If you keep TFTP-Server running or if you keep the TFTP-client tool available to run anytime, then abusive hackers can abuse/exploit it, to load harmful firmware and/or to change sensitive security settings inside your existing router firmware 1, 2, 3, 4, 5, 6, etc.
If your computer is also used as a desktop computer for general purpose or for other purpose than build/compile, then make sure TFTP-client & TFTP-server, both are placed behind a firewall ( frwl) system or rules 1, 2, firewall rules should be: (frwl rule # 1) allow TFTP traffic when connections originated from local LAN ip.address range and also ended into local LAN ip.address range, (frwl rule # 2) TFTP traffic is Not-Allowed when it is from/to 127.0.0.1 or lo, (frwl rule # 3) TFTP traffic is Not-Allowed when originated from Internet-ip-address (aka: NON private- LAN ip-address ranges), And you must also make sure to do this: after your develop / troubleshooting etc work is done or when you pause to goto other work, then make sure the TFTP-server and TFTP-client both are completely disabled in your OS/distro : turn off TFTP-Server service / process, disable TFTP-server startup script file, and move the TFTP-client ( tftp) & the TFTP-server ( tftpd) executable / binary ( bin) files out of all folders mentioned in your PATH variable, into a different folder (which is NOT in the PATH variable), and also move bin files out of the folder which is mentioned in startup-script (if such is used). If necessary, create a separate subnet under a 2nd level router, then work / develop / troubleshoot under that separate subnet with network devices which will handle TFTP client/server protocols.
Access to TFTP-client ( tftp) and TFTP-Server ( tftpd) tool/app must be made secure, from (primarily) hackers in internet (and TFTP-Server & Client both must also be kept securely isolated from harmful/ignorant internal users or from hijacked computers, inside your own LAN network).
0 kommentar(er)
