How to Secure an IoT Device that uses Port 514 (BSD rshd(8) shell)

agfine (New member), Sep 24, 2020
I have an IoT music system that uses an internet service for internet radio. I discovered the device has several open ports which seem to be insecure (in caps). In particular, it uses the BSD shell on an open port 514. Other open ports are 8080, and just recently I noticed that port 80 was added (!). Since the BSD function doesn't require a password to log in, I'd like to use the safest way to secure the device. I can link it to my guest network and, I think, isolate it from any other devices that might also use the network (there are none currently). Would that work to secure the device from my LAN?
 
Is this device wired or wireless? You said guest network, so I assume wireless. There have been other posts here that suggest the guest network is not actually well secured from the rest of your network. If hard wiring it is an option, plug it into a firewall, or at least a cheap (or disused) router.

If you just want an internet radio device, maybe ditch this old insecure thing and get a Google Home device and use it to play TuneIn.
 
The device is currently wired. I will take a look at using an old router, although I'm not sure where on the LAN it should be set up.
 
Remembering that a router is normally designed to protect the LAN (ports) from the WAN port, you would WANT to use it in reverse... plugging the device into the WAN side. The problem with this is that most routers won't likely be easy to operate that way. A firewall would really be much simpler in the end, because you could say "block everything" and then just add the one or two things you need to allow through. Think of a firewall as a clever magic Ethernet cable that lets pass what is permitted but doesn't pass things it wasn't informed about.

There are multi-port firewall devices (some as cheap as $100). This way you designate a port for a purpose, and apply the necessary rules for each port. Then you figure out which port any given device earns the right to connect to. In essence this allows you to segment your LAN.

Another way to segment your LAN is to use VLANs. For this, you would need a somewhat expensive network switch. The idea with segmenting is that only devices on the same segment see each other.
 
Thanks for the advice. Looks as if I will be looking at getting and installing a hardware firewall.
 
Starting in the very beginning, are the open ports you are referring to LAN side or WAN side (via UPnP or port forwarding)?

As for isolating LAN side devices into a VLAN, see
https://www.routersecurity.org/vlan.php

Isolating devices is only half the issue if you have more than one device to be isolated. In that case, you need to ask if the isolated devices should be allowed to see each other or not.

Or, you can also isolate devices using a second router as explained here
https://www.michaelhorowitz.com/second.router.for.wfh.php

Or, with an Asus router you can have multiple Guest WiFi networks. But, Guest Wifi networks are not the same in terms of how much isolation they offer. And, they are only Wi-Fi, no Ethernet.
 
 
Thanks for the information and links. The open ports are on the LAN side, I think. I've disabled UPnP and don't use port forwarding (ShieldsUP! agrees!). This device would be the only one connected to my guest network; my current router has options so that devices cannot see each other. Appreciate your article on how to use two routers. I've got an extra one hanging around. I happened across the VLAN link a bit ago. That may be more than I can cope with at the moment. Not happy that guest networks are only Wi-Fi, but I will work with the device vendor and see what I can do. Thanks for the info.
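Whichever isolation method is chosen (firewall, second router, VLAN, or the router's client-isolation option), the useful follow-up is to confirm from a host on the main LAN that the device's ports the thread lists (514 rsh, 8080, 80) are no longer reachable. The script below is an added example written for this thread, not something posted by any participant. It makes plain TCP connect attempts with a short timeout; the device address is a command-line argument, and the self-test at the bottom stands up a constructed local listener so the script can be exercised without the real device.

```python
import socket
import sys
from typing import Dict

# Ports the original poster reported open on the IoT music system.
DEVICE_PORTS = {514: "rsh (BSD rshd)", 8080: "http-alt", 80: "http"}


def port_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within `timeout`.

    A completed handshake is enough to prove the LAN host can reach the
    service; no banner is read and nothing is sent after connecting.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out (filtered/dropped), or no route.
        return False


def check_isolation(host: str, ports=DEVICE_PORTS, timeout: float = 1.0) -> Dict[int, bool]:
    """Map each port to whether it is reachable from this host."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def isolation_ok(results: Dict[int, bool]) -> bool:
    """Isolation holds only if none of the device ports answered."""
    return not any(results.values())


def constructed_listener() -> socket.socket:
    """Constructed stand-in for the device: a listening socket on 127.0.0.1.

    The kernel completes the handshake from the listen backlog, so no
    accept() loop is needed for connect attempts to succeed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    srv.listen(1)
    return srv


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <device-ip>", file=sys.stderr)
        return 2
    results = check_isolation(argv[1])
    for port, reachable in results.items():
        state = "REACHABLE" if reachable else "blocked"
        print(f"{port:>5} {DEVICE_PORTS[port]:<16} {state}")
    print("isolation OK" if isolation_ok(results) else "isolation FAILED")
    return 0 if isolation_ok(results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a laptop on the main LAN after the device has been moved behind the firewall or second router: every line should read "blocked" and the exit status is 0. Run it once more from the device's own segment (or before the change) to see the ports report as REACHABLE, which confirms the check itself works rather than failing because the device is simply off. Note that this only tests TCP reachability; a port answering from the device's own segment is expected and does not by itself mean the isolation has failed.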