Protect password site

janhoedt
Hi,

I have a router whose web page is open to the Internet, secured by a user name and password. However, I think the level of security (only 1 user & password) is not strong enough.

Is there a simple way to have a more layered security?

J.
Distinguished Expert 2017

Commented:
You should not leave that open.
Does the router support VPN connections?
This is the way you can secure it, i.e. you have to establish the VPN connection first.
Rich RumbleSecurity Samurai
Top Expert 2006

Commented:
The best way is to control who can access that page by using an access list. If you can't lock it down to a few IPs because they are changing, and your firewall doesn't support DNS access lists, it may be best to use another protocol if possible and turn off the web page. Use SSH if possible; you can typically lock SSH down very well too, by using public and private keys to authenticate, or again by using an IP address ACL to only allow connections from certain IPs.
Who makes the router and what version of the operating system is it running? There may be flaws that bypass the login entirely, or there could be well-known "backdoor" accounts that would let someone in no matter what you have the password set to.
http://www.phenoelit-us.org/dpl/dpl.html
-rich
btanExec Consultant
Distinguished Expert 2018

Commented:
Also good to pentest the website to surface any security bugs, especially in the web application. OWASP has good resources in the cheat sheet on prevention, mostly in the coding. You can also consider the use of a web application firewall (WAF), which will help to form the first layer of defence, especially when an attack is launched and you need time to remediate without pulling down the site. ModSecurity is one WAF resource to check out. There are also website monitoring services like Armorize's HackAlert and host integrity prevention software like OSSEC (something like Tripwire, to detect website defacement etc.).

http://www.greebo.net/2010/02/09/owasp-top-10-2010-cheat-sheet/
http://www.modsecurity.org/
https://hackalert.armorize.com/
http://www.ossec.net/

But hardening of the specific web server should be considered as well. If it is MS IIS, do check out their Lockdown and UrlScan:
http://www.symantec.com/connect/articles/iis-lockdown-and-urlscan

For Apache, see the tips
@ http://httpd.apache.org/docs/2.0/misc/security_tips.html
@ http://xianshield.org/guides/apache2.0guide.html

Also best to have some log correlation, if possible, to keep track and detect early signs of intrusion attempts like brute forcing etc. Splunk or OSSIM are some open efforts but can be overkill if you are only looking at one web server.
btanExec Consultant
Distinguished Expert 2018

Commented:
Another one: MyPHPIPS (MyPHP Intrusion Prevention System) is an open source PHP web application intrusion prevention system.

@ http://www.pentestit.com/2011/08/31/myphpips-phpintrusion-prevention-system-tool/
Rich RumbleSecurity Samurai
Top Expert 2006

Commented:
@breadtan You can't add this kind of software, or change much on a router, typically. Sometimes you can get something like DD-WRT or another 3rd party OS and then add them, but if the user is using the vanilla router resources, these tips won't apply.
-rich
btanExec Consultant
Distinguished Expert 2018

Commented:
@rich. Thanks for getting me back on track with the discussion. Pardon me for not being clear in my previous reply.
Agree that these cannot be "added" into the router.
I see them more as layered defence, but outside of the router.

Probably hardening the router (to its best where possible) will be the minimal defence to put up in a risk mitigation approach; kill off the low-hanging fruit @ http://searchnetworking.techtarget.com/tip/Hardening-your-router-in-9-easy-steps

Author

Commented:
Thanks, however, I have DD-WRT and a NAS with PHP. An IDS looks great to me. What would be interesting is to block, for example, IPs from the US or Russia, or to get a notice (as Gmail does) if a logon occurs from a suspicious IP.
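The "notice on a logon from a suspicious IP" part of this wish list can be done with nothing more than the router's syslog and a small shell script. The following is an added example, not code from the thread or from DD-WRT: it scans SSH daemon log lines, reports any successful login from a source address that is not on a known-good list, and reports source addresses with repeated failed password attempts. The log lines are constructed for the example and follow the shape of dropbear's "Password auth succeeded for 'user' from ip:port" / "Bad password attempt" messages (an assumption; compare against the wording in your own router's log). The known-good address list and the failure threshold are sample values.

```shell
#!/bin/sh
# Added example (not from the thread): flag unexpected SSH logins and
# brute-force sources in DD-WRT-style syslog lines. Runs on any POSIX sh
# with sed, sort, uniq and awk (all present in busybox).

# Addresses from which admin logins are expected (constructed sample values).
KNOWN_ADMIN_IPS="203.0.113.5 192.168.1.10"
# Failed password attempts from one address before it is reported.
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}

# Constructed sample log, modelled on dropbear's message format (assumption).
sample_log() {
cat <<'EOF'
Mar  1 08:01:12 DD-WRT daemon.info dropbear[811]: Password auth succeeded for 'root' from 192.168.1.10:50122
Mar  1 08:05:40 DD-WRT daemon.info dropbear[812]: Bad password attempt for 'root' from 198.51.100.7:41002
Mar  1 08:05:43 DD-WRT daemon.info dropbear[813]: Bad password attempt for 'root' from 198.51.100.7:41003
Mar  1 08:05:47 DD-WRT daemon.info dropbear[814]: Bad password attempt for 'admin' from 198.51.100.7:41004
Mar  1 08:06:02 DD-WRT daemon.info dropbear[815]: Bad password attempt for 'root' from 198.51.100.7:41005
Mar  1 09:12:09 DD-WRT daemon.info dropbear[820]: Password auth succeeded for 'root' from 198.51.100.22:55010
Mar  1 09:30:55 DD-WRT daemon.info dropbear[821]: Password auth succeeded for 'root' from 203.0.113.5:60001
EOF
}

# Reduce successful-login lines on stdin to "<user> <source-ip>" pairs.
successful_logins() {
    sed -n "s/.*auth succeeded for '\([^']*\)' from \([0-9.]*\):[0-9]*.*/\1 \2/p"
}

# Print an alert for every successful login whose source is not in KNOWN_ADMIN_IPS.
unexpected_logins() {
    successful_logins | while read -r user ip; do
        case " $KNOWN_ADMIN_IPS " in
            *" $ip "*) ;;   # expected admin source, stay quiet
            *) echo "ALERT login user=$user from=$ip" ;;
        esac
    done
}

# Print an alert for every source address with at least FAIL_THRESHOLD failed attempts.
brute_force_sources() {
    sed -n "s/.*Bad password attempt for '[^']*' from \([0-9.]*\):[0-9]*.*/\1/p" \
      | sort | uniq -c \
      | awk -v t="$FAIL_THRESHOLD" '$1 >= t { print "ALERT failed_attempts=" $1 " from=" $2 }'
}

# Run both checks over the log supplied on stdin.
report() {
    log=$(cat)
    printf '%s\n' "$log" | unexpected_logins
    printf '%s\n' "$log" | brute_force_sources
}

# Stand-alone run over the constructed sample.
sample_log | report
```

On a real router the call would be `report < /var/log/messages` (or the log path your build uses) from a cron job, with the output mailed or pushed to you; the blocking-by-country part of the question is not covered here, because that needs an external IP-to-country database rather than log data.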
Rich RumbleSecurity Samurai
Top Expert 2006

Commented:
DD-WRT has some decent security, and allows SSH. I prefer to use the "local only" login option, so that only wired hosts can use the web interface. Here are some recommended options for securing the console itself, using encryption first: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=29181
It may be best to leave only SSH open, then, like I said before, open the web interface up from the remote IP... SSH into the WAP, then issue this command:
iptables -I INPUT -p tcp -s <remote_location_ip> --dport 80 -j ACCEPT
You can also enable HTTPS like in the link I provided above. This way only <remote_location_ip> will be able to access the web interface, and will still need to provide the user/pass to get in.
-rich
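The single ACCEPT rule above only helps if the rest of the WAN side is already closed to the web ports; otherwise it adds nothing. As an added example (not rich's rules and not DD-WRT's own firewall script), the script below prints the full rule set for that approach: an ACCEPT for the one remote admin address on 80 and 443 and a DROP for everyone else arriving on the WAN interface, with a sanity check on the address so a typo cannot produce a rule that matches nothing. The WAN interface name "vlan2" is a placeholder (check `ip addr` on your own build), and 203.0.113.5 is a constructed sample address. It prints the commands rather than running them, so the output can be reviewed before it goes into the router's firewall script.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that restrict the
# router's web interface to one remote address on the WAN side. Nothing here
# calls iptables; the printed lines are meant to be reviewed and then pasted
# into the DD-WRT firewall script.

WAN_IF="${WAN_IF:-vlan2}"   # placeholder WAN interface name (assumption)

# Return 0 if the argument is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1          # split into the four octets
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for one remote admin address. Because -I prepends to the
# chain, the DROP rules are printed first so that the ACCEPT rules printed
# afterwards end up above them when the lines are executed in order.
admin_acl_rules() {
    remote_ip=$1
    if ! valid_ipv4 "$remote_ip"; then
        echo "invalid IPv4 address: $remote_ip" >&2
        return 1
    fi
    for port in 80 443; do
        echo "iptables -I INPUT -i $WAN_IF -p tcp --dport $port -j DROP"
    done
    for port in 80 443; do
        echo "iptables -I INPUT -i $WAN_IF -p tcp -s $remote_ip --dport $port -j ACCEPT"
    done
}

# Stand-alone run with a constructed sample address.
admin_acl_rules 203.0.113.5
```

Leaving out `-i $WAN_IF` would also block hosts on the LAN from the web interface, which is why the interface match is there; if the admin address changes, rerun with the new address and remove the stale ACCEPT lines with the matching `iptables -D` commands.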
btanExec Consultant
Distinguished Expert 2018

Commented:
This may also be a useful reference for iptables on DD-WRT:

http://www.dd-wrt.com/wiki/index.php/Iptables_command

Author

Commented:
It looks like DD-WRT has no stable release. I have some issues, so I might go back to my Linksys E3000 firmware. Then again my question arises: how to securely access the web interface ... and the data on my network.
Exec Consultant
Distinguished Expert 2018
Commented:
Some quick general points:
- the management LAN and the LAN carrying data traffic should be segregated.
- the management LAN should require authentication before access (default password changed), and the channel should be encrypted if possible with SSL/TLS (certificate support will be good).
- configure your DHCP settings with only the number of computers that need Internet access.
- further secure your router with DHCP: find out the MAC address of each computer and configure DHCP to assign leases to specific MAC addresses only.
- if there is any Remote Upgrade or Remote Administration option on your router, limit the risk of attack by disabling these settings.
- if interested, you can also visit ShieldsUP (https://www.grc.com/x/ne.dll?bh0bkyd2) and run its battery of tests to check how secure your router looks to the outside world.
