[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server
Michelle Sullivan
michelle at sorbs.net
Sat Feb 10 17:03:34 PST 2018
Paul Oranje wrote:
> Your aptness for seeing the possible attack vectors warrants your judgement ...
>
>> Op 10 feb. 2018, om 17:07 heeft Philip Prindeville <philipp_subx at redfish-solutions.com> het volgende geschreven:
>>
>>
>>> On Feb 10, 2018, at 3:28 AM, Paul Oranje <por at oranjevos.nl> wrote:
>>>
>>> Wouldn't it be appropriate to disallow password authentication on wan only and allow it on all networks "behind" the router?
>> Not necessarily.
>>
>> That’s why UPnP is such an issue. A machine inside a firewall gets infected by a virus through a download or email... then the first thing the virus does is punch holes in the firewall to allow outside scans of the remaining hosts.
>>
>> Allowing password logins from an infected host just means that the virus has to do slightly more work before it owns the router (ie run a password attack).
>>
>> Not substantially more secure...
>>
uPNP should be disabled by default and where possible as it is a
security hazard for those that understand it. For those that don't it's
a compromise waiting to happen.
Juniper doesn't support uPNP in the commercial market at all (and even
given their statement in
https://kb.juniper.net/InfoCenter/index?page=content&id=KB5615 I can
point out that even in their semi-residential products - ie their small
office gear doesn't support it either I'd suggest that any support for
uPNP is off by default and gives a warning if someone tries to enable it.)
--
Michelle Sullivan
http://www.mhix.org/
More information about the Lede-dev
mailing list