[arm-allstar] General Internet Security --was: General Observation
David McGough
kb4fxc at inttek.net
Wed May 17 10:35:42 EST 2017
Hi Sam,
Sorry to hear that you had a node get compromised! What OS/release
software was that node running? And, do you know how it got
compromised--was it a weak password issue, or an attack via some other
vector?
We're trying to stay on top of any reported security issues with the
hamvoip release, whether Asterisk/AllStar related or OS software. Since we
can easily update and replace packages as of V1.5, we'll do our best to
stay on top of anything that needs immediate attention.
There are a lot of philosophies and best practices when it comes to
securing any Internet-visible computer, and the practices differ depending
on whether your host system is a high-powered PC or a minimal-resources
embedded box, like a RPi. I've been designing software for and building
OEM Linux-based commercial routers for almost 20 years now and have had a
few "oh crap" moments over those years! I also maintain a farm of big
boxen and an Internet ISP.
I'll mention that the single best policy is to NEVER unnecessarily expose
any TCP/UDP ports to the public Internet; use firewall rules to
explicitly open "pinholes" to needed services. When I say firewall, that
doesn't necessarily mean a separate hardware device--Linux itself provides
an excellent firewall system via iptables, ebtables, etc.
As you mentioned, moving services (like SSH or SIP) to non-standard ports
will help, too. But, that isn't fool-proof.
Personally, I use several approaches. Here are some notable points:
...For public-facing access gateways, I use high-powered hosts which
don't get bogged down running applications like fail2ban, which is set up
to aggressively block would-be attackers via dynamic firewall rules.
...I lock down all direct access using a Linux iptables firewall to only
allow access from explicit IP-address ranges, where practical.
...I use VPNs between all internal systems, globally. I'm a fan of
OpenVPN, which is included by default in the hamvoip release.
...For any low-resource embedded system that must have SSH exposed to
the Internet, I typically turn off password access and only allow access
via public/private key pairs.
...As for system passwords, I'll mention a hint that, as long as you're
careful, -combinations- of various ham callsigns and dates can make
reasonable passwords, which are easy for hams to remember, and will foil a
dictionary attack.
...Please DO NOT use the same system password everywhere!
...If you're accessing your systems from *ANY* kind of public WiFi (like
the corner restaurant or coffee shop), assume that there IS a "man in the
middle," and ALL your traffic is being monitored!!!! What I do in this
type of setting is to first access the public WiFi and then IMMEDIATELY bring
up a VPN to my office, forwarding all traffic across the VPN.
73, David KB4FXC
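One concrete form of the "pinhole" firewall and key-only SSH policy described above, as an added example that is not David's code and not part of the hamvoip release. The trusted range 203.0.113.0/24 and the SSH port 2222 are constructed placeholders; by default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not from the list post). Constructed values: TRUSTED_NET is
# the explicit IP range allowed to reach SSH, SSH_PORT the non-standard port.
# IPT defaults to "echo iptables" so the rules are printed, not applied;
# run with IPT=iptables as root to install them.
TRUSTED_NET="${TRUSTED_NET:-203.0.113.0/24}"
SSH_PORT="${SSH_PORT:-2222}"
IPT="${IPT:-echo iptables}"

# Default-deny inbound policy with explicit pinholes: loopback, replies to
# connections the node started, and SSH only from the trusted range.
# Everything else is rate-limited into the log and then dropped by policy.
pinhole_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$TRUSTED_NET" -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Returns 0 when the given sshd_config turns off password logins and keeps
# public-key logins on. Comment lines and leading whitespace are ignored and
# the last occurrence of a keyword wins; keywords are matched case-sensitively
# here, which is a simplification of sshd's parser.
sshd_keyonly_ok() {
    cfg="$1"
    pw=$(sed -n 's/^[[:space:]]*PasswordAuthentication[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    pk=$(sed -n 's/^[[:space:]]*PubkeyAuthentication[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    # sshd defaults when a keyword is absent: both "yes"
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Usage: pinhole_rules            (print or apply the firewall rules)
#        sshd_keyonly_ok /etc/ssh/sshd_config && echo "SSH is key-only"
```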
On Wed, 17 May 2017, "Sam Nabkey via arm-allstar" wrote:
> In my experience, I received a call that someone had compromised my node
> and was mining bitcoin and weak PlayStation account logins.
>
> I have changed the ssh port on all my nodes up and away from standard, I've
> changed the SIP port also as I run SIP to connect an IP phone as a node
> monitor.
>
> I also run a Ubiquiti router that I've added scripts on to automatically
> adjust the firewall to change a blacklist of ip addresses from a few
> different databases every hour.
>
> I'm a green rookie on network security but when a subnet gets poisoned by a
> ddos attack you learn really quick.
>
> Sam
>
> On May 17, 2017 00:46, David Lang via arm-allstar <arm-allstar at hamvoip.org>
> wrote:
>
> > On Wed, 17 May 2017, "Nathaniel Biser via arm-allstar" wrote:
> >
> >> The one consistency that I have read and heard about Linux is that you
> >> shouldn't run as root on a regular basis. The specific reasons escape me
> >> at the moment but I'm gonna go out on the limb and hypothesize that it's
> >> because if your system was compromised, and you are running as root, it
> >> would be much more detrimental than if you were running as a user.
> >>
> >
> > my day job is security (banking and such)
> >
> > The "don't run as root" dates back to the days of Unix machines running
> > multiple users, and since root can do anything, if a process running as
> > root has a flaw, the attacker then has full control over the machine.
> >
> > When a machine is only running for one purpose (in this case the allstar
> > software), and the machine doesn't have any special permissions on your
> > network, it really doesn't matter much if an attacker ends up as root on
> > the machine, or as the user that runs everything that matters on the machine
> >
> > https://xkcd.com/1200/
> >
> >> I am curious as to why the Allstar software page defaults to running as
> >> root upon installation. Like I said, I am only a student in all of this
> >> but I would like to hear the pros and cons of doing so.
> >>
> >
> > running as root is much simpler to setup, and even if it was running as
> > the user 'allstar' with permissions added for anything it needs to do, the
> > damage that someone could do on the pi once they get in is virtually
> > identical, so it's arguably not worth the effort to set it up to run as a
> > different user.
> >
> > David Lang
> > _______________________________________________
> >
> > arm-allstar mailing list
> > arm-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3 web page - http://hamvoip.org
> >