Port forwarding is found in both business enterprise and small-business computer networks. As home computer networks are becoming both more common and complex, port forwarding can be found here as well. While enterprise level networks use highly advanced routers and hardware firewalls for protection, the processes of secure shells, tunneling, and port forwarding can function with a relative high degree of safety. Adding to their safety net, “big business” networks have trained people to focus on managing the entire scope of digital data processing. On the other hand, some small businesses have scaled down versions of the networking hardware and services of their enterprise level big brothers, while other small business networks run much like home networks with just a router and computer software firewalls for protection. In these later two networking examples, human focus on network operation overall, and security in particular, is a low priority, until something bad happens……… As a result, port forwarding in all but the most advanced of small business and home networks can be a risky venture.
What Is Port Forwarding
Before continuing in the discussion of security issues with port forwarding in “small” networks, let’s make sure we are on the same page as to what port forwarding actually is.
Port forwarding, also called tunneling, is essentially the process of intercepting traffic bound for a certain IP/port combination and redirecting it to a different IP and/or port. This redirection is accomplished by an application running on the destination host, or it is performed by intermediate hardware, like a router, proxy server or firewall. Normally, a routing device will look at the header of a packet and simply send it to the proper interface to reach the destination it finds in the header. In port forwarding, however, the intercepting application or device reads the packet header, notes the destination, but rewrites the header information and sends it to a another host destination, different from the one requested. That host destination is a different IP using the same port, a different port on the same IP, or completely different combination of the two.
Port forwarding is extensively used to keep unwanted traffic off networks. It allows administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. This is very useful for home network users, who may wish to run a FTP server, a Web server and a gaming server on one network. Users with this type of need can set up a single public IP address on the router to translate requests to the proper server on the internal network. This arrangement has the advantage of hiding exactly what services are running on the network, using only IP address to carry out multiple tasks, and dropping all traffic at the firewall unrelated to the services provided.
If you have UPnP (Universal Plug and Play) setup on your home network, you have implemented “automated” port forwarding. UPnP, through its “streamlined” protocol, allows for the seamless connectivity of devices, thus simplifying their implementation on the home network.
What Happened To Me
For sometime, I have wanted to be able to use my server remotely so that I can stream videos and music, have broader access to my data (documents and photos), and finally to be able to do maintenance on my server from anywhere. I decided to do this in “baby steps”.
The first “step” would be to set up a secure tunnel for ssh access to my server. This is relatively simple to do:
- Visit no-ip.com, and setup a free 30 day account (you have to renew it every 30 days, or pay $20.00 a year for the service)
- While still on no-ip.com, once an account is created, you select a domain name, and map your internet address to it.
- Now, access your router, forward port 22 to a specific computer, in this case it was my server (host name or IP address) Depending on your router, it may ask for the program being used as well (in this case “ssh”).
- Next go to the host or receiving computer (my server) and open a hole in its firewall. I use Debain Linux on my server, and the UFW firewall. So to do this, in the server’s terminal type: sudo allow 22 or sudo allow ssh In the later example, UFW will default to port 22.
At this point, from any computer anywhere with internet access, all you have to do is access a “terminal” program, and providing you have a user name and password established on the host (the computer you are tying to get access to), type the following:
sudo ssh email@example.com.
Once this is done, hit the “Enter” key, supply some passwords when prompted, and you are “in” the host. Pretty cool.
I thought it was pretty cool too, for about an hour and half. Then my email began to receive mail from several port monitoring programs on my server. A “bot” had made a 173 attempts to access my server using the username “root” and brute forcing passwords. Another “bot” had made 5 attempts to use pam and wind bind, trying to get, I think, passwords.
Though my security software held off the unwanted bot advances, I was not happy that my network in general, and my “secure” tunnel in specific, had been penetrated. I returned to my router and removed the port forwarding configuration to my server. This closed the “hole” in my router’s firewall, and the attacks stopped. So did my “baby steps”.
Degrees of Risk
I had to make a decision if holding off a seemingly perpetual amount of bot attacks on my server was worth the convenience I would gain by accessing my server remotely. To me, it simply wasn’t worth the risk that sooner or later, a bot might find a hole in my defense. If you feel you have to use port forwarding, then make sure you have a strong defense on your host computer.
Earlier in the article, I mentioned UPnP. How safe is it? Here is an excerpt from an article, Security Flaws in Universal Plug and Play: Unplug, Don’t Play:
“This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to find over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself.”
My solution to the security issues relating to port forwarding is a simple one: i.e., eliminate it. For many other users, port forwarding is a means to an end, and is needed to remotely carry out specific goals and tasks from one computer to another, often across great distances. If you are one of these people, then you need some extra protection, primarily for the host computer (the computer you are logging into remotely) if you are using port forwarding. Here are some programs and suggestions to do this:
First of all, change your host ssh login so that it will not allow access from user “root”. Yes, this will be a little awkward, but your computer will be much safer (once logged in, you can always use “sudo” and/or “su” commands). To do this, from your terminal:
#> nano /etc/ssh/sshd_config
Now that you have sshd-config open in your editor, make these changes:
For Linux, there are numerous programs that can help. Late last year, I published an article (Six Free Linux Network Monitoring Tools For Your Home Network) that will point you toward programs that will help you be aware of what is happening on your network . You can read the article here. These Linux programs mentioned include:
- iptraf – a console based network statistics utility
- netstat – a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics.
- tcpdump – analyzes network behavior, performance and applications that generate or receive network traffic. It can also be used for analyzing the network infrastructure itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.
- iftop – displays on a table the current bandwidth hosts, with the pair of host using the most bandwidth at the top of the table. This makes it easier to spot the host using the most bandwidth. From the command line: iftop -p will broaden your capture to include all available interfaces.
- nmap – an open source tool for network exploration and security auditing.
- TShark – a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
Here are three additional programs that I use every day:
- logwatch. This program parses through your system’s logs and creates a daily summary report for each. It is available from most Linux repositories. Read more about Logwatch here.
- psad – uses iptables to detect port scans. Psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data. The program can provide email alerts. Read more about psad here.
- Fail2Ban – Scan log files and bans IPs that show malicious signs (I.e., too many password failures, seeking for exploits, etc.). Generally, Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time. Read more about Fail2Ban here.
- Uncomplicated Firewall – a simple firewall for Linux. Read more about it here.
There are a lot of programs to help you secure your host computer, the ten mentioned here are but a few. If you are a minimalist, then at least: change the ssh login, and install the Uncomplicated Firewall, psad, and Fail2Ban. You’ll be glad you did.