[arm-allstar] Firewall thoughts ---was:Trouble with Supermon
Doug Crompton
wa3dsp at gmail.com
Sat May 19 15:36:39 EST 2018
Yeah, and how many years would it take to hack at 10 digit random
upper/lower, numeric, special character password? Probably not in your
lifetime with the limits imposed by ssh. I wish people would worry about
more important things! No one is going to hack your password if it is a
good one.
Can we end the firewall/security talk. No one with a good password has been
hacked into. If you can't make up a password use a password generator to
see what a good one looks like.
https://passwordsgenerator.net/
*73 Doug*
*WA3DSP*
*http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
On Sat, May 19, 2018 at 3:48 PM, "Mark Grigsby via arm-allstar" <
arm-allstar at hamvoip.org> wrote:
> I am new to allstar hamvoip and the list. I would like to say thank you
> for all the hard work others do. In regard to the iptables / netfilter
> rule above, I think there might be a little confusion about the meaning of
> the rule.
>
> ""iptables -A INPUT -p tcp -m tcp --dport 222 -m state --state NEW -m
> recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j
> DROP""
>
> In this rule you have to make an attempt to connect to the ssh server 4
> times in 60 seconds, the 5th connection withing 60 seconds will be denied.
> Many ssh servers will allow several attempts at passwords and the hamvoip
> server allows up to 6 failures before it disconnects you. As long as you
> don't exceed 4 connections in 60 seconds (one attempt every 20 seconds)
> this rule will never activate, and if you pause for 60 seconds it will
> automatically clear the offending address from the firewall. this means
> that you could try 24 combinations in 60 seconds then pause for 60 seconds
> and try all over again.
>
> I use a slightly different version that I will explain below.
>
> iptables -A INPUT -p tcp --dport 22 ! -s 192.168.12.0/27 -m conntrack
> --ctstate NEW -m recent --set --name SSH
> iptables -A INPUT -p tcp --dport 22 ! -s 192.168.12.0/27 -m conntrack
> --ctstate NEW -m recent --update --seconds 600 --hitcount 4 --rttl --name
> SSH -j DROP
>
>
> The difference in this command is that any connections from my personal
> virtual host network (192.168.12.0/27) is ignored, and I can try as many
> times as I like with no fear of getting locked out. The second part is
> that you only have to try 4 times in 10 minutes before you get locked out.
> I have also set my ssh server to only allow 3 attempts per connection and
> additionally I force the use of ssh keys and never allow passwords to be
> entered interactively.
>
> In my "day-Job" I also record the IP address of repeated failed logins and
> generate a list of addresses that I import to the firewall to deny them
> before they get a chance.
>
> I hope this helps someone, and I would be happy to discuss this and help
> others that may not be comfortable at the command line.
>
>
>
>
>
> On Thu, May 17, 2018 at 3:12 PM, "Charles Powell via arm-allstar" <
> arm-allstar at hamvoip.org> wrote:
>
> > I have tacked my last rule as an addition to Doug’s (WA3DSP)’s iptables
> > entry for Supermon. One note - since I have dynamic DNS at all points
> for
> > my nodes, I do NOT run this in a cron tab. I use the name instead of IP
> in
> > Doug’s script. That way I only run the script at boot from /etc/rc.local
> > and does not get flushed out every 10 minutes or whatever the interval
> > was. So here is my addition to the end of the file:
> >
> >
> > iptables -A INPUT -p tcp -m tcp --dport 222 -m state --state NEW -m
> > recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j
> DROP
> >
> > # Use this statement at the Linux prompt to view results # iptables -L
> >
> > # EOF
> >
> >
> > So when the hitcount gets to 4 with an incorrect password, that IP is
> > dropped and my node becomes invisible. I couple that with redirecting my
> > incoming port in my router. Between the two, my log is clean and clear
> of
> > hacking attempts. If you are using a different port ON THE LOCAL MACHINE
> > (not at the router) make sure you change the -dport ‘???’ entry. Doug
> has
> > a fine HowTo on setting up iptables for Supermon. As I said, I do not
> > refresh it because there is no need with a dynamic DNS at each
> > router/access, provided you use the name and not an IP address. I use
> NoIP
> > for dynamic assignments and although I have to verify once a month, it
> has
> > never failed to update the IP within a few minutes. The NoIP system
> > reminds me with an e-mail a couple of days before the confirmation is
> due,
> > and it’s free that way.
