more PEBCAC

Story: New worm directly infects Linux-based home routers Total Replies: 32
tuxchick

Mar 25, 2009
6:30 PM EDT
No admin password, the same default admin password that everyone in the world knows. I'm surprised more exploits like this haven't been discovered.
azerthoth

Mar 25, 2009
7:03 PM EDT
Yet another reason for me to get off my lazy butt and build my own instead of using an off the shelf. I bet TC's book would be helpful for that project too.
Sander_Marechal

Mar 25, 2009
7:49 PM EDT
Or just set your admin password to something strong.
gus3

Mar 25, 2009
8:25 PM EDT
Like "Hercules".
tuxchick

Mar 25, 2009
8:27 PM EDT
"limberger"
ColonelPanik

Mar 25, 2009
8:45 PM EDT
Help the old guy here. If I have set up a super great secret login passwd, I will be invincible?

@gus3: How did you know that....?
gus3

Mar 25, 2009
9:03 PM EDT
tc, if only I knew where I could get some that didn't cost a leg and an ARM...
tracyanne

Mar 25, 2009
11:54 PM EDT
CP, how about "myreallyreallylongsupergreatsecretpasswordthatnoonewillguess"? Will that do? I use it all the time; it's never been hacked yet.
gus3

Mar 26, 2009
12:59 AM EDT
I'm sure it will be trivial to come up with a less complicated passphrase having the same MD5 hash.
tuxchick

Mar 26, 2009
2:27 AM EDT
ow @ gus3.

Yes, I'm mad I couldn't think of a good one to retaliate with.
jezuch

Mar 26, 2009
2:55 AM EDT
My router limits admin access to only from the "inside" ports. Access to port 80 from "outside" is supposed to be prohibited and/or subject to NAT port forwarding only. I should be safe, but you never know...
tuxtom

Mar 26, 2009
5:16 AM EDT
Port 80? You're kidding, right? Even 8080 is dubious.

I do need outside access to my router. How else do I set up NATs, etc., and get to my stuff when I'm not home? It can be done quite safely if you know what you are doing.

Passwords are nice and all, but anyone running any admin-level utility on a standard port (e.g. 22) deserves to get hacked.
Sander_Marechal

Mar 26, 2009
5:49 AM EDT
IMHO running services on non-standard ports is just security-by-obscurity. Finding out the right port is just an nmap away.
tuxtom

Mar 26, 2009
7:53 AM EDT
Nmap is a targeted attack. If you are under a targeted attack you gotta look inside for the answer because it's "Another Done Somebody Wrong Song". You gotta hope you're a better hacker than they are...or get law enforcement involved. 8^)

But the good news is that 99.9% of the attacks out there are bot-scripts randomly hammering away at standard ports. Sooner or later they get a sucker (admin:linksys?)...just like the Viagra spammers do. It's more a numbers game than will or wit.

I have yet to see a single attempt at my chosen obscure ports on my servers, whereas I have thousands of futile port 22 attempts (who are summarily drop-routed after their first attempt).

By the same token, strong passwords are security-by-obscurity.
ColonelPanik

Mar 26, 2009
11:41 AM EDT
I'll just unplug that damn router. The editors here can expect snail-mail. erm, wait, does canihascheeseburgernow have a print edition?
tuxchick

Mar 26, 2009
11:47 AM EDT
Quoting: By the same token, strong passwords are security-by-obscurity.

True, but an effective form of security-by-obscurity. There is nothing wrong with including some smart security-by-obscurity in your security toolbag.
Bob_Robertson

Mar 26, 2009
4:20 PM EDT
As much as I preferred having my server also acting as my router, for some reason the IP-Phone dongle didn't work through the NAT.

Everything else worked. Port forwarding, IPv6 tunneling, Gnutella and Bittorrent on the inside of the NAT, etc.

Just not the off-the-shelf Linksys VoIP box.

So I went and bought a router, and everything worked for a while, but now Gnutella can't connect.

Oh, and the idiot Belkin router inserts itself into the DHCP list of DNS servers, and then DOES NOT act as a DNS cache, so everything is slowed to a crawl unless I set things static. Maybe some day I'll let experience instead of budget be my buying guide.
gus3

Mar 26, 2009
4:33 PM EDT
Set up your DNS servers in /etc/resolv.conf, then

chattr +i /etc/resolv.conf

Alternately, if you're using dhcpcd, you can add -R or --nodns to leave /etc/resolv.conf as-is. But using chattr is more certain.
techiem2

Mar 26, 2009
5:58 PM EDT
Yup, that's what I do on my router box, gus3, since I run my own local DNS server and don't want the silly ISP changing me to use theirs.
jdixon

Mar 26, 2009
9:15 PM EDT
> ...and the idiot Belkin router...

I think you just identified the problem. :) Seriously, Dlink, Netgear, and Linksys are all acceptable and reasonably priced. There's never a good reason to go with Belkin.
ColonelPanik

Mar 26, 2009
10:31 PM EDT
I have had one Belkin and one re-branded Belkin router. Never gave me any problems but I was using them with service from Charter so who knows. I don't do anything tricky, just pump out a signal and pray. Only used with Linux.

With our fiber to the home connection I have a Linksys WRT160n and it is sweet. Easy to configure, cheap too.

jdixon

Mar 27, 2009
7:10 AM EDT
> ...and don't want the silly ISP changing me to use theirs.

Apparently Roadrunner won't let you use an outside DNS (I don't see how they could keep you from using your own). Our machines are set up for OpenDNS. When my wife was at Myrtle Beach this winter and using their service, our DNS queries always came back from Roadrunner, even though our settings hadn't changed. It looks like they intercept the DNS queries and answer them themselves. Which makes it fun when their DNS goes down, which it seemed to do on a semi-regular basis.
Sander_Marechal

Mar 27, 2009
7:30 AM EDT
jdixon: I think you could have solved that by using a socks proxy. With a socks proxy, all traffic is redirected, including DNS queries.
Bob_Robertson

Mar 27, 2009
8:09 AM EDT
> Belkin

It was on sale.
tuxtom

Mar 27, 2009
9:10 AM EDT
Quoting: Quoted: By the same token, strong passwords are security-by-obscurity.

True, but an effective form of security-by-obscurity. There is nothing wrong with including some smart security-by-obscurity in your security toolbag.

My experience reinforces the effectiveness of running admin-level services on obscure ports. Sending anyone who attempts unauthorized access on common ports to Never Never Land is smart...smarter than allowing them to keep running brute-force attacks on 22 and choking your logs. What's nice is that your well-crafted password will give you some temporary protection against anyone who stumbles upon your active port and starts hammering that. You really need a pretty big tool bag.
Sander_Marechal

Mar 27, 2009
9:20 AM EDT
Quoting: smarter than allowing them to keep running brute-force attacks on 22 and choking your logs.

I run denyhosts and tarpit to solve that.

Denyhosts adds hosts trying and failing to access my machine to /etc/hosts.deny. It's like the ATM. You get three attempts. Denyhosts can also connect to a big database on the web that shares all these blocked hosts. It's pretty cool.

Tarpit intercepts connections to ports and IP addresses that you don't have anything running on. It then keeps these connections open for as long as possible, tying up the other guy's resources. A real stomp in the face of would-be intruders because suddenly nmap takes a few hours instead of a few seconds to scan all 65,535 ports on your machine :-)
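The "three attempts and you're in hosts.deny" rule Sander describes, written out as an added example: this is not DenyHosts' own code, just the same idea applied to a few constructed sshd syslog lines (RFC 5737 documentation addresses, not real hosts). The threshold of three and the `sshd: <ip>` hosts.deny syntax are the assumptions; the regex covers the "Failed password for [invalid user] <name> from <ip>" line format that OpenSSH logs.

```python
"""Added example: count failed SSH logins per source address and emit
/etc/hosts.deny entries once a source passes a threshold. Not DenyHosts
itself; a stand-alone illustration of the rule described in the thread."""
import re
from collections import Counter

# Constructed sample of sshd syslog lines (addresses are RFC 5737 examples).
SAMPLE_AUTH_LOG = """\
Mar 27 09:01:12 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar 27 09:01:15 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Mar 27 09:01:19 gw sshd[2101]: Failed password for root from 192.0.2.10 port 51024 ssh2
Mar 27 09:02:40 gw sshd[2130]: Failed password for sander from 198.51.100.7 port 40001 ssh2
Mar 27 09:02:55 gw sshd[2130]: Accepted publickey for sander from 198.51.100.7 port 40001 ssh2
Mar 27 09:03:01 gw sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
Mar 27 09:03:04 gw sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures


def hosts_to_deny(log_text, threshold=3):
    """Source IPs with at least `threshold` failures (the 'three attempts' rule).
    The threshold is an assumption for this example, not a DenyHosts default."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def hosts_deny_lines(ips, daemon="sshd"):
    """Render entries in /etc/hosts.deny 'daemon: client' syntax."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    for line in hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG)):
        print(line)
```

Only 192.0.2.10 crosses the threshold in the sample; the legitimate user who mistyped once and then authenticated with a key is left alone, which is the property you want from any such rule before it touches hosts.deny.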
ColonelPanik

Mar 27, 2009
12:29 PM EDT
Old Guy question: With all the security you have between your computer and the internet, how much does that slow things down? At my age I don't want to wait too long for a page to load.
Sander_Marechal

Mar 27, 2009
2:28 PM EDT
Colonel: In my case, nothing. DenyHosts and Tarpit only affect incoming connections and not outgoing connections. To boot, they only kick in when you fail to authenticate or try to connect to a port or IP address I'm not using.
ColonelPanik

Mar 27, 2009
5:30 PM EDT
Sander, thanks, that's food for thought.
Bob_Robertson

Mar 29, 2009
8:11 AM EDT
CP, I've found two things that SUBSTANTIALLY speed up the apparent speed of 'Net connections:

The Ad Block Plus extension in Firefox;

The Hosts File Project http://hostsfile.mine.nu

Since I prefer using Konqueror, the former does not have as much impact as the latter, but they have been of fantastic use. A few clients have reported that they thought their whole computer had been upgraded just by using Firefox with Ad Block Plus.

Both of which have nothing to do with security, specifically, but a great deal to do with human-perceptible speed issues.
tuxtom

Mar 30, 2009
8:23 AM EDT
There's a lot of good ways to skin the cat. I deny ALL in hosts.deny and only allow specific IPs in hosts.allow. Then I run some homegrown perl listening to 22 which permanently drop-routes ANYONE making a single attempt if they are not in hosts.allow. They can't do anything now...not even view a web page. Too bad. I don't have to worry about them any more. There's no need to waste my time tying up someone else's resources. I've got more important things to do.

If I want to mess with people I'll just set up an access point and have fun with squid...or better yet just come hang out and post on LXer!
tuxchick

Mar 30, 2009
10:07 AM EDT
http://www.ex-parrot.com/~pete/upside-down-ternet.html Upside-Down-Ternet

My neighbours are stealing my wireless internet access. I could encrypt it or alternately I could have fun.
gus3

Mar 30, 2009
1:37 PM EDT
tuxtom,

I did something similar on my home-based web server a few years ago. The 404 page was a CGI script that checked the URL for Nimda- or CodeRed-style attacks. Positive hits were promptly handled by 'iptables -A INPUT --source $evil_system -j IGNORE'.

Access and error logs suddenly cleaned up a lot; and it prevented the normal closing of the TCP connection on both ends, an evil my RAM-heavy system could tolerate. And it was fun writing evil in Perl.
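The same idea as gus3's 404-page CGI, as an added example rather than his Perl: classify request paths in a constructed common-log-format sample for the publicly documented CodeRed (`default.ida`) and Nimda (`cmd.exe`/`root.exe`, percent-encoded `..` traversal) probe markers, and render one firewall rule per offending source. The log lines and addresses are constructed (RFC 5737 ranges); the rules are returned as strings and use the standard iptables `DROP` target, which is this example's assumption, not a claim about the original script.

```python
"""Added example (not the CGI from the post): detect worm-style probe
requests in web server access logs and produce one block rule per source.
Offline only; nothing here touches a firewall."""
import re

# Constructed access-log lines (common log format, RFC 5737 addresses).
SAMPLE_ACCESS_LOG = """\
192.0.2.44 - - [30/Mar/2009:13:37:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.44 - - [30/Mar/2009:13:37:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.9 - - [30/Mar/2009:13:38:10 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.77 - - [30/Mar/2009:13:39:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 210
198.51.100.9 - - [30/Mar/2009:13:39:30 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
"""

# Common log format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Publicly documented probe markers: CodeRed hit default.ida; Nimda requested
# cmd.exe / root.exe, often through percent-encoded directory traversal.
# Checked in order; the first match wins.
PROBE_PATTERNS = [
    ("codered", re.compile(r"/default\.ida", re.I)),
    ("nimda", re.compile(r"/(?:cmd|root)\.exe", re.I)),
    ("traversal", re.compile(r"\.\.(?:/|%2f|%5c|%c0%af)", re.I)),
]


def classify_path(path):
    """Return the probe label for a request path, or None if it looks benign."""
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def find_probing_hosts(log_text):
    """Map each source IP that sent a probe to the sorted labels it triggered.
    Lines that do not parse are skipped rather than guessed at."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_path(m.group("path"))
        if label:
            hits.setdefault(m.group("ip"), set()).add(label)
    return {ip: sorted(labels) for ip, labels in hits.items()}


def block_rules(hosts):
    """Render one iptables rule string per host. DROP is an assumption of this
    example; the strings are returned, not executed."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(hosts)]


if __name__ == "__main__":
    probing = find_probing_hosts(SAMPLE_ACCESS_LOG)
    for ip, labels in sorted(probing.items()):
        print(f"{ip}: {', '.join(labels)}")
    for rule in block_rules(probing):
        print(rule)
```

Note that 198.51.100.9 makes one legitimate request before probing, so per-request classification rather than per-host reputation is what catches it; matching the raw (still percent-encoded) path is also deliberate, since the overlong-UTF-8 `%c0%af` sequence does not decode to a clean slash and would be missed by a decode-then-match approach.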
