How to Secure IOT Device that uses Port 514 shell BSD rshd(8)


agfine

New member
Sep 24, 2020
I have an IoT music system that uses an internet service for internet radio. I discovered the device has several open ports which seem to have "insecure" in caps. In particular, it uses the BSD shell on an open port 514. Other open ports are 8080, and just recently I noticed that port 80 was added (!). Since the BSD function doesn't require a password to log in, I'd like to use the safest way to secure the device. I can link it to my guest network and, I think, isolate it from any other devices that might also use the network (there are none currently). Would that work to secure the device from my LAN?
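Before deciding how far to fence the device off, it helps to see what "no password" actually means for rshd(8). Below is an added example, not code from the thread or from the device vendor: a minimal rsh client that speaks the protocol to port 514, plus a constructed stand-in server that applies the same decision rshd does, so the exchange can be run offline. The host, the user names ("guest", "root") and the command are assumptions.

```python
"""Added example, not code from the thread: a minimal rsh client showing what
BSD rshd(8) on TCP 514 checks before it runs a command, with a small
constructed stand-in server so the exchange runs offline. Host, users and
the command are assumptions.

rsh protocol (rshd(8)): the client connects from a privileged source port
(512..1023) and sends "<stderr-port>\\0<client-user>\\0<server-user>\\0<cmd>\\0".
rshd answers b"\\x00" followed by the command's output on success, or b"\\x01"
followed by an error line. The only gate is the source port plus a hostname
match in /etc/hosts.equiv or ~/.rhosts; no password is ever sent.
"""
import socket
import threading

RSH_PORT = 514
PRIV_PORTS = range(512, 1024)


def build_request(client_user, server_user, command, stderr_port=0):
    """Encode one rsh request; stderr_port=0 keeps stdout and stderr on one stream."""
    fields = (str(stderr_port), client_user, server_user, command)
    if any("\0" in f for f in fields):
        raise ValueError("NUL byte inside a field")
    return b"".join(f.encode() + b"\0" for f in fields)


def parse_reply(data):
    """First byte 0x00 = accepted (rest is output), 0x01 = refused (rest is the reason)."""
    if not data:
        return "no-reply", ""
    status = "accepted" if data[0] == 0 else "refused"
    return status, data[1:].decode(errors="replace").strip()


def probe(host, port=RSH_PORT, client_user="guest", server_user="root",
          command="id", privileged_port=False, timeout=3.0):
    """Send one command and report how the far end answered.
    privileged_port=True is what a real rshd insists on; binding 512..1023 needs root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    if privileged_port:
        for p in reversed(PRIV_PORTS):
            try:
                sock.bind(("", p))
                break
            except OSError:
                continue
        else:
            raise PermissionError("no free privileged port; run as root")
    with sock:
        sock.connect((host, port))
        sock.sendall(build_request(client_user, server_user, command))
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return parse_reply(b"".join(chunks))


def fake_rshd(require_privileged_port=True):
    """Constructed stand-in for the device: it applies rshd's source-port rule
    and otherwise trusts the caller, like a host whose hosts.equiv lists us.
    With require_privileged_port=False it behaves as the poster describes the
    device: any client gets the command run. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, peer = srv.accept()
        srv.close()
        with conn:
            buf = b""
            while buf.count(b"\0") < 4:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            parts = buf.split(b"\0")
            if len(parts) < 4 or (require_privileged_port and peer[1] not in PRIV_PORTS):
                conn.sendall(b"\x01Permission denied.\n")
            else:
                _, _, server_user, cmd = parts[:4]
                conn.sendall(b"\x00ran as " + server_user + b": " + cmd + b"\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    strict = fake_rshd(True)
    print("strict rshd, unprivileged client:", probe("127.0.0.1", strict))
    lax = fake_rshd(False)
    print("lax rshd, unprivileged client:  ", probe("127.0.0.1", lax))
```

Against the real device you would call `probe("<device-ip>", privileged_port=True)` as root; a "Permission denied." answer means rshd is at least checking the source port and its trust files, while an "accepted" answer from an arbitrary LAN host confirms that anyone on that segment can run commands. Either way the "authentication" is only a source port number and a hostname, both of which any host on the same network can supply, which is why the rest of the thread is about keeping other hosts off that segment.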
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
Is this device wired or wireless? You said guest network, so I assume wireless. There have been other posts here that suggest the guest network is not actually well secured from the rest of your network. If hard wiring it is an option, plug it into a firewall, or at least a cheap (or disused) router.

If you just want an internet radio device, maybe ditch this old insecure thing and get a google home device and use it to play TuneIn.
 

agfine

New member
Sep 24, 2020
The device is currently wired. I will take a look at using an old router, although I'm not sure where on the LAN it should be set up.
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
Remembering that a router is normally designed to protect the LAN (ports) from the WAN port, you would WANT to use it in reverse... plugging the device into the WAN side. The problem with this is that most routers won't likely be easy to operate that way. A firewall would really be much simpler in the end, because you could say "block everything" and then just add the one or two things you need to allow through. Think of a firewall as a clever magic Ethernet cable that lets pass what is permitted but doesn't pass things it wasn't informed about.

There are multi-port firewall devices (some as cheap as $100.) This way you designate a port for a purpose, and apply the necessary rules for each port. Then you figure which port any given device earns the right to connect to. In essence this allows you to segment your LAN.

Another way to segment your LAN is to use VLANing. For this, you would need a somewhat expensive network switch. The idea with segmenting is that only devices on the same segment see each other.
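The "block everything, then allow the one or two things you need" policy above, written out as an added example (not code from the thread or from any firewall vendor). It emits an nftables ruleset that a small Linux firewall box can load with `nft -f`, and carries the same rule order in Python so the intent can be checked against constructed packets before anything is deployed. The addresses, ports and table name are assumptions: the device sits alone on 192.168.50.0/24 behind the firewall, the trusted LAN is 192.168.1.0/24, and the radio service is assumed to need only outbound 80/443 plus DNS.

```python
"""Added example, not code from the thread: a deny-by-default fence for one
IoT device. nft() renders an nftables forward chain; decide() mirrors its
rule order so the policy can be tested offline. Addresses and ports are
assumptions (the device alone on 192.168.50.0/24, trusted LAN 192.168.1.0/24).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Fence:
    device: str = "192.168.50.10"      # assumed IoT device address
    lan: str = "192.168.1.0/24"        # assumed trusted LAN it must never reach
    out_tcp: tuple = (80, 443)         # assumed: all the internet-radio service needs
    out_udp: tuple = (53,)             # DNS
    table: str = "iot_fence"           # assumed table name

    def nft(self) -> str:
        """nftables forward-chain ruleset. Rule order matters: the LAN block
        sits before the outbound allows, so device -> LAN:443 still drops."""
        tcp = ", ".join(map(str, self.out_tcp))
        udp = ", ".join(map(str, self.out_udp))
        return f"""\
table inet {self.table} {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr {self.device} ip daddr {self.lan} drop
        ip saddr {self.device} tcp dport {{ {tcp} }} accept
        ip saddr {self.device} udp dport {{ {udp} }} accept
        ip daddr {self.device} drop
    }}
}}
"""

    def decide(self, src: str, dst: str, proto: str, dport: int,
               established: bool = False) -> str:
        """Same rule order as nft(), for checking the policy offline."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        dev, lan = ipaddress.ip_address(self.device), ipaddress.ip_network(self.lan)
        if established:
            return "accept"            # replies to flows that were already allowed
        if s == dev and d in lan:
            return "drop"              # device may never initiate toward the LAN
        if s == dev and proto == "tcp" and dport in self.out_tcp:
            return "accept"            # the radio service, outbound only
        if s == dev and proto == "udp" and dport in self.out_udp:
            return "accept"            # DNS
        if d == dev:
            return "drop"              # nothing reaches the device: 514, 80, 8080 all closed off
        return "drop"                  # chain policy


if __name__ == "__main__":
    fence = Fence()
    print(fence.nft())
    print("LAN -> device:514 ", fence.decide("192.168.1.20", "192.168.50.10", "tcp", 514))
    print("device -> web:443 ", fence.decide("192.168.50.10", "203.0.113.5", "tcp", 443))
```

The chain only governs traffic crossing the firewall between segments; if the firewall box itself serves DNS or DHCP to the device, those are handled in an `input` chain that is not shown. With a multi-port firewall as described, the same ruleset is what you would attach to the port the device is plugged into.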
 

agfine

New member
Sep 24, 2020
Thanks for the advice. Looks as if I will be looking at getting and installing a hardware firewall.
 

MichaelRSorg

Active member
Nov 1, 2020
RouterSecurity.org
Starting in the very beginning, are the open ports you are referring to LAN side or WAN side (via UPnP or port forwarding)?

As for isolating LAN side devices into a VLAN, see
https://www.routersecurity.org/vlan.php

Isolating devices is only half the issue if you have more than one device to be isolated. In that case, you need to ask if the isolated devices should be allowed to see each other or not.

Or, you can also isolate devices using a second router as explained here
https://www.michaelhorowitz.com/second.router.for.wfh.php

Or, with an Asus router you can have multiple Guest WiFi networks. But, Guest Wifi networks are not the same in terms of how much isolation they offer. And, they are only Wi-Fi, no Ethernet.
 

agfine

New member
Sep 24, 2020
> Starting in the very beginning, are the open ports you are referring to LAN side or WAN side (via UPnP or port forwarding)?
>
> As for isolating LAN side devices into a VLAN, see
> https://www.routersecurity.org/vlan.php
>
> Isolating devices is only half the issue if you have more than one device to be isolated. In that case, you need to ask if the isolated devices should be allowed to see each other or not.
>
> Or, you can also isolate devices using a second router as explained here
> https://www.michaelhorowitz.com/second.router.for.wfh.php
>
> Or, with an Asus router you can have multiple Guest WiFi networks. But, Guest Wifi networks are not the same in terms of how much isolation they offer. And, they are only Wi-Fi, no Ethernet.

Thanks for the information and links. The open ports are on the LAN side, I think. I've disabled UPnP and don't use port forwarding (ShieldsUP! agrees!). This device would be the only one connected to my guest network; my current router has options so that devices cannot see each other. Appreciate your article on how to use two routers. I've got an extra one hanging around. I happened across the VLAN link a bit ago. That may be more than I can cope with at the moment. Not happy that guest networks are only Wi-Fi, but I will work with the device vendor and see what I can do. Thanks for the info.