Plug Security

Support for your TonidoPlug
papai
Super Tonidoid
Posts: 36
Joined: Sun Aug 23, 2009 4:05 pm
Location: Miami, FL

Plug Security

Postby papai » Mon Aug 31, 2009 4:07 pm

ezelkow1's travails bring up an interesting issue: how do we harden the Plug?

I was thinking of not allowing root ssh login and adding a key. But this only protects shell access. How about the other two ports/processes?

Hopefully ezelkow1 has not placed anything interesting in there, but what about other computers in his network? I am also planning to place my Plug in a DMZ.

So far I have only placed in there some photos and some test files. Security, for those of us exposing Tonido to the Internet, should be of primary concern.

I welcome any suggestions.

Thanks,

ezelkow1
Veteran Tonidoid
Posts: 66
Joined: Thu Aug 20, 2009 4:09 pm

Re: Plug Security

Postby ezelkow1 » Mon Aug 31, 2009 5:11 pm

Luckily, with their devs' quick help I was able to get it up and running in no time. But I would not suggest putting it in the DMZ, as I have a feeling that's what left mine open. Looking at the auth logs, they just hammered away at my plug while I wasn't home.

Again, much thanks to the Tonido devs for the quick response and help.

madhan
Admin Tonidoid
Posts: 8617
Joined: Tue Dec 30, 2008 12:13 am
Location: Austin, TX, USA

Re: Plug Security

Postby madhan » Mon Aug 31, 2009 5:46 pm

Here's a few:

1. Don't port forward SSH access to your plug. Also don't put it on the DMZ.
2. Don't have weak passwords for SSH and Tonido. At least 8 to 10 characters with at least 1 number.


Re: Plug Security

Postby ezelkow1 » Mon Aug 31, 2009 6:22 pm

You may want an even stronger password than that. The one I used was 8 chars with a number and it still got broken; then again, DMZ access didn't help things.


Re: Plug Security

Postby papai » Tue Sep 01, 2009 2:34 pm

Once you open a port to the internet, if the application is not securely coded it may be cracked if the crackers are tenacious enough. The DMZ could be as secure as your internal LAN. The advantage of a DMZ is that if your machine in a DMZ is compromised, only the machines in the DMZ are at risk, given that you would not open ports from the DMZ into your internal LAN.

I have SSH exposed to the internet but I take precautions. I do not allow root login except at the console. I have a separate account with low privileges to access remotely using a public/private key. This is on my Linux firewall.

I am placing the Plug on a firewall with similar security precautions. My concern is how secure are the Tonido applications. If ezelkow1's Plug was hacked through the app then we have a very serious issue at hand.


P.S.

I meant placing the Plug in the DMZ, not the Firewall. :oops:
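
One way to check an `sshd_config` for the precautions described in the post above (no remote root login, key-only access, a named low-privilege account). This is an added example, not code from the thread or from Tonido; the sample configs and the account name `remoteuser` are constructed, and the check only reads global options (it stops at the first `Match` block).

```python
# Constructed sample input: a config that still allows root and password logins.
SAMPLE_WEAK = """\
# constructed example, not taken from a real TonidoPlug
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed sample input: root login off, keys only, one named low-privilege user.
SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers remoteuser
"""


def parse_global(text):
    """Return {keyword: value} for global options; first occurrence wins, as in sshd."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if key == "match":  # conditional blocks follow; stay in global scope
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)  # a later duplicate does not override
    return opts


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    opts = parse_global(text)
    findings = []
    # Unset counts as a finding here because the root-login default varies by version.
    if opts.get("permitrootlogin", "unset").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if opts.get("passwordauthentication", "unset").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if opts.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if not opts.get("allowusers"):
        findings.append("AllowUsers does not restrict remote accounts")
    return findings
```

In `SAMPLE_WEAK` the later `PermitRootLogin no` line has no effect, because sshd uses the first value it obtains for each keyword, so the audit still reports root login as allowed.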


Re: Plug Security

Postby madhan » Tue Sep 01, 2009 6:17 pm

Tonido software has been audited by an independent security auditing company for flaws, and the changes suggested were implemented.

You can read more here
http://www.tonido.com/support/Tonido_Security


Re: Plug Security

Postby ezelkow1 » Tue Sep 01, 2009 7:18 pm

I really don't think my hack had anything to do with the Tonido software; I believe it was just an issue of leaving my plug out in the open. I think the only thing that could be added to the Tonido software is SSL, and they have already said that is being added.

