[App_rpt-users] Security Issues

Jon Byrne email at jonbyrne.com
Thu Sep 25 14:06:17 UTC 2014


Hi Loren,

I guess you are running your Allstar node on a virtual server. I do the
same and have found bouts of activity from Chinese IP addresses and other
countries, mostly SIP attempts, but also SSH.

If you do not use SIP then unload it and set your iptables to block that
port.

As for the SSH, this will probably not be a targeted attack, more that
they are targeting the block of IP addresses yours is in. If you have
specific IP addresses you connect to then you can lock connections to those
IPs, plus install fail2ban as mentioned and ensure there is a secure
password, and you should be OK. You could also enable port knocking:
http://en.wikipedia.org/wiki/Port_knocking

As for the 3101702 connection, is that not an Echolink node?

http://ns2.s13avahost.net/repeaters/echolink/node_status.php?node=CX4BBH#sthash.n00kxN55.32DNtjrl.dpbs

Hope that helps.

Jon
2E0RFU



------------
Jon Byrne
email at jonbyrne.com
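The firewall policy Jon describes above, and that Doug spells out in the quoted reply further down (only 4569/udp and 222/tcp exposed, SIP kept out, chan_sip not loaded), written out as an added example. This is my script, not code from the thread or from the AllStar project. It assumes a Linux node with iptables, SSH already moved to 222/tcp, an admin address list of 203.0.113.10 and 198.51.100.0/24 (placeholders from the RFC 5737 documentation ranges, set ADMIN_IPS to your own), and IAX2 on 4569/udp. It only prints the rules unless run with `apply`, so the policy can be read before it is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables policy the replies
# describe. Only IAX2 (4569/udp) and SSH on a non-standard port from named
# admin addresses are let in; SIP on 5060 is dropped and logged so probes
# stay visible. Run with "apply" to execute the rules; otherwise just print.

# Assumptions (placeholders, RFC 5737 documentation ranges): the addresses
# Jon suggests locking SSH to. Override in the environment.
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.0/24}"
SSH_PORT="${SSH_PORT:-222}"          # the 222/tcp Doug mentions
IAX_PORT="${IAX_PORT:-4569}"         # IAX2, the AllStar link port
ACCEPT_INBOUND_IAX="${ACCEPT_INBOUND_IAX:-yes}"   # "no" = outbound-only node

# Prints the iptables commands, one per line, in load order.
allstar_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to our own outbound traffic (IAX2 registrations, DNS, updates)
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SIP is not used on this node: drop it explicitly and log a sample,
    # rather than relying on a missing sip.conf (the packets still arrive)
    echo "iptables -A INPUT -p udp --dport 5060 -m limit --limit 5/min -j LOG --log-prefix 'SIP-DROP: '"
    echo "iptables -A INPUT -p udp --dport 5060 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 5060 -j DROP"
    # SSH only from the admin addresses, on the non-standard port
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Inbound IAX2 only if the node should accept incoming connections
    if [ "$ACCEPT_INBOUND_IAX" = "yes" ]; then
        echo "iptables -A INPUT -p udp --dport $IAX_PORT -j ACCEPT"
    fi
    # Policies last: the conntrack rule is already in place when INPUT
    # flips to DROP, so the SSH session running this script survives.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# Asterisk modules.conf fragment: stop chan_sip loading at all (Doug's
# noload line; Asterisk's config parser accepts "=" and "=>" alike).
modules_conf_snippet() {
    printf '%s\n' '[modules]' 'autoload=yes' 'noload => chan_sip.so'
}

case "${1:-show}" in
    apply) allstar_rules | sh ;;
    *)     allstar_rules; echo; modules_conf_snippet ;;
esac
```

Two details are deliberate: the explicit 5060 rules sit above the policy so SIP probes land in the kernel log instead of vanishing silently, and ACCEPT_INBOUND_IAX=no drops the 4569 rule entirely, which is Doug's outbound-only case where nobody can connect to you but you can still connect out.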

On 25 September 2014 08:43, Ken Boyle <ken at kc2idb.net> wrote:

> You could also install fail2ban. By default it allows three failed
> password attempts. Then it temporarily bans the IP address.
>
> On Sep 24, 2014 10:43 PM, Doug Crompton <doug at crompton.com> wrote:
> >
> > I assume you have the Linux box behind a router? If so, why would you
> have SIP even routed to your Linux box if you are not using it? Routers
> make good firewalls. The only things you should have routed are 4569 (udp)
> and 222 (tcp); neither has to be routed. 4569 would only need to be
> routed if you wanted to accept incoming connections. Outgoing would work
> fine without it. 222 would only be needed for administration.
> >
> > From what you are saying you obviously must not have a front-end (router,
> firewall etc.) on your system. It sounds like you are just hanging on the
> raw Internet!! Some people go the easy route and put things in the DMZ of
> their routers, which does open them up to the world. I went into an Allstar
> system this week to help with setup and I immediately knew it was on the
> DMZ. In the Asterisk client I was getting SIP messages left and right. I
> unloaded the SIP module and they went away. Not the right way to do it
> though, as it should not be on the DMZ to begin with. Simply not having a
> sip.conf file does not prevent SIP traffic!!!
> >
> > Assuming you have a router there should be no need to disable SIP as it
> is never going to get to your box unless you port forward it there. It
> would be a good idea though to not load the code for it if you are not
> using it. A noload=chan_sip.so in modules.conf would take care of that.
> >
> > Most good routers also allow you to specify specific IP addresses or
> blocks to disallow. If there is a specific foreign block, say in China,
> that you can identify, you could probably block it.
> >
> > So the bottom line is you could make your Linux system totally
> unavailable to the outside world by just not forwarding any ports. The
> downside is no one could connect to you (sometimes desirable) and you could
> not remotely administer your system.
> >
> >
> > 73 Doug
> > WA3DSP
> > http://www.crompton.com/hamradio
> >
> >
> > ________________________________
> > Date: Wed, 24 Sep 2014 20:52:22 -0500
> > From: lorentedford at gmail.com
> > To: app_rpt-users at ohnosec.org
> > Subject: [App_rpt-users] Security Issues
> >
> > Hey, it's Loren here again...
> >
> > Was curious what everyone found was the most substantial security risk
> with an Acid installation connected to two repeaters. The sip.conf was
> deleted from the asterisk folder. Noticed a strange node connection that
> didn't match Allstar's normal node numbers, 3101702, and also found something
> with x.allstarlink.org in it; anybody know what this is? Anyway, my Linode
> server has been under constant attack from China; they keep wanting to SSH
> into the server, and we had to drastically beef up things on the server such as
> changing the whole root user issue and moving to another port number etc.
> Any thoughts or ideas? Did I just become a victim of a SIP attack too, besides 19
> DDoS attacks this week already and over a million failed SSH attempts into
> my personal Linode server...
> >
> >
> > Loren Tedford (KC9ZHV)
> > Email: lorentedford at gmail.com
> >
> > http://www.lorentedford.com
> > http://www.Ltcraft.net
> > http://www.richlandcountycomputers.com
> > http://kc9zhv.lorentedford.com
> >
> >
> > _______________________________________________
> > App_rpt-users mailing list
> > App_rpt-users at ohnosec.org
> > http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> >
> > To unsubscribe from this list please visit
> > http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down
> > to the bottom of the page. Enter your email address and press the
> > "Unsubscribe or edit options button"
> > You do not need a password to unsubscribe, you can do it via email
> > confirmation. If you have trouble unsubscribing, please send a message to
> > the list detailing the problem.
>
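What Ken's fail2ban default amounts to, as an added example (my code, not fail2ban's and not from the thread): an awk filter that counts sshd password failures per source address inside a sliding window and flags the address at the third failure, followed by the DROP rule the ban produces, which is also what Jon's "install fail2ban" and Loren's "over a million failed ssh attempts" come down to in practice. The log lines are constructed, with addresses from the RFC 5737 documentation ranges; the 3-failure, 600-second settings are assumptions standing in for fail2ban's maxretry and findtime, with 3 taken from Ken's description.

```shell
#!/bin/sh
# Added example (not from the thread, not fail2ban's code): the core of what
# Ken describes fail2ban doing, as a shell/awk filter. Count sshd password
# failures per source address inside a sliding window, emit the address once
# it reaches the retry limit, then turn each hit into the DROP rule the ban
# amounts to.

MAXRETRY="${MAXRETRY:-3}"      # failures before a ban (Ken's "three failed attempts")
FINDTIME="${FINDTIME:-600}"    # window in seconds the failures must fall within

# Constructed sshd auth.log sample (addresses from RFC 5737 documentation
# ranges): a burst of four failures from one host, one failure and then a
# successful key login from another.
SAMPLE_LOG='Sep 25 03:12:01 node sshd[2311]: Failed password for root from 203.0.113.45 port 51234 ssh2
Sep 25 03:12:03 node sshd[2312]: Failed password for root from 203.0.113.45 port 51236 ssh2
Sep 25 03:12:05 node sshd[2313]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Sep 25 03:12:07 node sshd[2314]: Failed password for root from 203.0.113.45 port 51241 ssh2
Sep 25 03:15:40 node sshd[2398]: Failed password for kc9zhv from 198.51.100.7 port 40211 ssh2
Sep 25 03:15:52 node sshd[2399]: Accepted publickey for kc9zhv from 198.51.100.7 port 40212 ssh2'

# Constructed sample of a slow guesser: three failures 20 minutes apart,
# which never puts MAXRETRY failures inside one 600-second window.
SLOW_LOG='Sep 25 05:00:00 node sshd[3001]: Failed password for root from 192.0.2.9 port 40001 ssh2
Sep 25 05:20:00 node sshd[3002]: Failed password for root from 192.0.2.9 port 40002 ssh2
Sep 25 05:40:00 node sshd[3003]: Failed password for root from 192.0.2.9 port 40003 ssh2'

# Reads log lines on stdin, prints each address to ban once, in detection
# order. Simplification: the timestamp is reduced to day and time, so all
# lines are assumed to fall in one month (a real filter parses the full date).
ban_candidates() {
    awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, hms, ":")
        t = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || banned[ip]) next
        n[ip]++
        ts[ip, n[ip]] = t
        # failures from this address that are still inside the window
        recent = 0
        for (j = 1; j <= n[ip]; j++) if (t - ts[ip, j] <= findtime) recent++
        if (recent >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# The ban action: one DROP rule per flagged address (fail2ban puts these in
# its own chain; inserting at the top of INPUT has the same effect).
ban_rules() {
    ban_candidates | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

printf '%s\n' "$SAMPLE_LOG" | ban_rules
```

Run stand-alone it prints a single DROP rule for 203.0.113.45; the one failure from 198.51.100.7 before a successful key login never reaches the limit. The slow sample shows the window doing its job: with FINDTIME left at 600 the address is never flagged, with FINDTIME raised to 3600 it is flagged on the third attempt, which is the trade-off behind fail2ban's findtime setting.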
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20140925/e4e82955/attachment.html>

