[Cerowrt-devel] blocking probes...

[Cerowrt-devel] blocking probes...

[Dave Taht]

one of the underused features of cerowrt is that I stuck a sensor on
xinetd to detect attempts to telnet or ftp to the router and cut off
access to some other services, notably ssh.

I would have loved to extend this facility to either do it entirely in
iptables or leverage xinetd to talk to iptables to (for example)
disable access to the web server.

I'm curious if anyone elses server logs ever show something like this
in the Real World:

Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
Adding 190.185.12.121 to the global_no_access list for 120 minutes

And I'm curious as to what more fully blown tools like this already exist.

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

Re: [Cerowrt-devel] blocking probes...

[Sebastian Moeller]

Hi Dave,


On Jan 12, 2013, at 20:50 , Dave Taht wrote:

> one of the underused features of cerowrt is that I stuck a sensor on
> xinetd to detect attempts to telnet or ftp to the router and cut off
> access to some other services, notably ssh.
> 
> I would have loved to extend this facility to either do it entirely in
> iptables or leverage xinetd to talk to iptables to (for example)
> disable access to the web server.
> 
> I'm curious if anyone elses server logs ever show something like this
> in the Real World:
> 
> Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
> Adding 190.185.12.121 to the global_no_access list for 120 minutes
> 
> And I'm curious as to what more fully blown tools like this already exist.

	This sounds remotely like a sort of reverse port knocking system, where you would connect to certain ports before allowing say ssh on some unusual port. You probably know this but on the off chance it might be news… 

best
	Sebastian

> 
> -- 
> Dave Täht
> 
> Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

Re: [Cerowrt-devel] blocking probes...

[Török Edwin]

On 01/13/2013 06:50 AM, Dave Taht wrote:
> one of the underused features of cerowrt is that I stuck a sensor on
> xinetd to detect attempts to telnet or ftp to the router and cut off
> access to some other services, notably ssh.

I don't see this on my cerowrt, is this only in the 3.7.x series?

> 
> I would have loved to extend this facility to either do it entirely in
> iptables or leverage xinetd to talk to iptables to (for example)
> disable access to the web server.
> 
> I'm curious if anyone elses server logs ever show something like this
> in the Real World:
> 
> Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
> Adding 190.185.12.121 to the global_no_access list for 120 minutes
> 
> And I'm curious as to what more fully blown tools like this already exist.
> 

I'm using fail2ban on my server (not the router), and see between 2-7 of these bans/day:
Jan 13 03:34:28 sshd[22392]: Did not receive identification string from 83.231.93.133
Jan 13 04:03:05 sshd[23167]: Invalid user delta from 83.231.93.133
Jan 13 04:03:05 sshd[23170]: Invalid user admin from 83.231.93.133
2013-01-13 04:03:06,376 fail2ban.actions: WARNING [ssh] Ban 83.231.93.133
2013-01-13 07:47:21,738 fail2ban.actions: WARNING [ssh] Unban 66.135.32.170



--Edwin

Re: [Cerowrt-devel] blocking probes...

[Török Edwin]

On 01/13/2013 11:15 AM, Török Edwin wrote:
> On 01/13/2013 06:50 AM, Dave Taht wrote:
>> one of the underused features of cerowrt is that I stuck a sensor on
>> xinetd to detect attempts to telnet or ftp to the router and cut off
>> access to some other services, notably ssh.
> 
> I don't see this on my cerowrt, is this only in the 3.7.x series?
> 
>>
>> I would have loved to extend this facility to either do it entirely in
>> iptables or leverage xinetd to talk to iptables to (for example)
>> disable access to the web server.
>>
>> I'm curious if anyone elses server logs ever show something like this
>> in the Real World:
>>
>> Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
>> Adding 190.185.12.121 to the global_no_access list for 120 minutes

With 3.7.4 I see these now on my home router, so its definetely working:
root@OpenWrt:~# logread|grep xinetd|grep Adding|wc -l
20

The IPs are from Russia, Peru, Colombia, Egypt, UK, Kuwait, Turkey, Azerbaijan.


Best regards,
--Edwin

Re: [Cerowrt-devel] blocking probes...

[Maciej Soltysiak]

[-- Attachment #1: Type: text/plain, Size: 1532 bytes --]

I've said it before and I'll say it again:
iptables -I zone_wan -j DROP
And if you really need access from wan INSERT a rule before that DROP.

Regards,
Maciej


On Mon, Jan 28, 2013 at 4:44 PM, Török Edwin <edwin+ml-cerowrt@etorok.net>wrote:

> On 01/13/2013 11:15 AM, Török Edwin wrote:
> > On 01/13/2013 06:50 AM, Dave Taht wrote:
> >> one of the underused features of cerowrt is that I stuck a sensor on
> >> xinetd to detect attempts to telnet or ftp to the router and cut off
> >> access to some other services, notably ssh.
> >
> > I don't see this on my cerowrt, is this only in the 3.7.x series?
> >
> >>
> >> I would have loved to extend this facility to either do it entirely in
> >> iptables or leverage xinetd to talk to iptables to (for example)
> >> disable access to the web server.
> >>
> >> I'm curious if anyone elses server logs ever show something like this
> >> in the Real World:
> >>
> >> Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
> >> Adding 190.185.12.121 to the global_no_access list for 120 minutes
>
> With 3.7.4 I see these now on my home router, so its definetely working:
> root@OpenWrt:~# logread|grep xinetd|grep Adding|wc -l
> 20
>
> The IPs are from Russia, Peru, Colombia, Egypt, UK, Kuwait, Turkey,
> Azerbaijan.
>
>
> Best regards,
> --Edwin
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

[-- Attachment #2: Type: text/html, Size: 2297 bytes --]

Re: [Cerowrt-devel] blocking probes...

[Michael Richardson]

>>>>> "Dave" == Dave Taht <dave.taht@gmail.com> writes:
    Dave> one of the underused features of cerowrt is that I stuck a sensor on
    Dave> xinetd to detect attempts to telnet or ftp to the router and cut off
    Dave> access to some other services, notably ssh.

    Dave> I would have loved to extend this facility to either do it
    Dave> entirely in 
    Dave> iptables or leverage xinetd to talk to iptables to (for example)
    Dave> disable access to the web server.

I didn't know that was there... what version does it start?
I get lots of probes... can I run this detector on port-22 (on the
outside) as well?

With the 3800s having dried up, I'm now really concerned... what if my
device blows up?  and I've got nothing to experiment with.

I was planning to buy more in the new year (now), but I didn't do it
fast enough.  Given that they have dried up now, I'm thinking that I
need to go back and replace my 3800 with something else that can run
cerowrt, or at least can run the QOS scripts.   
I am not happy running my firewall as a VM, but I certainly could do
that... 

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [