What can we do to protect people from access via WAN?

[Yota]

I don't run with ssh completely disabled - I'm logging in many times a day. I leave it set to LAN only. So any attacker would need to be physically present at/near my home. Someone attacking via wifi would need two passwords and guess my root user id. I think I can live with that.

The bad guys can remotely control your computer through the browser's zero-day vulnerability, and can then use this browser to hack into any device on the LAN. so, the safest thing is to disable it every time you run out of SSH, then frequently update all networked devices and programs.
Also, don't think that zero-day is far from you. something you may have not updated to the latest version, so the vulnerabilities could be exploited by bad guys.

Don't forget that many botnet devices are not because their vendors haven't released fix updates, but because people don't check for updates frequently.

 

[RMerlin]

@RMerlin for turning on wan access etc could you not have a add a password\pin prompt that would stop any possible security breaches by those using the app and unknowingy openingup the router to the internet?

I have no control over the mobile app.

I know Asus has some security improvements coming in the next few months, some of which specifically targets the webui. I cannot share any details at this time, but stay tuned for enhancements in this area.

I believe one of these was recently enabled with the very latest RT-AC86U firmware release (385_20253 or something close to that number - I deal with too many different version numbers these days to keep track of them all), but I don't want to share any details unless Asus does so themselves.

 

[Yota]

I have no control over the mobile app.

I know Asus has some security improvements coming in the next few months, some of which specifically targets the webui. I cannot share any details at this time, but stay tuned for enhancements in this area.

I believe one of these was recently enabled with the very latest RT-AC86U firmware release (385_20253 or something close to that number - I deal with too many different version numbers these days to keep track of them all), but I don't want to share any details unless Asus does so themselves.

Thanks for telling us this good news.

 

[Yota]

@RMerlin I just remember that, some people enabled wan access to get the let's encrypt certificates to prevent browsers from complaining about https self-signed. So they sacrificed security to protect their security. LOL

How we can tell these people, don't do it.

 

[L&LD]

@Jack Lee, you just did. And that is all we can do.

 

[Ronald Schwerer]

The bad guys can remotely control your computer through the browser's zero-day vulnerability, and can then use this browser to hack into any device on the LAN. so, the safest thing is to disable it every time you run out of SSH, then frequently update all networked devices and programs.

This unknown "day-zero vulnerability" won't be stopped by me having to repeatedly enable/disable ssh through the GUI. It would capture my Webgui password and enable ssh on its own. After all, it would have to have my login/password before it could do anything via ssh.

I'm not going to worry about something that might, but likely doesn't exist. I quit looking under my bed for the boogie-man long ago.

 

[L&LD]

Not to mention that the definition of a 'zero-day vulnerability' means that it debuts on new/fresh code, no?

 

[Yota]

@Jack Lee, you just did. And that is all we can do.

I think the built-in LE of the router brings more security risks.

I'm not going to worry about something that might, but likely doesn't exist. I quit looking under my bed for the boogie-man long ago.

That's right, it doesn't exist for 99.99999% of people because hackers don't have time to waste on a worthless target. Then hackers just infected many routers with bugs + bots, but strong passwords + frequent updates can avoid it. however, don't forget that the risks is always there.

Not to mention that the definition of a 'zero-day vulnerability' means that it debuts on new/fresh code, no?

Just an example, if you discovered the Kr00k vulnerability two years ago, it would be zero-day, but today it is only a known vulnerability and it still exposes many routers that have not been updated to risk.

 

[TechTinkerer]

I have no control over the mobile app.

I know Asus has some security improvements coming in the next few months, some of which specifically targets the webui. I cannot share any details at this time, but stay tuned for enhancements in this area.

I believe one of these was recently enabled with the very latest RT-AC86U firmware release (385_20253 or something close to that number - I deal with too many different version numbers these days to keep track of them all), but I don't want to share any details unless Asus does so themselves.

Thanks @RMerlin i was just wondering how useful a password\pin wan access prompt would be to stop wan access getting opened not sure how doable it would be was just an idea really

ok, just another thought how about an email being sent should wan access be activated\opened to the internet?

 

[Yota]

Thanks @RMerlin i was just wondering how useful a password\pin wan access prompt would be to stop wan access getting opened not sure how doable it would be was just an idea really

Do you know the old password of my company's servers root account?

dontusetheroot!!

That's ture, I'm pretty sure a simple tip keeps many programmers from making mistakes. so any help is positive.

Edit: @TechTinkerer

ok, just another thought how about an email being sent should wan access be activated\opened to the internet?

I can design a script, like if wan access is enabled then it will send you an email.
But it doesn't make sense, because the only person who will enable wan access may is yourself, not a hacker.