twh/f2

public tnfsd : 16384 - security concerns?


Hi there,

 

This is probably just an indirect FujiNet question regarding the Spectranet TNFS daemon (https://github.com/FujiNetWIFI/spectranet )

Like many of us FujiNet users, I set up a local TNFSD on a low-end RPI1B+ (which turns out to be just the right hardware for this matter).

Let's say I now want to expose the TNFSD port (16384) to my public IP.

How secure would you say that would be?

Is it likely that the tnfsd service can be exploited?

Would it be beneficial to set up some kind of local firewall on the RPI? (nftables, firewalld)

Should I consider putting my RPI in an isolated subnet (managed switch, WAN access only)?

Greetings,

\thomas

 

 


Good questions all, and I would suggest doing what you feel is appropriate.

 

In addition, it's important to make sure file permissions are set correctly for your repository.

 

-Thom

 

15 minutes ago, twh/f2 said:

I set up a local TNFSD on a low-end RPI1B+ (which turns out to be just the right hardware for this matter).

Let's say I now want to expose the TNFSD port (16384) to my public IP.

How secure would you say that would be?

Is it likely that the tnfsd service can be exploited?

Your question is worth asking, and it's also nice to know more about the security aspects, but I've got to wonder what would be exploited on an RPI1B+ that is worth worrying about? Surely this isn't your main desktop computer :) . Just wondering.

41 minutes ago, mytek said:

Your question is worth asking, and it's also nice to know more about the security aspects, but I've got to wonder what would be exploited on an RPI1B+ that is worth worrying about? Surely this isn't your main desktop computer :) . Just wondering.

 

Even though it's a 1B+, there are still reasons you'd care about security.  For instance, it could end up part of a botnet or bitcoin mining farm, or run something to snoop on your local subnet.

36 minutes ago, FifthPlayer said:

 

Even though it's a 1B+, there are still reasons you'd care about security.  For instance, it could end up part of a botnet or bitcoin mining farm, or run something to snoop on your local subnet.

Exactly.

 

I have no other files on the 1B+ than those I want to be public anyway, but that "snooping" on my local subnet is my biggest concern.

On 2/15/2021 at 4:01 PM, twh/f2 said:

Exactly.

 

I have no other files on the 1B+ than those I want to be public anyway, but that "snooping" on my local subnet is my biggest concern.

 

If your network hardware supports it, put the RasPi in the DMZ network.  Forward the ports as you would normally.

 

Most consumer-grade routers with DMZ capability allow traffic from the LAN into the DMZ (for administration, etc.), but not from the DMZ to the LAN.  This pretty much takes care of the issue of it being used as a pivot point into the internal network.

 

On top of that, have tnfsd run as a non-privileged user inside its own chroot jail.  This should pretty much negate the most obnoxious things that could be done if someone did manage to exploit it.
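A host firewall on the Pi can back up the DMZ and non-privileged-user advice in this thread. The ruleset below is an added example, not from any poster or from the tnfsd project; the LAN range 192.168.1.0/24, the account name `tnfsd` and SSH administration from the LAN are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall for a Pi whose only public service is tnfsd.
# Assumed values: LAN range, a dedicated "tnfsd" account (must exist before
# this file is loaded), and SSH on port 22 for administration from the LAN.

flush ruleset    # replaces every existing rule; intended for a dedicated box

define LAN = 192.168.1.0/24
define TNFS_PORT = 16384

table inet tnfs_host {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # The one service exposed to the internet
        udp dport $TNFS_PORT accept
        tcp dport $TNFS_PORT accept

        # Administration only from the home LAN
        ip saddr $LAN tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        oifname "lo" accept
        # Replies to clients that connected first (LAN clients included)
        ct state established,related accept

        # Anything the tnfsd account tries to open toward the LAN is logged
        # and dropped, so a compromised daemon cannot scan or probe neighbours.
        meta skuid "tnfsd" ip daddr $LAN ct state new log prefix "tnfsd-to-lan " drop
        meta skuid "tnfsd" ip6 daddr { fe80::/10, fc00::/7 } ct state new log prefix "tnfsd-to-lan " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

`nft -c -f <file>` checks the syntax without applying it. The output rules only hold while the daemon stays non-root, since root can rewrite the ruleset.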
