this post was submitted on 06 Jul 2023
7 points (100.0% liked)
techsupport
2481 readers
29 users here now
The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.
If something works or if you find a solution to your problem let us know it will be greatly apreciated.
Rules: instance rules + stay on topic
Partnered communities:
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Well, probably not going to be how an attacker gets in. But let's say they crack your ssh password on the raspberry pi. Now the attacker can reach the other devices on your network, even if ports aren't forwarded to those devices. Let's say you're running an smb file share on that old Windows computer. They could potentially use a vulnerability to get access to that computer.
So yes, you want good security at the perimeter (make sure your router firmware is up to date, any devices with ports forwarded are properly secured, reduce attack surface by not port forwarding anything unnecessarily, etc.). But it's also a good idea to practice security in depth, protect even the computers that are on the LAN.
Btw, I would only forward ports to things that you want people who aren't you to access. Something like ssh generally shouldn't have ports forwarded for as you're probably the only one that should be accessing it. Instead, use a VPN (I like wireguard). And when you want to access ssh outside the network, just VPN to your home first and then ssh like you're on the LAN. You can do the same with any other service. But if you want say share a Plex server with friends and family, you don't want to make them use a VPN, you pretty much have to port forward.
Wouldn't an SMB share only be visible to the internet through forwarded ports? I thought they were only available through LAN connections unless modified to do otherwise.
If that isn't the case do you have any recommendations for protecting SMB shares from outside connections?
Yes, the smb isn't visible directly to the internet. But if that raspberry pi gets hacked, then the attacker can use the raspberry pi to access your entire LAN.