nmap scan on my linux dd wrt router finds a 512bit ssl key that is already public record.
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
ok so that ssl known key at the end is that something i should be worried about? i am concerned this ssl known key is what my router uses when i sign in with my password to it.
also ports 53,80 and 443 are visible from inside my network.
PLEASE note i am doing this scan from the INSIDE not the outside of my network.
Distribution: CentOS, Ubuntu, Debian, Oracle, Red Hat
Posts: 17
Rep:
I wouldn't worry about. You are correct, you SSL key for your router is known, so is millions of others. Not a big deal so long as logging in to your router from the OUTSIDE is prevented. From the inside, keep it tight by blocking the 80 and keeping the 443. I personally use MikroTik routers, and the only way to actually connect is through a specific physical port.
This is why I also don't let my wireless hang-out just for anyone to connect to (20 character randomized password), place my wireless on a restricted subnet, and prevent router management access to anyone who is on the wireless.
Again, not a big worry. Do your own due-diligence, and carry on.
ok so that ssl known key at the end is that something i should be worried about? i am concerned this ssl known key is what my router uses when i sign in with my password to it.
First of all the fact the private key is in the littleblackbox repo of known private SSL keys is a Fact of Life where embedded devices are concerned. (Plus vendors can not be expected to be careful anyway but that's another discussion). Secondly obtaining the private key makes a MiTM possible but as long as you don't expose any remote management features that would confine this to your own LAN ( and device security like custom admin password, separate vlans and ACLs should be thought of as "basic" anyway in this day and age and regardless of providing services in a DMZ or not, and especially when using heterogeneous environments, enabling BYOD or allowing otherwise untrusted clients), and this certificate is used only to provide an encrypted connection to the admin web interface of your router, so using it for any other purpose (public-facing or not) should be corrected immediately. Most importantly though, third: once resolved (see this and this) there is no issue to "worry" about any more...
So well done for running the scan in the first place, now understand the potential risks and then fix things. That actually allays fears.
abbreviations just making sure i got them and other
acl = access control list?
byod = bring your own device??
i have remote administration all turned off.
i have access point isolation and all clients on the network are isolated from each other.
i really think it's time to just buy a newer router
and i do have a big password for the router 20+ characters
i tried to follow the dd wrt directions to separate the wireless LAN from the wired LAN via a VLAN setup but couldn't get it to take.
the router is the old standby wrtg54g 11 years old!
Quote:
Originally Posted by unSpawn
First of all the fact the private key is in the littleblackbox repo of known private SSL keys is a Fact of Life where embedded devices are concerned. (Plus vendors can not be expected to be careful anyway but that's another discussion). Secondly obtaining the private key makes a MiTM possible but as long as you don't expose any remote management features that would confine this to your own LAN ( and device security like custom admin password, separate vlans and ACLs should be thought of as "basic" anyway in this day and age and regardless of providing services in a DMZ or not, and especially when using heterogeneous environments, enabling BYOD or allowing otherwise untrusted clients), and this certificate is used only to provide an encrypted connection to the admin web interface of your router, so using it for any other purpose (public-facing or not) should be corrected immediately. Most importantly though, third: once resolved (see this and this) there is no issue to "worry" about any more...
So well done for running the scan in the first place, now understand the potential risks and then fix things. That actually allays fears.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.