[ubuntu-uk] Hamachi

kasperd nabble at kmhhh.04.jul.2012.kasperd.net
Wed Jul 4 16:27:42 UTC 2012


I recommend that you don't use Hamachi as long as it is using 5.0.0.0/8
addresses. Those addresses were never supposed to be used by Hamachi. There
are now legitimate users of those addresses. The people behind Hamachi have
known for years that this was going to happen. And though they have
repeatedly been asked in their own forum, what they were going to do about
it, they remained silent.

If you install Hamachi, you will cut off your own access to parts of the
Internet. Servers are now being deployed with legitimate addresses from the
5.0.0.0/8 range. Hamachi users are unable to access those servers.

It is not clear if using Hamachi or using a port forwarding will be best
from a security point of view. With a port forwarding it is quite clear what
traffic is permitted into your network and what is not. However, usually a
port forwarding will be accessible to anybody on the Internet. So anybody
can connect to the server, and if the server has a vulnerability, then it
can be exploited.

If you use Hamachi, I believe Hamachi has a feature to let you decide who
gets to communicate with you using Hamachi. That way it will be restricted
to only certain people. However those people who can connect will still be
able to exploit any vulnerabilities which might exist in that server.
Moreover, unless you explicitly filter it, they will be able to access other
ports on your computer as well. Additionally you have to trust Hamachi. It
means another piece of software that could potentially have vulnerabilities.

Those are the arguments for and against. You get to decide which you find
more important. Overall I think avoiding Hamachi sounds like the best
solution.

If you are worried about letting a port forwarding remain open for the
entire world, there are a few things you can do to reduce the risk:
- Keep up with updates for the server software running on the port being
forwarded to.
- Put the server software on a separate computer on a different segment of
your network.
- Put the port forwarding on a non-standard port where it is less likely to
be found by port scanning.
- Restrict the port forwarding to only work for specific client IPs.
Each of those four suggestions will help even if you don't follow all four.

You are welcome to send follow up questions to
kasperd at zcwvd.04.jul.2012.kasperd.net, but do it before that address gets
flooded with spam.

--
View this message in context: http://ubuntu.5.n6.nabble.com/Hamachi-tp4980068p4982504.html
Sent from the ubuntu-uk mailing list archive at Nabble.com.
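
An added example, not part of the original message: a longest-prefix-match check showing why an on-link route for 5.0.0.0/8 on a VPN interface captures traffic meant for legitimate 5.x.x.x servers. The interface names (`ham0`, `eth0`), the route table and all addresses are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample in the style of `ip route show` output.
# Interface names and addresses are assumptions, not taken from the post.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
5.0.0.0/8 dev ham0 proto kernel scope link src 5.12.34.56
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

def parse_routes(text):
    """Return a list of (network, device, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # skip blank lines and routes without an interface
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, gateway))
    return routes

def select_route(routes, destination):
    """Pick the most specific route containing destination, as the kernel does."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def shadowed(routes, destination, vpn_dev="ham0"):
    """True if destination is sent on-link into the VPN interface
    instead of to the Internet gateway."""
    route = select_route(routes, destination)
    return route is not None and route[1] == vpn_dev and route[2] is None

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    # 5.9.10.11 stands in for a public server in 5.0.0.0/8 (constructed).
    for dest in ("5.9.10.11", "8.8.8.8"):
        net, dev, gw = select_route(table, dest)
        print(f"{dest}: via {net} dev {dev} gateway {gw} "
              f"shadowed={shadowed(table, dest)}")
```

On a real host, feed the function the output of `ip route show` and test any 5.x.x.x address you need to reach.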
