[arm-allstar] Firewall thoughts ---was:Trouble with Supermon
Charles Powell
5h3dx.zinga at gmail.com
Thu May 17 17:12:54 EST 2018
I have tacked my last rule as an addition to Doug’s (WA3DSP)’s iptables entry for Supermon. One note - since I have dynamic DNS at all points for my nodes, I do NOT run this in a cron tab. I use the name instead of IP in Doug’s script. That way I only run the script at boot from /etc/rc.local and does not get flushed out every 10 minutes or whatever the interval was. So here is my addition to the end of the file:
iptables -A INPUT -p tcp -m tcp --dport 222 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
# Use this statement at the Linux prompt to view results # iptables -L
# EOF
So when the hitcount gets to 4 with an incorrect password, that IP is dropped and my node becomes invisible. I couple that with redirecting my incoming port in my router. Between the two, my log is clean and clear of hacking attempts. If you are using a different port ON THE LOCAL MACHINE (not at the router) make sure you change the -dport ‘???’ entry. Doug has a fine HowTo on setting up iptables for Supermon. As I said, I do not refresh it because there is no need with a dynamic DNS at each router/access, provided you use the name and not an IP address. I use NoIP for dynamic assignments and although I have to verify once a month, it has never failed to update the IP within a few minutes. The NoIP system reminds me with an e-mail a couple of days before the confirmation is due, and it’s free that way.
73,
Charles - NK8O
> On May 17, 2018, at 7:14 AM, k6cks01 via arm-allstar <arm-allstar at hamvoip.org> wrote:
>
> That is very interesting Charles, would you be interested in sharing an example of your script?Rory, K5CKS
>
>
> Sent via the Samsung Galaxy S®6 active, an AT&T 4G LTE smartphone
> -------- Original message --------From: Charles Powell via arm-allstar <arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>> Date: 5/16/18 9:55 PM (GMT-06:00) To: ARM Allstar <arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>> Cc: Charles Powell <5h3dx.zinga at gmail.com <mailto:5h3dx.zinga at gmail.com>> Subject: Re: [arm-allstar] Firewall thoughts ---was:Trouble with Supermon
> Remember it is still possible to write an IP tables rule that blocks an attacker after the 3rd (or whatever number you choose) attempt with an incorrect password It is VERY effective. A log with a brute force attack will have pages and pages of information from the same IP address. Between diversion and a good IP tables script, I see absolutely no hack attempts. I take that back. I had one - that was shutdown on password #4.
>
> 73,
>
> Charles - NK8O
>
>> On May 16, 2018, at 9:48 PM, David McGough via arm-allstar <arm-allstar at hamvoip.org> wrote:
>>
>>
>> My opinion is that pre-shared keys for SSH are a great step in the right
>> direction. But, leaving it on port 22 might still lead to problems. First,
>> this is still a TCP port, and it can be impacted by protocol-level (level
>> 3 or level 2) attacts. If nothing else, it might lead to a DoS condition.
>>
>> Second, even with pre-shared keys, the ssh daemon leaks information. For
>> example, on my system with ssh passwords disabled:
>>
>> mcgough at david-vb:~$ telnet 192.168.232.111 222
>> Trying 192.168.232.111...
>> Connected to 192.168.232.111.
>> Escape character is '^]'.
>> SSH-2.0-OpenSSH_7.2
>>
>>
>> So, with this info, I can rapidly determine that the sshd is present and I
>> can determine it only seems to allow PSK authentication. So, I change my
>> attack strategy!
>>
>>
>> 73, David KB4FXC
>>
>>
>>
>>
>>
>> On Wed, 16 May 2018, "Jeff Karpinski via arm-allstar" wrote:
>>
>>> Really should disable password SSH logins. Limit to pre-shared keys and it won’t matter what bit what port you use. 22 is fine.
>>
>>
>>> On May 16, 2018, at 7:18 PM, David McGough via arm-allstar <arm-allstar at hamvoip.org> wrote:
>>>
>>>
>>> Hi Guys,
>>>
>>> I haven't commented much about the firewall / open ports issue, so
>>> far...I've been really busy this week.
>>>
>>> Anyhow, I agree with Tony that "security by obscurity" is indeed a viable
>>> strategy to reduce the number of drive-by port scans and attacks. But, the
>>> ports you choose must truly be OBSCURE! For example, with a SSH server,
>>> ports 22, 222, 2022, 2222, 4022, etc., (most everything ending in "22")
>>> will get rampantly scanned!! But, put ssh on port 7589. Nada! Not a
>>> single scan!
