Category Archives: Security

DNS-Server bei FRITZ!Box umstellen

Getestet mit FRITZ!Box Fon WLAN 7170 & Firmware-Version 29.04.70
 
Wenn man etwas sucht, findet man schon einige Anleitungen, daher hier nur die Kurzfassung..
 
Telnet-Server auf der FRITZ!Box aktivieren (via Telefon):
#96*7* -> telnetd an
 
Via telnet konnektieren und mit dem Kennwort der Weboberfläche einloggen.
In der Konsole in das Verzeichnis /var/flash/ wechseln und mit nvi die Datei ar7.cfg bearbeiten.
Hier gibt es (bei meiner Box vier) Einträge für overwrite_dns.
Diese entsprechend anpassen (z.B. für OpenDNS):
  overwrite_dns1 = 208.67.220.220;
  overwrite_dns2 = 208.67.222.222;

 
Speichern, beenden und anschliessend die Box mit reboot neustarten.
 
Aus Sicherheitsgründen Telnet-Server auf der Box wieder deaktivieren:
#96*8* -> telnetd aus
 
Ob das ganze geklappt hat, sieht man bei OpenDNS z.B. beim Aufruf der Startseite.
Hier sollte jetzt ein Hinweis “You’re using OpenDNS!” angezeigt werden.
 
PS: Basics über den Texteditor vim (oder dessen Ableger) sollten vorhanden sein.

Prevent SSH Brute Force attacks

When checking logfiles, I often can see brute force attacks – especially against the ssh daemon.
Of course, best way would be to block all ssh traffic except from your office/home ip.
If this is not possible for various reasons, you can make life a little harder for “intruders” using iptables.
 
Aim:
If there are more than three connection attemps within 120 seconds,
all traffic from potential attacker to ssh port (tcp, 22) shall be blocked temporarily.
 

#!/bin/bash
#
IPTABLES=`which iptables`
#
### if more than three new connections in 120 sec -> log
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \
--rcheck --seconds 120 --hitcount 3 --rttl --name SSH -j LOG --log-level 7 \
--log-prefix "Possible SSH breakin attemp: "
#
### if more than three new connections in 120 sec -> drop requests
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 120 --hitcount 3 --rttl --name SSH -j DROP
#
### remember new, established connections
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \
--set --name SSH -j ACCEPT
#
### generally allow ssh connections
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
#
# ---
# -I INPUT .. -> iptables chain
# -i eth0 ... -> interface to apply rule to
# -p tcp .... -> use tcp port
# --dport ... -> destination port 22 (SSH)
# -m recent . -> matching state
# --state ... -> can be NEW, ESTABLISHED, RELATED or INVALID
# -rcheck ... -> will check if the source address of the packet is currently in the list
# ---

 
 
If it works, you should see entries like this in your firewall log
(i.e. in /var/log/firewall [ openSuSE ]):
 

Feb 28 15:14:20 cypher kernel: Possible SSH breakin attemp: IN=eth0 OUT= MAC=00:0c:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=123.xxx.xxx.xxx DST=223.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=52858 DF PROTO=TCP SPT=38220 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

SUSE Linux 10.1 discontinued and out of support

SUSE Linux 10.1 has reached End of Life : /

 
Quote from the opensuse-security-announce mailing list:

With the release of an mysql security fix on August 13 we have released
the last update for SUSE Linux 10.1. (Actually 10.1 was discontinued on
May 31st, but the queue took a bit longer to flush from all updates.)

 
See: http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00004.html

Critical Bug in Joomla 1.5.5 (and older 1.5.x versions)

The password of the user with the lowest ID (typically an administrator) can be reset by an unauthorized user in Joomla 1.5.x installations prior version 1.5.6 because of a bug in the password remind functionality.

All 1.5.x installations prior to and including 1.5.5 are affected

The Joomla developer team advises to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file with the code below).

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}


 
See: Joomla! Developer – Password Remind Functionality

Should I use DNSBL?

RBLs – yes / no.. a big discussion always..
Right now, I can recommend zen.spamhaus.org & ix.dnsbl.manitu.net (<- especially for german MXs).
I’ve never seen a false positive on these lists ..

Nevertheless, use the lists for scoring (i.e. with spamassassin), not for instant blocking!

Nowadays, prosecuting “backscatter”, sender callouts, etc. seems to be a new trend – and it could be useful in future..
I’ve tested the only free list I know – backscatterer.org.
Don’t you use that one for immediate blocking!
Scoring can be ok, but even there – watch your logs!

Some “hits” (from a test run) to show what I found:

2008-03-04 17:17:42 H=lizzard.sbs.de [194.138.37.39] – possible backscatter
2008-03-04 17:21:59 H=mail.space.net [195.30.0.8] – possible backscatter
2008-03-04 17:25:33 H=relay4.ptmail.sapo.pt [212.55.154.24] – possible backscatter
2008-03-04 17:32:46 H=relay23.arbeitsagentur.de [212.204.77.151] – possible backscatter
2008-03-04 17:33:38 H=mout1.mail.vrmd.de [81.28.224.19] – possible backscatter
2008-03-04 17:48:33 H=dgate1.fujitsu-siemens.com [217.115.66.35] – possible backscatter
2008-03-04 17:50:05 H=mailout05.sul.t-online.de [194.25.134.82] – possible backscatter
2008-03-04 17:51:27 H=relay0-0.brigade.com [209.249.158.73] – possible backscatter
2008-03-04 18:04:42 H=mailout07.sul.t-online.de [194.25.134.83] – possible backscatter
2008-03-04 18:11:21 H=bay0-omc2-s24.bay0.hotmail.com [65.54.246.160] – possible backscatter
2008-03-04 18:13:37 H=mail.space.net [195.30.0.8] – possible backscatter
2008-03-04 18:13:42 H=smtp1.versatel.nl [62.58.50.88] – possible backscatter
2008-03-04 18:15:29 H=mailout09.sul.t-online.de [194.25.134.84] – possible backscatter
2008-03-04 18:16:33 H=ip17.be3a.com (be3a.com) [213.92.9.17] – possible backscatter
2008-03-04 18:18:12 H=gamwsm02.mwga.mailwatch.com [216.157.255.16] – possible backscatter
2008-03-04 18:20:15 H=aps67.muc.ec-messenger.com [195.140.186.67] – possible backscatter
2008-03-04 18:22:56 H=mout1.mail.vrmd.de [81.28.224.19] – possible backscatter
2008-03-04 18:25:46 H=mail.gmx.net [213.165.64.20] – possible backscatter
2008-03-04 18:27:56 H=mail004.thyssenkrupp.com [149.211.153.66] – possible backscatter
2008-03-04 18:30:43 H=mailout04.sul.t-online.de [194.25.134.18] – possible backscatter
2008-03-04 18:33:06 H=mailout03.sul.t-online.de [194.25.134.81] – possible backscatter
2008-03-04 18:39:33 H=mail.gmx.net [213.165.64.20] – possible backscatter
2008-03-04 18:45:20 H=mail.schule.bayern.de [194.95.207.92] – possible backscatter
2008-03-04 18:48:56 H=skibayf20.kirche-bayern.de [141.78.101.100] – possible backscatter


A lot of the BIG players (german companies in this example mainly) are found on the list ..
So don’t get yourself in trouble with users that complain all day long and think about what you’re blocking ..

Any suggestion/comment ist highly appreciated.