[App_rpt-users] DIAL node hack
Jeremy Utley
jerutley at gmail.com
Fri Jun 16 03:22:15 UTC 2017
Port 4569 has to be open to the world for inbound link connections, but unless you're also running Echolink, that's the only port that needs to be open to the world. My own nodes now sit behind a NAT gateway that only forwards 4569 back. The NAT gateway also serves as an OpenVPN endpoint which I connect to from home to allow SSH administration of the node.
Most likely, I would suspect it's an older install without the "debian" or "pi" user secured, and they logged into the node that way.
I need to finish my HowTo on how to properly provide security to an AllStar node that's exposed to the internet. If at all possible, people should put their nodes behind something like a PFSense firewall box, or at least behind some kind of NAT router, with only the necessary port 4569 forwarded back to the machine.
Jeremy, NQ0M
-----Original Message-----
From: App_rpt-users [mailto:app_rpt-users-bounces at lists.allstarlink.org] On Behalf Of Benjamin Naber
Sent: Thursday, June 15, 2017 3:19 PM
To: app_rpt-users at lists.allstarlink.org
Subject: Re: [App_rpt-users] DIAL node hack
What was the exploit attack?
Was the node DMZ'ed, or had more than necessary ports open to it?
Was the standard port, 4569, opened on the WAN into the network?
On Wed, 2017-06-14 at 12:03 -0400, DuaneVT . wrote:
> Our node is offline currently due to an exploit attack. Our network
> administrator shows heavy traffic out on port 2222 among others. We
> don't use this port.
> So reload the new image.
> For future reloads, how best to reconstruct the local changes done to
> the original image to carry over the custom config files?
> 73,
> Duane KA1LM
>
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at lists.allstarlink.org
> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
_______________________________________________
App_rpt-users mailing list
App_rpt-users at lists.allstarlink.org
http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
To unsubscribe from this list please visit http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
More information about the App_rpt-users
mailing list