Q: port blocking 5900
My system administrator has told me to take down my Apple Airport Extreme because of a vulnerability. The administrator says,
"The remote host is an Apple Airport Wireless Access Point which
can be administrated on top of TCP port 5009.
There is a design flaw in the administrative protocol which makes
the clients which connect to this port send the password
in cleartext (although slightly obfuscated).
An attacker who has the ability to sniff the data going to this
device may use this flaw to gain its administrative password and
gain its control. Since the airport base station does not keep any
log, it will be difficult to determine that administrative access
has been stolen.
Solution:
Block incoming traffic to this port, and only administer
this base station when connected to it using a cross-over ethernet
cable."
I am led to believe that Airport Extreme does not allow port blocking, and that one must forward port 5900 to a non-existent IP address.
Can someone comment on this, and perhaps provide clear instructions as to how to forward a port to a non-existent IP address?
MacBook (Retina, 12-inch, Early 2015), OS X El Capitan (10.11)
Posted on Aug 12, 2016 10:09 AM
Sorry, I tried to write the tip to be easy to understand, but it must be the Engineer in me that keeps tripping up.
"MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>"
refers to the MAC address of the Extreme?
No, this would be the MAC address of your computer that would be connected to the Extreme. Port mapping/forwarding is designed to allow data traffic from the Internet through a specific port on the Extreme to arrive at your computer. In this case, we would be using an IP address that would not exist on the local network.
For what you are trying to do here, you can skip the whole first step of the tip. It's the second step where you will want to make the mapping for the Extreme.
- Public UDP Ports: <enter the appropriate UDP port value(s)>
- Public TCP Ports: <enter the appropriate TCP port value(s)>
- Private IP Address: <enter the reserved IP address of the host device (from step 1)>
- Private UDP Ports: <enter the same Public UDP Ports or your choice>
- Private TCP Ports: <enter the same Public TCP Ports or your choice>
- Click "Save"
is a bit cryptic and I don't understand this.
Ok, here is a cheat sheet for you:
- Public UDP Ports: 5900
- Public TCP Ports: 5900
- Private IP Address: 10.0.1.201
- Private UDP Ports: 5900
- Private TCP Ports: 5900
Scary easy ... only if you are well-versed in networking which means you don't have a life.
Posted on Aug 12, 2016 10:45 AM