Thursday, June 26, 2008

Securing SSH with Iptables

So you want to open up port 22 on the WAN side of your router for remote access. Is it really a legitimate concern that someone could try to get in through SSH? I mean it's SSH right?

Well, yes and no. Yes, you should be concerned about any port that's open to the world, even if it's SSH. There was a brief time when some SSH server exploits were publicly available; those were patched quickly and most systems have been upgraded since then, but that only helps if you actually keep your SSH server up to date.

However, there's always the chance someone will try to brute force your SSH credentials, and for those of you who allow logging in as root this is even scarier. Your first line of defense is obviously your password. There are tons of websites and utilities out there to help you generate a good one, and you should always use a password of at least 8 characters containing at least 1 number and 1 special character like !, @ or #. Better still, don't allow direct root logins over SSH at all, and use key-based authentication with password logins turned off if your server supports it.

With iptables it's actually quite easy to set up rate-limiting for traffic coming in on port 22, or any TCP/UDP port really.
  • Make sure the "recent" match is compiled in or installed with your iptables (on OpenWrt it may need an extra kmod-ipt-* package). "iptables -m recent --help" should print the match's options instead of an error.
  • Next, add the rules to iptables by hand and verify they're working before you make them permanent. These use the prerouting_wan and input_wan chains that the OpenWrt/X-Wrt firewall scripts create; on a stock Linux box use PREROUTING and INPUT instead.
  • iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --name SSH_BRUTEFORCE --rsource --update --seconds 180 --hitcount 6 -j DROP
  • iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --name SSH_BRUTEFORCE --rsource --set
  • iptables -A input_wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
  • Keep the first two rules in that order: the DROP rule is checked before the --set rule, so the seventh new connection from one address inside the window is the first one dropped. You can watch the tracked addresses and their hit times in /proc/net/ipt_recent/SSH_BRUTEFORCE (on newer kernels /proc/net/xt_recent/SSH_BRUTEFORCE).
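To see exactly when those two "recent" rules start dropping a source and when they let it back in, here is a small model of their matching logic. This is an added example, not code from the post and not iptables itself: it replays a constructed list of NEW connections to port 22 through the --update/--hitcount DROP rule and the --set rule, using the same semantics the kernel match uses (a hit counts while it is strictly younger than --seconds; a matching --update adds a fresh hit). It assumes the per-address stamp cap (ip_pkt_list_tot) is never reached, and the sample addresses are documentation ranges, not real hosts.

```python
"""Model of the post's two ipt_recent rules (added example, not iptables).

Reproduces the matching semantics of
  -m recent --name SSH_BRUTEFORCE --rsource --update --seconds S --hitcount N -j DROP
  -m recent --name SSH_BRUTEFORCE --rsource --set
for a chronological list of NEW connections to port 22.
Assumption: the per-address stamp cap (ip_pkt_list_tot) is not reached.
"""
from collections import defaultdict

SECONDS = 180   # window used in the post's example rules
HITCOUNT = 6


class RecentList:
    """One named list as -m recent keeps it: source address -> hit timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: add the address, or another stamp for an address already listed.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds --hitcount: match if the address is listed and has
        at least `hitcount` stamps younger than `seconds`. On a match the current
        time is added as a new stamp; that is what keeps a hammering source blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t < seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def verdicts(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """attempts: chronological (time_in_seconds, source_ip) NEW connections on the
    WAN side for port 22. Returns one verdict per attempt, in order."""
    table = RecentList()
    out = []
    for now, src in attempts:
        if table.update(src, now, seconds, hitcount):
            out.append("DROP")      # rule 1 matched; -j DROP ends chain traversal
            continue
        table.set(src, now)         # rule 2 records the attempt
        out.append("ACCEPT")        # rule 3 (input_wan) accepts the connection
    return out


# Constructed sample traffic (documentation addresses, not real hosts).
ATTACKER, ADMIN = "203.0.113.5", "198.51.100.7"
SAMPLE = [(t, ATTACKER) for t in (0, 10, 20, 30, 40, 50, 60)] \
    + [(65, ADMIN), (150, ATTACKER), (239, ATTACKER)]

# Same attacker retrying every 20 seconds for 20 minutes.
HAMMERING = [(t, ATTACKER) for t in range(0, 1200, 20)]

if __name__ == "__main__":
    for (t, src), v in zip(SAMPLE, verdicts(SAMPLE)):
        print(f"t={t:4d}s {src:14s} {v}")
```

Replaying SAMPLE shows the seventh connection (t=60) is the first one dropped, the admin's own connection at t=65 is unaffected because the list is per source, and the attacker is let back in at t=239 because only two hits remain inside the trailing 180-second window by then. Replaying HAMMERING shows the other side of that: a source that keeps retrying every 20 seconds never gets fewer than six hits in the window and stays blocked for the whole run.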
You can hit up http://www.grc.com/ and use the ShieldsUP! port scanning service if you don't have access to a remote shell to test with. I just entered port 22 and clicked "User Specified Custom Port Probe" 6 times to test it. Keep in mind that with --hitcount 6 and the DROP rule listed first, the seventh new connection inside the window is the first one the router drops, so probe at least seven times if you want to see the port go from open to stealth.

Trying to test these rules from inside your LAN isn't a smart way to test firewall rules, since that traffic arrives on the LAN side and never passes through the WAN chains the rules live in.

You can tweak how quickly it rate-limits with the --seconds and --hitcount options. The rules above use 180 seconds; I set mine to 900 seconds and 6 hits, meaning that if an address opens more than 6 new connections to port 22 within 900 seconds (15 minutes), further new connections from that address are dropped. Two details worth knowing: the rule counts new connections, not password guesses, and a typical SSH server gives each connection 3 password prompts, so 6 connections is up to 18 guesses before the block kicks in (lower --hitcount if you want it tighter); and because --update refreshes the entry on every dropped attempt, and the client retransmits the SYNs you drop (each retransmission is seen as another NEW packet), an attacker who keeps hammering stays blocked, while the block lapses on its own once fewer than 6 hits remain inside the trailing window. Only new connections to port 22 are affected; established sessions and other ports are untouched.

Once you're satisfied everything is working correctly, add the 3 lines to the bottom of your /etc/firewall.user and issue /etc/rc.d/S45firewall restart (the path might differ depending on your version of OpenWrt/X-Wrt). One caveat if you carry this over to a newer box: recent iptables releases refuse -j DROP in the nat table, so there you put both "recent" rules in the filter table instead (INPUT, or FORWARD if port 22 is forwarded to a LAN host).

References:
http://www.netfilter.org/
http://www.openwrt.org/
http://www.snowman.net/projects/ipt_recent/

Similar:
There's also a script available that will monitor your logs for malicious SSH activity and block IPs that way, check it out.. http://www.pettingers.org/code/sshblack.html

I hope you find the information provided helpful in some way, you can show your appreciation by clicking on an Ad or two. Or if you'd like to hire me and have me secure your system you can click on the oDesk Ad on the site as well.

~Matt

Tuesday, June 24, 2008

OpenWrt on a Dell Truemobile 2300

Well, for those of you not already enlightened by the awesome greatness of Dell's Truemobile 2300 wireless router, let me share some... thoughts... with you about it. The Dell software shipped with it is a pile of shit; it hasn't had an official update since 2004, when a security vulnerability was publicly disclosed that let anyone who could reach the built-in web interface send it a single HTTP request to reset the login credentials, giving them full access to the router's web interface.

Now, instead of Dell saying something like "Oh, that's a quick two-second fix, let's just push an update," haha, they decided to discontinue their "product" and make you buy something new rather than simply issuing a software update and correcting the issue. And that's without mentioning the numerous other software "anomalies": configuration pages that just don't work right, and a router that locks up at least 1-2 times per week during normal use, or every time you play an online game (World of Warcraft) over wireless.

Now don't get me wrong, this little router packs a punch. Its hardware is very similar to a Linksys WRT54G v1, with 4 MB of flash and 16 MB of RAM, which is plenty of room for our purposes.

Let's get to the meat of it.. To install OpenWrt you want to start with a stable and tested version of the software to make sure nothing happens during the upgrade and/or first boot of the new OS.

  • Hit up downloads.openwrt.org and browse to /whiterussian/newest/default/ for the 0.9 release of "openwrt-brcm-2.4-squashfs.trx" (note the .trx extension).
  • After the image downloads, make sure you're connected to the router by cable and not wireless, and log in to the router like you normally would (defaults are IP: 192.168.1.1, User: admin, Pass: admin).
  • Once you're in, click System Tools, then Firmware Upgrade, select the .trx image you just downloaded and flash it.
  • Now go get a Dr. Pepper and leave the computer and router alone for at least a few minutes. Don't pull the power while it's writing flash.
  • When the flash completes you usually get no indication that anything has happened, except that the LED for the port you're plugged into may be green while the power LED is not; this is normal.
  • Now hard-code a static IP on your PC on the same subnet, say 192.168.1.50/24, and try to ping 192.168.1.1. Once the router has booted and responds to ICMP (you may need to power cycle it), browse to 192.168.1.1.
The first and most important thing you want to do now, before anything else, is turn on the NVRAM option called boot_wait. It should be in the web interface, and from a shell on the router it's "nvram set boot_wait=on" followed by "nvram commit". It makes the bootloader pause briefly at power-on and accept a TFTP upload of an image to 192.168.1.1, which is your way back in if for some reason the device won't boot far enough to let you log in (unless you enjoy opening it up and shorting the on-board flash memory).
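The step in that list that carries the real risk is feeding the Dell upgrade page something that isn't a TRX image: a saved HTML error page, a download that got cut off, or a file that was corrupted in transit. As an added example, not code from the post or from OpenWrt, here is a check of the TRX header you can run over the .trx file before you flash. It parses the 28-byte TRX version-1 header the brcm-2.4 images use (magic "HDR0", total length, CRC-32, flags/version, three partition offsets) and builds its own sample images to exercise itself. One assumption is marked in the code: that the stored CRC is the standard CRC-32 over everything from the flag_version field to the end of the image, kept without the final bit inversion (zlib.crc32(...) ^ 0xffffffff); if your image tool disagrees, adjust trx_crc32() and keep the rest.

```python
"""Sanity-check a Broadcom TRX firmware image before flashing (added example).

TRX v1 header, little-endian, 28 bytes:
  magic "HDR0" | len (whole file incl. header) | crc32 | flag_version
  (low 16 bits flags, high 16 bits version) | offsets[3] (partition starts)
Assumption: crc32 is the standard CRC-32 over image[12:len] without the
final inversion, i.e. zlib.crc32(data) ^ 0xffffffff.
"""
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HEADER = struct.Struct("<4sIIIIII")   # magic, len, crc32, flag_version, offsets[3]
HEADER_LEN = TRX_HEADER.size              # 28 bytes
CRC_START = 12                            # the CRC covers everything from flag_version on


def trx_crc32(data: bytes) -> int:
    """CRC-32 as the TRX tooling stores it (assumed: no final ~ applied)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def check_trx(image: bytes) -> list:
    """Return a list of problems found; an empty list means the image looks flashable."""
    if len(image) < HEADER_LEN:
        return ["file is shorter than a TRX header (did you download an error page?)"]
    magic, length, crc, flag_version, *offsets = TRX_HEADER.unpack_from(image)
    if magic != TRX_MAGIC:
        return [f"bad magic {magic!r}, expected {TRX_MAGIC!r}"]
    if length < HEADER_LEN or length > len(image):
        return [f"header says {length} bytes but the file has {len(image)}"]
    problems = []
    calc = trx_crc32(image[CRC_START:length])
    if calc != crc:
        problems.append(f"crc mismatch: header {crc:#010x}, computed {calc:#010x}")
    version = flag_version >> 16
    if version != 1:
        problems.append(f"TRX version {version}; this checker only understands v1")
    for i, off in enumerate(offsets):
        # offset 0 means "no partition"; anything else must point inside the image
        if off and not HEADER_LEN <= off < length:
            problems.append(f"partition offset[{i}]={off} lies outside the image")
    return problems


def build_trx(partitions) -> bytes:
    """Pack up to three blobs into a TRX v1 image (used to make the samples below)."""
    body, offsets = b"", []
    for part in partitions:
        offsets.append(HEADER_LEN + len(body))
        body += part
    body += b"\0" * (-len(body) % 4)                      # TRX bodies are 4-byte aligned
    offsets += [0] * (3 - len(offsets))
    tail = struct.pack("<IIII", 1 << 16, *offsets) + body  # version 1, no flags
    return TRX_MAGIC + struct.pack("<II", HEADER_LEN + len(body), trx_crc32(tail)) + tail


# Constructed samples (not real firmware): a sane image, a saved HTML error page,
# and the sane image with one byte flipped inside the root filesystem.
GOOD_IMAGE = build_trx([b"LOADER" * 64, b"KERNEL" * 512, b"ROOTFS" * 2048])
HTML_PAGE = b"<html><body><h1>404 Not Found</h1></body></html>\n" * 4
CORRUPT_IMAGE = bytearray(GOOD_IMAGE)
CORRUPT_IMAGE[-16] ^= 0xFF
CORRUPT_IMAGE = bytes(CORRUPT_IMAGE)

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("html", HTML_PAGE), ("corrupt", CORRUPT_IMAGE)):
        print(name, check_trx(img) or "OK")
```

To use it on a real download, read the file in binary mode and pass the bytes to check_trx(); a truncated download shows up as a header length larger than the file, and a corrupted one as a CRC mismatch, both before the router ever sees it.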

Now you should have a working OpenWrt 0.9 on your Truemobile 2300 and can enjoy a much more reliable and functional router. From here I'd recommend upgrading from White Russian 0.9 to Kamikaze 7.x for much more functionality and support. I found a lot of little things in 0.9 that bugged me and made me want to tweak the web GUI a little here and there or adjust little things just a tad. After upgrading to the X-Wrt build of Kamikaze I found most of those issues had already been addressed, and it has a much more elaborate and functional web interface to deal with.

To upgrade, it's as simple as going to the X-Wrt Downloads section, grabbing the latest Kamikaze image (latest at the time of this post) and upgrading via the web interface.

I hope you find the information provided helpful in some way, you can show your appreciation by clicking on an Ad or two. Obviously I take no responsibility if you turn your router into a very sophisticated paper weight with an antenna.

If you do happen to brick the router, you can see what these guys did to un-brick it.. http://forum.openwrt.org/viewtopic.php?id=5656

~Matt