DM800se on internet (not behind FW or router) how?
#1
Posted 28 January 2013 - 00:31
Is there a way to install a firewall inside the DM itself? Or should I shut down all open ports? (would that be enough).
I'm free to'go back to older software if it's necessary.
How would you guys do in this case?
(Please don't say that I should buy a router, I know that's the best soase I wolution but in this cnt install anything more than the box connected directly on the internet).
If anyone could point me in the right direction I would be very helpful.
Thanks in advance!
//Squidden
Re: DM800se on internet (not behind FW or router) how? #2
Posted 28 January 2013 - 16:06
Hi, I have a DM800se which I can't place behind a router or FW (for some reasons).
Is there a way to install a firewall inside the DM itself? Or should I shut down all open ports? (would that be enough).
I have two boxes, running like this.
You should start by changing the root password to something hard-to-guess.
Then proceed by deinstalling all unnecessary packages (like avahi daemon, nfs server, samba server).
Once you have done that, on that box a "ps" should show as much as or less than the following:
290 root 2664 S /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_hos 294 root 2892 S /usr/sbin/crond -c /etc/cron/crontabs 301 root 3008 S /usr/sbin/inetd 304 root 3792 S /usr/bin/ntpd -p /var/run/ntp.pid -g 307 root 2632 S /sbin/syslogd -n -O /var/log/messages 309 root 2632 S /sbin/klogd -n 313 root 20924 S /usr/bin/CCcam 8910 root 3040 S {enigma2.sh} /bin/sh /usr/bin/enigma2.sh 8920 root 145m S /usr/bin/enigma2
Which should leave you with roughly the following open ports:
TCP 21, 22, 23, 80, 443 which are ok.
TCP 8001 streaming port for enigma2, which is not quite ok.
Some ports for CCcam which you should close and/or protect with proper passwords.
UDP 123 which is ok.
UDP 161 which is the SNMP port for enigma2 SnmpAgent (possibly), make sure it doesn't answer to default communities.
The 8001 tcp port allows someone/anyone to open a stream, if he/she knows the streams name on your box.
It might be possible to protect against that port, but it would require iptables support with support for tcp ports (not quite sure if that is already in there).
Re: DM800se on internet (not behind FW or router) how? #3
Posted 28 January 2013 - 16:13
TCP 21, 22, 23, 80, 443 which are ok.
Ah yes, before I forget...
Put a proper password on the webinterface of enigma2.
Also, once you have things in this state, you might move any or all of the above well-known ports to other portnumbers to make it harder for drive-by bots to probe your system (they usually won't get in, but they take away bandwidth and CPU time while they try).
Re: DM800se on internet (not behind FW or router) how? #4
Posted 29 January 2013 - 23:37
The box itself will bring up one ssh tunnel so it will be accessible connecting ssh through that one tunnel and one for connecting the server.
Probably I will enable SSH on the box but only using publickey. All other stuff should be shutdown/de-installed.
The tunnels itselfs are not the issue. I want everything closed so it's safe to connect it directly on the Internet. (w/o router/fw)
I remember from earlier versions of OpenPLI that there was a firewall plugin? May that be a solution? Did it work?
Re: DM800se on internet (not behind FW or router) how? #5
Posted 31 January 2013 - 10:29
Well, looks like you already know what to do for that, just deinstall all the software you don't need.Hi, thanks for your input... What I want the box to do is to close down all incoming ports, even telnet/ssh/http etc...
The box itself will bring up one ssh tunnel so it will be accessible connecting ssh through that one tunnel and one for connecting the server.
Probably I will enable SSH on the box but only using publickey. All other stuff should be shutdown/de-installed.
Not for port 8001 (the current kernel does not support port filtering iptables entries),I remember from earlier versions of OpenPLI that there was a firewall plugin? May that be a solution? Did it work?
unless you restrict access based on IP-address only.
3 user(s) are reading this topic
0 members, 3 guests, 0 anonymous users