Solved

Protect password site

Posted on 2011-09-02
Last Modified: 2012-05-12
Hi,

I have a router whose web page is open to the Internet, secured by a user and password. However, I think the level of security (only 1 user & password) is not strong enough.

Is there a simple way to have more layered security?

J.
Question by:janhoedt
11 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 36476767
You should not leave that open.
Does the router support VPN connections?
This is the way you can secure it.  I.e. you have to first establish the VPN connection.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36476778
The best way is to control who can access that page by using an access list. If you can't lock it down to a few IPs because they are changing, and your firewall doesn't support DNS access lists, it may be best to use another protocol if possible and turn off the web page. Use SSH if possible; you can typically lock SSH down very well by using public and private keys to authenticate, or again using an IP address ACL to only allow connections from certain IPs.
Who makes the router and what version of the operating system is it running? There may be flaws that bypass the login entirely or there could be well-known "backdoor" accounts that would let someone in no matter what you have the password set to.
http://www.phenoelit-us.org/dpl/dpl.html
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 36477426
It is also good to pentest the website to surface any security bugs, especially in the web application. OWASP has good resources in its cheat sheet on prevention, mostly in the coding. You can also consider using a web application firewall (WAF), which will help form the first layer of defence, especially when an attack is launched and time is required to remediate without wanting to pull down the site. ModSecurity is one WAF resource to check out. There are also website monitoring services like Armorize's HackAlert and host integrity prevention software like OSSEC (something along the lines of Tripwire, to detect website defacement etc.).

http://www.greebo.net/2010/02/09/owasp-top-10-2010-cheat-sheet/
http://www.modsecurity.org/
https://hackalert.armorize.com/
http://www.ossec.net/

But hardening on the specific web server should be considered as well - if it is MS IIS, do check out their Lockdown and Urlscan
http://www.symantec.com/connect/articles/iis-lockdown-and-urlscan

For apache, can see tips
@ http://httpd.apache.org/docs/2.0/misc/security_tips.html
@ http://xianshield.org/guides/apache2.0guide.html

It is also best to have some log correlation, if possible, to detect early signs of intrusion attempts like brute forcing etc. Splunk or OSSIM are some open efforts but can be overkill if you are only looking at one web server.
0
 
LVL 61

Expert Comment

by:btan
ID: 36477431
Another - MyPHPIPS (MyPHP Intrusion Prevention System) is an open source PHP Web Application Intrusion Prevention System.

@ http://www.pentestit.com/2011/08/31/myphpips-phpintrusion-prevention-system-tool/
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36477708
@breadtan You can't add this kind of software, or change much on a router, typically. Sometimes you can get something like DD-WRT or another 3rd-party OS and then add them, but if the user is using the vanilla router resources, these tips won't apply.
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 36479753
@rich. Thanks for getting me back on track with the discussion. Pardon me for not being clear in my previous reply.
I agree that these cannot be "added" to the router.
I see them more as layered defence, but outside of the router.

Probably hardening the router (to its best where possible) will be the minimal defence to put up as a risk mitigation approach - kill off the low-hanging fruit @ http://searchnetworking.techtarget.com/tip/Hardening-your-router-in-9-easy-steps
0
 

Author Comment

by:janhoedt
ID: 36480522
Thanks, however, I have DD-WRT and a NAS with PHP. An IDS looks great to me. What would be interesting is to block, for example, IPs from the US or Russia, or to get notice (as Gmail does) if a logon occurs from a suspicious IP.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36480608
DD-WRT has some decent security, and allows SSH. I prefer to use the "local only" login option, so that only wired hosts can use the web interface. Here are some recommended options for securing the console itself using encryption first: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=29181
It may be best to leave SSH open only, then, like I said before, open the web interface up from the remote IP... SSH into the WAP, then issue this command:
iptables -I INPUT -p tcp -s <remote_location_ip> --dport 80 -j ACCEPT
You can also enable https like in the link I provided above. This way only <remote_Ip> will be able to access the web interface, and will need to provide the user/pass to get in.
-rich
0
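The rule in the answer above admits one remote address to the web interface. As an added example (not part of the original thread and not DD-WRT's own code), the shell functions below build that rule for several addresses together with an explicit WAN-side DROP for everyone else, validate the inputs, and only print the commands so they can be reviewed before being run in the router's SSH session. The function names, the `vlan2` interface name and the 203.0.113.x addresses are assumptions and placeholders.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it never runs them.

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# webui_rules WAN_IF PORT IP...
# Prints a WAN-side DROP for the web interface port, then one ACCEPT per
# allowed source. Every -I inserts at the top of INPUT, so the ACCEPT rules
# printed later end up above the DROP when the lines are run in order.
webui_rules() {
    [ "$#" -ge 3 ] || { echo "usage: webui_rules WAN_IF PORT IP..." >&2; return 2; }
    wan_if=$1; port=$2; shift 2
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    # Validate every address before printing anything, so a typo cannot
    # leave a half-built rule set on the screen.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad source address: $ip" >&2; return 1; }
    done
    echo "iptables -I INPUT -i $wan_if -p tcp --dport $port -j DROP"
    for ip in "$@"; do
        echo "iptables -I INPUT -i $wan_if -p tcp -s $ip --dport $port -j ACCEPT"
    done
}

# Constructed sample call (vlan2 and the 203.0.113.x addresses are placeholders):
#   webui_rules vlan2 80 203.0.113.10 203.0.113.27
```

The DROP is scoped to the WAN interface with `-i` so that hosts on the LAN keep their access to the web interface.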
 
LVL 61

Expert Comment

by:btan
ID: 36481770
This may also be a useful reference for iptables on DD-WRT:

http://www.dd-wrt.com/wiki/index.php/Iptables_command
0
 

Author Comment

by:janhoedt
ID: 36495444
It looks like DD-WRT has no stable release. I have some issues, so I might go back to my Linksys E3000 firmware. Then again my question arises of how to securely access the web interface ... and the data on my network.
0
 
LVL 61

Accepted Solution

by:btan (earned 500 total points)
ID: 36501182
Some quick general points
- the mgmt lan and the data traffic facing lan should be segregated.
- mgmt lan should be authenticated before access (default password changed) and channel should be encrypted if possible with SSL/TLS (certificate support will be good).
- configure your DHCP settings with only the number of computers that need Internet access.
- further secure your router with DHCP, find out the MAC address of each computer and configure DHCP to assign leases to specific MAC addresses only.
- if there is any Remote Upgrade and Remote Administration in your router, do limit the risk of attack by disabling these settings.
- if interested, can also visit Shields UP (https://www.grc.com/x/ne.dll?bh0bkyd2) and run its battery of tests to check how secure your router looks to the outside world.
0
