DM800se on internet (not behind FW or router) how?
#1
Posted 28 January 2013 - 00:31
Is there a way to install a firewall inside the DM itself? Or should I shut down all open ports? (would that be enough).
I'm free to go back to older software if it's necessary.
How would you guys do in this case?
(Please don't say that I should buy a router, I know that's the best solution but in this case I won't install anything more than the box connected directly on the internet).
If anyone could point me in the right direction I would be very helpful.
Thanks in advance!
//Squidden
Re: DM800se on internet (not behind FW or router) how? #2
Posted 28 January 2013 - 16:06
Hi, I have a DM800se which I can't place behind a router or FW (for some reasons).
Is there a way to install a firewall inside the DM itself? Or should I shut down all open ports? (would that be enough).
I have two boxes, running like this.
You should start by changing the root password to something hard-to-guess.
Then proceed by deinstalling all unnecessary packages (like avahi daemon, nfs server, samba server).
Once you have done that, on that box a "ps" should show as much as or less than the following:
290 root 2664 S /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_hos
294 root 2892 S /usr/sbin/crond -c /etc/cron/crontabs
301 root 3008 S /usr/sbin/inetd
304 root 3792 S /usr/bin/ntpd -p /var/run/ntp.pid -g
307 root 2632 S /sbin/syslogd -n -O /var/log/messages
309 root 2632 S /sbin/klogd -n
313 root 20924 S /usr/bin/CCcam
8910 root 3040 S {enigma2.sh} /bin/sh /usr/bin/enigma2.sh
8920 root 145m S /usr/bin/enigma2
Which should leave you with roughly the following open ports:
TCP 21, 22, 23, 80, 443 which are ok.
TCP 8001 streaming port for enigma2, which is not quite ok.
Some ports for CCcam which you should close and/or protect with proper passwords.
UDP 123 which is ok.
UDP 161 which is the SNMP port for enigma2 SnmpAgent (possibly), make sure it doesn't answer to default communities.
The 8001 tcp port allows someone/anyone to open a stream, if he/she knows the streams name on your box.
It might be possible to protect against that port, but it would require iptables support with support for tcp ports (not quite sure if that is already in there).
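The post above gives a target list of ports that may stay exposed once the unneeded packages are gone. The following script is an added example, not code from the thread or from the OpenPLi project: it audits a netstat-style listing against exactly that list (TCP 21, 22, 23, 80, 443 and UDP 123) and reports anything else that is still listening. The netstat sample inside it is constructed, not captured from a real box; port 12000 is a made-up stand-in for the CCcam ports the post says to close. On the box itself you would feed it live output with `netstat -ltun | audit_ports`.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sockets a Dreambox-style box is
# listening on against the ports post #2 calls acceptable to leave exposed.
# On the real box you would feed it live output:  netstat -ltun | audit_ports
# A constructed "netstat -ltun" sample is embedded here so it runs offline.

OK_TCP="21 22 23 80 443"   # TCP ports the post considers ok
OK_UDP="123"               # UDP ports the post considers ok

# Constructed sample (not captured from a real box): includes the enigma2
# streaming port 8001, a made-up CCcam port 12000 and the SNMP port 161.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12000           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# in_list WORD LIST: succeed if WORD is one of the space-separated items in LIST.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# audit_ports: read netstat lines on stdin and print "proto port" for every
# listening socket that is not on the allowlist. Returns 1 if any were found.
audit_ports() {
    found=0
    while read -r proto recvq sendq laddr rest; do
        case "$proto" in
            tcp|udp) ;;          # anything else is a header line
            *) continue ;;
        esac
        port=${laddr##*:}        # strip the address part, keep the port
        case "$proto" in
            tcp) in_list "$port" "$OK_TCP" && continue ;;
            udp) in_list "$port" "$OK_UDP" && continue ;;
        esac
        printf '%s %s\n' "$proto" "$port"
        found=1
    done
    return $found
}

# unexpected_ports: audit the embedded sample and return the offending entries
# as one space-separated line, so a caller can compare against an expected list.
unexpected_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_ports | tr '\n' ' ' | sed 's/ $//'
}

unexpected_ports
```

Run against the embedded sample it reports `tcp 8001 tcp 12000 udp 161`, which matches the three items the post singles out as not ok: the enigma2 streaming port, the CCcam ports, and the SNMP agent. Rerunning it after each package removal shows whether the box has actually reached the state the post describes.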
Re: DM800se on internet (not behind FW or router) how? #3
Posted 28 January 2013 - 16:13
TCP 21, 22, 23, 80, 443 which are ok.
Ah yes, before I forget...
Put a proper password on the webinterface of enigma2.
Also, once you have things in this state, you might move any or all of the above well-known ports to other port numbers to make it harder for drive-by bots to probe your system (they usually won't get in, but they take away bandwidth and CPU time while they try).
Re: DM800se on internet (not behind FW or router) how? #4
Posted 29 January 2013 - 23:37
The box itself will bring up one ssh tunnel so it will be accessible connecting ssh through that one tunnel and one for connecting the server.
Probably I will enable SSH on the box but only using publickey. All other stuff should be shutdown/de-installed.
The tunnels itselfs are not the issue. I want everything closed so it's safe to connect it directly on the Internet. (w/o router/fw)
I remember from earlier versions of OpenPLI that there was a firewall plugin? May that be a solution? Did it work?
Re: DM800se on internet (not behind FW or router) how? #5
Posted 31 January 2013 - 10:29
Hi, thanks for your input... What I want the box to do is to close down all incoming ports, even telnet/ssh/http etc...
The box itself will bring up one ssh tunnel so it will be accessible connecting ssh through that one tunnel and one for connecting the server.
Probably I will enable SSH on the box but only using publickey. All other stuff should be shutdown/de-installed.

Well, looks like you already know what to do for that, just deinstall all the software you don't need.

I remember from earlier versions of OpenPLI that there was a firewall plugin? May that be a solution? Did it work?

Not for port 8001 (the current kernel does not support port filtering iptables entries), unless you restrict access based on IP-address only.
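Post #4 plans to keep SSH but "only using publickey", and post #3 suggests moving the well-known ports. The ps listing earlier in the thread shows the box's SSH server is dropbear, whose real command-line flags `-s` (disable password logins) and `-p [address:]port` (listen port) are what those two choices translate to. The script below is an added example, not code from the thread or from the project: it reads a dropbear command line as ps prints it and reports whether password logins are off and which port it listens on. The two ps lines inside it are constructed, and the host key path in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: check that the box's dropbear SSH daemon
# runs with password logins disabled, which is what "SSH ... only using
# publickey" in post #4 amounts to. Real dropbear flags used: -s disables
# password logins, -p [address:]port sets the listen port.
# On the box:  ps | grep '[d]ropbear' | while read -r l; do dropbear_status "$l"; done
# Two constructed ps lines are embedded so the script runs offline.

# Constructed ps lines (not captured from a real box); the host key path is a
# placeholder, not the real file name on the box.
PS_DEFAULT='290 root 2664 S /usr/sbin/dropbear -r /etc/dropbear/host_key'
PS_HARDENED='290 root 2664 S /usr/sbin/dropbear -r /etc/dropbear/host_key -s -p 2222'

# dropbear_status PSLINE: print "password-logins=on|off port=N" for one
# dropbear command line. Port defaults to 22 when no -p is present.
dropbear_status() {
    pw=on
    port=22
    set -- $1                 # split the ps line into words (unquoted on purpose)
    while [ $# -gt 0 ]; do
        case "$1" in
            -s) pw=off ;;
            -p) shift
                [ $# -gt 0 ] || break
                port=${1##*:} ;;   # handles both "-p 2222" and "-p 0.0.0.0:2222"
        esac
        shift
    done
    printf 'password-logins=%s port=%s\n' "$pw" "$port"
}

# is_hardened PSLINE: succeed only when password logins are off AND the daemon
# was moved off port 22, as post #3 suggests for the well-known ports.
is_hardened() {
    status=$(dropbear_status "$1")
    case "$status" in
        "password-logins=off port=22") return 1 ;;
        password-logins=off*) return 0 ;;
        *) return 1 ;;
    esac
}

dropbear_status "$PS_DEFAULT"
dropbear_status "$PS_HARDENED"
```

The first constructed line is the stock invocation from the thread's ps listing and reports `password-logins=on port=22`; the second reports `password-logins=off port=2222`. The check only tells you what the running daemon was started with, so the public key still has to be in place in root's authorized_keys before `-s` is added, or the ssh tunnel the box depends on will lock you out.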