> >
> > 73,
> >
> > Charles - NK8O
> >
> > > On May 17, 2018, at 7:14 AM, k6cks01 via arm-allstar <
> > arm-allstar at hamvoip.org> wrote:
> > >
> > > That is very interesting Charles, would you be interested in sharing an
> > example of your script?Rory, K5CKS
> > >
> > >
> > > Sent via the Samsung Galaxy S®6 active, an AT&T 4G LTE smartphone
> > > -------- Original message --------From: Charles Powell via arm-allstar
> <
> > arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>> Date: 5/16/18
> > 9:55 PM (GMT-06:00) To: ARM Allstar <arm-allstar at hamvoip.org <mailto:
> > arm-allstar at hamvoip.org>> Cc: Charles Powell <5h3dx.zinga at gmail.com
> > <mailto:5h3dx.zinga at gmail.com>> Subject: Re: [arm-allstar] Firewall
> > thoughts ---was:Trouble with Supermon
> > > Remember it is still possible to write an IP tables rule that blocks an
> > attacker after the 3rd (or whatever number you choose) attempt with an
> > incorrect password It is VERY effective. A log with a brute force
> attack
> > will have pages and pages of information from the same IP address.
> Between
> > diversion and a good IP tables script, I see absolutely no hack attempts.
> > I take that back. I had one - that was shutdown on password #4.
> > >
> > > 73,
> > >
> > > Charles - NK8O
> > >
> > >> On May 16, 2018, at 9:48 PM, David McGough via arm-allstar <
> > arm-allstar at hamvoip.org> wrote:
> > >>
> > >>
> > >> My opinion is that pre-shared keys for SSH are a great step in the
> right
> > >> direction. But, leaving it on port 22 might still lead to problems.
> > First,
> > >> this is still a TCP port, and it can be impacted by protocol-level
> > (level
> > >> 3 or level 2) attacts. If nothing else, it might lead to a DoS
> > condition.
> > >>
> > >> Second, even with pre-shared keys, the ssh daemon leaks information.
> > For
> > >> example, on my system with ssh passwords disabled:
> > >>
> > >> mcgough at david-vb:~$ telnet 192.168.232.111 222
> > >> Trying 192.168.232.111...
> > >> Connected to 192.168.232.111.
> > >> Escape character is '^]'.
> > >> SSH-2.0-OpenSSH_7.2
> > >>
> > >>
> > >> So, with this info, I can rapidly determine that the sshd is present
> > and I
> > >> can determine it only seems to allow PSK authentication. So, I change
> > my
> > >> attack strategy!
> > >>
> > >>
> > >> 73, David KB4FXC
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> On Wed, 16 May 2018, "Jeff Karpinski via arm-allstar" wrote:
> > >>
> > >>> Really should disable password SSH logins. Limit to pre-shared keys
> > and it won’t matter what bit what port you use. 22 is fine.
> > >>
> > >>
> > >>> On May 16, 2018, at 7:18 PM, David McGough via arm-allstar <
> > arm-allstar at hamvoip.org> wrote:
> > >>>
> > >>>
> > >>> Hi Guys,
> > >>>
> > >>> I haven't commented much about the firewall / open ports issue, so
> > >>> far...I've been really busy this week.
> > >>>
> > >>> Anyhow, I agree with Tony that "security by obscurity" is indeed a
> > viable
> > >>> strategy to reduce the number of drive-by port scans and attacks.
> But,
> > the
> > >>> ports you choose must truly be OBSCURE! For example, with a SSH
> server,
> > >>> ports 22, 222, 2022, 2222, 4022, etc., (most everything ending in
> > "22")
> > >>> will get rampantly scanned!! But, put ssh on port 7589. Nada! Not a
> > >>> single scan!
> > >>>
> > >>> There are a number of excellent tools for Linux which will help with
> > >>> understanding what ports are open and the traffic on your network,
> > too.
> > >>> Some are: netstat, nmap and tcpdump/wireshark.
> > >>>
> > >>> Running a "netstat -anp" (as root) on your local Linux box show all
> > the
> > >>> current network bindings, including open ports, connections to ports,
> > etc.
> > >>>
> > >>> The nmap program is a "hackers wonderland" ...nmap is a robust tool
> > which
> > >>> will allow you to actively probe networks looking for open ports,
> > hidden
> > >>> devices, etc. Just do BE AWARE that if you probe someone's network on
> > the
> > >>> Internet, you'll likely trip intrusion alarms!!! This type of
> Internet
> > >>> probing is also a violation of most ISP's acceptable use policies--so
> > be
> > >>> careful with this tool!!!!
> > >>>
> > >>> tcpdump and wireshark/tshark help round out your network analysis
> > toolkit!
> > >>> These tools allow you to "sniff" all the traffic passing through a
> > network
> > >>> interface by placing the interface in promiscuous mode---meaning it
> > >>> reports anything it can hear, whether destined for its IP address or
> > not.
