Sharing my "newbie" experience on how to protect one's files yet have them available online whenever

Discussion in 'Asuswrt-Merlin' started by Cokie, Jun 24, 2018.

  1. Cokie

    Cokie New Around Here

    Joined:
    Jun 23, 2018
    Messages:
    5
    *** WARNING: This is a post aimed to newbies like me! ***

    Hi there,

    I just managed to successfully install Merlin's firmware (June 2018) to my AC68U and now the FTP feature works flawlessly. Thanks, Eric!

    Firstly... I am a Windows user, sorry -not knowledgeable for Linux and the like.

    I am a consultant and I have my office at home. In order to have my files available when I am at a client's office, at first I used to have a portable hard disk which was connected to the computer with the software SecondCopy syncing my PC's folders with this disk. Problem was that, as time passed, I often forgot to take it with me when leaving home -sounds familiar? :)

    Then I started to leave my computer on all the time -which I don't like to do, for many reasons- so I could access it remotely. This basically resorted to Windows' "security" (alas!) to protect it from intruders. Not a great move, I know.

    On top of this, I used to have a shi**y Comtrend router provided as standard by a big telecom to its customers so no AiProtection tools (as in ASUS routers) or anything of that sort.

    Most recently, I've come up with a compromise which I believe offers a much better protection and peace of mind for me and which is easy to set up so I thought about sharing it with other newbies here who, like me, might not be as proficient in IT as some other folks in the forum.

    • I bought an ASUS RT-AC68U, which, although a bit old now, seems to be a decent piece of hardware for a reasonable price. Disabled WPS, remote WAN access, and so on, as recommended in the forum.
    • I, however, activated Cloud Disk at the section AiCloud 2.0 and got an Asus DDNS (I know, I know!...) so I could access my data from wherever I need to. Then I have plugged a 2.5 HARDDISK to the USB3 AC68U router's port where I have my data (projects' files). I also thought about a VPN but I found it a bit confusing/complex to set up.
    HOWEVER,

    Since I have been quite concerned reading about the security flaws shown in ASUS firmware for many years (and other vendors!) I added an easy to setup "extra" layer of protection which gives me peace of mind: ENCRYPTION in my data.



    MY APPROACH

    There's a program called Boxcryptor -offered by a very reputable German company called Secomba GmbH- which I had been using for years. Btw, it's free for personal use. They're now in v2.x but I find v1.x easier (more portable) for the purpose I will describe hereafter. Note there is other similarly good encryption software out there: Tresorit, Veracrypt, TrueCrypt... I simply happen to have settled with this one.

    • I set up Boxcryptor Classic (or v1.x) in my computer and I choose a folder to encrypt (say for example "C:\DOCS"). Once the folder is encrypted it creates a virtual disk (say "Z:") which loads on computer startup and which is the folder I need to access, and not the first one, to see and work with my (unencrypted) stuff. Easy peasy. Nothing more to it, the software automatically encrypts and decrypts. Within the folder, in the example (C:\DOCS\) Boxcryptor creates an XML file (which starts with a dot, as in ".encfs6.xml") which we'll later need.
    • I have also a software called SecondCopy which allows me to sync folders within the same disk or different disks and also via FTP. I've set up a task to sync every hour or so, via an FTP connection, my ENCRYPTED C:\DOCS folder to the USB3 disk mentioned earlier which is connected to the ASUS AC68U router. The initial sync, if your data folder is large, can take a few hours, but then, subsequent syncing is a breeze. So... now I have a bunch of encrypted files available to me from anywhere in my open-to-the-world portable hard disk connected to my router.
    • Thus, from any computer anywhere in the world I can connect to my Asus DDNS (xxxxxx.asuscomm.com) with my credentials, remotely access the USB3 disk at my AC68U, download whatever ENCRYPTED file I need into my USB (or client's computer) and simply by executing the Portable Boxcryptor file -which is barely 2Mb and doesn't need to install anything into the client's computer- it automatically decrypts "on-the-fly" whatever I download. Note: the XML file needs to be in the same directory I download the file.
    With this setup, even if someone hacks the ASUS router and accesses my files, those will be encrypted and he'll need to spend considerable time decrypting them noting it uses AES-256 encryption. Yes, every encrypted file is hackable and so on and so forth... but that takes time and resources and I'm not necessarily a juicy target to really spend all that, am I? So, how exposed to hackers achieving their goal I really am? Even if an intruder decides to cause havoc and say "delete" my disk, the periodical syncing of SecondCopy would copy the contents from my PC -whenever I turn it on- again to the USB disk.

    **Update**... maybe someone more knowledgeable can enlighten us about this later news: https://www.theinquirer.net/inquirer/news/3012648/aes-256-encryption-keys-cracked-by-hands-off-hack

    Thanks, I hope it can be helpful to someone.

    All feedback welcome.
     
    Last edited: Jun 24, 2018
    joe scian and Grisu like this.
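
The encrypted folder in the post above carries its `.encfs6.xml` with it, so that file reaches the router's disk together with the data. As an added example (not part of the original post, and not Boxcryptor's or EncFS's own code), this Python function reads a config in the EncFS version-6 XML layout that the file name indicates and reports the settings that matter once the share is exposed; the sample values and the iteration threshold are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

MIN_KDF_ITERATIONS = 100_000  # assumed review threshold, not an EncFS or Boxcryptor value

# Constructed sample in the EncFS version-6 layout; key and salt bytes are all-zero dummies.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<boost_serialization signature="serialization::archive" version="9">
  <cfg class_id="0" tracking_level="0" version="20">
    <cipherAlg><name>ssl/aes</name><major>3</major><minor>0</minor></cipherAlg>
    <keySize>256</keySize>
    <blockMACBytes>0</blockMACBytes>
    <encodedKeyData>{key}</encodedKeyData>
    <saltData>{salt}</saltData>
    <kdfIterations>5000</kdfIterations>
  </cfg>
</boost_serialization>""".format(key=base64.b64encode(bytes(52)).decode(),
                                 salt=base64.b64encode(bytes(20)).decode())


def audit_encfs_config(xml_text):
    """Return (settings, findings) for the text of one .encfs6.xml file."""
    if "<!ENTITY" in xml_text:  # the file sits on an exposed share: refuse entity tricks
        raise ValueError("unexpected entity declaration")
    cfg = ET.fromstring(xml_text.encode("utf-8")).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an EncFS v6 config")

    def number(tag):
        return int(cfg.findtext(tag, default="0"))

    def blob_len(tag):  # base64 text may be wrapped across lines
        return len(base64.b64decode(cfg.findtext(tag, default="")))

    settings = {
        "cipher": cfg.findtext("cipherAlg/name", default="?").strip(),
        "key_bits": number("keySize"),
        "kdf_iterations": number("kdfIterations"),
        "salt_bytes": blob_len("saltData"),
        "wrapped_key_bytes": blob_len("encodedKeyData"),
        "block_mac_bytes": number("blockMACBytes"),
    }
    findings = {}
    if settings["wrapped_key_bytes"]:
        findings["offline-guessing"] = "password-wrapped volume key travels with the data"
    if settings["kdf_iterations"] < MIN_KDF_ITERATIONS:
        findings["weak-kdf"] = "few KDF iterations: only a long passphrase slows guessing"
    if settings["block_mac_bytes"] == 0:
        findings["no-block-mac"] = "no per-block MAC: altered ciphertext decrypts silently"
    return settings, findings
```

Run it on the text of the real file with `audit_encfs_config(open(path, encoding="utf-8").read())`; whatever the findings, the passphrase is what stands between a copied share and the plaintext.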
  2. Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,698
    Location:
    UK
    @Cokie I would make two observations:

    1) If a person has no other option than to use FTP, which is inherently insecure, then encrypting the files is essential if you want to keep the data private. I had to set up a similar process in one company where, for various reasons, some of their clients had to use FTP.

    2) Your "solution" isn't specific to Asus or Asus-Merlin, so might be better placed in the General Network Security section. You're just recommending that people use Boxcryptor on their FTP server files. The FTP server could be anywhere on any device, it's not Asus-specific.
     
    st3v3n likes this.
  4. Cokie

    Cokie New Around Here

    Joined:
    Jun 23, 2018
    Messages:
    5
    Actually I would love to hear alternatives from the pros :)

    Can this be edited so I move it to another section of the forum?
     
  5. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,238
    Location:
    United Kingdom
    One point I’d make: you wrote “I also thought about a VPN but I found it a bit confusing/complex to set up.”. Setting up OpenVPN server on an Asus-Merlin router is far easier than you’d imagine. Perhaps you came across dated articles about creating your own certs and keys? Nowadays, it is simplicity itself: everything is done for you and you’re up and running in just a few minutes usually, with a very strong likelihood of it working first time.
     
    Last edited: Jun 24, 2018
    SMS786 likes this.
  6. netware5

    netware5 Senior Member

    Joined:
    Mar 9, 2013
    Messages:
    330
    Location:
    Bulgaria
    Just set up an OpenVPN server on your router and you will be able to access all your files remotely - easy, fast and MOST secure.
     
    martinr likes this.
  7. Cokie

    Cokie New Around Here

    Joined:
    Jun 23, 2018
    Messages:
    5
    Thanks guys for pointing this -yes, when I checked that I came across some details on keys and certificates which turned me away. I'll give it another try.

    Two questions though:
    1. when one has an OpenVPN server in one's router and wants to access it remotely... is it necessary to install a client in the remote computer? Last time I checked that was the case and I have a problem with that as I am often using PC's at my clients, where I can't install anything. Hence the reason I had to come up with the "thing" I described above.
    2. so, you're saying that setting up a VPN with OpenVPN at the ASUS RT-AC68U with the latest Merlin firmware.... IS TOTALLY SECURE against intruders peeking my USB3 disk? To be frank, if that's so, it's far more convenient than to keep going around with my USB and the decrypter!
     
  8. st3v3n

    st3v3n Senior Member

    Joined:
    Feb 24, 2016
    Messages:
    373
    Location:
    Central US
    Cokie, with all respect, what is your specialty (what do you specialize in as a consultant), how long have you consulted in your practice and what knowledge would help you? As an observation from my perspective as a retired consultant of many years, the pros responding thus far have excellent points. Suggest you might spend some time researching this area further, in order to narrow down which area is most important to you, then find the appropriate area of the forum; there are many other forums that can help you, and many of the VPN providers have up to date tutorials, as well as the many YouTube videos. The forum search engine function and wiki is the best place to begin in your quest. If you already have the latest Merlin FW build installed on your router, VPN on an Asus router doesn't get much easier. Every question you might think of has likely been asked several times over the years, so dig in and search. Cheers.
     
  9. Cokie

    Cokie New Around Here

    Joined:
    Jun 23, 2018
    Messages:
    5
    No patronizing, thank you.
     
  10. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    12,664
    Location:
    San Diego, CA
    @Cokie - all due respect...

    You're probably over thinking things, and making it more complex. Don't provide a 10 dollar answer to a 1 dollar problem.

    Router/AP's are good for the edge to secure a LAN, but not the best for services - better to have a hardened host behind the firewall/gateway.
     
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,698
    Location:
    UK
    1. Yes you do need a VPN client on the remote computer that you're using.

    2. This answer may be academic given the answer to 1 above. Nothing is totally secure, nothing. However, of all the options available on the Asus router OpenVPN would be the most secure.

    You raise a good point though. Many companies restrict what access to the internet you have, and that may include FTP. Some companies might only allow access to web-based services, like Microsoft OneDrive. The reason being that their network security devices can automatically scan any files for malware before it gets onto their LAN. Allowing unrestricted access to FTP servers bypasses this important layer of security.
     
    martinr likes this.
  12. Theliel

    Theliel Occasional Visitor

    Joined:
    Apr 7, 2014
    Messages:
    43
    I think the thing here is much simpler, as has been said, this is not a big problem, and as far as options are concerned there are many. The best one will be the one that best suits the needs of each one.

    If what you want is data security (encryption), remote access and synchronization, possibly the option to follow is a NAS (with full disk encryption if you want). For access it could be done by HTTPS or VPN if you want to isolate NAS from the outside.

    Create a USB HDD to store encrypted files through Boxcryptor, so allow FTP access, and also require a second USB memory to decrypt the content ... I do not think it is the safest way or more efficient.

    In Windows, another even more simple option would be to create an HDD BitLocker accessible by VPN or even by RDP.
     
  13. st3v3n

    st3v3n Senior Member

    Joined:
    Feb 24, 2016
    Messages:
    373
    Location:
    Central US
    Cokie, no patronizing; given the level/volume of data in your post, curiosity has nothing to do with your perception of any response garnered from veteran members who took the time to reply. If you're a consultant, it's a fair question. End of line.
     
  14. Cokie

    Cokie New Around Here

    Joined:
    Jun 23, 2018
    Messages:
    5
    Thank you all for your replies. They've given me food for thought.
     