Hello Ubuntuers: With the recent news about the AT&T hack, I thought I'd ask how to secure my home network and Ubuntu computers from being hacked. I have a VPN and use UFW to allow TCP traffic from a main server in my home... but nothing else. What else should I do? Thanks, Old
I cannot talk about AT&T hack stuff. Sorry. Non-disclosure agreements. You understand. I can assure people that AT&T does patch their CPE (customer premise equipment) as needed for their broadband customers. I worked that project to ensure patching happened. The highest levels of AT&T were involved in the decision to patch and to validate that every CPE was patched. Patching was easier than getting an accurate report about the current patch level on the devices. If you aren't with AT&T, I wouldn't assume any provided router is patched until you check and validate that yourself. I don't use AT&T for my ISP. I've verified they patch, but they aren't exactly quick about it. Anytime a patch requires a reboot, that means downtime, and downtime is bad for the type of SLA I have with the ISP. I use the ISP's router just as a bridge. I have my own router and patch it weekly. About every other week, there are patches available for it. I run OPNsense as the router software on a purpose-built AMD x86-64 SBC w/ 4GB RAM just for routing. I don't have wifi capability on my router. Wifi is just another attack vector and none of the current wifi standards should be considered as "secure". Actually, no wifi standards have been secure that we know of since 2000. If you use wifi, do it outside your LAN and use a VPN for all wifi-using devices. For example, we have a Roku streaming stick and it sits between the ISP's router and my router in an untrusted part of the network. Other IoT stuff goes there too and cannot access any of my LAN stuff. If you have more questions, join ALE-NW on Sunday for more interactive answers. There are many things you didn't answer which would determine what you need to do. In general, use the fewest "features" of the router that you can. Disable all the others. Patch frequently based on the router you have and their update periods. Most will update monthly or quarterly.
If you haven't patched your router in the last quarter, perhaps it is out of support and needs to be replaced? If it can run DD-WRT or OpenWrt, you may be able to vastly extend the useful life. The guidelines are the same for most computers. Stay patched. Don't enable services you don't need or use. If you do enable any listeners, lock those down to allow only the client connections you want. Never leave them open to the internet. Beware of LAN-wide broadcast protocols like ZeroConf/Avahi and CUPS and DHCP. These can be abused. Heck, all network protocols can be abused. The idea that you don't need to protect systems that are on your LAN is something some people push. There are different opinions about this. I think we should run a firewall on all our computers and only allow the specific protocols between the specific systems that need it. Whether that is useful for your situation or not depends on many things.
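As an added example (not part of any post in this thread), here is a small POSIX shell audit that follows the advice above: find listeners bound to every interface (reachable from the whole LAN, e.g. CUPS on 631 or Avahi on 5353) and print the UFW rule that would restrict one to a single trusted host. The `ss -tuln` output is a constructed sample; the trusted host 192.168.10.5 is an assumed value.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -tuln` output (header plus rows).
# Only the sockets bound to 0.0.0.0, [::] or * are reachable from the LAN.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096   *:80                *:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0      0      [::]:5353           [::]:*
tcp   LISTEN 0      128    192.168.10.5:51820  0.0.0.0:*'

# exposed_listeners TEXT
# Prints one "proto port" line per socket whose local address is a wildcard.
# Loopback-only and single-address binds are skipped; duplicates (v4 + v6 on
# the same port) are collapsed.
exposed_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        port = $5; sub(/.*:/, "", port)          # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)      # everything before it
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $1, port
    }' | sort -u
}

# suggest_ufw TRUSTED_HOST PROTO PORT
# Prints the UFW rule that admits only TRUSTED_HOST to that listener; with a
# "deny incoming" default policy, that is the whole allow list for it.
suggest_ufw() {
    printf 'ufw allow from %s to any port %s proto %s\n' "$1" "$3" "$2"
}

# Report on the sample, or on the live system when run with --live.
audit() {
    exposed_listeners "$1" | while read -r proto port; do
        echo "exposed: $proto/$port -> $(suggest_ufw 192.168.10.5 "$proto" "$port")"
    done
}

if [ "${1:-}" = "--live" ]; then
    audit "$(ss -tuln)"
else
    audit "$SAMPLE"
fi
```

Review the exposed list before adding rules: mDNS (5353/udp) is a broadcast protocol, so the fix there is usually to disable avahi-daemon on hosts that do not need it rather than to allow a single peer.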
Use a password manager and multi-factor authentication. Install updates on time. Don't click on silly stuff or install unknown software, i.e., use common sense. The VPN and exposing your home network is not doing you any favors, either.
Hello currentshaft, you wrote, "The VPN... is not doing you any favors?" Why should we not use a VPN?
Because you're literally sending all of your network traffic to a third party? Why does anyone think this is a good idea?
I use a VPN server at home for remote access to Nextcloud running at home. The WG & NC servers are both on a separate subnet from my primary LAN. There is a third subnet for IoT stuff & wireless. I use an nftables firewall on the WG/NC VMs and their host. Mostly, my office computer will VPN back home for docs and such. It replaced Dropbox. Careful network and router configuration is important. The router should be updated regularly and have a password that you could never memorize. My password is probably over 30 characters, not sure, but KeePass created it for me and it seems to work. That gets changed periodically as well. Oh, and be stingy about opening up ports and services to the internet. I like to deny all to subnets at the router level, and I do not promote subnet hops. If I want a desktop at home to access NC at home, it goes out to the internet and back through the VPN. I currently do not have a VPN for any outbound traffic, but I am thinking about how I might do this for sensitive logins such as payroll, brokerage accounts, banks, etc. This is probably the first thing I should have figured out how to do, oh well. I do not yet have a grasp on how to best do this without using a commercial service, which I do not want to use for sensitive stuff. I probably would want to rent a VPS, I think, and run an outbound WireGuard server there, or perhaps run it from home, not sure. I wrestle with this topic as well... On a VPS I would avoid the one-click WG server setup that they provide and would rather set up my own server there and run it when I need it.
Originally Posted by aljames2: "My password is probably over 30 characters. That gets changed periodically as well. If I want a desktop at home to access NC at home, it goes out to the internet and back through the VPN. I currently do not have a VPN for any outbound traffic but I am thinking about how I might do this for sensitive logins such as payroll, brokerage accounts, banks, etc." All of these things may make you feel good, but they are security anti-patterns which actually worsen your posture. A 30-character password is so overkill it borders on ridiculous. Yet it also gets changed, which is a total contradiction. Then you claim to send traffic out through the Internet to access servers inside your own private LAN, which is so unbelievable, I'm honestly not even sure what to say. Respectfully, a classic example of trying to implement solutions without asking what problem is being solved. I only say this because OP is asking how to secure their network and this ain't it.
I have recently turned to deploying Proton, developed by CERN engineers: Proton Mail, Proton VPN, Proton Vault, Proton Pass. https://proton.me/pass/password-generator
Last edited by dragonfly41; July 13th, 2024 at 09:56 PM.
Originally Posted by currentshaft: "Because you're literally sending all of your network traffic to a third party? Why does anyone think this is a good idea?" Because you've picked one that promises no logging and they've passed privacy and security audits?
Originally Posted by donald187: "Because you've picked one that promises no logging and they've passed privacy and security audits?" Like a pinky promise? Honest question, do you think scammers and bad actors are capable of setting up "totally private, trust us bro" VPN services, or do only Good Guys (tm) run them, in your opinion?