<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I guess I'm worried about some of the 'security' comments being
shared here... First of all, if there is a service that is not used,
it should be disabled. Firewall or no firewall... It's somewhat like
locking the doors of your car, but leaving the convertible top
down... Second, while fail2ban would stop the potential 'hacker'
from potentially reaching the service or application itself, the
incoming packet/frame still has to be processed to find out if it
should be banned, dropped or allowed... So a DoS or DDoS attack is
not squelched... <br>
<br>
A couple of things to recommend are that you use some sort of
two-factor authentication on your SSH users. Google auth is free and
works well... Find yourself a password generator and make strong
passwords (like 32 characters)... Disable any service that is not
critical for the operation of the intended use... I recommend all of
these, and best of all, ALL of this can be done for FREE!
Installation and setup can readily be found online... <br>
<br>
<br>
-Joe<br>
KA3NAM<br>
<br>
<br>
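A check for the SSH points made above (no root login, restrict which users may log in, and have the PAM challenge-response path enabled so a Google Authenticator second factor can actually prompt), written as an added example for this archive; it is not code from any poster in the thread. Both sshd_config samples are constructed, and the pam_google_authenticator.so line it refers to is an assumption about the PAM setup that the thread does not spell out:

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above. Only the global section is examined (a "Match" line ends
# the scan), and, as in sshd itself, the FIRST value given for a keyword wins.
# Settings are expected in the "Keyword value" form.

# Constructed sample: a stock-looking config before hardening.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample: the same host after the changes discussed in the thread.
# The second-factor prompt itself comes from PAM (assumed /etc/pam.d/sshd line:
#   auth required pam_google_authenticator.so), which this audit cannot see.
# The duplicate PermitRootLogin at the end is deliberate: sshd ignores it.
HARDENED_CONFIG='Port 222
PermitRootLogin no
AllowUsers loren
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin yes'

# Reads an sshd_config on stdin and prints one finding per line.
# Exit status is 1 if there is at least one finding, 0 if the config is clean.
audit_sshd() {
  awk '
  function finding(msg) { print msg; n++ }
  tolower($1) == "match"  { exit }          # stop at the first Match block
  /^[[:space:]]*(#|$)/    { next }          # skip comments and blank lines
  { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }   # first value wins
  END {
    if (!("permitrootlogin" in v) || v["permitrootlogin"] == "yes")
      finding("PermitRootLogin is yes (the default on OpenSSH before 7.0): root is a guessable username, set it to no")
    if (!("port" in v) || v["port"] == "22")
      finding("Port is 22: moving sshd cuts log noise from scanners, although it is no substitute for a firewall")
    if (!("allowusers" in v) && !("allowgroups" in v))
      finding("No AllowUsers/AllowGroups: every local account is a valid login target")
    if (v["challengeresponseauthentication"] != "yes" || v["usepam"] != "yes")
      finding("ChallengeResponseAuthentication and UsePAM must both be yes for a PAM second factor such as pam_google_authenticator to prompt")
    exit (n > 0)
  }'
}

# Stand-alone demonstration: the weak sample yields four findings, the hardened one none.
echo "== weak =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd || echo "(exit status $?)"
echo "== hardened =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd && echo "no findings"
```

Run it against the live file with `audit_sshd < /etc/ssh/sshd_config`. It deliberately does not flag PasswordAuthentication, since the advice above is to keep long passwords and add a second factor rather than to go key-only.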
<div class="moz-cite-prefix">On 9/25/2014 9:06 AM, Jon Byrne wrote:<br>
</div>
<blockquote
cite="mid:CALLtVpVx93SZ__NWTyCWHabZpoDZVid7da84gyFD6o_z6jTC6A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif">Hi
Loren,<br>
<br>
I guess you are running your Allstar node on a Virtual server,
I do the same and have found bouts of activity from Chinese IP
Addresses and other countries. Mostly SIP attempts, but also
SSH. <br>
<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">If
you do not use SIP then unload it and set your IPTABLES to
block that port. <br>
<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">As
for the SSH, this will probably not be a targeted attack,
more likely that they are targeting the block of IP Addresses yours
is in. If you have specific IP Addresses you connect to then
you can lock connections to those IPs, plus install the
fail2ban as mentioned and ensure there is a secure password
and you should be ok. You could also enable PORTKNOCKING <a
moz-do-not-send="true"
href="http://en.wikipedia.org/wiki/Port_knocking">http://en.wikipedia.org/wiki/Port_knocking</a><br>
<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">As
for the 3101702 connection, is that not an Echolink node?<br>
<br>
<a moz-do-not-send="true"
href="http://ns2.s13avahost.net/repeaters/echolink/node_status.php?node=CX4BBH#sthash.n00kxN55.32DNtjrl.dpbs">http://ns2.s13avahost.net/repeaters/echolink/node_status.php?node=CX4BBH#sthash.n00kxN55.32DNtjrl.dpbs</a><br>
<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">Hope
that helps.<br>
<br>
Jon<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">2E0RFU<br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>------------<br>
Jon Byrne<br>
<a moz-do-not-send="true" href="mailto:email@jonbyrne.com"
target="_blank">email@jonbyrne.com</a></div>
<br>
<div class="gmail_quote">On 25 September 2014 08:43, Ken Boyle <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:ken@kc2idb.net" target="_blank">ken@kc2idb.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">You could
also install fail2ban. By default it allows three failed
password attempts, then temporarily bans the IP address.<br>
<div class="HOEnZb">
<div class="h5"><br>
On Sep 24, 2014 10:43 PM, Doug Crompton <<a
moz-do-not-send="true" href="mailto:doug@crompton.com">doug@crompton.com</a>>
wrote:<br>
><br>
> I assume you have the linux box behind a router? If
so why would you have sip even routed to your linux box
if you are not using it? Routers make good firewalls.
The only thing you should have routed is 4569 (udp) and
222 (tcp) neither have to be routed. 4569 would only
need to be routed if you wanted to accept incoming
connections. Outgoing would work fine without it. 222
would only be needed for administration.<br>
><br>
> From what you are saying you obviously must not
have a front-end (router firewall etc.) on your system .
It sounds like you are just hanging on the raw
Internet!! Some people go the easy route and put things
in the DMZ of their routers which does open them up to
the world. I went into an Allstar system this week to
help with setup and I immediately knew it was on the
DMZ. In the Asterisk client I was getting sip messages
left and right. I unloaded the sip module and they went
away. Not the right way to do it though as it should not
be on dmz to begin with. Simply not having a sip.conf
file does not prevent sip traffic!!!<br>
><br>
> Assuming you have a router there should be no need
to disable sip as it is never going to get to your box
unless you port forward it there. It would be a good
idea though to not load the code for it if you are not
using it. A noload => chan_sip.so in modules.conf would
take care of that.<br>
><br>
> Most good routers also allow you to specify
specific or blocks of IP addresses to disallow. If there
is a specific foreign block, say in China you can
identify you could probably block it.<br>
><br>
> So the bottom line is you could make your linux
system totally unavailable to the outside world by just
not forwarding any ports. The downside is no one could
connect to you (sometimes desirable) and you could not
remotely administer your system. <br>
><br>
><br>
> 73 Doug<br>
> WA3DSP<br>
> <a moz-do-not-send="true"
href="http://www.crompton.com/hamradio"
target="_blank">http://www.crompton.com/hamradio</a><br>
><br>
><br>
> ________________________________<br>
> Date: Wed, 24 Sep 2014 20:52:22 -0500<br>
> From: <a moz-do-not-send="true"
href="mailto:lorentedford@gmail.com">lorentedford@gmail.com</a><br>
> To: <a moz-do-not-send="true"
href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a><br>
> Subject: [App_rpt-users] Security Issues<br>
><br>
> Hey its Loren here again...<br>
><br>
> Was curious what everyone found was the most
substantial security risk with an Acid installation
connected to two repeaters.. The sip.conf was deleted
from the asterisk folder.. Noticed a strange node
connection that didn't match Allstar's normal node
numbers 3101702 also found some thing with <a
moz-do-not-send="true" href="http://x.allstarlink.org"
target="_blank">x.allstarlink.org</a> in it anybody
know what this is?? Anyway my linode server has been
under constant attack from China they keep wanting to
ssh into the server we had to drastically beef up things
on the server such as changing the whole root user issue
and moving to another port number etc.. Any thoughts
ideas did I just become victim of a Sip attack too
besides 19 DDoS attacks this week already and over a
million failed ssh attempts into my personal linode
server...<br>
><br>
><br>
> Loren Tedford (KC9ZHV) <br>
> Email: <a moz-do-not-send="true"
href="mailto:lorentedford@gmail.com">lorentedford@gmail.com</a><br>
><br>
> <a moz-do-not-send="true"
href="http://www.lorentedford.com" target="_blank">http://www.lorentedford.com</a><br>
> <a moz-do-not-send="true"
href="http://www.Ltcraft.net" target="_blank">http://www.Ltcraft.net</a><br>
> <a moz-do-not-send="true"
href="http://www.richlandcountycomputers.com"
target="_blank">http://www.richlandcountycomputers.com</a><br>
> <a moz-do-not-send="true"
href="http://kc9zhv.lorentedford.com" target="_blank">http://kc9zhv.lorentedford.com</a><br>
><br>
><br>
> _______________________________________________
App_rpt-users mailing list <a moz-do-not-send="true"
href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a>
<a moz-do-not-send="true"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users"
target="_blank">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
To unsubscribe from this list please visit <a
moz-do-not-send="true"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users"
target="_blank">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
and scroll down to the bottom of the page. Enter your
email address and press the "Unsubscribe or edit options
button" You do not need a password to unsubscribe, you
can do it via email confirmation. If you have trouble
unsubscribing, please send a message to the list
detailing the problem.<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
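The fail2ban behaviour Ken describes (three failed attempts, then a temporary ban), and Joe's point that the ban is only decided after sshd has already accepted and processed the attempt, shown as an added example for this archive rather than code from anyone in the thread. The log excerpt is constructed and uses RFC 5737 documentation addresses; the 3/600s numbers are fail2ban's shipped defaults:

```shell
#!/bin/sh
# Added example (not from the thread): the ban decision fail2ban makes for
# sshd, reproduced with awk over an auth.log excerpt so the defaults Ken
# mentions (3 failures) and the time window they must fall in are visible.
# Every line below exists because sshd already processed the attempt; the
# ban is applied afterwards, which is Joe's point about fail2ban and DoS.
# The log lines are constructed; the addresses are RFC 5737 documentation ranges.

MAXRETRY=3     # fail2ban default: failures before a ban
FINDTIME=600   # fail2ban default: window, in seconds, those failures must fall within

SAMPLE_LOG='Sep 25 09:00:01 node sshd[1201]: Failed password for root from 203.0.113.10 port 50222 ssh2
Sep 25 09:00:03 node sshd[1203]: Failed password for root from 203.0.113.10 port 50224 ssh2
Sep 25 09:00:05 node sshd[1205]: Failed password for invalid user admin from 203.0.113.10 port 50226 ssh2
Sep 25 09:00:09 node sshd[1207]: Accepted publickey for loren from 198.51.100.7 port 40000 ssh2
Sep 25 09:01:00 node sshd[1209]: Failed password for loren from 198.51.100.7 port 40002 ssh2
Sep 25 09:30:00 node sshd[1301]: Failed password for root from 192.0.2.44 port 33000 ssh2
Sep 25 10:30:00 node sshd[1302]: Failed password for root from 192.0.2.44 port 33002 ssh2
Sep 25 11:30:00 node sshd[1303]: Failed password for root from 192.0.2.44 port 33004 ssh2'

# Usage: ban_candidates [maxretry] [findtime]  < auth.log
# Prints each source address the first time it accumulates maxretry failures
# within findtime seconds. Syslog timestamps carry no year, so months are
# approximated as 31 days; that keeps ordering right across a month boundary
# for a window this short.
ban_candidates() {
  awk -v maxretry="${1:-$MAXRETRY}" -v findtime="${2:-$FINDTIME}" '
  BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
    for (i = 1; i <= 12; i++) mon[names[i]] = i
  }
  # Only sshd authentication failures count; successes and other daemons are ignored.
  /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
    split($3, hms, ":")
    t = (mon[$1] * 31 + $2) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
    ip = ""
    for (i = 4; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
    n[ip]++; ts[ip, n[ip]] = t
    recent = 0
    for (i = 1; i <= n[ip]; i++) if (ts[ip, i] > t - findtime) recent++
    if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
  }'
}

# Stand-alone run: only the fast guesser trips the default 3-in-600s rule.
# 192.0.2.44 spreads its three attempts an hour apart and is never banned,
# which is how a slow or distributed campaign slips past fail2ban defaults.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates        # prints 203.0.113.10
```

Widening the window (`ban_candidates 3 86400`) catches the slow guesser too, at the cost of banning a legitimate user who fumbles a password three times in a day; tune findtime and maxretry together rather than one in isolation.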
<br>
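The firewall side of the thread (Doug: only 4569/udp and 222/tcp need to be reachable; Jon: restrict SSH to the addresses you connect from and block the SIP port) as an added example for a node on a bare public address such as Loren's Linode, where there is no router doing this in front. This is not code from any poster. It assumes IPv4 only, sshd on 222/tcp, IAX2 on 4569/udp and two made-up admin addresses; unloading chan_sip as Doug describes is still the right first step, the rules here are what you add on top:

```shell
#!/bin/sh
# Added example (not from the thread): an iptables INPUT policy for a node that
# sits on a public address with no router in front of it, applying Doug's
# "only 4569/udp and 222/tcp" rule and Jon's "SSH only from your own addresses"
# and "block the SIP port" advice. The commands are PRINTED for review rather
# than executed; apply on the node as root with:
#   sh firewall.sh | sh
# Assumptions not stated in the thread: IPv4 only, sshd on 222/tcp, IAX2 on
# 4569/udp, and the two admin addresses below (RFC 5737 documentation space).

ADMIN_IPS="198.51.100.7 198.51.100.8"
SSH_PORT=222
IAX_PORT=4569

fw_rules() {
  echo "iptables -F INPUT"
  echo "iptables -P INPUT DROP"    # default deny: anything not listed below is unreachable
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  # SIP is dropped by the policy anyway; explicit rules make the scans visible
  # in 'iptables -L INPUT -v -n' counters instead of vanishing silently.
  echo "iptables -A INPUT -p udp --dport 5060 -j DROP"
  echo "iptables -A INPUT -p tcp --dport 5060 -j DROP"
  # IAX2: needed only if other nodes must be able to connect in. Outbound-only
  # nodes can delete this line and still connect out (replies match ESTABLISHED).
  echo "iptables -A INPUT -p udp --dport $IAX_PORT -j ACCEPT"
  # SSH only from the admin addresses. Guesses from anywhere else are dropped
  # in the kernel and never reach sshd or fail2ban.
  for ip in $ADMIN_IPS; do
    echo "iptables -A INPUT -p tcp -s $ip --dport $SSH_PORT -j ACCEPT"
  done
}

# Review helper: exit 0 if the generated ruleset ACCEPTs the given destination port.
rules_accept_port() {
  fw_rules | grep -- "--dport $1 " | grep -q -- '-j ACCEPT'
}

fw_rules
```

Before piping the output into `sh` on a remote box, make sure your current source address is in ADMIN_IPS, or the session you are typing in is the first thing the policy locks out; `iptables-save` afterwards so the rules survive a reboot.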
</body>
</html>