RE: starting by iptable deny all of china is a good start. -…

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: plug-discuss
New-Topics: RE: starting by iptable deny all of china is a good start. - Re:OT?Linux-based trojans now targeting WRT and other linux-based routers
Subject: RE: starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers

Unfortunately, a scan like nmap or netcat can trivially use random or source choice IP.

So a distributed denial of service (and more than a few script kiddie bots and toolz) originate from Chinese source addresses.

The real scanner is actually behind the proxy watching it all ready for the all important moment when the results don't equal null and he can reset your firmware with his own.

Some of the fun items that his firmware can include are:

1) Javascript XSS tunnel browser exploit for whoever maintains the router.
2) All remote management to a list of his IPS.
3) Port forward certain packets outbound to certain IP's to another place.
4) Allow for sniffing of internal router packet traffic (all clear text email, etc.)
5) Allow for sniffing and decrypt via ettercap and john of encrypted traffic (passwords, etc.)
6) Create a ipsec tunnel or VPN.
7) It will usually remove certificates or help files to do this, and often one will see very quickly the "real" web based forms, during save.

The only thing you will notice are network slowage, router reboots, and if you are slightly saavy, fantom ports opening and system that are strangely changes (Bonobo suddenly being implemented for instance).

Your linux system is going to have all the binary changed via RootInABox and files low level iode changes, so you probably won't even see them via MidnightCommander.

You are pwned = just keep ignoring it all; keep pretending that it's a nice secure Matrix world?

Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM

> From: 
> To: 
> Subject: RE: starting by iptable deny all of china is a good start. - Re:OT?    Linux-based trojans now targeting WRT and other linux-based routers
> Date: Mon, 30 Mar 2009 23:31:03 -0700

>
> If you should never get a request outside the US why should you look any
> further to deny it? This is not complete protection by any measure but it
> makes an easy first step. I used to go one step further and block my
> dynamic hosted websites (where you don't get to mess with iptables) from
> being touched by people out side their target zone (usually US and Canada).
> It immediately cuts the number of admin.php request by more then half ;)
>
> That said you still need additional protection for ips you do allow through
> to the next set of rules.
>
> -----Original Message-----
> From:
> [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Craig
> White
> Sent: Monday, March 30, 2009 8:39 AM
> To: Main PLUG discussion list
> Subject: Re: starting by iptable deny all of china is a good start. - Re:OT?
> Linux-based trojans now targeting WRT and other linux-based routers
>
> On Mon, 2009-03-30 at 08:30 -0400, wrote:
> > And how do I:
> > "starting by iptable deny all of china" ?
> >
> > I can figure out the "iptable" part, it is the "china" part (and other
> > possible places where I know I will only get spam from) that I am
> > unaware of...
> ----
> I do not believe that this is constructive thinking. It's easy enough for
> someone in China to use a computer somewhere else as a base for operations
> and that security doesn't come from just arbitrarily picking ranges of ip
> addresses to block. Security would necessarily require effectiveness from
> virtually everywhere - possibly even your own 'trusted' lan.
>
> Spam control on the other hand doesn't rely much on iptables at all but
> rather many layers of implementation such as RBL's, greylisting (optional
> but effective), spamassassin, smtp level restrictions and more.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


_________________________________________________________________
Express your personality in color! Preview and select themes for Hotmail®.
http://www.windowslive-hotmail.com/LearnMore/personalize.aspx?ocid=TXT_MSGTX_WL_HM_express_032009#colortheme---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss