Getestet mit FRITZ!Box Fon WLAN 7170 & Firmware-Version 29.04.70
Wenn man etwas sucht, findet man schon einige Anleitungen, daher hier nur die Kurzfassung..
Telnet-Server auf der FRITZ!Box aktivieren (via Telefon):
#96*7* -> telnetd an
Via telnet konnektieren und mit dem Kennwort der Weboberfläche einloggen.
In der Konsole in das Verzeichnis /var/flash/ wechseln und mit nvi die Datei ar7.cfg bearbeiten.
Hier gibt es (bei meiner Box vier) Einträge für overwrite_dns.
Diese entsprechend anpassen (z.B. für OpenDNS):
overwrite_dns1 = 208.67.220.220;
overwrite_dns2 = 208.67.222.222;
Speichern, beenden und anschliessend die Box mit reboot neustarten.
Aus Sicherheitsgründen Telnet-Server auf der Box wieder deaktivieren:
#96*8* -> telnetd aus
Ob das ganze geklappt hat, sieht man bei OpenDNS z.B. beim Aufruf der Startseite.
Hier sollte jetzt ein Hinweis “You’re using OpenDNS!” angezeigt werden.
PS: Basics über den Texteditor vim (oder dessen Ableger) sollten vorhanden sein.
Category Archives: Security
Prevent SSH Brute Force attacks
When checking logfiles, I often can see brute force attacks – especially against the ssh daemon.
Of course, best way would be to block all ssh traffic except from your office/home ip.
If this is not possible for various reasons, you can make life a little harder for “intruders” using iptables.
Aim:
If there are more than three connection attemps within 120 seconds,
all traffic from potential attacker to ssh port (tcp, 22) shall be blocked temporarily.
#!/bin/bash
#
IPTABLES=`which iptables`
#
### if more than three new connections in 120 sec -> log
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \
--rcheck --seconds 120 --hitcount 3 --rttl --name SSH -j LOG --log-level 7 \
--log-prefix "Possible SSH breakin attemp: "
#
### if more than three new connections in 120 sec -> drop requests
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 120 --hitcount 3 --rttl --name SSH -j DROP
#
### remember new, established connections
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \
--set --name SSH -j ACCEPT
#
### generally allow ssh connections
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
#
# ---
# -I INPUT .. -> iptables chain
# -i eth0 ... -> interface to apply rule to
# -p tcp .... -> use tcp port
# --dport ... -> destination port 22 (SSH)
# -m recent . -> matching state
# --state ... -> can be NEW, ESTABLISHED, RELATED or INVALID
# -rcheck ... -> will check if the source address of the packet is currently in the list
# ---
If it works, you should see entries like this in your firewall log
(i.e. in /var/log/firewall [ openSuSE ]):
Feb 28 15:14:20 cypher kernel: Possible SSH breakin attemp: IN=eth0 OUT= MAC=00:0c:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=123.xxx.xxx.xxx DST=223.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=52858 DF PROTO=TCP SPT=38220 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Fixing Astaro 7.202 (when upgrade fails)
again …
if upgrading from ASG 7.202 to newer versions fails, apply the following fix [as root]:
auisys.plx --rpmargs --force
Maybe you’ll have to stay calm until your up2date packages get “re-new-ed” .. so, wait a few days if first try fails.
VMware Server 1.0.7 released
A few days ago, VMware Server 1.0.7 has been released.
The update mainly cares about security issues:
- Security Fix for VMware ISAPI Extension
- Setting ActiveX killbit
- Security Fix for Local Privilege Escalation on Host System
- Update to Freetype 2.3.7
More info can be found in VMware’s Release Notes
Fixing Astaro 7.200 (when upgrade fails)
If upgrading from ASG 7.200 to newer versions fails, apply the following fix [as root]:
rpm -q ep-asg && cd /tmp && wget http://www.astaro.com/content/download/5618/51408/version/1/file/ep-asg-7.2-23.i686.rpm && rpm -Uvh /tmp/ep-asg-7.2-23.i686.rpm
More info at Astaro Knowledge Base Article #288713.
SUSE Linux 10.1 discontinued and out of support
SUSE Linux 10.1 has reached End of Life : /
Quote from the opensuse-security-announce mailing list:
With the release of an mysql security fix on August 13 we have released
the last update for SUSE Linux 10.1. (Actually 10.1 was discontinued on
May 31st, but the queue took a bit longer to flush from all updates.)
See: http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00004.html
Critical Bug in Joomla 1.5.5 (and older 1.5.x versions)
The password of the user with the lowest ID (typically an administrator) can be reset by an unauthorized user in Joomla 1.5.x installations prior version 1.5.6 because of a bug in the password remind functionality.
All 1.5.x installations prior to and including 1.5.5 are affected
The Joomla developer team advises to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file with the code below).
After global $mainframe; on line 113 of reset.php, add:
if(strlen($token) != 32) {
$this->setError(JText::_('INVALID_TOKEN'));
return false;
}
See: Joomla! Developer – Password Remind Functionality
suPHP 0.6.3 released / security fix
The latestet release of suPHP (v.0.6.3) has been published on Mar 30th, 2008.
It’s a security fix release eliminating two symlink race-conditions.
Users are strongly advised to update immediately.
Should I use DNSBL?
RBLs – yes / no.. a big discussion always..
Right now, I can recommend zen.spamhaus.org & ix.dnsbl.manitu.net (<- especially for german MXs).
I’ve never seen a false positive on these lists ..
Nevertheless, use the lists for scoring (i.e. with spamassassin), not for instant blocking!
Nowadays, prosecuting “backscatter”, sender callouts, etc. seems to be a new trend – and it could be useful in future..
I’ve tested the only free list I know – backscatterer.org.
Don’t you use that one for immediate blocking!
Scoring can be ok, but even there – watch your logs!
Some “hits” (from a test run) to show what I found:
…
2008-03-04 17:17:42 H=lizzard.sbs.de [194.138.37.39] – possible backscatter
2008-03-04 17:21:59 H=mail.space.net [195.30.0.8] – possible backscatter
2008-03-04 17:25:33 H=relay4.ptmail.sapo.pt [212.55.154.24] – possible backscatter
2008-03-04 17:32:46 H=relay23.arbeitsagentur.de [212.204.77.151] – possible backscatter
2008-03-04 17:33:38 H=mout1.mail.vrmd.de [81.28.224.19] – possible backscatter
2008-03-04 17:48:33 H=dgate1.fujitsu-siemens.com [217.115.66.35] – possible backscatter
2008-03-04 17:50:05 H=mailout05.sul.t-online.de [194.25.134.82] – possible backscatter
2008-03-04 17:51:27 H=relay0-0.brigade.com [209.249.158.73] – possible backscatter
2008-03-04 18:04:42 H=mailout07.sul.t-online.de [194.25.134.83] – possible backscatter
2008-03-04 18:11:21 H=bay0-omc2-s24.bay0.hotmail.com [65.54.246.160] – possible backscatter
2008-03-04 18:13:37 H=mail.space.net [195.30.0.8] – possible backscatter
2008-03-04 18:13:42 H=smtp1.versatel.nl [62.58.50.88] – possible backscatter
2008-03-04 18:15:29 H=mailout09.sul.t-online.de [194.25.134.84] – possible backscatter
2008-03-04 18:16:33 H=ip17.be3a.com (be3a.com) [213.92.9.17] – possible backscatter
2008-03-04 18:18:12 H=gamwsm02.mwga.mailwatch.com [216.157.255.16] – possible backscatter
2008-03-04 18:20:15 H=aps67.muc.ec-messenger.com [195.140.186.67] – possible backscatter
2008-03-04 18:22:56 H=mout1.mail.vrmd.de [81.28.224.19] – possible backscatter
2008-03-04 18:25:46 H=mail.gmx.net [213.165.64.20] – possible backscatter
2008-03-04 18:27:56 H=mail004.thyssenkrupp.com [149.211.153.66] – possible backscatter
2008-03-04 18:30:43 H=mailout04.sul.t-online.de [194.25.134.18] – possible backscatter
2008-03-04 18:33:06 H=mailout03.sul.t-online.de [194.25.134.81] – possible backscatter
2008-03-04 18:39:33 H=mail.gmx.net [213.165.64.20] – possible backscatter
2008-03-04 18:45:20 H=mail.schule.bayern.de [194.95.207.92] – possible backscatter
2008-03-04 18:48:56 H=skibayf20.kirche-bayern.de [141.78.101.100] – possible backscatter
…
A lot of the BIG players (german companies in this example mainly) are found on the list ..
So don’t get yourself in trouble with users that complain all day long and think about what you’re blocking ..
Any suggestion/comment ist highly appreciated.
Howto: Single Sign On with Squid Proxy and Active Directory
Tested on: openSUSE 10.2, Squid 2.6 <-> Windows Server 2003
Goal: User authentication should be possible without “extra login” on the squid proxy.
Here we go …
Continue reading Howto: Single Sign On with Squid Proxy and Active Directory