[arm-allstar] Firewall thoughts ---was:Trouble with Supermon

David McGough kb4fxc at inttek.net
Wed May 16 20:18:20 EST 2018


Hi Guys,

I haven't commented much about the firewall / open ports issue, so 
far...I've been really busy this week.

Anyhow, I agree with Tony that "security by obscurity" is indeed a viable
strategy to reduce the number of drive-by port scans and attacks. But, the
ports you choose must truly be OBSCURE! For example, with a SSH server,
ports 22, 222, 2022, 2222, 4022, etc., (most everything ending in "22")  
will get rampantly scanned!!  But, put ssh on port 7589. Nada! Not a
single scan!

There are a number of excellent tools for Linux which will help with 
understanding what ports are open and the traffic on your network, too. 
Some are: netstat, nmap and tcpdump/wireshark.

Running a "netstat -anp" (as root) on your local Linux box shows all the 
current network bindings, including open ports, connections to ports, etc.

The nmap program is a "hacker's wonderland" ...nmap is a robust tool which
will allow you to actively probe networks looking for open ports, hidden
devices, etc. Just BE AWARE that if you probe someone's network on the
Internet, you'll likely trip intrusion alarms!!! This type of Internet
probing is also a violation of most ISPs' acceptable use policies--so be
careful with this tool!!!!

tcpdump and wireshark/tshark help round out your network analysis toolkit!
These tools allow you to "sniff" all the traffic passing through a network
interface by placing the interface in promiscuous mode---meaning it
reports anything it can hear, whether destined for its IP address or not.
I won't get into the details about these scanners in this message or I'll
be writing a novel--these tools are VERY sophisticated! For example, you
can use them to sniff plain-text passwords or even passively monitor and
PLAY the actual audio traffic from Asterisk/AllStar!


Finally, I want to mention that firewalls are not the end-all be-all of
security and they can lull you into a FALSE sense of security! Here is an
example of how this is frequently true: Let's say that your system has 3
ports open: port tcp/222 (ssh), port tcp/80 (http) and port udp/4569
(IAX2). You set up a firewall and block everything, but open pinholes for 
the 3 ports listed above. Your firewall allows everyone to connect to 
these ports, no restrictions....So, what have you accomplished with the 
firewall????  NOTHING!  ....I'll end on this note as something to ponder.


73, David KB4FXC






On Wed, 16 May 2018, "Tony Ross via arm-allstar" wrote:

> While some people would criticize such alternate ports for wks 
> (well-known services) as "security by obscurity", it does work.

I had a repeater owner ask for my help, as one of his IRLP nodes seemed 
to not respond to ssh client requests; he couldn't log in remotely. It 
was difficult, but I eventually found a prompt. I immediately looked at 
/var/log/* and found some very large syslog files. Looking at their 
contents showed an ssh attack on port 22, so I changed the port to 
something in a different range, restarted the sshd and the problem stopped.

Using simple system tools such as grep, sort, awk, uniq and wc, it was 
easy to find that more than 3.7 million ssh attempts in 4 days from 4 
east-Asian IP addresses had essentially crippled the system.

It did speak well for his choice of passwords though.

On 05/15/2018 07:19 PM, "Charles Powell via arm-allstar" wrote:
> I use a port in the 9000s because it is an unexpected service there.  Your mileage may vary.
>
> 73,
>
> Charles - NK8O
>
>> On May 15, 2018, at 12:59 PM, Doug Crompton via arm-allstar <arm-allstar at hamvoip.org> wrote:
>>
>> Typically port 8080 is used but you can use high number if that does not
>> work. Here are three examples - 15700, 16300, 17400  but you are not
>> limited to them.
>>
>>
>> *73 Doug*
>>
>> *WA3DSP*
>>
>> *http://www.crompton.com/hamradio*
>>
>>
>>
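As an added example (not code from this thread, nor from the AllStar/HamVoIP project), here is the kind of log triage Tony describes, done with the same standard tools, followed by the step David's closing point invites: turning the noisiest sources into source-specific firewall rules instead of leaving a pinhole open to everyone. The sshd log lines are constructed in OpenSSH's syslog format using RFC 5737 documentation addresses, the threshold is arbitrary, and the iptables rules are only printed, never applied.

```sh
#!/bin/sh
# Added example: triage of sshd brute-force noise with awk/sort/uniq,
# then emitting source-specific firewall rules for the worst offenders.
# The log lines below are CONSTRUCTED in OpenSSH's syslog format; the
# addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG='May 14 03:12:01 node1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 14 03:12:03 node1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 14 03:12:05 node1 sshd[2215]: Failed password for root from 198.51.100.22 port 40012 ssh2
May 14 03:12:07 node1 sshd[2216]: Failed password for invalid user pi from 203.0.113.7 port 51251 ssh2
May 14 03:12:09 node1 sshd[2218]: Accepted publickey for node from 192.0.2.10 port 50112 ssh2
May 14 03:12:11 node1 sshd[2220]: Failed password for root from 198.51.100.22 port 40020 ssh2
May 14 03:12:12 node1 sshd[2221]: Connection closed by authenticating user root 198.51.100.22 port 40020 [preauth]'

# Total number of failed password attempts on stdin (the "3.7 million" figure).
# Only "Failed password" lines count; "Connection closed" noise is ignored.
count_failures() {
    awk '/Failed password for/ { n++ } END { print n + 0 }'
}

# Failed attempts per source address, busiest first, as "<count> <ip>".
# The address is the token after "from", which also works for the
# "invalid user" variant where the username has an extra word in front.
failures_by_ip() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Emit (do not run) one iptables DROP rule per source with at least $1
# failures, scoped to the sshd port $2 (default 22). The threshold and
# the rule shape are a hypothetical policy chosen for this illustration.
block_rules() {
    threshold="$1"
    port="${2:-22}"
    failures_by_ip | awk -v t="$threshold" -v p="$port" \
        '$1 >= t { printf "iptables -I INPUT -p tcp --dport %s -s %s -j DROP\n", p, $2 }'
}

# Stand-alone run over the constructed sample.
printf 'failed attempts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_failures)"
printf '%s\n' "$SAMPLE_LOG" | failures_by_ip
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

To use this on a real node, replace the embedded sample with the contents of /var/log/auth.log (or the equivalent journalctl output) piped into the same functions. The per-source counts are the first thing to look at when sshd "stops responding": a handful of addresses generating millions of attempts, as in Tony's case, stands out immediately. Note that a DROP rule per offender is still reactive; the pinhole scenario David describes is really answered by the inverse rule, an ACCEPT only from the networks you manage the node from, followed by a DROP for everyone else.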
