DDNS Security Issues

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

needshelpdoing

New Around Here
Im deciding to get a DDNS since I am hosting some games(factorio, valheim, minecraft) for a few friends since I have dynamic IP. I am considering NoIP .

I am using the RT-AC68U, stock firmware, as my router. My concern is about potential security issues.

I have a Synology NAS(no remote access, no FTP, no ssh enabled), and a cctv system.
 

dosborne

Very Senior Member
Having a "name" vs just an ip makes little difference in terms of vulnerability. Not really sure what you are asking, but if it is just that, then it really doesn't matter. Most "attacks" are based on sequential ip sweeps looking for vulnerabilities on open ports. Obviously, the fewer services you run, the fewer potential vulnerabilities you will have.

Make sure your firmware is up to date to reduce potential attacks as well. Take a look at the updates in merlin firmware too as it is often ahead of stock asus in terms of patches. (But not always, all depends on release cycles)
 

dosborne

Very Senior Member
A good starting point, but ideally you investigate and know exactly what services you run and why they need to be exposed. Only allow programs that you trust.
 

cptnoblivious

Regular Contributor
i see. i guess using https://www.grc.com/shieldsup to test is okay?

As @dosborne said, place to start.

Also consider overlaying a decent SPI firewall with blacklist. But once you run services you're not just worried about the port that's being opened, but also about any unpatched vulnerabilities in the service itself. Ideally isolate those exposed systems in a DMZ and don't put anything sensitive on them that you would care about exposing. And of course, separate admin accounts and unique pwds for any accounts that are not shared with other services etc.
 

MichaelCG

Very Senior Member
GRC will tell you what ports are listening, but they tell nothing about the app layer risks. Even if GRC tells you that only one port is available, you have no idea if that port is vulnerable. As others have stated, if you are planning to host always on services, you should probably get a more advanced firewall and consider making a DMZ to segment your public exposed services away from your Internal systems/devices.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top