[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server
Philip Prindeville
philipp_subx at redfish-solutions.com
Sat Feb 10 20:44:08 PST 2018
> On Feb 10, 2018, at 6:03 PM, Michelle Sullivan <michelle at sorbs.net> wrote:
>
> Paul Oranje wrote:
>> Your aptness for seeing the possible attack vectors warrants your judgement ...
>>
>>> Op 10 feb. 2018, om 17:07 heeft Philip Prindeville <philipp_subx at redfish-solutions.com> het volgende geschreven:
>>>
>>>
>>>> On Feb 10, 2018, at 3:28 AM, Paul Oranje <por at oranjevos.nl> wrote:
>>>>
>>>> Wouldn't it be appropriate to disallow password authentication on wan only and allow it on all networks "behind" the router?
>>> Not necessarily.
>>>
>>> That’s why UPnP is such an issue. A machine inside a firewall gets infected by a virus through a download or email... then the first thing the virus does is punch holes in the firewall to allow outside scans of the remaining hosts.
>>>
>>> Allowing password logins from an infected host just means that the virus has to do slightly more work before it owns the router (ie run a password attack).
>>>
>>> Not substantially more secure...
>>>
>
> uPNP should be disabled by default and where possible as it is a security hazard for those that understand it. For those that don't it's a compromise waiting to happen.
>
> Juniper doesn't support uPNP in the commercial market at all (and even given their statement in https://kb.juniper.net/InfoCenter/index?page=content&id=KB5615 I can point out that even in their semi-residential products - ie their small office gear doesn't support it either I'd suggest that any support for uPNP is off by default and gives a warning if someone tries to enable it.)
>
My point was simply that sometimes attack come inside your own firewall. Don’t naively assume that all attacks are external only; that’s not “defense in depth”.
-Philip
More information about the Lede-dev
mailing list