Solved

Protect password site

Posted on 2011-09-02
Last Modified: 2012-05-12
Hi,

I have a router whose web page is open to the Internet, secured by user and password. However, I think the level of security (only 1 user & password) is not strong enough.

Is there a simple way to have a more layered security?

J.
0
Question by:janhoedt
11 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 36476767
You should not leave that open.
Does the router support VPN connections?
This is the way you can secure it.  I.e. you have to first establish the VPN connection.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36476778
The best way is to control who can access that page by using an access list. If you can't lock it down to a few IPs because they are changing, and your firewall doesn't support DNS access lists, it may be best to use another protocol if possible and turn off the web page. Use SSH if possible; you can typically lock SSH down very well by using public and private keys to authenticate, or again by using an IP address ACL to only allow connections from certain IPs.
Who makes the router and what version of the operating system is it running? There may be flaws that bypass the login entirely, or there could be well-known "backdoor" accounts that would let someone in no matter what you have the password set to.
http://www.phenoelit-us.org/dpl/dpl.html
-rich
0
 
LVL 62

Expert Comment

by:btan
ID: 36477426
It is also good to pentest the website to surface any security bugs, esp. in the web application. OWASP has good resources in its cheat sheet on prevention, mostly in the coding. You can also consider the use of a web application firewall (WAF), which will help to form the first layer of defence, especially when an attack is launched and time is required to remediate without wanting to pull down the site. ModSecurity is one WAF resource to check out. There are also website monitoring services like Armorize's HackAlert and host integrity prevention software like OSSEC (something towards Tripwire, to detect website defacement etc.).

http://www.greebo.net/2010/02/09/owasp-top-10-2010-cheat-sheet/
http://www.modsecurity.org/
https://hackalert.armorize.com/
http://www.ossec.net/

But hardening of the specific web server should be considered as well. If it is MS IIS, do check out their Lockdown and Urlscan:
http://www.symantec.com/connect/articles/iis-lockdown-and-urlscan

For Apache, see the tips
@ http://httpd.apache.org/docs/2.0/misc/security_tips.html
@ http://xianshield.org/guides/apache2.0guide.html

It is also best to have some log correlation to keep track, if possible, to detect early signs of intrusion attempts like brute forcing etc. Splunk or OSSIM are some open efforts but can be overkill if you are only looking at one web server.
0

 
LVL 62

Expert Comment

by:btan
ID: 36477431
Another - MyPHPIPS (MyPHP Intrusion Prevention System) is an open source PHP Web Application Intrusion Prevention System.

@ http://www.pentestit.com/2011/08/31/myphpips-phpintrusion-prevention-system-tool/
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36477708
@breadtan You typically can't add this kind of software, or change much, on a router. Sometimes you can get something like DD-WRT or another 3rd-party OS and then add them, but if the user is using the vanilla router resources, these tips won't apply.
-rich
0
 
LVL 62

Expert Comment

by:btan
ID: 36479753
@rich. Thanks for getting me back on track in the discussion. Pardon me for not being clear in my previous reply.
I agree that these cannot be "added" into the router.
I see them more as layered defence, but outside of the router.

Probably hardening the router (as best as possible) will be the minimal defence to put up for a risk mitigation approach - kill off the low-hanging fruit @ http://searchnetworking.techtarget.com/tip/Hardening-your-router-in-9-easy-steps
0
 

Author Comment

by:janhoedt
ID: 36480522
Thanks, however, I have DD-WRT and a NAS with PHP. An IDS looks great to me. What would be interesting is to block, for example, IPs from the US or Russia, or get a notice (as Gmail does) if a logon occurs from a suspicious IP.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36480608
DD-WRT has some decent security, and allows SSH. I prefer to use the "local only" login option, so that only wired hosts can use the web interface. Here are some recommended options for securing the console itself using encryption first: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=29181
It may be best to leave only SSH open, then, like I said before, open the web interface up from the remote IP... SSH into the WAP, then issue this command:
iptables -I INPUT -p tcp -s <remote_location_ip> --dport 80 -j ACCEPT
You can also enable https like in the link I provided above. This way only <remote_Ip> will be able to access the web interface, and will need to provide the user/pass to get in.
-rich
0
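An added example, not part of the original thread: a dry-run generator for the kind of source-IP allowlist described in the comment above. It goes beyond the single ACCEPT rule by also emitting a DROP for everyone else on the WAN side, which shows why rule order matters with `-I`. The function names, the WAN interface name `vlan2` and the sample address are assumptions; check the interface name on your own router.

```shell
#!/bin/sh
# Added example (not from the thread): print an allowlist for the router web UI.
# Dry run only: review the printed commands, then run them on the router over SSH.

# valid_ipv4 ADDR: succeed only for a plain dotted-quad address, so that nothing
# else can end up inside the generated command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# webui_rules WAN_IF PORT ADDR...: print the rules, or fail on bad input.
webui_rules() {
    wan_if=$1; port=$2
    [ "$#" -ge 3 ] || { echo "usage: webui_rules WAN_IF PORT ADDR..." >&2; return 1; }
    shift 2
    case "$wan_if" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "rejected: $addr" >&2; return 1; }
    done
    # -I prepends to the chain, so emit the DROP first; every ACCEPT inserted
    # afterwards lands above it and is matched first.
    echo "iptables -I INPUT -i $wan_if -p tcp --dport $port -j DROP"
    for addr in "$@"; do
        echo "iptables -I INPUT -i $wan_if -p tcp -s $addr --dport $port -j ACCEPT"
    done
}

# Constructed sample: vlan2 as WAN interface (assumption), documentation-range IP.
webui_rules vlan2 80 203.0.113.10
```

Binding the DROP to the WAN interface keeps wired LAN hosts able to reach the web interface; rules added this way do not survive a reboot unless they are saved in the router's firewall startup script.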
 
LVL 62

Expert Comment

by:btan
ID: 36481770
This may also be a useful reference for iptables on DD-WRT:

http://www.dd-wrt.com/wiki/index.php/Iptables_command
0
 

Author Comment

by:janhoedt
ID: 36495444
It looks like DD-WRT has no stable release. I have some issues, so I might go back to my Linksys E3000 firmware. Then again my question arises: how to securely access the web interface ... and the data on my network.
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 36501182
Some quick general points:
- The mgmt LAN and the data-traffic-facing LAN should be segregated.
- The mgmt LAN should be authenticated before access (default password changed) and the channel should be encrypted if possible with SSL/TLS (certificate support will be good).
- Configure your DHCP settings with only the number of computers that need Internet access.
- Further secure your router with DHCP: find out the MAC address of each computer and configure DHCP to assign leases to specific MAC addresses only.
- If there is any Remote Upgrade and Remote Administration in your router, do limit the risk of attack by disabling these settings.
- If interested, you can also visit Shields UP (https://www.grc.com/x/ne.dll?bh0bkyd2) and run its battery of tests to check how secure your router looks to the outside world.
0
