[arm-allstar] Firewall thoughts ---was:Trouble with Supermon

David McGough kb4fxc at inttek.net
Wed May 16 20:48:52 EST 2018


My opinion is that pre-shared keys for SSH are a great step in the right
direction. But, leaving it on port 22 might still lead to problems. First,
this is still a TCP port, and it can be impacted by protocol-level (level
3 or level 2) attacks. If nothing else, it might lead to a DoS condition.

Second, even with pre-shared keys, the ssh daemon leaks information. For 
example, on my system with ssh passwords disabled:

mcgough at david-vb:~$ telnet 192.168.232.111 222
Trying 192.168.232.111...
Connected to 192.168.232.111.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2


So, with this info, I can rapidly determine that the sshd is present and I 
can determine it only seems to allow PSK authentication. So, I change my 
attack strategy!


73, David KB4FXC
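To see exactly what an exposed SSH port reveals before any authentication, here is an added Python example (not code from David's message or from the hamvoip project) that reproduces the telnet banner grab above and splits the identification string into the fields RFC 4253 defines. The host and port come from the session above; `grab_banner`, `parse_banner` and `audit` are names chosen for this example.

```python
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line):
    """Split an SSH identification string into proto, software, comments.

    Returns None if the line is not an SSH banner (a server may send other
    lines first, or the port may not be SSH at all).
    """
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"proto": m.group("proto"),
            "software": m.group("software"),
            "comments": m.group("comments")}


def grab_banner(host, port, timeout=5.0):
    """Open a plain TCP connection and return the first line the server sends.

    Mirrors the telnet session above: no SSH handshake is performed, so this
    only shows what any unauthenticated client on the network can see.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").split("\n", 1)[0]


def audit(host, port):
    """One-line report of whether a port identifies itself as SSH."""
    info = parse_banner(grab_banner(host, port))
    if info is None:
        return "%s:%d does not look like SSH" % (host, port)
    return "%s:%d runs %s (SSH %s)" % (host, port, info["software"], info["proto"])


if __name__ == "__main__":
    # Address and port from the telnet session above; use a host you administer.
    print(audit("192.168.232.111", 222))
```

This reads only the pre-handshake banner; working out which authentication methods the server accepts, as David describes, requires completing the SSH key exchange and is not shown here.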





On Wed, 16 May 2018, "Jeff Karpinski via arm-allstar" wrote:

> Really should disable password SSH logins. Limit to pre-shared keys and it won’t matter what port you use. 22 is fine.


> On May 16, 2018, at 7:18 PM, David McGough via arm-allstar <arm-allstar at hamvoip.org> wrote:
> 
> 
> Hi Guys,
> 
> I haven't commented much about the firewall / open ports issue, so 
> far...I've been really busy this week.
> 
> Anyhow, I agree with Tony that "security by obscurity" is indeed a viable
> strategy to reduce the number of drive-by port scans and attacks. But, the
> ports you choose must truly be OBSCURE! For example, with a SSH server,
> ports 22, 222, 2022, 2222, 4022, etc., (most everything ending in "22")  
> will get rampantly scanned!!  But, put ssh on port 7589. Nada! Not a
> single scan!
> 
> There are a number of excellent tools for Linux which will help with 
> understanding what ports are open and the traffic on your network, too. 
> Some are: netstat, nmap and tcpdump/wireshark.
> 
> Running a "netstat -anp" (as root) on your local Linux box shows all the 
> current network bindings, including open ports, connections to ports, etc.
> 
> The nmap program is a "hackers wonderland" ...nmap is a robust tool which
> will allow you to actively probe networks looking for open ports, hidden
> devices, etc. Just do BE AWARE that if you probe someone's network on the
> Internet, you'll likely trip intrusion alarms!!! This type of Internet
> probing is also a violation of most ISP's acceptable use policies--so be
> careful with this tool!!!!
> 
> tcpdump and wireshark/tshark help round out your network analysis toolkit!
> These tools allow you to "sniff" all the traffic passing through a network
> interface by placing the interface in promiscuous mode---meaning it
> reports anything it can hear, whether destined for its IP address or not.
> I won't get into the details about these scanners in this message or I'll
> be writing a novel--these tools are VERY sophisticated! For example, you
> can use them to sniff plain-text passwords or even passively monitor and
> PLAY the actual audio traffic from Asterisk/AllStar!
> 
> 
> Finally, I want to mention that firewalls are not the end-all be-all of
> security and they can lull you into a FALSE sense of security! Here is an
> example of how this is frequently true: Let's say that your system has 3
> ports open: port tcp/222 (ssh), port tcp/80 (http) and port udp/4569
> (IAX2). You set up a firewall and block everything, but open pinholes for 
> the 3 ports listed above. Your firewall allows everyone to connect to 
> these ports, no restrictions....So, what have you accomplished with the 
> firewall????  NOTHING!  ....I'll end on this note as something to ponder.
> 
> 
> 73, David KB4FXC
> 
> 
> 
> 
> 
> 
> On Wed, 16 May 2018, "Tony Ross via arm-allstar" wrote:
> 
> While some people would criticize such alternate ports for wks 
> (well-known services) as "security by obscurity", it does work.
> 
> I had a repeater owner ask for my help, as one of his irlp nodes seemed 
> to not respond to ssh client requests; he couldn't log in remotely. It 
> was difficult, but I eventually found a prompt. I immediately looked at 
> /var/log/* and found some very large syslog files. Looking at their 
> contents showed an ssh attack on port 22, so I changed the port to 
> something in a different range, re-started the sshd and the problem stopped.
> 
> Using simple system tools such as grep, sort, awk, uniq and wc, it was 
> easy to find that > 3.7 million ssh attempts in 4 days from 4 east-Asian 
> IP addresses had essentially crippled the system.
> 
> It did speak well for his choice of passwords though.
> 
> On 05/15/2018 07:19 PM, "Charles Powell via arm-allstar" wrote:
>> I use a port in the 9000s because it is an unexpected service there.  Your mileage may vary.
>> 
>> 73,
>> 
>> Charles - NK8O
>> 
>>> On May 15, 2018, at 12:59 PM, Doug Crompton via arm-allstar <arm-allstar at hamvoip.org> wrote:
>>> 
>>> Typically port 8080 is used but you can use high number if that does not
>>> work. Here are three examples - 15700, 16300, 17400  but you are not
>>> limited to them.
>>> 
>>> 
>>> 73 Doug
>>> 
>>> WA3DSP
>>> 
>>> http://www.crompton.com/hamradio
>>> 
>>> 
>>> 
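As an added example (not code from any message in the thread), the counting Tony describes doing with grep, sort, awk, uniq and wc, done in Python over a constructed auth.log excerpt so it runs offline; the log lines and addresses are made up for the example and the function names are chosen here.

```python
import re
from collections import Counter

# Constructed sample in the style of Debian/Ubuntu /var/log/auth.log sshd lines.
# Addresses are from the RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
May 12 03:14:01 node1 sshd[2221]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 12 03:14:02 node1 sshd[2223]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
May 12 03:14:02 node1 sshd[2225]: Failed password for root from 198.51.100.23 port 51002 ssh2
May 12 03:14:03 node1 sshd[2227]: Failed password for invalid user pi from 203.0.113.7 port 40130 ssh2
May 12 03:14:05 node1 sshd[2229]: Accepted publickey for repeater from 192.0.2.10 port 60010 ssh2: RSA SHA256:constructed
May 12 03:14:06 node1 sshd[2231]: Failed password for root from 198.51.100.23 port 51004 ssh2
May 12 03:14:07 node1 CRON[2233]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches sshd failure lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(lines):
    """Yield (ip, user, method) for every failed sshd authentication line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("method")


def attempts_by_source(lines):
    """Failed attempts per source address, most active first.

    Shell equivalent:
      grep 'Failed password' auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
    """
    return Counter(ip for ip, _, _ in failed_logins(lines)).most_common()


def summarize(lines):
    """Total failed attempts and number of distinct source addresses (wc -l style)."""
    per_ip = attempts_by_source(lines)
    return {"total": sum(n for _, n in per_ip), "sources": len(per_ip)}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in attempts_by_source(lines):
        print("%8d  %s" % (n, ip))
    print(summarize(lines))
```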

_______________________________________________

arm-allstar mailing list
arm-allstar at hamvoip.org
http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar

Visit the BBB and RPi2/3 web page - http://hamvoip.org