OUR NETWORK:TiVoCommunity TechLore MyOpenRouter Dijit Community MediaSmart Home See all... About UsAdvertiseContact Us
Previous Thread | Next Thread

 
Learn about scoring Forum's Raw Score: 252272.0
February 25, 2011 12:31 PM

Categories: News

Rating (0 votes)
  • 1
  • 2
  • 3
  • 4
  • 5
Rate This!

Member Avatar

Louie

Member
Joined: 02/25/2011

Hello everyone.

I am thinking of purchasing a Pogoplug and did a little research on it. I hear a lot of good things and I must admit seems like a great product, however, Something I read did catch my attention.

http://robpickering.com/2010/01/beware-the-pogoplug-7

This thread talks about a high risk security gap that really concerns me. I cannot seem to find any information addressing this on this website or other sites I have looked at. Is there anyone here that might be able to explain how high a risk it is and if/or not Pogo Plug has addressed this issue? I would really like to know as I am considering ordering a few of these and just want to the full lowdown on it before I decide to go with it. Thanks in advance to anyone that can clarify.

Discussion:    Add a Comment | Comments 1-5 of 5 | Latest Comment

Peter Redmer Avatar
Editor
February 25, 2011 3:59 PM

Yep, this issue was addressed a long time ago. There is a checkbox in the security settings of the Pogoplug UI that enables you to enable or disable SSH access. However, the Pogoplug resides behind your router and firewall, and doesn't require ports to be opened, so it's very, very safe regardless.

Peter Redmer
Administrator
Blog | Twitter

kinoini Avatar
Member
May 18, 2011 4:31 PM

Peter Redmer said: Yep, this issue was addressed a long time ago. There is a checkbox in the security settings of the Pogoplug UI that enables you to enable or disable SSH access. However, the Pogoplug resides behind your router and firewall, and doesn't require ports to be opened, so it's very, very safe regardless.
From what I can tell, my router does not block port 22 and allows it to flow through to the pogoplug.  This exposes the plug to a brute force attack.  Unless I'm mistaken, but I was able to SSH to root@my.pogoplug.com and get a terminal session.  I can't log in, but with a brute force attack, there is no need to log in.   The intention is to bring the server to it's knees.  I'd recommend keeping that SSH option disabled unless you absolutely need it.

Generic Member Avatar
Member
May 19, 2011 10:51 AM

I have already purchased half dozen of these pogoplugs and have been working great for me. I have disabled ssh and will continue to monitor them and look up more information on security gaps. Thanks for your replies

Generic Member Avatar
Member
May 19, 2011 12:23 PM

i was able to get a terminal session as well. however, this looks like it ;s going to CE's server my.pogoplug.com, not any individual users pogoplug. it;s ipaddress is 38.126.11.29

Cloud Engines might want to close this hole to their servers. atleast change the SSH port to something other than 22.

OddballHero Avatar
Member
May 20, 2011 7:46 PM

If a router is that open, ssh is the least of your problems.

Discussion:    Add a Comment | Back to Top | Comments 1-5 of 5 | Latest Comment

Add Your Reply

(will not be displayed)

Email me when comments are added to this thread

 
 

Please log in or register to participate in this community!

Log In

Remember

Not a member? Sign up!

Did you forget your password?

You can also log in using OpenID.

close this window
close this window