Protecting your SOHO network


Check Network Vulnerability with OpenVAS

  1. Find your public IP address by searching "what is my ip" in Google.
  2. Go to https://pentest-tools.com/network-vulnerability-scanning/network-security-scanner-online-openvas, and enter your IP.
  3. If there are no open ports, it should be fine.

Scan by nmap


nmap -sT public_ip # -sT: TCP connect scan, gives you a list of open TCP ports
nmap --script vuln public_ip # runs the "vuln" script category, gives you a list of vulnerabilities
nmap -sT -p port public_ip # scan a single port
    

Wifi Router settings

Server update


sudo apt update # manual
sudo apt dist-upgrade # manual
sudo apt install unattended-upgrades # auto
sudo dpkg-reconfigure --priority=low unattended-upgrades
    

Create user in sudo group


sudo adduser username # then password, edit profile question
sudo usermod -aG sudo username
    

Public and Private Key to replace password

Diagram: the private key stays on the laptop; the public key goes on the server.

  1. On the Linux server, create a folder to store the public key.

    mkdir ~/.ssh && chmod 700 ~/.ssh

  2. On the client, create a key pair (public and private).

    ssh-keygen -t rsa -b 4096 # store in the default path; avoid overwriting an existing id_rsa; the passphrase can be skipped
    # private: id_rsa, public: id_rsa.pub

  3. Copy the public key to the server side.

    # Windows (PowerShell)
    scp $env:USERPROFILE/.ssh/id_rsa.pub username@ip:~/.ssh/authorized_keys
    # Linux: scp replaces any existing authorized_keys file
    scp ~/.ssh/id_rsa.pub username@ip:~/.ssh/authorized_keys
    # Linux alternative: ssh-copy-id appends the key instead
    ssh-copy-id username@ip


Change ssh server settings


# /etc/ssh/sshd_config
# use a port other than 22
Port xxxx
# listen on IPv4 only
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
    

Then restart the SSH server with sudo systemctl restart sshd.

Next time, connect with ssh username@ip -p port.
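
The settings above can be checked mechanically before sshd is restarted. The following is an added example, not part of the original page: it audits an sshd_config-style file for the four values listed, assuming upstream OpenSSH defaults and ignoring Include and Match blocks. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against the settings above.
# Assumptions: function names are hypothetical; Include and Match are ignored;
# defaults are upstream OpenSSH's (Port 22, PermitRootLogin prohibit-password,
# PasswordAuthentication yes, AddressFamily any).

# Print every value set for keyword $2 in file $1 (keywords are case-insensitive).
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# For single-valued keywords sshd keeps the FIRST value; $3 is the default.
sshd_first() {
    v=$(sshd_values "$1" "$2" | head -n 1)
    echo "${v:-$3}"
}

# check_setting <keyword> <actual> <wanted>: print a verdict, non-zero on mismatch.
check_setting() {
    if [ "$2" = "$3" ]; then echo "ok   $1 $2"
    else echo "FAIL $1 is '$2', want '$3'"; return 1; fi
}

audit_sshd_config() {
    cfg=$1; rc=0
    check_setting PermitRootLogin "$(sshd_first "$cfg" PermitRootLogin prohibit-password)" no || rc=1
    check_setting PasswordAuthentication "$(sshd_first "$cfg" PasswordAuthentication yes)" no || rc=1
    check_setting AddressFamily "$(sshd_first "$cfg" AddressFamily any)" inet || rc=1
    # Port may appear several times; sshd listens on every one of them.
    ports=$(sshd_values "$cfg" Port); ports=${ports:-22}
    if echo "$ports" | grep -qx 22; then echo "FAIL Port 22 still open"; rc=1
    else echo "ok   Port" $ports; fi
    return $rc
}

# Constructed sample: hardening left commented out, and a leftover "Port 22".
sample_config() {
    printf '%s\n' 'Port 2222' 'Port 22' 'addressfamily inet' \
        'PermitRootLogin no' 'PermitRootLogin yes' '#PasswordAuthentication no'
}

# Audit the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then audit_sshd_config "$1"
else t=$(mktemp); sample_config > "$t"; audit_sshd_config "$t" || true; rm -f "$t"; fi
```

On the constructed sample it reports two failures: the commented-out PasswordAuthentication line leaves the default in force, and the second Port line keeps 22 listening.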

Server firewall settings

  1. Check the ports.

    sudo ss -tupln

  2. Get uncomplicated firewall (ufw) working.

    sudo ufw status
    sudo ufw allow port # for example, 80/tcp; include your SSH port
    sudo ufw enable # answer y

  3. Edit firewall rules in /etc/ufw/before.rules.

    # Add this line to
    ...
    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
    ...

    This makes the server drop ping (ICMP echo) requests. Apply it with sudo ufw reload && sudo reboot.
