
public tnfsd : 16384 - security concerns?


twh/f2


Hi there,

 

This is probably just an indirect FujiNet question regarding the Spectranet TNFS daemon (https://github.com/FujiNetWIFI/spectranet).

 

Like many of us FujiNet users, I set up a local TNFSD on a low-end RPI1B+ (which turns out to be just the right hardware for this matter).

Let's say I now want to expose the TNFSD-port (16384) to my public IP.

 

How secure would you say that would be?

Is it likely that the tnfsd service can be exploited?

Would it be beneficial to set up some kind of local firewall on the RPI? (nftables, firewalld)

Should I consider putting my RPI in an isolated subnet (managed switch, WAN access only)?

 

Regards

\thomas

 

 


15 minutes ago, twh/f2 said:

I set up a local TNFSD on a low-end RPI1B+ (which turns out to be just the right hardware for this matter).

Let's say I now want to expose the TNFSD-port (16384) to my public IP.

 

How secure would you say that would be?

Is it likely that the tnfsd service can be exploited?

Although your question is worth asking, and it is also nice to know more about the security aspects, I've got to wonder what would be exploited on an RPI1B+ that is worth worrying about? Surely this isn't your main desktop computer :) . Just wondering.


41 minutes ago, mytek said:

Although your question is worth asking, and it is also nice to know more about the security aspects, I've got to wonder what would be exploited on an RPI1B+ that is worth worrying about? Surely this isn't your main desktop computer :) . Just wondering.

 

Even though it's a 1B+, there are still reasons you'd care about security.  For instance, it could end up part of a botnet or bitcoin mining farm, or run something to snoop on your local subnet.


36 minutes ago, FifthPlayer said:

 

Even though it's a 1B+, there are still reasons you'd care about security.  For instance, it could end up part of a botnet or bitcoin mining farm, or run something to snoop on your local subnet.

exactly.

 

I have no other files on the 1B+ than those I want to be public anyway, but that "snooping" on my local subnet is my biggest concern.


On 2/15/2021 at 4:01 PM, twh/f2 said:

exactly.

 

I have no other files on the 1B+ than those I want to be public anyway, but that "snooping" on my local subnet is my biggest concern.

 

If your network hardware supports it, put the RasPi in the DMZ network.  Forward the ports as you would normally.

 

Most consumer-grade routers with DMZ capability allow traffic from the LAN into the DMZ (for administration, etc.), but not from the DMZ to the LAN.  This pretty much takes care of the issue of it being used as a pivot point into the internal network.

 

On top of that, have tnfsd run as a non-privileged user inside its own chroot jail.  This should pretty much negate the most obnoxious things that could be done if someone did manage to exploit it.
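
One way to set up the unprivileged account and chroot jail suggested in the reply above, as an added example that is not part of the thread or of the tnfsd project. The install path, jail path, account name and script name are assumptions, as is tnfsd taking the shared directory as its only argument.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: install path, jail path,
# account name, and that tnfsd takes the share directory as its argument.
TNFSD_BIN=${TNFSD_BIN:-/usr/local/sbin/tnfsd}
JAIL=${JAIL:-/srv/tnfs-jail}
SVC_USER=${SVC_USER:-tnfsd}

# Read `ldd` output on stdin and print each resolved library path once.
# Takes the path to the right of "=>" (the left side may itself be a path),
# accepts bare loader lines, and skips vdso and "not found" entries.
lib_paths() {
    awk '
        /=>/ { for (i = 1; i < NF; i++)
                   if ($i == "=>" && $(i + 1) ~ /^\//) print $(i + 1)
               next }
        $1 ~ /^\// { print $1 }
    ' | LC_ALL=C sort -u
}

# Populate the jail with the binary, its libraries and an empty share.
build_jail() {
    # Dedicated system account: no home directory, no login shell.
    id "$SVC_USER" >/dev/null 2>&1 ||
        useradd --system --user-group --no-create-home \
                --shell /usr/sbin/nologin "$SVC_USER"
    mkdir -p "$JAIL/bin" "$JAIL/files"
    cp "$TNFSD_BIN" "$JAIL/bin/tnfsd"
    ldd "$TNFSD_BIN" | lib_paths | while read -r lib; do
        mkdir -p "$JAIL$(dirname "$lib")"
        cp -L "$lib" "$JAIL$lib"
    done
    # Root owns everything, so the service account can read but not modify
    # the jail; the share is read-only to remote clients as a result.
    chown -R root:root "$JAIL"
    chmod -R u+rwX,go+rX,go-w "$JAIL"
}

# chroot(8) from GNU coreutils enters the jail, switches to the
# unprivileged account, then executes tnfsd with /files as its root.
run_jailed() {
    exec chroot --userspec="$SVC_USER:$SVC_USER" "$JAIL" /bin/tnfsd /files
}

# Only act when invoked as: sudo sh tnfsd-jail.sh start
if [ "${1:-}" = "start" ]; then
    set -eu
    build_jail
    run_jailed
fi
```

Port 16384 is above 1024, so the service account needs no extra privilege to bind it. Files to be served go into the jail's `files` directory as root.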

