Page 4 of 5 FirstFirst ... 2345 LastLast
Results 31 to 40 of 41

Thread: Is Teamviewer a security risk

  1. #31
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    13,326
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: Is Teamviewer a security risk

    For one machine behind one server, a lot of this discussion is overkill.

    OP, the only way open ports on an Ubuntu machine behind a firewall can be seen from the Internet is if you choose to forward those ports on the router. Suppose you were running a web server on TCP port 80. You might want to make this server visible to the entire globe. In that case you would use port forwarding to accept inbound traffic on your router and pass it back to the web server. Port forwarding essentially makes an open port publicly visible.

    I don't see you intending to do anything like that. So, to answer your original question, no, Teamviewer is not a "security risk" if you mean "can someone maliciously connect to my machine via the exposed Teamviewer port?" There is no exposed port because of the way the application is designed. Could there be vulnerabilities in the software itself? Of course, but I suspect they would have been discovered and fixed already.

    I appreciate that people here often want to give a "complete" explanation with all the nuances that any security question requires, but often that isn't a helpful answer for a simple question like the OPs.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  2. #32
    Join Date
    Apr 2006
    Beans
    527

    Re: Is Teamviewer a security risk

    SS, thanks for your always incisive and to-the-point guidance. With enormous respect, I think Charles post #22 did establish this.

    What I haven't stated is that our LAN has 5 computers on it and we do our banking online. In addition, we have frequent house guests who use our WiFi and you know how scary that might be. Also there are any number of devices such as AIO network printers, media server type devices, Direct TV DVR's, slingbox, etc.

    So it isn't as simple as you have imagined, but your post was very informative nonetheless.

    And thus answers to the subnet question are definitely interesting.
    I'm am old guy, but still tryin'. Your patience appreciated.

  3. #33
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    13,326
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: Is Teamviewer a security risk

    I do my banking online; I have a few qualms about doing so, but my network isn't one of them. I'm always more concerned about trusting institutions beyond my control. IT security is generally underfunded by corporations since it's seen only as a cost. Lax security at Sony required us to cancel a credit card after its Playstation Network was cracked.

    My house has a couple of servers, a PS3, a "smart" TV, some workstations, and Android phones, all connected to my network. I don't see any of this as a security threat. The most vulnerable device is the wifi router. I use WPA encryption with a complete mixed-case sentence including punctuation as a pass-phrase. It's both personally memorable and unlikely to be in a rainbow table.

    I just used the invaluable tool nmap (available from the repositories) to scan my external router from the Internet. I ran the scan from a server on the Net to which I have access, but not one I have granted any special permissions on my router. After five minutes of "stealth" scanning by nmap, not one of the 1,680 tested ports was open. This is a stock router from Verizon with no additional hardening.

    I have another router running dd-wrt behind that one. It provides my actual network services, both wired and wireless. That router handles DHCP address management and includes a custom static route for connections to my online servers. That traffic is forwarded to a server on my network which maintains an OpenVPN tunnel with my server at Linode. That local server also provides private DNS resolution on the local network and handles all my mail.

    From the point of view of machines on my local network, the Verizon router is just another hop between them and the Internet.
    Code:
    Seiji@GhostWorld:~$ traceroute -n 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
     1  192.168.0.1  4.216 ms  4.165 ms  4.165 ms     (ASUS router with dd-wrt)
     2  192.168.1.1  4.168 ms  4.145 ms  4.112 ms     (Verizon router at my house)
     3  96.252.37.1  12.996 ms  15.517 ms  15.529 ms  (Verizon router upstream)
        [ The Internet ]
    15  8.8.8.8  43.514 ms  39.743 ms  39.593 ms
    That's my home network in a nutshell. I'm not protected against a physical wiretap, or even a malicious piece of Javascript downloaded in the background to Firefox. I have some protections against those in my browser, and I generally don't browse the back alleys of the Internet where malware lurks. I will say that the only time my browser was compromised by a Javascript was when I tried to close it after reading the New York Times! All of a sudden Antivirus 2010 appeared and told me I had all sorts of infected "DLL" files residing in C:\Windows that needed cleaning. Seeing as I was on an Ubuntu machine, I laughed out loud.
    Last edited by SeijiSensei; March 3rd, 2014 at 04:56 AM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  4. #34
    Join Date
    Apr 2006
    Beans
    527

    Re: Is Teamviewer a security risk

    SS, I have every confidence that your system, whatever it might consist of, is hardened, very hardened. That happened because you have the knowledge and understanding to make it so. OTOH, I am only a beginner, and just beginning to get a glimpse into the complexity that may take years of gaining understanding, to begin to successfully address. So all my questions are from behind a veil through which I cannot see clearly, but they do come from thinking about, and trying to find solutions to those mysterious, and not understood, problems.

