDER's IP space....still opening ports on an as needed session basis.

If you are really really paranoid, invest in an actual sslvpn appliance that supports rdp and two factor authentication...