Virgin Media SH2 Security

Hi
Just wanted to ask anyone who knows a bit about Virgin Media SH2 security.
Being the paranoid that I am, I've set up MAC filtering on my wireless connections. However, are there any other security settings I should be aware of to prevent any other penetration?

Perhaps any default settings that should be changed or ports locked down?
 
'Security' and 'consumer level hardware built by the cheapest bidder' don't really go hand in hand. :p The SH is open for remote access (in more than one way) and it wasn't long ago I exposed a hidden telnet and ssh listening service on them, which VM promptly closed off but didn't acknowledge.

MAC filtering is a bit of a false sense of security anyway, it's easy enough to spoof past. If you're really bothered build yourself a wired-only pfSense or similar router/firewall and hope the NSA BIOS, hard drive and CPU backdoors in all your hardware don't get used (no, really). :p

More realistically, what 'penetration' are you worrying about? If the adversary is just other Joe Blows sipping your wifi and browsing/downloading naughty stuff on your connection without consent, then a WPA2+ key with hourly key rotation will be ample. Being behind NAT (the router) is also protection against attacks, even without a firewall. Ports will naturally be 'closed' behind NAT unless you specifically forward them on the router side.

If you're more worried about ISP monitoring or interference then there are a number of steps you can take to harden and shrink your attack surface (VPN, self build BSD appliance, etc). If it's organisational or even state monitoring then... good luck lol. :D
 
I'm not worried about ISP monitoring. Some odd things happened on my desktop earlier.

I was playing a game and the window minimised. Then my ftp app started up.
I closed it and returned to my game and it happened again.

I then rebooted and so far all ok.

I am running up to date Bitdefender Total Security and as I say have MAC filtering enabled to deter the average freeloader, even though there is only a 10M range on my wifi.

What/How do I NAT my router and will that cause any problems with anything?
 
I'd suggest that any decent length WPA2 passphrase would more than deter a casual passerby, with or without MAC filtering (which is trivial to bypass). Your router is already functioning as NAT. See this for a bit more info. If you were connected directly to the internet (e.g. via ADSL or cable modem with no router), then you'd need to consider things like a good firewall to protect the connected machine.

With a router (which acts as hardware NAT and firewall in one), this isn't an issue. Any external person/machine scanning your WAN IP would only see the router not your own machine (that's what NAT is for), and as such unless you've specifically opened ports you have nothing to worry about.
 
For just general protection against the average semi competent computer user WPA2 with a long complex passcode should be fine, be careful who you let onto your network. If someone is determined to get through that (it's not impossible, just hard) then they are good enough that wireless encryption is the least of your problems.
WEP and WPA can be cracked so easily, MAC address filtering is also easy to spoof. Hiding your network SSID is pretty pointless as well. I haven't really looked much into the SH2 but it should do fine, it's a rebadged Netgear unit with custom firmware.
 
OK so if someone wants in and they are pretty good, they will probably get in. I guess once past the router they then have to get in to my PC and there would be another hurdle of security to get past.

OK I am a little less worried about being compromised over wifi but what settings should I enable as good practice?

Is it really likely that I can be hacked across the internet, I think that is more likely.
As I say I am using Bitdefender. Anything in there that should be changed from default?

Thanks for your help
 
From a being attacked from the Internet perspective, you can reduce the chances of this happening by:

- Have at least a half decent (not cheapest) router in the first place.
- Use NAT (will be doing so if IPv4 anyway).
- Have a SPI firewall on your router, and enabled.
- Having DOS / brute force protection enabled on the router/router's firewall.
- Turn off UPnP if you really don't need it on.
- Don't put anything in the DMZ.
- Don't forward ports unless you need to.
- If you do need to forward ports for services then at least use secure protocols (eg don't use FTP, telnet, HTTP - instead use SFTP, SSH, HTTPS).
- Disable WAN ping replies.
- Disable remote/Internet management of the router.

To be honest if you've got NAT and an SPI firewall on and setup, that's half the battle.

The biggest threat comes from your computers and devices and installing software on them downloaded from the Internet. It's not always viruses... But it could be unintentional or nefarious malware still....

Bitdefender is a very good choice for AV/malware protection, but with the number of new threats released on a weekly basis using common sense also helps. Don't turn off UAC on Windows (even if it's a bit annoying at times), do ensure Bitdefender updates and Windows (or other OS) patches are installed and up to date, etc.
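
Added example (not from any poster in this thread and not SH2 firmware): a toy Python model of a NAT router with stateful filtering, showing why an outside probe only reaches a LAN machine through a port forward or the DMZ, plus an audit of a few of the checklist items above. The `Router` class, its field names and all addresses are assumptions made up for illustration; flows are matched on the exact remote endpoint, which is a simplification.

```python
from dataclasses import dataclass, field
from typing import Optional

CLEARTEXT = {21: "FTP", 23: "telnet", 80: "HTTP"}  # protocols the checklist says to avoid

@dataclass
class Router:
    """Toy IPv4 NAT router with stateful (SPI) filtering; a model, not SH2 firmware."""
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None
    wan_ping: bool = False
    flows: dict = field(default_factory=dict)     # (wan_port, remote) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host connects out: allocate a WAN port and remember the flow."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(wan_port, remote)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote, wan_port):
        """Decide the fate of a TCP packet arriving on the WAN interface."""
        if (wan_port, remote) in self.flows:       # reply to a flow a LAN host started
            return "reply to %s:%d" % self.flows[(wan_port, remote)]
        if wan_port in self.forwards:              # explicit port forward
            return "forward to %s:%d" % self.forwards[wan_port]
        if self.dmz_host:                          # DMZ catches everything else
            return "dmz to %s:%d" % (self.dmz_host, wan_port)
        return "drop"                              # unsolicited: nothing to map it to

    def audit(self):
        """Findings against the checklist: cleartext forwards, DMZ, WAN ping."""
        out = ["port %d forwards cleartext %s" % (p, CLEARTEXT[p])
               for p in sorted(self.forwards) if p in CLEARTEXT]
        if self.dmz_host:
            out.append("DMZ host %s receives all unsolicited traffic" % self.dmz_host)
        if self.wan_ping:
            out.append("router answers WAN ping")
        return out

def exposed(router, scanner, ports):
    """Ports on which an unsolicited outside probe reaches a LAN machine."""
    return [p for p in ports if router.inbound(scanner, p) != "drop"]

if __name__ == "__main__":
    scanner = ("192.0.2.66", 51000)  # constructed documentation address
    print(exposed(Router(), scanner, [21, 22, 80]))
    print(exposed(Router(forwards={21: ("192.168.0.10", 21)}), scanner, [21, 22, 80]))
```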
 