Using a DD-WRT router to bypass network snooping

DrPereira
DD-WRT Novice


Joined: 16 Nov 2018
Posts: 5

PostPosted: Sun Jun 21, 2020 13:26    Post subject: Using a DD-WRT router to bypass network snooping
I'm not sure this is the place for such a question; if not, I apologize in advance and ask guidance to the right place.

I'm in a (public administration) network, and our work PCs were all changed recently.

They're running Ubuntu 18.04, with no significant mods that I can see.

The thing is, they all have remote SSH viewing enabled by default, and it is impossible to shut down without an admin login.

Our old computers enabled that only if you ran TeamViewer, and with express knowledge.

Since most of my computer work is M.D. level access to patient registers, I'm concerned about screen mirroring and keylogging regarding what I'm working upon (yeah, they are THAT corrupt). I see that as a breach of patient-doctor confidentiality that I cannot allow.

My first solution was to use a TP-Link WR740N with micro DD-WRT that I had lying around unused, put it between the machine and the ethernet connection, and configure it to block all SSH requests; it "worked", but now I have two problems:

1) I need a way to test if all SSH incoming and outgoing from the machine is blocked, sans admin access on the client;

2) If I connect my personal machine on said router, it gets no internet connection, even though the work PC does, even routed. I tried MAC cloning, to no avail.

Thanks in advance. I know I'm a noob playing with fire, but I believe the cause is just. Willing to provide information and learn as I go.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1413

PostPosted: Sun Jun 21, 2020 15:08    Post subject:
It sounds as though you are wanting to create an external firewall for a machine that you do not have admin access to.

Based on that assumption, how much access are you wanting the machine to have?

The most secure way would be to set the router up to deny all by default. If you are using the router to do NAT, then incoming will all be denied unless you open up a hole yourself. For the outgoing side, you would add a rule to the firewall denying all except things like http, https, dns, ntp.

To just deny outgoing ssh from machines through the router it is:

iptables -I FORWARD -p tcp -m tcp --dport 22 -j DROP

This does not block SSH traffic into the source machine, just out of it (incoming is being blocked by NAT, and you would not know what the destination port is, but you would know the source port of 22).

Once a machine is on the router's unmanaged switch there is nothing that you can do to stop traffic. In that case you would want to physically secure the router so that no one could plug in to one of the ports (and have wi-fi disabled).
DrPereira
DD-WRT Novice


Joined: 16 Nov 2018
Posts: 5

PostPosted: Sun Jun 21, 2020 15:22    Post subject:
Thanks for the prompt response.

Yeah, this will probably be enough; I want the work machine to have the access it needs to run the electronic medical record interface (node.js over HTTPS, if I understand correctly), I just don't want someone from IT snooping over SSH while I'm working with sensitive data.

There should be no "leaking" problems, since the "middle-man" router is mine; I'm interposing (patching?) the connection from the work machine to the local router.

If I'm talking out of my ass, or need to observe any other caveats, all info and criticism is appreciated.

I'm so proud of this community! (insert meme here) 😎
SolderAmateur
DD-WRT Novice


Joined: 07 Jul 2020
Posts: 11

PostPosted: Thu Jul 09, 2020 10:49    Post subject:
DrPereira wrote:
Thanks for the prompt response.

Yeah, this will probably be enough; I want the work machine to have the access it needs to run the electronic medical record interface (node.js over HTTPS, if I understand correctly), I just don't want someone from IT snooping over SSH while I'm working with sensitive data.

There should be no "leaking" problems, since the "middle-man" router is mine; I'm interposing (patching?) the connection from the work machine to the local router.

If I'm talking out of my ass, or need to observe any other caveats, all info and criticism is appreciated.

I'm so proud of this community! (insert meme here) 😎

Blocking their SSH access wouldn't matter if they are really determined to steal your work data, and if it's true that they are, we can assume that they have already planted spyware on the machine in question.

Putting the DD-WRT between that machine and the network helps prevent external attacks, yes, but it doesn't prevent the spyware from sending data back to the enemy.

Preventing the spyware from sending data back is a tricky and difficult thing to figure out, as there are many varied techniques for exfiltrating data. While it's hard to know what to block, it may be easier to figure out the only connections that the machine needs in order to perform its function (still hard if the machine requires internet access to perform the work, but relatively easy if it only needs to communicate with X number of devices).
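An added example, not code from the thread or from the DD-WRT project, that puts Wildlion's deny-all-by-default FORWARD policy and SolderAmateur's "allow only the connections the machine needs" idea into one DD-WRT firewall script, plus a non-root connect test for question 1 of the first post. It assumes the LAN bridge is br0, the upstream port is vlan1, DD-WRT's own NAT stays enabled, and the build's iptables has the state, limit and LOG modules; these names are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny FORWARD ruleset for the
# interposed DD-WRT router, plus a non-root reachability check from the work PC.
# Assumptions (placeholders, not stated in the thread): the LAN bridge is br0,
# the upstream port is vlan1, and DD-WRT's NAT (MASQUERADE) stays enabled, so
# unsolicited inbound connections, SSH included, never reach the work PC.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"

# Print the rules instead of running them, so they can be reviewed before being
# pasted into Administration > Commands > Save Firewall. Flushing replaces
# DD-WRT's generated FORWARD rules; the nat table (MASQUERADE) is untouched.
firewall_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -m state --state NEW -m limit --limit 6/min -j LOG --log-prefix "FWD-DROP "
EOF
}

# Non-root check from the work PC (question 1 in the first post): a TCP connect
# to port 22 on an upstream host must fail. nc (netcat-openbsd) ships with Ubuntu.
check_ssh_blocked() {
    if nc -z -w 3 "$1" 22 2>/dev/null; then
        echo "port 22 on $1 is REACHABLE: the block is not in effect"
        return 1
    fi
    echo "port 22 on $1 is not reachable from here"
    return 0
}

# Number of iptables commands the generated ruleset contains (sanity check).
rule_count() { firewall_rules | grep -c '^iptables'; }

case "${1:-}" in
    apply) firewall_rules | sh ;;            # run as root on the router
    check) check_ssh_blocked "${2:?host}" ;; # run as a normal user on the work PC
    *)     firewall_rules ;;                 # default: only print the rules
esac
```

Every new flow that is not on the allow-list is logged once (rate-limited) before the DROP policy discards it, so `logread` on the router shows what the work PC actually tried to reach, including any SSH attempt on a non-standard port.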
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

PostPosted: Thu Jul 09, 2020 12:11    Post subject:
And if they are clever they would've changed the SSH port too..
so they will be using anything other than 22..
This is a cats'n dogs game....
As Wildlion suggested, deny all and then build
only permitted connections.... it's the only way you can do something...but even though, if they are the ISP..they can still see the communication..so you'd need a VPN + DNS over HTTPS or TLS or DNSCrypt...
To find out what is running, you can use tcpdump, nmap, wireshark; Google those, they have good manuals to start with...
With a bit of digging here and there, you will make it as you wish..it's not brain surgery...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
DrPereira
DD-WRT Novice


Joined: 16 Nov 2018
Posts: 5

PostPosted: Thu Jul 09, 2020 12:36    Post subject:
Alozaros wrote:
And if they are clever they would've changed the SSH port too..
so they will be using anything other than 22..
This is a cats'n dogs game....
As Wildlion suggested, deny all and then build
only permitted connections.... it's the only way you can do something...but even though, if they are the ISP..they can still see the communication..so you'd need a VPN + DNS over HTTPS or TLS or DNSCrypt...
To find out what is running, you can use tcpdump, nmap, wireshark; Google those, they have good manuals to start with...
With a bit of digging here and there, you will make it as you wish..it's not brain surgery...

Wow, a lot of good reading for the weekend!

Thanks for all the help, I'm really just trying to protect patient data, will update as it goes.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

PostPosted: Thu Jul 09, 2020 12:41    Post subject:
DrPereira wrote:
Wow, a lot of good reading for the weekend!

Thanks for all the help, I'm really just trying to protect patient data, will update as it goes.

Best DD-WRT compatible VPN -> PIA ...
Links for DNS over TLS (using Stubby) and DNSCrypt
are in my signature.
Best DD-WRT compatible router for price/performance value: Netgear R7800, it has all the features/specs and support..

Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1413

PostPosted: Thu Jul 09, 2020 20:29    Post subject:
The best part is when you start using normal ports. Think things like DNS over HTTP or HTTPS. You cannot block outgoing to port 80 or 443, because you are wanting internet access.