Using a DD-WRT router to bypass network snooping

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions
Author Message
DrPereira
DD-WRT Novice


Joined: 16 Nov 2018
Posts: 5

PostPosted: Sun Jun 21, 2020 13:26    Post subject: Using a DD-WRT router to bypass network snooping Reply with quote
I'm not sure this is the place for such a question; if not, I apologize in advance and ask guidance to the right place.

I'm in a (public administration) network, and our work PCs were all changed recently.

They're running Ubuntu 18.04, with no significant mods that I can see.

The thing is, they all have remote SSH viewing enabled by default, and impossible to shut down without admin login.

Our old computers enabled that only if you ran TeamViewer, and with express knowledge.

Since most of my computer work is M.D. level access to patient registers, I'm concerned about screen mirroring and keylogging regarding what I'm working upon (yeah, they are THAT much corrupt). I see that as a breach of patient-doctor confidentiality that I cannot allow.

My first solution was to use a TP-Link WR740N with micro DD-WRT that I had lying around unused and use it beetween machine and ethernet connection, and configure it to block all SSH requests; it "worked", but now I have two problems:

1) I need a way to test if all SSH incoming and outgoing from the machine is blocked, sans admin access on the client;

2) If I connect my personal machine on said router, it gets no internet connection, even though the work PC does, even routed. I tried MAC cloning, to no avail.

Thanks in advance. I know I'm a noob playing with fire, but I believe the cause is just. Willing to provide information and learn as I go.
Sponsor
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 815

PostPosted: Sun Jun 21, 2020 15:08    Post subject: Reply with quote
It sounds as though you are wanting to create an external firewall for a machine that you do not have admin access to.

Based on that assumption, how much access are you wanting the machine to have?

The most secure way would be to set the router up to by default deny all. If you are using teh router to do NAT, then incoming will all be denied, unless you open up a hole yourself. For the outgoing side, you would add a rule to the firewall denying all except things like http, https, dns, ntp.

To just deny outgoing ssh from machines through the router it is:

iptables -I FORWARD -p tcp -m tcp --dport 22 -j DROP

this is not blocking ssh traffic into the source machine, just out of (that is being blocked by NAT, and you would not know what the destination port is but you would know the source port of 22)

Once a machine is on the router's unmanaged switch there is nothing that you can do to stop traffic. In that case you would want to physically secure the router so that no one could plug in to one of the ports (and have wi-fi disabled)
DrPereira
DD-WRT Novice


Joined: 16 Nov 2018
Posts: 5

PostPosted: Sun Jun 21, 2020 15:22    Post subject: Reply with quote
Thanks for the prompt response.

Yeah,this will probably be enough; I want the work machine to have the access it needs to run the electronic medical record interface (node.js over HTTPS, if I understand correctly), I just don't want someone from IT snooping over SSH while I'm working with sensitive data.

There should be no "leaking" problems, since the "middle-man" router is mine; I'm interposing (patching?) the connection from the work machine to the local router.

If I'm talking out of my ass, or need to observe any other caveats, all info and criticism is appreciated.

I'm so proud of this community! (insert meme here) 😎
SolderAmateur
DD-WRT Novice


Joined: 07 Jul 2020
Posts: 11

PostPosted: Thu Jul 09, 2020 10:49    Post subject: Reply with quote
DrPereira wrote:
Thanks for the prompt response.

Yeah,this will probably be enough; I want the work machine to have the access it needs to run the electronic medical record interface (node.js over HTTPS, if I understand correctly), I just don't want someone from IT snooping over SSH while I'm working with sensitive data.

There should be no "leaking" problems, since the "middle-man" router is mine; I'm interposing (patching?) the connection from the work machine to the local router.

If I'm talking out of my ass, or need to observe any other caveats, all info and criticism is appreciated.

I'm so proud of this community! (insert meme here) 😎


Blocking their SSH access wouldn't matter if they are really determined to steal your work data and if it's true that they are, we can assume that they have already planted a spyware on the machine in question.

Putting the DDwrt between that machine and the network helps prevent external attacks yes, but it doesn't prevent the spyware from sending data back to the enemy.

Preventing the spyware from sending data back is a tricky and difficult thing to figure out as there are many varied techniques in exfiltrating data but while it's hard to know what to block, it may be easier to figure out the only connections that the machine needs in order for it to perform its function (still hard if the machine requires internet access to perform the work but relatively easy if it only needs to communicate with X number of devices)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3822
Location: UK, London, just across the river..

PostPosted: Thu Jul 09, 2020 12:11    Post subject: Reply with quote
and if they are clever they would've change ssh port too..
so they will be using any other than 22..
this is cats'n dogs game....
as Wildlion suggested deny all and than build
only permitted connections.... its the only way, you can do something...but even thou, if they are ISP..they can still see the communication..so you'd need a VPN + DNS over HTTPS or TLS or DNScrypt...
to find out what is running, you can use tcpdump, nmap, wireshark, ggl those, they have good manuals to start with...
with a bit of digging here and there, you will make it as you wish..its not a brain surgery...

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 44251 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 444467 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 44340 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 44467 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 44467 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
DrPereira
DD-WRT Novice


Joined: 16 Nov 2018
Posts: 5

PostPosted: Thu Jul 09, 2020 12:36    Post subject: Reply with quote
Alozaros wrote:
and if they are clever they would've change ssh port too..
so they will be using any other than 22..
this is cats'n dogs game....
as Wildlion suggested deny all and than build
only permitted connections.... its the only way, you can do something...but even thou, if they are ISP..they can still see the communication..so you'd need a VPN + DNS over HTTPS or TLS or DNScrypt...
to find out what is running, you can use tcpdump, nmap, wireshark, ggl those, they have good manuals to start with...
with a bit of digging here and there, you will make it as you wish..its not a brain surgery...


Wow, a lot of good reading for the weekend! Very Happy

Thanks for all the help, I'm really just trying to protect patient data, will update as it goes.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3822
Location: UK, London, just across the river..

PostPosted: Thu Jul 09, 2020 12:41    Post subject: Reply with quote
DrPereira wrote:

Wow, a lot of good reading for the weekend! Very Happy

Thanks for all the help, I'm really just trying to protect patient data, will update as it goes.



best DDWRT compatible VPN -> PIA ...
links for DNS over TLS (using stubby ) and DNSCrypt
in my signature Wink
best DDWRT compatible router, price/performance value Netgear R7800 it has all the futures/specs and support..

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 44251 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 444467 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 44340 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 44467 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 44467 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 815

PostPosted: Thu Jul 09, 2020 20:29    Post subject: Reply with quote
The best part is when you start using normal ports. Think things like DNS over HTTP or HTTPS. You cannot block outgoing to port 80 or 443, because you are wanting internet access.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum