
&***; are changed to their symbols.

This commit is contained in:
Alexander Andreev 2023-02-05 06:03:37 +04:00
parent c3c299e066
commit 8172c0b07f
Signed by: Arav
GPG Key ID: 0388CC8FAA51063F
3 changed files with 22 additions and 22 deletions


@ -22,13 +22,13 @@ I always wandered, since I ~~joined a cult~~ got mine, why almost no one can pro
In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many haven't done even that.
If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to `System->Reset Configuration` and check an option `No Default Configuration`. In teminal `> system/reset-configuration no-defaults=yes`. And then using `Quick Set` configure basic access to the Internet and a LAN. We need `No Default Configuration` because these defaults doesn't include a firewall (if I recall correctly, I did that in 2019 for the last time).
If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to `System->Reset Configuration` and check an option `No Default Configuration`. In teminal `> system/reset-configuration no-defaults=yes`. And then using `Quick Set` configure basic access to the Internet and a LAN. We need `No Default Configuration` because these defaults doesn't include a firewall (if I recall correctly, I did that in 2019 for the last time).
### 2. Ways to harden your router {#art-2}
Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet — vulnerabilities.
Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet vulnerabilities.
To do it in Winbox go to `System->Packages` and click a `Check For Updates` button. Or using teminal: `> system/package/update/check-for-updates`. After a reboot you need to upgrade a RouterBOARD firmware. In Winbox go to `System->RouterBOARD` and click `Upgrade` button. After that reboot a router again, go for it in `System->Reboot`. In a CLI `> system/routerboard/upgrade`, and then `> system/reboot`.
To do it in Winbox go to `System->Packages` and click a `Check For Updates` button. Or using teminal: `> system/package/update/check-for-updates`. After a reboot you need to upgrade a RouterBOARD firmware. In Winbox go to `System->RouterBOARD` and click `Upgrade` button. After that reboot a router again, go for it in `System->Reboot`. In a CLI `> system/routerboard/upgrade`, and then `> system/reboot`.
First thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict from what addresses we can login.
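Review bot: the dash between "botnet" and "vulnerabilities" is gone in the new version of the line (`That's another major reason why routers becomes a part of a botnet vulnerabilities.`), so the sentence now reads as if "botnet vulnerabilities" were a noun phrase; if the intent was `&mdash;` to a literal em-dash character, confirm the character actually landed in the file and survived the editor's encoding, otherwise reinstate it (a plain ` - ` would also do). While the line is rewritten anyway, `routers becomes` should be `routers become`. The two other pairs in this hunk (`If you are setting up a router ...` and `To do it in Winbox ...`) show no visible difference, so they are presumably whitespace or invisible-character edits; worth confirming they are intentional.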
@ -36,41 +36,41 @@ Second, restrict access to router's configuration by IP, and disable not used se
And here comes a firewall.
And before we start I want to give you a vital tip that will save your time, and, maybe, money — use Safe Mode! To toggle it in Winbox click button `Safe Mode` that you can find at the top left corner. In teminal press `Ctrl-X`. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :)
And before we start I want to give you a vital tip that will save your time, and, maybe, money use Safe Mode! To toggle it in Winbox click button `Safe Mode` that you can find at the top left corner. In teminal press `Ctrl-X`. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :)
### 3. Password protection, SSH and address-based access restriction {#art-3}
#### 3.1. Password {#art-3-1}
To change a password in Winbox go to `System->Users`, double-click on your admin account and in an edit dialogue click `Password...` button. In teminal type in `> user/set admin password=new_password`.
To change a password in Winbox go to `System->Users`, double-click on your admin account and in an edit dialogue click `Password...` button. In teminal type in `> user/set admin password=new_password`.
#### 3.2. SSH {#art-3-2}
Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future. But now we have only passwords.
To configure SSH go to `IP->SSH`. We need there options `Always Allow Password Login` and `Strong Crypto` to be enabled. You may change `Host Key Size` to something more secure and click `Regenerate Host Key` button. Using teminal type in `> ip/ssh/set always-allow-password-login=yes strong-crypto=yes`. In a terminal works autocompletion, just tap Tab key twice. To regenerate a key type in `> ip/ssh/regenerate-host-key` and confirm.
To configure SSH go to `IP->SSH`. We need there options `Always Allow Password Login` and `Strong Crypto` to be enabled. You may change `Host Key Size` to something more secure and click `Regenerate Host Key` button. Using teminal type in `> ip/ssh/set always-allow-password-login=yes strong-crypto=yes`. In a terminal works autocompletion, just tap Tab key twice. To regenerate a key type in `> ip/ssh/regenerate-host-key` and confirm.
#### 3.3. Allowed Address list {#art-3-3}
Every user can be restricted by what addresses he allowed to login from. You may have already noticed a field `Allowed Address` when was setting a password. So, again, in Winbox go to `System->Users`, double-click your user and you will see a field `Allowed Address`, there could be multiple entries that can be added/removed using arrow buttons at the end of fields. You can type in individual IP-addresses and whole subnets in CIDR (e.g. 192.168.88.0/24) notation.
In teminal type in `> user/set admin address=` and type all addresses separated by a comma, e.g. `address=192.168.88.3,192.168.89.0/24`.
In teminal type in `> user/set admin address=` and type all addresses separated by a comma, e.g. `address=192.168.88.3,192.168.89.0/24`.
### 4. Configuring service list {#art-4}
There are a bunch of different ways to configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access its filesystem with FTP or SFTP.
Good thing to do first will be disabling all not needed services. Go to `IP->Services` in Winbox and then using a button with a red cross disable them, or a blue check mark to enable it. Or in an edit dialogue click `Disable` button. In teminal type in `> ip/service/set service disabled=yes`.
Good thing to do first will be disabling all not needed services. Go to `IP->Services` in Winbox and then using a button with a red cross disable them, or a blue check mark to enable it. Or in an edit dialogue click `Disable` button. In teminal type in `> ip/service/set service disabled=yes`.
As for me, I leave only SSH and Winbox services.
Okay, now let's restrict access to our services by IP. It is the same as for a user, just a field called `Available From`. In teminal: `> ip/service/set service address=192.168.88.2,192.168.89.0/24`.
Okay, now let's restrict access to our services by IP. It is the same as for a user, just a field called `Available From`. In teminal: `> ip/service/set service address=192.168.88.2,192.168.89.0/24`.
### 5. Basic firewall {#art-5}
As I previously stated, default firewall we get using `Quick Set` is pretty much sufficient.
Go to `IP->Firewall` in Winbox or `> ip/firewall/filter` in teminal. For IPv6 sections called `IPv6` for Winbox, and `ipv6` for teminal.
Go to `IP->Firewall` in Winbox or `> ip/firewall/filter` in teminal. For IPv6 sections called `IPv6` for Winbox, and `ipv6` for teminal.
In terminal you can switch to a needed section instead of typing it every time. To add a rule there is a command called `add`, and `remove` to remove a rule by its number. To see all rules and theirs numbers type `print` command.
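Review bot: the same dropped dash appears here: `money use Safe Mode!` lost the separator the old line had, which turns the tip into a run-on; check that the literal em-dash character made it into the file. Six of the pairs in this hunk (`To change a password`, `To configure SSH`, `In teminal type in`, `Good thing to do first`, `Okay, now let's restrict`, `Go to IP->Firewall`) show no visible change, which points to trailing-whitespace or invisible-character edits rather than entity conversions; if they are accidental, drop them so the diff carries only the intended change. Since those lines are touched anyway, `teminal` (repeated in each of them) should be `terminal`.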


@ -41,7 +41,7 @@
### 1. Introduction {#art-1}
E-mail itself is a system consisting of several parts. A main E-mail protocol — SMTP is used for exchanging of mail between servers. For a user to manage his mail IMAP and POP3 protocols are used. Difference between IMAP and POP3 is that IMAP manages mail stored on a server, while POP3, once fetched mail, deletes it from server.
E-mail itself is a system consisting of several parts. A main E-mail protocol SMTP is used for exchanging of mail between servers. For a user to manage his mail IMAP and POP3 protocols are used. Difference between IMAP and POP3 is that IMAP manages mail stored on a server, while POP3, once fetched mail, deletes it from server.
As SMTP server I use Postfix. For IMAP (I don't use POP3 because I need access from multiple devices) I use Dovecot. Dovecot is also being used for SASL authentication in Postfix. And Dovecot supports Sieve protocol, through its implementation called Pigeonhole, that allows users to write their own message filtering rules.
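Review bot: the dash after `A main E-mail protocol` is missing in the new line, leaving `A main E-mail protocol SMTP is used for exchanging of mail between servers.`; restore the separator, or rephrase to `The main e-mail protocol, SMTP, is used ...`, so the apposition is readable.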
@ -153,7 +153,7 @@ Now lets add some tweaks:
`biff` set to no to disable local service for new mail notifications. It is a server, we don't need them here.
`strict_rfc821_envelopes` set to yes require addresses to be enclosed with <>.
`strict_rfc821_envelopes` set to yes require addresses to be enclosed with <>.
Disabling VRFY command with `disable_vrfy_command` prevents some email addresses harvesting techniques.
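Review bot: there is no visible difference between the old and new `strict_rfc821_envelopes` lines; if this was `&lt;&gt;` to `<>`, it is safe outside a code span only because the brackets are empty. Wrapping the `<>` in backticks would make the intent clearer and keep renderers from ever trying to parse it as a tag.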
@ -280,7 +280,7 @@ The following services are needed: `smtp`, `submission`, `smtps`, and we add `sp
#### 3.3. User aliases {#art-3-3}
User aliases are in `aliases` file. They has a form &quot;`&lt;alias&gt;: &lt;username&gt;`&quot;, e.g. `me: arav`. Where `username` may be other alias. After editing you need to run `newaliases` program to update `aliases.db` file.
User aliases are in `aliases` file. They has a form &quot;`<alias>: <username>`&quot;, e.g. `me: arav`. Where `username` may be other alias. After editing you need to run `newaliases` program to update `aliases.db` file.
#### 3.4. Starting Postfix {#art-3-4}
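Review bot: `&quot;` is left as an entity in the new line while `&lt;`/`&gt;` inside the backticks were converted; the `&lt;alias&gt;` to `<alias>` change is right because the text sits in a code span, but for consistency with the commit's stated intent the surrounding `&quot;` could equally become a literal `"`. `They has a form` should also become `They have the form` while this line is being edited.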
@ -579,13 +579,13 @@ It's good to have a dedicated A (IPv4 address) or AAAA (IPv6 address) record for
And A record looks like this:
mail&nbsp;&nbsp;IN&nbsp;&nbsp;86400&nbsp;&nbsp;A&nbsp;&nbsp;203.0.113.4
mail IN 86400 A 203.0.113.4
Where `mail` is a hostname, 86400 is a TTL of a record in seconds.
Next we need to add a MX (mail exchanger) record that looks like this:
&nbsp;&nbsp;MX 10 mail.example.org.
MX 10 mail.example.org.
Here 10 is a priority of a record. The lower a number the higher a priority.
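Review bot: replacing `&nbsp;` with plain spaces in the record samples loses the leading indentation, visible in the MX line: `&nbsp;&nbsp;MX 10 mail.example.org.` becomes `MX 10 mail.example.org.` with nothing in front, and in Markdown leading spaces outside a code block are collapsed anyway (four or more would turn the line into a code block). If these records are meant to display aligned, put them in a fenced code block instead of relying on non-breaking spaces; that also stops the column spacing in `mail IN 86400 A 203.0.113.4` from being collapsed.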
@ -627,8 +627,8 @@ In 5.2 we generated a key pair for our domain and now we'll take what's inside a
DKIM DNS record looks like this:
myselector._domainkey IN TXT ( "v=DKIMv1; k=rsa; s=email; p=&lt;public key goes here&gt;"
"&lt;public key continues here&gt;" )
myselector._domainkey IN TXT ( "v=DKIMv1; k=rsa; s=email; p=<public key goes here>"
"<public key continues here>" )
Brackets are used in case a content of a record doesn't fit on one line, and it won't fit.
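Review bot: the DKIM version tag in both the old and new lines is `v=DKIMv1`, but the value defined for the key record's `v=` tag in RFC 6376 is `DKIM1`, and the RFC says records whose `v=` tag carries any other value MUST be discarded, so a verifier will treat this example as invalid; change it to `v=DKIM1; k=rsa; s=email; p=...` while the line is being touched. Separately, `<public key goes here>` is only safe if these two lines live inside a fenced code block; in running Markdown a renderer may parse it as an HTML tag and drop it, which is exactly what the `&lt;`/`&gt;` entities were preventing. Please confirm the fence.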


@ -7,7 +7,7 @@
2. [Tor relay](#art-3-2)
3. [Hidden service](#art-3-3)
4. [Miscellaneous](#art-4)
1. [Nyx &mdash; status monitor for Tor nodes](#art-4-1)
1. [Nyx status monitor for Tor nodes](#art-4-1)
2. [Notes](#art-4-2)
### 1. Introduction {#art-1}
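Review bot: the TOC entry loses its dash and becomes `Nyx status monitor for Tor nodes`, which reads like a product name rather than a name plus a description; the heading in section 4.1 is changed the same way, so the two stay consistent, but both should keep a separator (`Nyx, status monitor for Tor nodes`, or the literal em-dash character if it simply did not survive).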
@ -60,7 +60,7 @@ Here is an example of relay settings.
ORPort 8443, [::]:8443
Nickname Anon
Address example.org
ContactInfo Anon &lt;anon@example.org&gt;
ContactInfo Anon <anon@example.org>
RelayBandwithRate 8MBits
RelayBandwithBurst 10MBits
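Review bot: the `<anon@example.org>` conversion is fine if this block is fenced, but the surrounding context has a real problem: `RelayBandwithRate` and `RelayBandwithBurst` are misspelled. Tor's options are `RelayBandwidthRate` and `RelayBandwidthBurst`, and tor refuses to start on an unrecognised option, so anyone pasting this example gets a relay that does not come up. Fix both option names while the block is being edited.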
@ -94,9 +94,9 @@ There are two mandatory options to work with: `HiddenServiceDir` and `HiddenServ
Of course, there are many other options, e.g. client authentication. But in simple case all you need are those two options above.
Every hidden service starts with `HiddenServiceDir &lt;path&gt;` directory that contains public and secret keys, hostname for a hidden service and a directory called `authorized_clients` that stores info on all clients that are authorized to access this hidden service.
Every hidden service starts with `HiddenServiceDir <path>` directory that contains public and secret keys, hostname for a hidden service and a directory called `authorized_clients` that stores info on all clients that are authorized to access this hidden service.
And at least one `HiddenServicePort &lt;tor port&gt; &lt;host:port of service&gt;` sets port to listen to in Tor network as first parameter and the second one is a service that you want to give access from Tor to. E.g. `HiddenServicePort 80 localhost:8201` for webserver.
And at least one `HiddenServicePort <tor port> <host:port of service>` sets port to listen to in Tor network as first parameter and the second one is a service that you want to give access from Tor to. E.g. `HiddenServicePort 80 localhost:8201` for webserver.
It allows you to give access to many services by one Tor hostname.
@ -108,7 +108,7 @@ Example:
### 4. Miscellaneous {#art-4}
#### 4.1. Nyx &mdash; status monitor for Tor nodes {#art-4-1}
#### 4.1. Nyx status monitor for Tor nodes {#art-4-1}
You have to set `ControlPort` option to desired port, it will listen on localhost. If you need access from outside then set it to IP:9051. Also, you need to set `DisableDebuggerAttachment` option to 0, otherwise you'll not be able to use nyx. At least in my case nyx cannot connect with this option being set to 1.
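Review bot: the heading change matches the TOC, but the paragraph under it needs a security caveat the diff does not add: it tells the reader to bind `ControlPort` to `IP:9051` for outside access without mentioning control-port authentication (`CookieAuthentication 1` or `HashedControlPassword`), and an unauthenticated control port reachable from the network hands full control of the daemon to anyone who can connect; recommend keeping it on localhost and enabling one of those. Likewise `DisableDebuggerAttachment 0` re-enables debugger (ptrace) attachment to the tor process, which is what the option exists to prevent, since it protects key material in process memory; state that trade-off next to the instruction. The dropped dash in `Nyx status monitor for Tor nodes` is the same issue as in the TOC entry.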