Port forwarding is found in both business enterprise and small-business computer networks. As home computer networks are becoming both more common and complex, port forwarding can be found here as well. While enterprise level networks use highly advanced routers and hardware firewalls for protection, the processes of secure shells, tunneling, and port forwarding can function with a relative high degree of safety. Adding to their safety net, “big business” networks have trained people to focus on managing the entire scope of digital data processing. On the other hand, some small businesses have scaled down versions of the networking hardware and services of their enterprise level big brothers, while other small business networks run much like home networks with just a router and computer software firewalls for protection. In these later two networking examples, human focus on network operation overall, and security in particular, is a low priority, until something bad happens……… As a result, port forwarding in all but the most advanced of small business and home networks can be a risky venture.
What Is Port Forwarding
Before continuing in the discussion of security issues with port forwarding in “small” networks, let’s make sure we are on the same page as to what port forwarding actually is.
Port forwarding, also called tunneling, is essentially the process of intercepting traffic bound for a certain IP/port combination and redirecting it to a different IP and/or port. This redirection is accomplished by an application running on the destination host, or it is performed by intermediate hardware, like a router, proxy server or firewall. Normally, a routing device will look at the header of a packet and simply send it to the proper interface to reach the destination it finds in the header. In port forwarding, however, the intercepting application or device reads the packet header, notes the destination, but rewrites the header information and sends it to a another host destination, different from the one requested. That host destination is a different IP using the same port, a different port on the same IP, or completely different combination of the two[1].
Port forwarding is extensively used to keep unwanted traffic off networks. It allows administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. This is very useful for home network users, who may wish to run a FTP server, a Web server and a gaming server on one network. Users with this type of need can set up a single public IP address on the router to translate requests to the proper server on the internal network. This arrangement has the advantage of hiding exactly what services are running on the network, using only IP address to carry out multiple tasks, and dropping all traffic at the firewall unrelated to the services provided[2].
If you have UPnP (Universal Plug and Play) setup on your home network, you have implemented “automated” port forwarding. UPnP, through its “streamlined” protocol, allows for the seamless connectivity of devices, thus simplifying their implementation on the home network.
What Happened To Me
For sometime, I have wanted to be able to use my server remotely so that I can stream videos and music, have broader access to my data (documents and photos), and finally to be able to do maintenance on my server from anywhere. I decided to do this in “baby steps”.
The first “step” would be to set up a secure tunnel for ssh access to my server. This is relatively simple to do:
- Visit no-ip.com, and setup a free 30 day account (you have to renew it every 30 days, or pay $20.00 a year for the service)
- While still on no-ip.com, once an account is created, you select a domain name, and map your internet address to it.
- Now, access your router, forward port 22 to a specific computer, in this case it was my server (host name or IP address) Depending on your router, it may ask for the program being used as well (in this case “ssh”).
- Next go to the host or receiving computer (my server) and open a hole in its firewall. I use Debain Linux on my server, and the UFW firewall. So to do this, in the server’s terminal type: sudo allow 22 or sudo allow ssh In the later example, UFW will default to port 22.
At this point, from any computer anywhere with internet access, all you have to do is access a “terminal” program, and providing you have a user name and password established on the host (the computer you are tying to get access to), type the following:
sudo ssh username@new-domain-name-from-step-2.com.
Once this is done, hit the “Enter” key, supply some passwords when prompted, and you are “in” the host. Pretty cool.
I thought it was pretty cool too, for about an hour and half. Then my email began to receive mail from several port monitoring programs on my server. A “bot” had made a 173 attempts to access my server using the username “root” and brute forcing passwords. Another “bot” had made 5 attempts to use pam and wind bind, trying to get, I think, passwords.
Though my security software held off the unwanted bot advances, I was not happy that my network in general, and my “secure” tunnel in specific, had been penetrated. I returned to my router and removed the port forwarding configuration to my server. This closed the “hole” in my router’s firewall, and the attacks stopped. So did my “baby steps”.
Degrees of Risk
I had to make a decision if holding off a seemingly perpetual amount of bot attacks on my server was worth the convenience I would gain by accessing my server remotely. To me, it simply wasn’t worth the risk that sooner or later, a bot might find a hole in my defense. If you feel you have to use port forwarding, then make sure you have a strong defense on your host computer.
Earlier in the article, I mentioned UPnP. How safe is it? Here is an excerpt from an article, Security Flaws in Universal Plug and Play: Unplug, Don’t Play:
“This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to find over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself[3].”
Digital Bouncers
My solution to the security issues relating to port forwarding is a simple one: i.e., eliminate it. For many other users, port forwarding is a means to an end, and is needed to remotely carry out specific goals and tasks from one computer to another, often across great distances. If you are one of these people, then you need some extra protection, primarily for the host computer (the computer you are logging into remotely) if you are using port forwarding. Here are some programs and suggestions to do this:
First of all, change your host ssh login so that it will not allow access from user “root”. Yes, this will be a little awkward, but your computer will be much safer (once logged in, you can always use “sudo” and/or “su” commands). To do this, from your terminal:
#> nano /etc/ssh/sshd_config
Now that you have sshd-config open in your editor, make these changes:
PermitRootLogin no
X11Forwarding no
For Linux, there are numerous programs that can help. Late last year, I published an article (Six Free Linux Network Monitoring Tools For Your Home Network) that will point you toward programs that will help you be aware of what is happening on your network . You can read the article here. These Linux programs mentioned include:
- iptraf – a console based network statistics utility
- netstat – a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics.
