From my understanding you can run into issues when you have a combination of ports being forwarded and some other issue like SSH enabled on a Raspberry Pi with default credentials but I feel like I’m missing things or misunderstanding port forwarding.

I don’t know if, for example, a computer connected to a network running a dated version of Windows is a risk simply because it is connected to the network. Even if it isn’t being used for things such as web browsing.

I’m more concerned about remote threats versus local ones like someone having access to my WiFi password.

  • Still
    3
    1 year ago

    simply keep everything up to date, don’t install shady stuff, and don’t use insecure passwords

    ssh isn’t really a security issue as long as you have either a good password or key based authentication

    running outdated versions of systems can pose a risk of being compromised, but the chance of that is much lower than the chance of you downloading something bad, and avoiding out of date windows is easy

  • Dr. Jenkem
    3
    1 year ago

    I don’t know if, for example, a computer connected to a network running a dated version of Windows is a risk simply because it is connected to the network. Even if it isn’t being used for things such as web browsing.

    Well, probably not going to be how an attacker gets in. But let’s say they crack your ssh password on the raspberry pi. Now the attacker can reach the other devices on your network, even if ports aren’t forwarded to those devices. Let’s say you’re running an smb file share on that old Windows computer. They could potentially use a vulnerability to get access to that computer.

    So yes, you want good security at the perimeter (make sure your router firmware is up to date, any devices with ports forwarded are properly secured, reduce attack surface by not port forwarding anything unnecessarily, etc.). But it’s also a good idea to practice security in depth, protect even the computers that are on the LAN.

    Btw, I would only forward ports to things that you want people who aren’t you to access. Something like ssh generally shouldn’t have ports forwarded, as you’re probably the only one that should be accessing it. Instead, use a VPN (I like wireguard). And when you want to access ssh outside the network, just VPN to your home first and then ssh like you’re on the LAN. You can do the same with any other service. But if you want to, say, share a Plex server with friends and family, you don’t want to make them use a VPN, so you pretty much have to port forward.

    • @[email protected] (OP)
      1
      edit-2
      1 year ago

      Let’s say you’re running an smb file share on that old Windows computer. They could potentially use a vulnerability to get access to that computer.

      Wouldn’t an SMB share only be visible to the internet through forwarded ports? I thought they were only available through LAN connections unless modified to do otherwise.

      If that isn’t the case do you have any recommendations for protecting SMB shares from outside connections?

      • Dr. Jenkem
        3
        1 year ago

        Yes, the smb isn’t visible directly to the internet. But if that raspberry pi gets hacked, then the attacker can use the raspberry pi to access your entire LAN.

  • @Devils69Advocate
    2
    1 year ago

    A router or firewall by default will block incoming traffic from the internet; it only allows outgoing traffic. So a computer simply being connected to the network shouldn’t just all of a sudden get a virus or malware. Users browsing unsafe websites, downloading random things, opening random email attachments, or installing unsafe applications will cause the compromise.

    However, port forwarding will open a port on your router/firewall to allow incoming traffic to whatever device you’ve forwarded that traffic to. SSH itself is not really the concern, but the strength of the password used for the account.

    The internet is constantly being scanned by bots looking for easy targets. Even if you change the default SSH port to something else, it will eventually be discovered and if your server/device responds in such a way to reveal it’s an SSH server, then whatever automated system will start trying common usernames and passwords to get in (brute force).

    If you were going to expose SSH, it’s best to change the default port, use an uncommon username (not root, admin, pi, etc.) and don’t accept connections from anything other than that username, use key based authentication, and probably install Fail2Ban to block brute force attempts. And if you are only going to be connecting from a known source, like your work, maybe just allow that IP with your port forward.
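Taking the hardening list in the post above as a checklist, here is an added example (written for this thread, not code from the thread or from OpenSSH or Fail2Ban) in POSIX sh that audits an sshd_config for the settings discussed: password authentication, root login, an allow-list of usernames, and the listening port. The helper names, the two sample configs and the username m4rtin are constructed for the example; Fail2Ban and an IP allow-list on the router's port forward are outside its scope.

```shell
#!/bin/sh
# Audit an sshd_config against the exposed-SSH hardening steps from the thread.
# Hypothetical helper for this thread, not OpenSSH or Fail2Ban code.
# Usage: audit_sshd_config /etc/ssh/sshd_config
# Prints one line per finding; the return status is the number of findings.

# Effective value of keyword $1 in file $2. sshd uses the FIRST occurrence of
# a keyword, so the first uncommented match wins; prints nothing if unset.
# Limitation (assumption of this example): Match blocks are not handled.
sshd_effective() {
    awk -v k="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(k) {
            $1 = ""; sub(/^ +/, ""); print; exit
        }' "$2"
}

audit_sshd_config() {
    cfg=$1
    findings=0

    # OpenSSH defaults apply when a keyword is absent: PasswordAuthentication yes,
    # PermitRootLogin prohibit-password, Port 22, AllowUsers unset (anyone may try).
    v=$(sshd_effective PasswordAuthentication "$cfg")
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is not 'no': use key-based authentication only"
        findings=$((findings + 1))
    fi

    v=$(sshd_effective PermitRootLogin "$cfg")
    if [ "${v:-prohibit-password}" != "no" ]; then
        echo "PermitRootLogin is not 'no': root should not be reachable over SSH"
        findings=$((findings + 1))
    fi

    v=$(sshd_effective AllowUsers "$cfg")
    if [ -z "$v" ]; then
        echo "AllowUsers is unset: restrict logins to your own uncommon username"
        findings=$((findings + 1))
    else
        # Names the thread calls out as common brute-force targets.
        for u in $v; do
            case "$u" in
                root|admin|pi)
                    echo "AllowUsers permits common target '$u'"
                    findings=$((findings + 1)) ;;
            esac
        done
    fi

    v=$(sshd_effective Port "$cfg")
    if [ "${v:-22}" = "22" ]; then
        echo "Port is 22: moving it cuts scanner noise (not a substitute for the rest)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample configs for demonstration (not from any real host).
make_samples() {
    WEAK=$(mktemp); HARD=$(mktemp)
    cat > "$WEAK" <<'EOF'
# stock-style config: everything left at the defaults
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$HARD" <<'EOF'
Port 2222
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers m4rtin
EOF
}

make_samples
echo "== weak config ==";     audit_sshd_config "$WEAK" || echo "findings: $?"
echo "== hardened config =="; audit_sshd_config "$HARD" && echo "findings: 0"
rm -f "$WEAK" "$HARD"
```

On a live host, `sshd -T` prints the effective configuration with every keyword already resolved (including Match blocks), so feeding its output to the audit instead of the raw file avoids the first-occurrence and Match limitations noted in the comments.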

  • @[email protected]
    1
    1 year ago

    If you’re port forwarding ssh and ssh is using default creds, you shouldn’t do that. Change those credentials.