> > >>> I won't get into the details about these scanners in this message or
> > I'll
> > >>> be writing a novel--these tools are VERY sophisticated! For example,
> > you
> > >>> can use them to sniff plain-text passwords or even passively monitor
> > and
> > >>> PLAY the actual audio traffic from Asterisk/AllStar!
> > >>>
> > >>>
> > >>> Finally, I want to mention that firewalls are not the end-all be-all
> of
> > >>> security and they can lull you into a FALSE sense of security! Here
> is
> > an
> > >>> example of how this is frequently true: Lets say that your system
> has 3
> > >>> ports open: port tcp/222 (ssh), port tcp/80 (http) and port udp/4569
> > >>> (IAX2). You setup a firewall and block everything, but open pinholes
> > for
> > >>> the 3 ports listed above. Your firewall allows everyone to connect to
> > >>> these ports, no restrictions....So, what have you accomplished with
> > the
> > >>> firewall???? NOTHING! ....I'll end on this note as something to
> > ponder.
> > >>>
> > >>>
> > >>> 73, David KB4FXC
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On Wed, 16 May 2018, "Tony Ross via arm-allstar" wrote:
> > >>>
> > >>>> While some people would criticize such alternate ports for wks
> > >>> (well-known services) as "security by obscurity", it does work.
> > >>>
> > >>> I had a repeater owner ask for my help, as one of his irlp nodes
> > seemed
> > >>> to not respond to ssh client requests; he couldn't log in remotely.
> It
> > >>> was difficult, but I eventually found a prompt. I immediately looked
> > at
> > >>> /var/log/* and found some very large syslog files. Looking at their
> > >>> contents showed an ssh attack on port 22, so I changed the port to
> > >>> something in a different range, re-started the sshd and the problem
> > stopped.
> > >>>
> > >>> Using simple system tools such as grep, sort, awk, uniq and wc, it
> was
> > >>> easy to find that > 3.7 million ssh attempts in 4 days from 4
> > east-Asian
> > >>> IP addresses had essentially crippled the system.
> > >>>
> > >>> It did speak well for his choice of passwords though.
> > >>>
> > >>> On 05/15/2018 07:19 PM, "Charles Powell via arm-allstar" wrote:
> > >>>> I use a port in the 9000s because it is an unexpected service there.
> > Your mileage may vary.
> > >>>>
> > >>>> 73,
> > >>>>
> > >>>> Charles - NK8O
> > >>>>
> > >>>>> On May 15, 2018, at 12:59 PM, Doug Crompton via arm-allstar <
> > arm-allstar at hamvoip.org> wrote:
> > >>>>>
> > >>>>> Typically port 8080 is used but you can use high number if that
> does
> > not
> > >>>>> work. Here are three examples - 15700, 16300, 17400 but you are
> not
> > >>>>> limited to them.
> > >>>>>
> > >>>>>
> > >>>>> *73 Doug*
> > >>>>>
> > >>>>> *WA3DSP*
> > >>>>>
> > >>>>> *http://www.crompton.com/hamradio <http://www.crompton.com/
> hamradio
> > >*
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>
> > >>> _______________________________________________
> > >>>
> > >>> arm-allstar mailing list
> > >>> arm-allstar at hamvoip.org
> > >>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > >>>
> > >>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
> > >>
> > >> _______________________________________________
> > >>
> > >> arm-allstar mailing list
> > >> arm-allstar at hamvoip.org
> > >> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > >>
> > >> Visit the BBB and RPi2/3 web page - http://hamvoip.org
> > >>
> > >> _______________________________________________
> > >>
> > >> arm-allstar mailing list
> > >> arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org> <mailto:
> > arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>>
> > >> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar> <
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar>>
> > >>
> > >> Visit the BBB and RPi2/3 web page - http://hamvoip.org <
> > http://hamvoip.org/> <http://hamvoip.org/ <http://hamvoip.org/>>
> > > _______________________________________________
> > >
> > > arm-allstar mailing list
> > > arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>
> > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar>
> > >
> > > Visit the BBB and RPi2/3 web page - http://hamvoip.org <
> > http://hamvoip.org/>
> > > _______________________________________________
> > >
> > > arm-allstar mailing list
> > > arm-allstar at hamvoip.org <mailto:arm-allstar at hamvoip.org>
> > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar <
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar>
> > >
> > > Visit the BBB and RPi2/3 web page - http://hamvoip.org <
> > http://hamvoip.org/>
> > _______________________________________________
> >
> > arm-allstar mailing list
> > arm-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3 web page - http://hamvoip.org
> >
>
>
>
> --
> DE KA7FHA
> --
> Some carbon based operating systems should be left with no accessible
> keyboard or mouse
> _______________________________________________
>
> arm-allstar mailing list
> arm-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3 web page - http://hamvoip.org
More information about the arm-allstar
mailing list