- tcpdump – analyzes network behavior, performance and applications that generate or receive network traffic. It can also be used for analyzing the network infrastructure itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.
- iftop – displays on a table the current bandwidth hosts, with the pair of host using the most bandwidth at the top of the table. This makes it easier to spot the host using the most bandwidth. From the command line: iftop -p will broaden your capture to include all available interfaces.
- nmap – an open source tool for network exploration and security auditing.
- TShark – a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
Here are three additional programs that I use every day:
- logwatch. This program parses through your system’s logs and creates a daily summary report for each. It is available from most Linux repositories. Read more about Logwatch here.
- psad – uses iptables to detect port scans. Psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data. The program can provide email alerts. Read more about psad here.
- Fail2Ban – Scan log files and bans IPs that show malicious signs (I.e., too many password failures, seeking for exploits, etc.). Generally, Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time. Read more about Fail2Ban here.
- Uncomplicated Firewall – a simple firewall for Linux. Read more about it here.
There are a lot of programs to help you secure your host computer, the ten mentioned here are but a few. If you are a minimalist, then at least: change the ssh login, and install the Uncomplicated Firewall, psad, and Fail2Ban. You’ll be glad you did.
———-
[1] What Is Port Forwarding | whatismyipadress.com
[2] ibid
[3] Security Flaws in Universal Plug and Play; Unplug and Don’t Play | HD Moore | June 29, 2013 | community.rapid7.com
You covered a lot of things except the security risk in port forwarding.
Seems the only one risl port forwarding has from your article is that of an brute force attack. If that is it, then wouldn’t just having a good password solve the problem here?
Also you didn’t cover setting up an ssh tunnel to use port forward into, or something like that exists im not sure.
Allwyn,
I appreciate your questions. Here are my responses:
I did discuss the risk, in general, under the topic “Degrees of Risk”. In the first paragraph, I said:
“I had to make a decision if holding off a seemingly perpetual amount of bot attacks on my server was worth the convenience I would gain by accessing my server remotely. To me, it simply wasn’t worth the risk that sooner or later, a bot might find a hole in my defense. If you feel you have to use port forwarding, then make sure you have a strong defense on your host computer.”
I review traffic on our network in real time, and dedicate one monitor on my desk for this purpose. From observation, I am well aware that the hardware firewall in our router simply does not block all unsolicited traffic. It is because of these reviews that I have added and bolstered firewalls and monitoring software on all my computers. On the day I set up my ability to access my server remotely via port forwarding, in the first half hour in using this setup, my server reported 178 unauthorized attempts to access it. I usually have one or two unauthorized attempts to access the server a week. The shear number of attempts clearly told me my server and possibly other computers and devices on my network were vulnerable as well. After 178 attacks, I wasn’t going to wait and see what other types of mischief bot or hackers would be capable of, – that is why there is no further or specific discussion of “risks”. The biggest risk would be waiting around to see what else was going to come at me. I immediately shutdown the port forwarding setup, and the attacks returned to a “normal” level.
Passwords, which were 12 digit, were in place, and I do not believe were an issue.
Finally, I did cover setting up the ssh tunnel under the heading: “What Happened To Me”. I also provided an example of the ssh string I used in this same area.
If I can provide any additional information, please advise.
Larry
Hi Larry – do you think it is right to say that if you disable root login then no harm can be done even if the password is cracked?
Jamie,
You asked a good question. The answer will sound ambiguous: Yes and No. With “root” blocked from logging in to you computer by way of SSH, logging in as “root” is an unavailable option, regardless of the the root password being cracked or not. For additional security, if you are using Linux, a program called “fail2ban” will provide even more control over SSH access. As far as “no harm being done”, sadly, there are still other ways to attack your machine. LarryTalksTech has a number of articles that will help you secure your computer and its data.
Regards,
Larry
Thanks for the info. I really like your your passion on your site and the story of your entry into tech – great stuff. Have you ever built an stunnel server? Any article how tos you know of? Cheers
So I have a Raspberry Pi (which has a Arm7 processor and a different instruction set ) and it does have a variant of Debian on it so I am feeling confident about my ability to get UFW and Fail2ban on the computer in question but im not so sure about psad because I am not seeing it by distro and the .bz2 and .gz files are new to me. I had a programming class at college that introduced me to the Linux Operating system and I really like it but before I make my Raspberry Pi a computer i can login to through SSH, i want to make sure I am at least cover my bases at least somewhatly security wise first.
PSAD is a port scanner, and will continually scan 65,535 ports on a computer looking for any intrusion. This is a great server tool, or for a computer you have that is always “ON”. For most users, PSAD may well be a bit of “over-kill”. On the Raspberry, I cannot tell you if PSAD will work or not. If you can get UFW and FAil2ban working on the Raspberry, I think you will be in pretty good shape.
Larry