    If subnets can help isolate our house guests, who use our WiFi, from any problems that they might generate, all the better. There are probably much better solutions of which I don't have the benefit of an insight or a clue (as in the subnet tidbit) yet, but I keep asking, and learning, and am very grateful for your guidance, as for those of others. Mine was not at all intended to be critical of you.
    I'm am old guy, but still tryin'. Your patience appreciated.

  5. #35
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    13,326
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: Is Teamviewer a security risk

    I didn't feel criticized at all. I was trying to give you an idea of the sorts of questions I had when I was connecting things up in my house. I hope it was helpful.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  6. #36
    Join Date
    Apr 2006
    Beans
    527

    Re: Is Teamviewer a security risk

    Having had a bit of time to think about the description of your set-up, I have a couple of questions that I think are still within the scope of this thread. If not I can start a new one.

    1) Do you have the second router because you do not feel that the Verizon router can give you either the control or the security that you want from your router? (Since it did not show an open port after 5 minutes of nmap scanning, it must be pretty good? Or is that because of the setup behind the Verizon router?)

    2)
    Code:
     I use WPA encryption with a complete mixed-case sentence...pass-phrase
    From context, this is in your WiFi access point, no? If so, is this pass-phrase for access by users, or the admin pass-phrase? I assume the former, but if not, is the pass-phrase you have for user access similarly complex? OTOH, if so, do you have a similarly complex pass-phrase for admin access?

    Code:
    I have another router running dd-wrt behind that one. It provides my actual network services, both wired and wireless.
    3) dd-wrt to give you improved capability/performance of the router, or what?

    4) I assume that you prefer not to have PnP (I may not have that right, but it's the automated, easy admission for users thingy) enabled? If so, is that another reason for dd-wrt?

    5) do you have PnP on your WiFi access point?

    Code:
    That router handles DHCP address management ....
    6) I believe I understand enough about DHCP to think that this would be necessarily handled by the second router, but if not please elaborate on this

    Code:
    ...and includes a custom static route for connections to my online servers. That traffic is forwarded to a server on my network which maintains an OpenVPN tunnel with my server at Linode.
    7a) Not trying to be nosy, but wanting to better understand your setup, are your "online servers" handling functions unrelated to your home network (i.e. for business purposes, or ?) If wrong, how to they augment your home network?

    7b) Is this server maintaining the OpenVPN tunnel a sole purpose device, and if so, virtual or mechanical? If not, what other functions does it serve?

    Code:
    That local server also provides private DNS resolution on the local network....
    8) I don't understand this, could you please elaborate a bit? I thought DNS was something provided by a worldwide network of public servers for this purpose. Is yours to speed up the process for the ones that you frequent or what? (I.e., sort of a caching function?)

    Code:
    ....and handles all my mail.
    9) So you have your own mail server and I assume for a domain that you control so that mail comes from "yourname@SeijiSensei.com" or whatever? Do you do this in preference to an online service such as gmail.com for any particular reason?

    I have numbered all of the above to facilitate your reply. Apology for the long list, but really want to better understand yours for the purpose of learning from it. If any of it you do not wish to comment on for any reason, no problem.
    I'm am old guy, but still tryin'. Your patience appreciated.

  7. #37
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    13,326
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: Is Teamviewer a security risk

    Quote Originally Posted by Odyssey1942 View Post
    Having had a bit of time to think about the description of your set-up, I have a couple of questions that I think are still within the scope of this thread. If not I can start a new one.

    1) Do you have the second router because you do not feel that the Verizon router can give you either the control or the security that you want from your router? (Since it did not show an open port after 5 minutes of nmap scanning, it must be pretty good? Or is that because of the setup behind the Verizon router?)
    Partly it is "defense-in-depth," partly it's because I don't like mucking around in my ISP's router.

    2)From context, this is in your WiFi access point, no? If so, is this pass-phrase for access by users, or the admin pass-phrase? I assume the former, but if not, is the pass-phrase you have for user access similarly complex? OTOH, if so, do you have a similarly complex pass-phrase for admin access?
    I use the web GUI for administrative access. That password is unique. The long pass-phrase is the one required for anyone to use the access point. Since most devices will remember the pass-phrase, users only need to enter it once.

    3) dd-wrt to give you improved capability/performance of the router, or what?
    dd-wrt is a Linux derivative so I'm comfortable with that. It also offers a variety of more advanced controls than ordinary home routers.

    4) I assume that you prefer not to have PnP (I may not have that right, but it's the automated, easy admission for users thingy) enabled? If so, is that another reason for dd-wrt?
    UPNP can be a major security hole; I have nothing that requires it. Do you? I certainly wouldn't enable UPNP just to make life convenient for guests.

    6) I believe I understand enough about DHCP to think that this would be necessarily handled by the second router, but if not please elaborate on this
    Yes, the ASUS router faces the local network and handles DHCP.

    7a) Not trying to be nosy, but wanting to better understand your setup, are your "online servers" handling functions unrelated to your home network (i.e. for business purposes, or ?) If wrong, how to they augment your home network?
    Yes, the servers at Linode provide public services like web hosting and email. The one with OpenVPN acts as a hub for a number of tunnels I have running in different locations. They enable me to see machines behind a client's firewall, for instance.

