[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server
Michelle Sullivan
michelle at sorbs.net
Sat Feb 10 21:07:53 PST 2018
Philip Prindeville wrote:
>
>> On Feb 10, 2018, at 6:03 PM, Michelle Sullivan <michelle at sorbs.net> wrote:
>>
>> Paul Oranje wrote:
>>> Your aptness for seeing the possible attack vectors warrants your judgement ...
>>>
>>>> On 10 Feb 2018, at 17:07, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
>>>>
>>>>
>>>>> On Feb 10, 2018, at 3:28 AM, Paul Oranje <por at oranjevos.nl> wrote:
>>>>>
>>>>> Wouldn't it be appropriate to disallow password authentication on wan only and allow it on all networks "behind" the router?
>>>> Not necessarily.
>>>>
>>>> That’s why UPnP is such an issue. A machine inside a firewall gets infected by a virus through a download or email... then the first thing the virus does is punch holes in the firewall to allow outside scans of the remaining hosts.
>>>>
>>>> Allowing password logins from an infected host just means that the virus has to do slightly more work before it owns the router (i.e. run a password attack).
>>>>
>>>> Not substantially more secure...
>>>>
>> UPnP should be disabled by default and where possible as it is a security hazard for those that understand it. For those that don't it's a compromise waiting to happen.
>>
>> Juniper doesn't support UPnP in the commercial market at all (and even given their statement in https://kb.juniper.net/InfoCenter/index?page=content&id=KB5615 I can point out that even their semi-residential products, i.e. their small office gear, don't support it either). I'd suggest that any support for UPnP is off by default and gives a warning if someone tries to enable it.
>>
> My point was simply that sometimes attacks come from inside your own firewall. Don't naively assume that all attacks are external only; that's not "defense in depth".
>
100% agree, was just using the comments as a platform for ensuring
everyone is on the same page and adding that little more depth where we
can... :)
--
Michelle Sullivan
http://www.mhix.org/
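For readers following the thread, here is an added sshd_config sketch (not the patch under discussion, which is not quoted on this page) showing the hardened default and the LAN-only relaxation Paul raised; the 192.168.1.0/24 range is a placeholder:

```text
# Hardened default: key-based authentication only, on every interface.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# On a router root is usually the only account; keep it key-only as well.
PermitRootLogin prohibit-password

# Optional relaxation: passwords accepted only from the LAN.
# Philip's objection still applies here: a compromised host inside
# this range can brute-force the router just like an external one.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Run `sshd -t -f <file>` before deploying to catch syntax errors, since a broken config can lock out remote administration.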