>>>
>>> There are a number of excellent tools for Linux which will help with
>>> understanding what ports are open and the traffic on your network, too.
>>> Some are: netstat, nmap and tcpdump/wireshark.
>>>
>>> Running a "netstat -anp" (as root) on your local Linux box show all the
>>> current network bindings, including open ports, connections to ports, etc.
>>>
>>> The nmap program is a "hackers wonderland" ...nmap is a robust tool which
>>> will allow you to actively probe networks looking for open ports, hidden
>>> devices, etc. Just do BE AWARE that if you probe someone's network on the
>>> Internet, you'll likely trip intrusion alarms!!! This type of Internet
>>> probing is also a violation of most ISP's acceptable use policies--so be
>>> careful with this tool!!!!
>>>
>>> tcpdump and wireshark/tshark help round out your network analysis toolkit!
>>> These tools allow you to "sniff" all the traffic passing through a network
>>> interface by placing the interface in promiscuous mode---meaning it
>>> reports anything it can hear, whether destined for its IP address or not.
>>> I won't get into the details about these scanners in this message or I'll
>>> be writing a novel--these tools are VERY sophisticated! For example, you
>>> can use them to sniff plain-text passwords or even passively monitor and
>>> PLAY the actual audio traffic from Asterisk/AllStar!
>>>
>>>
>>> Finally, I want to mention that firewalls are not the end-all be-all of
>>> security and they can lull you into a FALSE sense of security! Here is an
>>> example of how this is frequently true: Lets say that your system has 3
>>> ports open: port tcp/222 (ssh), port tcp/80 (http) and port udp/4569
>>> (IAX2). You setup a firewall and block everything, but open pinholes for
>>> the 3 ports listed above. Your firewall allows everyone to connect to
>>> these ports, no restrictions....So, what have you accomplished with the
>>> firewall???? NOTHING! ....I'll end on this note as something to ponder.
>>>
>>>
>>> 73, David KB4FXC
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, 16 May 2018, "Tony Ross via arm-allstar" wrote:
>>>
>>>> While some people would criticize such alternate ports for wks
>>> (well-known services) as "security by obscurity", it does work.
>>>
>>> I had a repeater owner ask for my help, as one of his irlp nodes seemed
>>> to not respond to ssh client requests; he couldn't log in remotely. It
>>> was difficult, but I eventually found a prompt. I immediately looked at
>>> /var/log/* and found some very large syslog files. Looking at their
>>> contents showed an ssh attack on port 22, so I changed the port to
>>> something in a different range, re-started the sshd and the problem stopped.
>>>
>>> Using simple system tools such as grep, sort, awk, uniq and wc, it was
>>> easy to find that > 3.7 million ssh attempts in 4 days from 4 east-Asian
>>> IP addresses had essentially crippled the system.
>>>
>>> It did speak well for his choice of passwords though.
>>>
>>> On 05/15/2018 07:19 PM, "Charles Powell via arm-allstar" wrote:
>>>> I use a port in the 9000s because it is an unexpected service there. Your mileage may vary.
>>>>
>>>> 73,
>>>>
>>>> Charles - NK8O
>>>>
>>>>> On May 15, 2018, at 12:59 PM, Doug Crompton via arm-allstar <arm-allstar at hamvoip.org> wrote:
>>>>>
>>>>> Typically port 8080 is used but you can use high number if that does not
>>>>> work. Here are three examples - 15700, 16300, 17400 but you are not
>>>>> limited to them.
>>>>>
>>>>>
>>>>> *73 Doug*
>>>>>
>>>>> *WA3DSP*
>>>>>
>>>>> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>>>>>
>>>>>
>>>>>
>>>
>>> _______________________________________________
>>>
>>> arm-allstar mailing list
>>> arm-allstar at hamvoip.org
>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>
>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>
>> _______________________________________________
>>
>> arm-allstar mailing list
>> arm-allstar at hamvoip.org
>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>
>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>
>> _______________________________________________
>>
>> arm-allstar mailing list
>> arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org> <mailto:arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>>
>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar> <http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar>>
>>
>> Visit the BBB and RPi2/3 web page - http://hamvoip.org <http://hamvoip.org/> <http://hamvoip.org/ <http://hamvoip.org/>>
> _______________________________________________
>
> arm-allstar mailing list
> arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar>
>
> Visit the BBB and RPi2/3 web page - http://hamvoip.org <http://hamvoip.org/>
> _______________________________________________
>
> arm-allstar mailing list
> arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar>
>
> Visit the BBB and RPi2/3 web page - http://hamvoip.org <http://hamvoip.org/>
More information about the arm-allstar
mailing list