starting by iptable deny all of china is a good start. - Re:OT?Linux-based trojans now targeting WRT and other linux-based routers

Bryan O'Neal boneal at cornerstonehome.com
Tue Mar 31 00:04:57 MST 2009


I agree that you can and will get attacked from US addresses, that may or
may not be US machines. However, I am still failing to see the problem with
block-denying a large address range. For example, if I am getting 1000 port
scans a day from various China addresses, why would I not start by denying
those addresses and then move on to other rules?  Just because it is not a
100% solution does not mean it is not a good idea to easily trim off the top
80% of your attacks before dealing with the remaining 20% in a more
intelligent manner.
As for being pwned, well, it is possible he was already compromised, in which
case there is nothing you can do but wipe out the old and bring in the new.
I have a friend who compared a compromised system to dropping your favorite
fork in a pile of feces: no matter how well you clean it, you'll never feel
comfortable eating with the fork again.  And since formatting/replacing a
drive and reloading the OS is so easy (even on most embedded devices), it
should be done if you have the slightest inclination of being owned.
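An added example of the "deny a large address range" step being argued about above (editor's code, not from anyone in this thread). It keeps the blocklist in an ipset and hooks it into iptables with a single rule, validates every CIDR so a corrupt list cannot turn into an over-broad match, and drops only NEW inbound connections so replies to traffic you started are not cut off. The CIDR values, the set name geo_blk and the helper names (valid_cidr, gen_rules, count_entries) are all constructed for the example; the list is not a real country allocation. For real use, feed in current delegation data from the regional registry (APNIC publishes a delegated-apnic-latest file) and regenerate it on a schedule. As the rest of the thread notes, this only trims unsolicited noise: a scanner can spoof or proxy its source address, so the remaining rules still have to hold on their own.

```shell
#!/bin/sh
# Added example (not code from the thread): keep a bulk source-address
# blocklist in an ipset and hook it into iptables with one rule, instead
# of one iptables rule per CIDR. The CIDR list below is constructed for
# illustration only; it is NOT a China allocation. In practice feed in
# the current delegation data from the regional registry and regenerate.
set -eu

# Constructed sample blocklist, one CIDR per line, with one deliberately
# malformed entry to show that bad lines are rejected rather than applied.
SAMPLE_BLOCKLIST='10.20.0.0/16
192.0.2.0/24     # comments and whitespace are tolerated
198.51.100.0/24
not-a-cidr
'

# Accept only dotted-quad/prefix-length entries. A corrupt or truncated
# download must never turn into a rule that matches more than intended.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    plen=${1#*/}
    case "$ip" in
        *[!0-9.]*) return 1 ;;        # digits and dots only (also no globs)
    esac
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip                        # positional params are local to the function
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;  # rejects empty octets like 10..0.0
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read CIDRs on stdin and emit the ipset/iptables commands for set $1 on
# stdout, reporting rejected lines on stderr. Emitting text rather than
# executing directly lets you review or diff the ruleset before applying it.
gen_rules() {
    setname=$1
    printf 'ipset -exist create %s hash:net\n' "$setname"
    printf 'ipset flush %s\n' "$setname"
    while IFS= read -r line; do
        line=${line%%#*}                              # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')     # strip whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'ipset -exist add %s %s\n' "$setname" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    # Drop only NEW inbound connections from the set. Matching on state
    # means replies to connections you initiated (DNS, package mirrors)
    # are not collateral damage if one of those hosts lands in the list.
    printf 'iptables -I INPUT 1 -m set --match-set %s src -m conntrack --ctstate NEW -j DROP\n' "$setname"
}

# Count how many entries made it into the set (sanity check against the
# size of the source file before applying).
count_entries() {
    grep -c '^ipset -exist add ' || true
}

# Preview by default; pass --apply to execute the generated commands.
# The set name "geo_blk" is a hypothetical choice for this example.
case "${1:-}" in
    --apply) printf '%s' "$SAMPLE_BLOCKLIST" | gen_rules geo_blk | sh -e ;;
    *)       printf '%s' "$SAMPLE_BLOCKLIST" | gen_rules geo_blk ;;
esac
```

Run it without arguments to see the commands it would issue (the malformed line is reported on stderr and skipped); run it with --apply as root on a box that has ipset and iptables installed. Because the set is flushed and refilled rather than the chain being rewritten, regenerating from a fresh registry file does not disturb the rest of your ruleset.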

  _____  

From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Lisa
Kachold
Sent: Monday, March 30, 2009 11:48 PM
To: plug-discuss at lists.plug.phoenix.az.us
Subject: RE: starting by iptable deny all of china is a good start. -
Re:OT?Linux-based trojans now targeting WRT and other linux-based routers


Unfortunately, a scan like nmap or netcat can trivially use a random or
chosen source IP.

So a distributed denial of service (and more than a few script kiddie bots
and toolz) originates from Chinese source addresses.

The real scanner is actually behind the proxy, watching it all, ready for the
all-important moment when the results don't equal null and he can reset your
firmware with his own.

Some of the fun items that his firmware can include are:

1) JavaScript XSS tunnel browser exploit for whoever maintains the router.
2) All remote management to a list of his IPs.
3) Port forward certain packets outbound to certain IPs to another place.
4) Allow for sniffing of internal router packet traffic (all clear-text
email, etc.).
5) Allow for sniffing and decrypting via ettercap and john of encrypted traffic
(passwords, etc.).
6) Create an IPsec tunnel or VPN.
7) It will usually remove certificates or help files to do this, and often
one will see very quickly the "real" web-based forms during save.

The only things you will notice are network slowness, router reboots, and, if
you are slightly savvy, phantom ports opening and systems that are strangely
changed (Bonobo suddenly being implemented, for instance).

Your Linux system is going to have all the binaries changed via RootInABox and
low-level inode changes to files, so you probably won't even see them via
Midnight Commander.

You are pwned = just keep ignoring it all; keep pretending that it's a nice
secure Matrix world?

Obnosis <http://www.obnosis.com/>  | (503)754-4452
PLUG <http://plug.phoenix.az.us>  Linux  <http://uat.edu/> Security
Labs 2nd Saturday Each Month at Noon - 3PM

> From: boneal at cornerstonehome.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: RE: starting by iptable deny all of china is a good start. -
Re:OT? Linux-based trojans now targeting WRT and other linux-based routers
> Date: Mon, 30 Mar 2009 23:31:03 -0700
> 
> If you should never get a request from outside the US, why should you look any
> further to deny it? This is not complete protection by any measure, but it
> makes an easy first step. I used to go one step further and block my
> dynamic hosted websites (where you don't get to mess with iptables) from
> being touched by people outside their target zone (usually US and
> Canada).
> It immediately cuts the number of admin.php requests by more than half ;)
> 
> That said, you still need additional protection for IPs you do allow
> through to the next set of rules.
> 
> -----Original Message-----
> From: plug-discuss-bounces at lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Craig
> White
> Sent: Monday, March 30, 2009 8:39 AM
> To: Main PLUG discussion list
> Subject: Re: starting by iptable deny all of china is a good start. -
Re:OT?
> Linux-based trojans now targeting WRT and other linux-based routers
> 
> On Mon, 2009-03-30 at 08:30 -0400, kitepilot at kitepilot.com wrote:
> > And how do I:
> > "starting by iptable deny all of china" ? 
> > 
> > I can figure out the "iptable" part, it is the "china" part (and other 
> > possible places where I know I will only get spam from) that I am 
> > unaware of...
> ----
> I do not believe that this is constructive thinking. It's easy enough for
> someone in China to use a computer somewhere else as a base for operations,
> and security doesn't come from just arbitrarily picking ranges of IP
> addresses to block. Security would necessarily require effectiveness from
> virtually everywhere - possibly even your own 'trusted' LAN.
> 
> Spam control on the other hand doesn't rely much on iptables at all but
> rather on many layers of implementation such as RBLs, greylisting (optional
> but effective), spamassassin, SMTP-level restrictions and more. 
> 
> Craig
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



