mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-02-03 23:40:14 +08:00
Translated by qhwdw
This commit is contained in:
qhwdw
parent
a57d7d8995
commit
366c131488
@ -1,81 +0,0 @@
|
||||
Translating by qhwdw
|
||||
How insecure is your router?
|
||||
======
|
||||
|
||||
|
||||
I've always had a problem with the t-shirt that reads, "There's no place like 127.0.0.1." I know you're supposed to read it as "home," but to me, it says, "There's no place like localhost," which just doesn't have the same ring to it. And in this post, I want to talk about something broader: the entry point to your home network, which for most people will be a cable or broadband router.1 The UK and U.S. governments just published advice that "Russia"2 is attacking routers. This attack will be aimed mostly, I suspect, at organisations (see my previous post "[What's a state actor, and should I care?][1]"), rather than homes, but it's a useful wake-up call for all of us.
|
||||
|
||||
### What do routers do?
|
||||
|
||||
Routers are important. They provide the link between one network (in this case, our home network) and another one (in this case, the internet, via our ISP's network). In fact, for most of us, the box we think of as "the router"3 is doing a lot more than that. The "routing" bit is what is sounds like; it helps computers on your network find routes to send data to computers outside the network—and vice-versa, for when you're getting data back.
|
||||
|
||||
High among a router's other functions, many also perform as a modem. Most of us4 connect to the internet via a phone line—whether cable or standard landline—though there is a growing trend for mobile internet to the home. When you're connecting via a phone line, the signals we use for the internet must be converted to something else and then (at the other end) back again. For those of us old enough to remember the old "dial-up" days, that's what the screechy box next to your computer used to do.
|
||||
|
||||
But routers often do more things, sometimes many more things, including traffic logging, acting as a WiFi access point, providing a VPN for external access to your internal network, child access, firewalling, and all the rest.
|
||||
|
||||
Home routers are complex things these days; although state actors may not be trying to get into them, other people may.
|
||||
|
||||
Does this matter, you ask? Well, if other people can get into your system, they have easy access to attacking your laptops, phones, network drives, and the rest. They can access and delete unprotected personal data. They can plausibly pretend to be you. They can use your network to host illegal data or launch attacks on others. Basically, all the bad things.
|
||||
|
||||
Luckily, routers tend to come set up by your ISP, with the implication being that you can leave them, and they'll be nice and safe.
|
||||
|
||||
### So we're safe, then?
|
||||
|
||||
Unluckily, we're really not.
|
||||
|
||||
The first problem is that ISPs are working on a budget, and it's in their best interests to provide cheap kit that just does the job. The quality of ISP-provided routers tends to be pretty terrible. It's also high on the list of things to try to attack by malicious actors: If they know that a particular router model is installed in several million homes, there's a great incentive to find an attack, because an attack on that model will be very valuable to them.
|
||||
|
||||
Other problems that arise include:
|
||||
|
||||
* Slowness to fix known bugs or vulnerabilities. Updating firmware can be costly to your ISP, so fixes may be slow to arrive (if they do at all).
|
||||
* Easily derived or default admin passwords, which means attackers don't even need to find a real vulnerability—they can just log in.
|
||||
|
||||
|
||||
|
||||
### Measures to take
|
||||
|
||||
Here's a quick list of steps you can take to try to improve the security of your first hop to the internet. I've tried to order them in terms of ease—simplest first. Before you do any of these, however, save the configuration data so you can bring it back if you need it.
|
||||
|
||||
1. **Passwords:** Always, always, always change the admin password for your router. It's probably going to be one you rarely use, so you'll want to record it somewhere. This is one of the few times where you might want to consider taping it to the router itself, as long as the router is in a secure place where only authorised people (you and your family5) have access.
|
||||
2. **Internal admin access only:** Unless you have very good reasons and you know what you're doing, don't allow machines to administer the router unless they're on your home network. There should be a setting on your router for this.
|
||||
3. **WiFi passwords:** Once you've done item 2, also ensure that WiFi passwords on your network—whether set on your router or elsewhere—are strong. It's easy to set a "friendly" password to make it easy for visitors to connect to your network, but if a malicious person who happens to be nearby guesses it, the first thing that person will do is to look for routers on the network. As they're on the internal network, they'll have access to it (hence why item 1 is important).
