[App_rpt-users] Security was Re: What is the "debian" user in the DIAL distro?

Jeremy Utley jerutley at gmail.com
Thu Jun 8 12:26:43 UTC 2017


UFW is really just a front-end for iptables. You give instructions to UFW, and it writes the correct iptables lines to make it happen. Firewalld on CentOS 7 is the same way. Any network firewalling tool on Linux is going to be iptables under the hood.

 

Jeremy, NQ0M

 

From: App_rpt-users [mailto:app_rpt-users-bounces at lists.allstarlink.org] On Behalf Of Loren Tedford
Sent: Thursday, June 8, 2017 3:13 AM
To: Users of Asterisk app_rpt <app_rpt-users at lists.allstarlink.org>
Subject: Re: [App_rpt-users] Security was Re: What is the "debian" user in the DIAL distro?

 

Bryan, what about the use of UFW? I have been using ufw in place of iptables; I started that about 4 years ago. Is there a known risk from ufw rather than iptables? I thought they had similar characteristics.




Loren Tedford (KC9ZHV)

Phone: 618-553-0806

Fax: 1-618-551-2755

Email: lorentedford at gmail.com

Email: KC9ZHV at KC9ZHV.com

http://www.lorentedford.com

http://www.kc9zhv.com

http://forum.kc9zhv.com

http://hub.kc9zhv.com

http://Ltcraft.net

http://voipham.com

 

On Wed, Jun 7, 2017 at 8:55 PM, Bryan D. Boyle <bdboyle at bdboyle.com> wrote:

Based on tests that the security research arm of my company has run (a well-known IT company that's been around for over a century...), the elapsed time between a system exposed to the network being discovered, probed, and, if well-known vulnerable ports are detailed (and the scum or nation states who do this keep records), then attempted to be pwned, is somewhere between a minute and half an hour.

 

Just for giggles, I spun up a Pi with a SIP server enabled, connected to a second port on my router, and started a tail -f on the messages file and grepped for the SIP daemon. Routed the SIP port on my external router to the Pi, and sat back. (There was no route from the Pi to my internal network.)

 

3 minutes till the first probe. 15 till the attempted pwning. SIP was the only inbound port opened. I just watched... and it went on for an hour (no, they didn't take over the system, only ate up bandwidth, which I am pretty OK with, being on FTTH). It's all automated. They don't even need human intervention for the probe, just to select the attack vectors when the automated system pops a live port selection.

 

Default SSH is NO guarantee. Allowing root access from an interactive login on the net port deserves to be punished. Bogus user passwords that are guessable should be cause for your ISP to turn off your connection. Moving to a different port is just attempted security through obscurity. Open ports from the outside inbound that allow anyone on the network to connect will be probed, and attempts (DoS, null sled, buffer overruns, etc.) to subvert your system into a C&C node, bitcoin miner, email spam relay, porn repository, or whathaveyou are the goal.

 

After doing this since 1988 or so, it's only the frequency that it happens that's changing, not that it's happening.

fail2ban is a good stopgap measure for ports that you positively HAVE to have exposed. Router firewall enabled and locked down? Good. iptables set up properly? Passwords NOT based on dictionary words or used for your other online activities? Yeah, it's a pain. The alternative is your system being taken over and used for other purposes while you sleep.

 

Lots more you can do.  the basic mantra you should have is: "That which is not expressly permitted is prohibited".  
--

Bryan CISSP/CEH/CISM

Sent from my iPhone 6S...No electrons were harmed in the sending of this message.
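As an added example (not code from any poster on this thread), here is the fail2ban-style logic behind the advice above, run over constructed Asterisk chan_sip "Registration ... failed" NOTICE lines like the ones a tail -f on the SIP daemon would show: a source gets banned once it racks up maxretry failures inside a findtime window, and the ban is rendered as the iptables DROP lines that fail2ban (or ufw) would insert. The log format, the 5-in-10-minutes threshold and the addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the chan_sip "Registration ... failed" NOTICE format
# (hypothetical, not captured from the poster's Pi); RFC 5737 test addresses.
L = "[Jun  7 {t}] NOTICE[2112] chan_sip.c: Registration from '\"{u}\"<sip:{u}@192.0.2.10>' failed for '{ip}:5060' - Wrong password"
SAMPLE_LOG = "\n".join(
    [L.format(t=t, u="100", ip="203.0.113.5") for t in ("21:03:12", "21:03:14", "21:03:15", "21:03:17", "21:03:20")]
    + [L.format(t=t, u="admin", ip="198.51.100.7") for t in ("21:05:01", "21:05:03")]
    + [L.format(t=t, u="1000", ip="192.0.2.200") for t in ("20:00:00", "20:20:00", "20:40:00")]
    + ["[Jun  7 21:06:00] NOTICE[2112] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)"])

FAILED_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from .* failed for '(?P<ip>[\d.]+):\d+' - (?P<why>.*)$")

def parse_failures(log_text, year=2017):
    """Return (timestamp, source_ip) for every failed-registration line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # other NOTICE lines (peer reachable, etc.) are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def find_offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban a source once it has maxretry failures
    within any findtime window; slow, spread-out failures stay under it."""
    recent, offenders = defaultdict(list), set()
    for ts, ip in sorted(events):
        w = recent[ip]
        w.append(ts)
        while ts - w[0] > findtime:  # expire failures older than the window
            w.pop(0)
        if len(w) >= maxretry:
            offenders.add(ip)
    return offenders

def drop_rules(offenders, chain="INPUT"):
    """The iptables lines a ban action would insert (ufw generates the same)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(parse_failures(SAMPLE_LOG)))))
```

Note that 192.0.2.200 never trips the default threshold because its failures are 20 minutes apart; a longer findtime catches it, which is the tuning trade-off fail2ban's findtime/maxretry pair represents.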

 

 



 
