Secure your own device
The main D-PHYS network is different from your network at home or from usual corporate networks. It has an almost fully open firewall to allow connections to arbitrary ports and services on your device. If your computer is not configured correctly and exposes vulnerable services to the network, it is at risk of being attacked from the whole internet.
This page provides a rough checklist what you should do to minimize the attack surface and greatly reduce the chances that your device will be hacked.
If some of the steps described here do not mean anything to you or if you would like to have fewer headaches keeping your device secure in an open network, please contact us! We will help you or place your device in a more restricted (firewalled) network, where it cannot be accessed directly (without VPN) from the internet.
All operating systems
- Always have your device/software fully updated
- Use good passwords
- Never install software from untrusted sources
- Enable your host firewall
- Only expose services (ports) needed
More detailed recommendations can be found on monster.phys.ethz.ch.
Windows updates are installed automatically. Please check sometimes if everything is installed correctly here: Settings > Update & Security > Windows Update. There should be a green symbol.
It's recommendable to enable these two settings: Settings > Update & Security > Windows Update > Advanced Options, Enable Receive updates for other Microsoft products... this is for updating other Microsoft products like MS Office and Show a notification when your PC requires a restart... to get an additional notification if a restart is required after installing updates.
Network and firewall
Check that your network settings are set to Public. Go to Settings > Network & Internet > Status > Network status, go to the network interface Properties and set it to Public. This will enable more restricive firewall settings.
Go to Settings > Update & Security > Windows Security > Open Windows Security, check that all is green.
If you enable Remote Desktop it will be world wide open. But we block RDP traffic from outside the ETH, therefore you will always need a VPN connection to ETH network.
You can restrict it more with a powershell in admin mode.
# Allow just current subnet. Set-NetFirewallRule -DisplayGroup "Remote Desktop" ` -RemoteAddress "LocalSubnet" # Allow just current subnet and eth vpn networks Set-NetFirewallRule -DisplayGroup "Remote Desktop" ` -RemoteAddress "LocalSubnet", 10.5.0.0/16, 10.6.0.0/16
All example configs and commands are for a most recent Debian installation or derivatives (Debian, Ubuntu, Raspbian) and may need adaptions for other distributions.
- Always change default passwords of default users (root, pi, ...)
- Install packages from trusted repositories only
Secure SSH access to use key-based authentication only
PermitRootLogin without-password ChallengeResponseAuthentication no PasswordAuthentication no AuthorizedKeysFile .ssh/authorized_keys
systemctl restart sshd.service
This is the most secure option and will disable password-based authentication.
Secure SSH access with passwords
Alternatively enable password-based authentication for non-root users and limit the allowed users:
PermitRootLogin without-password ChallengeResponseAuthentication no PasswordAuthentication yes AuthorizedKeysFile .ssh/authorized_keys AllowUsers root alice bob
systemctl restart sshd.service
Install fail2ban to slow down brute-force attacks:
apt install fail2ban
Enable automatic update installation
apt install aptitude-robot
- Alternative: Install and configure
Secure services and ports
Keep the list of services exposed to the network as small as possible. Exposed here means services listening on non-loopback interfaces. To check that use the following command:
All sockets listed in column
Local Address:Port that are NOT listening on
127.0.0.1 (IPv4 loopback address) or
[::1] (IPv6 loopback address)
may be exposted to the network. This includes any explicit IP adresses
or all addresses/interfaces, noted as
0.0.0.0 (IPv4) and
If some services are needed/exposed, secure them by configuration or firewall.
Avoid high risk and unencrypted services
The following non-exhaustive list of services/ports are known to be insecure and should be avoided/protected at all cost:
See also SWITCH report of vulnerable services.
Use a host firewall
Very simple example using
ufw (Uncomplicated Firewall) to allow SSH access only:
apt install ufw ufw enable ufw allow 22
Do not forget IPv6.