|
||||
4. **Turn on only the functions that you understand and need:** As I noted above, modern routers have all sorts of cool options. Disregard them. Unless you really need them, and you actually understand what they do and the dangers of turning them on, then leave them off. Otherwise, you're just increasing your attack surface.
|
||||
5. **Buy your own router:** Replace your ISP-supplied router with a better one. Go to your local computer store and ask for suggestions. You can pay an awful lot, but you can also get something fairly cheap that does the job and is more robust, performant, and easy to secure than the one you have at the moment. You may also want to buy a separate modem. Generally, setting up your modem or router is simple, and you can copy the settings from the ISP-supplied one and it will "just work."
|
||||
6. **Firmware updates:** I'd love to move this further up the list, but it's not always easy. From time to time, firmware updates appear for your router. Most routers will check automatically and may prompt you to update when you next log in. The problem is that failure to update correctly can cause catastrophic results6 or lose configuration data that you'll need to re-enter. But you really do need to consider keeping a lookout for firmware updates that fix severe security issues and implement them.
|
||||
7. **Go open source:** There are some great open source router projects out there that allow you to take an existing router and replace all of its firmware/software with open source alternatives. You can find many of them on [Wikipedia][2], and a search for ["router" on Opensource.com][3] will open your eyes to a set of fascinating opportunities. This isn't a step for the faint-hearted, as you'll definitely void the warranty on your router, but if you want to have real control, open source is always the way to go.
|
||||
|
||||
|
||||
|
||||
### Other issues
|
||||
|
||||
I'd love to pretend that once you've improved the security of your router, all's well and good on your home network, but it's not. What about IoT devices in your home (Alexa, Nest, Ring doorbells, smart lightbulbs, etc.?) What about VPNs to other networks? Malicious hosts via WiFi, malicious apps on your children's phones…?
|
||||
|
||||
No, you won't be safe. But, as we've discussed before, although there is no such thing as "secure," it doesn't mean we shouldn't raise the bar and make it harder for the Bad Folks.™
|
||||
|
||||
1. I'm simplifying—but read on, we'll get there.
|
||||
2. "Russian state-sponsored cyber actors"
|
||||
3. Or, in my parents' case, "the internet box," I suspect.
|
||||
4. This is one of these cases where I don't want comments telling me how you have a direct, 1TB/s connection to your local backbone, thank you very much.
|
||||
5. Maybe not the entire family.
|
||||
6. Your router is now a brick, and you have no access to the internet.
|
||||
|
||||
|
||||
|
||||
This article originally appeared on [Alice, Eve, and Bob – a security blog][4] and is republished with permission.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/18/5/how-insecure-your-router
|
||||
|
||||
作者:[Mike Bursell][a]
|
||||
选题:[lujun9972](https://github.com/lujun9972)
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://opensource.com/users/mikecamel
|
||||
[1]:https://aliceevebob.com/2018/03/13/whats-a-state-actor-and-should-i-care/
|
||||
[2]:https://en.wikipedia.org/wiki/List_of_router_firmware_projects
|
||||
[3]:https://opensource.com/sitewide-search?search_api_views_fulltext=router
|
||||
[4]:https://aliceevebob.com/2018/04/17/defending-our-homes/
|
||||
80
translated/tech/20180525 How insecure is your router.md
Normal file
80
translated/tech/20180525 How insecure is your router.md
Normal file
@ -0,0 +1,80 @@
|
||||
你的路由器有多不安全?
|
||||
======
|
||||
|
||||
|
||||
我一直对写在 T 恤上的“127.0.0.1 这个地方是独一无二的” 这句话持有异议。我知道你可能会认为应该将它读作是“家”,但是对于我来说,我认为应该是“本地主机是独一无二的地方”,就像世界上没有完全相同的二个戒指一样。在本文中,我想去讨论一些宽泛的问题:家庭网络的入口,对大多数人来说它是线缆或宽带路由器。英国和美国政府刚公布了“俄罗斯”攻击路由器的通告。我估计这次的攻击主要针对的是机构,而不是家庭,(看我以前的文章 "[国家行为者是什么,我们应该注意些什么?][1]"),但这对我们所有人都是一个警示。
|
||||
|
||||
### 路由器有什么用?
|
||||
|
||||
路由器很重要。它用于将一个网络(在本文中,是我们的家庭网络)与另外一个网络(在本文中,是指因特网,通过我们的因特网服务提供商的网络)连接。事实上,对于大多数人来说,我们所谓的”路由器“这个小盒子能够做的事情远比我们想到的要多。"routing" 比特就像它的发音一样;它让网络中的计算机能够找到一条向外部网络中计算机发送数据的路径 —— 当你接收数据时,正好是相反的方式。
|
||||
|
||||
在路由器的其它功能中,大多数时候也作为一台调制解调器来使用。在英国大部分到因特网的连接是通过电话线来实现的 —— 无论是电缆还是标准电话线 —— 尽管现在的最新趋势是通过移动互联网连接到家庭中。当你通过电话线连接时,我们所使用的因特网信号必须转换成其它的一些东西,(从另一端来的)返回信号也是如此。对于那些还记得过去的”拨号上网“时代的人来说,它就是你的电脑边上那个用于上网的发出刺耳声音的小盒子。
|
||||
|
||||
但是路由器能做的事情很多,有时候很多的事情,包括流量记录、作为一个无线接入点、提供 VPN 功能以便于从外部访问你的内网、儿童上网控制、防火墙等等。
|
||||
|
||||
现在的家用路由器越来越复杂;虽然国家行为者并不想参与其中,但是其它人可以。
|
||||
|
||||
你会问,这很重要吗?如果其它人可以进入你的系统,他们可以很容易地攻击你的笔记本电脑、电话、网络设备等等。他们可以访问和删除未被保护的个人数据。他们可以假装是你。他们使用你的网络去寄存非法数据或者用于攻击其它人。基本上所有的坏事都可以做。
|
||||
|
||||
幸运的是,现在的路由器趋向于因特网提供商来做设置,言外之意是你可以忘了它的存在,他们将保证它是运行良好和安全的。
|
||||
|
||||
### 因此,我们是安全的吗?
|
||||
|
||||
不幸的是,事实并非如此。
|
||||
|
||||
第一个问题是,因特网提供商是在有限的预算范围内做这些事情,而使用便宜的设备来做这些事可以让他们的利益最大化。因特网提供商的路由器质量越来越差。它是恶意攻击者的首选目标:如果他们知道特定型号的路由器被安装在几百万个家庭使用,那么很容易找到攻击的动机,因为攻击那个型号的路由器对他们来说是非常有价值的。
|
||||
|
||||
产生的其它问题还包括:
|
||||
|
||||
* 修复 bug 或者漏洞的过程很缓慢。升级固件可能会让因特网提供商产生较高的成本,因此,修复过程可能非常缓慢(如果他们打算修复的话)。
|
||||
* 非常容易获得或者默认的管理员密码,这意味着攻击者甚至都不需要去找到真实的漏洞 —— 他们就可以登入到路由器中。
|
||||
|
||||
|
||||
|
||||
### 对策
|
||||
|
||||
对于进入因特网第一跳的路由器,如何才能提升它的安全性,这里给你提供一个快速应对的清单。我是按从简单到复杂的顺序来列出它们的。在你对路由器做任何改变之前,需要先保存配置数据,以便于你需要的时候回滚它们。
|
||||
|
||||
1. **密码:** 一定,一定,一定要改变你的路由器的管理员密码。你可能很少会用到它,所以你一定要把密码记录在某个地方。它用的次数很少,你可以考虑将密码粘贴到路由器上,因为路由器一般都放置在仅授权的人(你和你的家人)才可以接触到的地方。
|
||||
2. **仅允许管理员从内部进行访问:** 除非你有足够好的理由和你知道如何去做,否则不要允许任何机器从外部的因特网上管理你的路由器。在你的路由器上有一个这样的设置。
|
||||
3. **WiFi 密码:** 一旦你做到了第 2 点,也要确保在你的网络上的那个 WiFi 密码 —— 无论是设置为你的路由器管理密码还是别的 —— 一定要是强密码。为了简单,为连接你的网络的访客设置一个”友好的“简单密码,但是,如果附近一个恶意的人猜到了密码,他做的第一件事情就是查找网络中的路由器。由于他在内部网络,他是可以访问路由器的(因此,第 1 点很重要)。
|
||||
4. **仅打开你知道的并且是你需要的功能:** 正如我在上面所提到的,现代的路由器有各种很酷的选项。不要使用它们。除非你真的需要它们,并且你真正理解了它们是做什么的,并且打开它们后有什么危险。否则,将增加你的路由器被攻击的风险。
|
||||
5. **购买你自己的路由器:** 用一个更好的路由器替换掉因特网提供商给你的路由器。去到你本地的电脑商店,让他们给你一些建议。你可能会花很多钱,但是也可能会遇到一些非常便宜的设备,而且比你现在拥有的更好、性能更强、更安全。你也可以只买一个调制解调器。一般设置调制解调器和路由器都很简单,并且,你可以从你的因特网提供商给你的设备中复制配置,它一般就能”正常工作“。
|
||||
6. **更新固件:** 我喜欢使用最新的功能,但是通常这并不容易。有时,你的路由器上会出现固件更新的提示。大多数的路由器会自动检查并且提示你在下次登入的时候去更新它。问题是如果更新失败则会产生灾难性后果或者丢失配置数据,那就需要你重新输入。但是你真的需要考虑去持续关注修复安全问题的固件更新,并更新它们。
|
||||
7. **转向开源:** 有一些非常好的开源路由器项目,可以让你用在现有的路由器上,用开源的软件去替换它的固件/软件。你可以在 [Wikipedia][2] 上找到许多这样的项目,以及在 [Opensource.com 上搜索 "router"][3],你将看到很多非常好的东西。对于谨慎的人来说要小心,这将会让你的路由器失去保修,但是如果你想真正控制你的路由器,开源永远是最好的选择。
|
||||
|
||||
|
||||
|
||||
### 其它问题
|
||||
|
||||
一旦你提升了你的路由器的安全性,你的家庭网络将变的很好,这是假像,事实并不是如此。你家里的物联网设备(Alexa、Nest、门铃、智能灯泡、等等)安全性如何?连接到其它网络的 VPN 安全性如何?通过 WiFi 的恶意主机、你的孩子手机上的恶意应用程序 …?
|
||||
|
||||
不,你永远不会有绝对的安全。但是正如我们前面讨论的,虽然没有绝对的”安全“这种事情,但是并不意味着我们不需要去提升安全标准,以让坏人干坏事更困难。
|
||||
|
||||
1. 我写的很简单 — 但请继续读下去,我们将达到目的。
|
||||
2. "俄罗斯政府赞助的信息技术国家行为者"
|
||||
3. 或者,以我父母的例子来说,我不相信 ”这个路由器“。
|
||||
4. 这里还有一种这样的情况,我不希望在评论区告诉我,你是直接以 1TB/s 的带宽连接到本地骨干网络的。非常感谢!
|
||||
5. 或许并没有包含全部的家庭。
|
||||
6. 你的路由器现在是一块”砖“,并且你不想访问因特网。
|
||||
|
||||
|
||||
|
||||
这篇文章最初发表在 [Alice, Eve, 和 Bob – 安全博客][4] 并授权重发布。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/18/5/how-insecure-your-router
|
||||
|
||||
作者:[Mike Bursell][a]
|
||||
选题:[lujun9972](https://github.com/lujun9972)
|
||||
译者:[qhwdw](https://github.com/qhwdw)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://opensource.com/users/mikecamel
|
||||
[1]:https://aliceevebob.com/2018/03/13/whats-a-state-actor-and-should-i-care/
|
||||
[2]:https://en.wikipedia.org/wiki/List_of_router_firmware_projects
|
||||
[3]:https://opensource.com/sitewide-search?search_api_views_fulltext=router
|
||||
[4]:https://aliceevebob.com/2018/04/17/defending-our-homes/
|
||||
Loading…
Reference in New Issue
Block a user