    7b) Is this server maintaining the OpenVPN tunnel a sole purpose device, and if so, virtual or mechanical? If not, what other functions does it serve?
    No, as I said it handles mail and local DNS. It also runs Samba and NFS in parallel for file and printer sharing.

    8) I don't understand this, could you please elaborate a bit? I thought DNS was something provided by a worldwide network of public servers for this purpose. Is yours to speed up the process for the ones that you frequent or what? (I.e., sort of a caching function?)
    I have a domain (actually a number of them). My public DNS server resides on the virtual machines at Linode. The server in my house has a different set of host-to-address mappings for the same domain that point to local resources. On the public internet, mail.mydomain.com points to a server at Linode. At home, that name points to the local server. It also does caching of requests, of course, but that's not it's primarily purpose.

    9) So you have your own mail server and I assume for a domain that you control so that mail comes from "yourname@SeijiSensei.com" or whatever? Do you do this in preference to an online service such as gmail.com for any particular reason?
    I've run my own mail, and some mail services for clients, since 1995. I also manage email listservers that run on my mail servers. I have no reason to change.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  8. #38
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Is Teamviewer a security risk

    Quote Originally Posted by SeijiSensei View Post
    dd-wrt is a Linux derivative so I'm comfortable with that. It also offers a variety of more advanced controls than ordinary home routers.
    I am in total agreement with this one, I got started with dd-wrt on a Linksys 54G, moved to a Dlink DIR-615 and now I'm using an Asus RT-N16. So far it blows away the stock firmware or maybe I am just spoiled because it offers features the stock firmware lacks. Hmm.


    UPNP can be a major security hole; I have nothing that requires it. Do you? I certainly wouldn't enable UPNP just to make life convenient for guests.
    Agreed. I leave it turned off even though I have people tell me you "need" it if you are going to be downloading a torrent or streaming content. I've had no issues.

    My set up is similar as far as public web/email/whatever, but I haven't gotten around to getting a full blown DNS server set up at home for testing, so I've been using dnsmasq off the dd-wrt box.

    I think the key, like with anything, is compartmentalization. One server runs mail, one server is for the web site, etc.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #39
    Join Date
    Apr 2006
    Beans
    527

    Re: Is Teamviewer a security risk

    Are these virtual servers or stand alone hardware? If separate computers, that could result in lots of computers running constantly. What would be the disadvantage/s of virtual?

    If the answer is complicated, then disregard this question, but I don't understand the purpose of DNS servers within the LAN. As I understand it a DNS server translates a name (e.g., google.com) into an IP # which is how the request gets transmitted over the Internet. In my mind, these servers are "public resources" that are just available out there on the Internet. What is the purpose of having your own?

    I have also read that turning UPNP "off" may not be totally effective in eliminating the security risk from having it in the router. Does dd-wrt eliminate UPNP? In answer to SS, I do not regard signing into a WPA/WPA2 access point as a big challenge, and so do not value UPNP, even if it is maybe slightly more convenient for guests.

    TIA.
    I'm am old guy, but still tryin'. Your patience appreciated.

  10. #40
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Is Teamviewer a security risk

    Quote Originally Posted by Odyssey1942 View Post
    Are these virtual servers or stand alone hardware? If separate computers, that could result in lots of computers running constantly. What would be the disadvantage/s of virtual?
    If you are asking me, I have one dedicated server (at home), and the rest are virtualized. My VPSes are hosted at RamNode, and are accessible from the public internet, where my home box isn't accessible from the internet at all.

    If the answer is complicated, then disregard this question, but I don't understand the purpose of DNS servers within the LAN. As I understand it a DNS server translates a name (e.g., google.com) into an IP # which is how the request gets transmitted over the Internet. In my mind, these servers are "public resources" that are just available out there on the Internet. What is the purpose of having your own?
    Testing. I do a bunch of testing locally before pushing things to production and if you are dealing with SSL certs or the like, that are signed for a specific domain, you will get errors if you do not access the server with that domain. By using a local DNS server set up, you can tell your local machines to connect to the local test machine instead of the public one because the DNS server will have an entry for the local machine and not have to query an external DNS server to get that information.

    Also, caching DNS lookups can speed up your browsing.

    I have also read that turning UPNP "off" may not be totally effective in eliminating the security risk from having it in the router. Does dd-wrt eliminate UPNP? In answer to SS, I do not regard signing into a WPA/WPA2 access point as a big challenge, and so do not value UPNP, even if it is maybe slightly more convenient for guests.
    dd-wrt still has a setting for UPnP, but it is disabled by default. I don't know why there would be a different between having it disabled and having it not installed in the first place unless the router gets compromised somehow (weak wireless key, default passwords, etc).
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

Page 4 of 5 FirstFirst ... 2345 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •