Proof that UPnP on home routers is bad
January 14, 2008
I have said for years that it is a bad idea to enable UPnP on systems that protect your local network and/or PC from the internet. With UPnP any program on your PC is able to open “firewall” ports on your home router without requiring any user interaction. UPnP may have its purpose for streaming media within a secure network, which I’m not totally convinced of anyway, but letting any malicious or badly written program open your PC/network to the whole internet is plain stupid. Ok, this has all been known for years – so why this post now?
Some folks at GNU Citizen have created a Flash swf file capable of opening ports into your network simply by visiting a malicious URL. This is done via the UPnP functionality common home routers provide. As Flash is installed on the majority of personal computers this is a significant attack vector, especially since a “flash ad” can be inserted quite easily into trusted websites or by hacking such a website.
As this is not a new threat I can just repeat my usual advice when it comes to setting up a home router:
- Unbox
- Throw the disk away
- Plug in your machine, turn on the router and navigate to the web GUI
- Turn off UPnP
- Change default name and password, set WPA-PSK
- Check that remote management is disabled
- ….
Bruce Schneier is wrong about unencrypted WLAN!
January 12, 2008
Bruce is right with many statements, but his last one (Steal This Wi-Fi) is just populist and tries to provoke people. People with an understanding of this topic will see that and take it the right way, but not the ones who have a default setup of an access point / router running at home. They heard in the media that they have an insecure setup at home, and hopefully thought about changing that – but now a security expert tells them that’s not needed. He is simplifying the whole topic and forgetting some important points.
Most users who have an unencrypted WLAN also have an insecure PC at home. What is easier for them to do? Make a Windows system secure beyond activating the automatic updates, or log in to their router, change the password and configure the WLAN to be encrypted with a 20 character long password?
Sure, this still leaves the attack vector via malicious websites and emails, but it is a start, and a drive-by attack is now much more complicated. Would a secure computer help? Sure, but is it realistic?
Bruce also writes about his dear neighbors, who may need his internet access. Some thoughts about this. Not all neighbors are your friends – just talk to your friends and ask them if all their neighbors are their friends. If you like your neighbors, why not set up an encrypted WLAN, tell them the password and share the costs of the internet connection with them. That helps everyone – except the ISP 😉
But let’s look more at his technical points. He says that he is as secure on his unencrypted WLAN at home as at a public hotspot. Public access points normally allow no direct communication between clients. In infrastructure mode all traffic, even between two clients, needs to be relayed by the access point, and in a public access point setup it just makes no sense to activate this feature. Due to the limited address space of IPv4 almost all public access points will provide only local IP addresses which are then masqueraded to one global IP address. Due to these facts it is possible to sniff the packets from and to the clients, but it is not possible to initiate a direct communication to a client.
But still I would not do my e-banking via a public hotspot. Sure, I trust my notebook and the CAs I’ve installed, and I think the current version of SSL is secure. But still I would not do it. Call me paranoid, but it is different to do something like this at home or at a public hotspot.
I believe in layered security. Bruce writes in this commentary that one layer of security is enough (the one of his PCs). I can’t believe that he really means that. If you want to provide yourself with plausible deniability then use 2 separate WLANs: one that is unencrypted and provides only access to the internet, and one that’s encrypted with WPA and at least a 20 character long password, as a passive dictionary attack is possible on WPA. Within this network you and your family can work behind a first line of defense. That is a similar setup to the one FON provides, which he mentions in his commentary. So why should someone like Bruce use the unencrypted network for himself?
Besides these technical points someone also needs to look at the legal ones. He writes about the situation in the US, which is quite different from the laws in Europe, e.g. a German court ruled that the owner of a WLAN is required to make and keep it secure (German).
And I won’t talk about the problems you get into if the police raid your home, even if they don’t find anything, and the gossip this leads to in your village.
PPTP DSL Linux mini howto
I live in Austria and the only broadband Internet connection (not including the UMTS stuff) I can get is from Telekom Austria; it is PPTP based and I’m using AON as provider. I often hear from new guys in the LUGT (Linux User Group Tirol) that it is hard to set it up with Linux. It is not! I will explain here how to set up a PPTP tunnel to an Alcatel Speed Touch Ethernet modem on a Debian based distribution.
First we need to install some packages:
# apt-get install ppp pptp-linux
Then we need to set the following IP on the network interface which is connected to the modem:
10.0.0.1/255.255.255.0
After this is done the following should work:
ping 10.0.0.138
If not, check that the LED for the LAN connection on the modem is on and that you’ve configured your interface correctly with “ifconfig”. It is now possible to use something like knet or kppp to make the tunnel, but I describe here the manual way (for a small Linux server/router). Create a file
/etc/ppp/peers/aon with the following content:
user your_long_aon_number (e.g. 49373880000)
noipdefault
defaultroute
hide-password
connect /bin/true
noauth
persist
debug
And /etc/ppp/pap-secrets with the following:
49373880000 aon secret_password
Replace the number above with your own. If you’ve done this, you just need to type the following to make the connection:
# pptp 10.0.0.138 call aon
As this connection should be persistent we need to add a failsafe script which monitors the pppd daemon. With this reconnect script, which I have had running for > 5 years, I never had problems: even if the tunnel stalled it was discovered and the tunnel re-established. The content of the /usr/local/sbin/reconnect script is:
#!/bin/bash
# Tear down whatever is left of a stalled tunnel: first ask pppd and pptp
# to terminate, then force it with SIGKILL if they are still around.
/usr/bin/killall pppd 1>/dev/null 2>/dev/null
/bin/sleep 3
/usr/bin/killall pptp 1>/dev/null 2>/dev/null
/bin/sleep 3
/usr/bin/killall -9 pppd 1>/dev/null 2>/dev/null
/usr/bin/killall -9 pptp 1>/dev/null 2>/dev/null
# Remove pptp's stale state file for the modem before dialing again.
/bin/rm /var/run/pptp/10.0.0.138 1>/dev/null 2>/dev/null
/bin/sleep 2
# Re-establish the tunnel with the "aon" peer definition from /etc/ppp/peers/aon.
/usr/sbin/pptp 10.0.0.138 call aon
and in the crontab I have:
# m h dom mon dow command
0,30 * * * * ping -c 2 195.58.160.194 > /dev/null || ping -c 2 195.58.161.122 > /dev/null || /usr/local/sbin/reconnect
DMZ on SOHO routers is a joke!
January 10, 2008
If I talk to people with a DSL router/NAT they sometimes tell me they have placed a PC or gaming console into a DMZ (demilitarized zone) and now they are secure. When I hear something like this I am on the brink of crying. Why?
First let’s take a look at how these routers make their version of a DMZ. You specify the IP address of the device which should be in the DMZ. Basically that’s it. This IP address is from the same subnet as your other internal devices, which should be protected from the systems in the DMZ. But this is not the case in this scenario! Why? The device in the DMZ can communicate with the devices in the internal network – which is the same network anyway – without any filtering by a firewall. In theory it would be possible with a filtering bridge (layer 2), but on the SOHO routers I checked it’s just an internal switch. As their version of a DMZ cannot protect your internal network from your DMZ devices if they get compromised, you are under the false impression of being secure.
How to make a secure DMZ setup with a SOHO router?
I recommend installing OpenWrt on your router if you’re fit enough with Linux. You can then specify (at least on the Linksys WRT54GL routers I always buy/recommend) which VLAN should be untagged on which switch port (the Linksys has an internal 6-port switch – 1 port for the CPU, 1 for the uplink and 4 for devices). After you’ve specified the VLANs you can configure separate subnets for the internal network and the DMZ. After that configure the firewall rules so that only the internal network can initiate connections to the DMZ, but not the other way round.
The problem with this setup is that it requires a lot more knowledge than the wrong version above, and the described solution is therefore not feasible for the majority of users. Anyway, this post should at least show the users of such a DMZ the design flaws in their DMZ. And maybe, just maybe, some SOHO DSL router manufacturer will create a real DMZ feature.
This is my first blog entry in the IT security segment, so please tell me what you think about it. Thx.
Simple SNMP service for a remotely monitored Linux Server
January 3, 2008
I thought for some time that it is complicated to set up an SNMP daemon so a monitoring solution can read out critical information about the server, but it is not. Here is a really simple setup that works fine with my monitoring solutions (e.g. Zenoss).
First you need to install the SNMP daemon and activate it for automatic launch. For CentOS do the following:
# yum install net-snmp
# /sbin/chkconfig --level 345 snmpd on
and for Ubuntu/Debian:
# apt-get install snmpd
and remove the 127.0.0.1 from /etc/default/snmpd, so that snmpd does not listen on localhost only.
After that you just need a single line in /etc/snmp/snmpd.conf:
# cat > /etc/snmp/snmpd.conf
rocommunity secretcommunityname x.x.x.x
Where secretcommunityname is a secret name you need to choose and x.x.x.x is the IP address of the monitoring server which should read the values. Don’t forget to allow this service through the firewall:
# iptables -A INPUT -s x.x.x.x -p udp --dport 161 -m state --state NEW -j ACCEPT
# iptables -A INPUT -s x.x.x.x -p tcp --dport 161 -m state --state NEW -j ACCEPT
How to activate automatic updates for a Debian based distribution?
December 31, 2007
I’m running many VEs (virtual environments) on some OpenVZ servers. A Linux distribution within a VE has no kernel of its own and I can always access a VE from the hardware node, so I thought it is safe to update them automatically every day. But they should not do the update at the same time (more than one runs on the same physical server), and if an error occurs I would like to get an email. Sounds not that easy, but it is. Just do the following:
# apt-get -y install cron-apt
# cat > /etc/cron-apt/action.d/9-dist-upgrade
dist-upgrade -y -V -u -o Dpkg::Options::=--force-confold
and you’re done. If you’ve configured the root mail alias to the right address you get a mail if something didn’t work. cron-apt waits a random amount of time when started by cron before it starts calling apt-get – so we are done. I’ve had this setup running for some years now without ever having a problem with it. I use it for Debian Sarge and Etch and Ubuntu Dapper 6.06 LTS.
How to read a RAID1 hard disk if you can’t use the RAID Controller?
December 30, 2007
I had the following problem:
A 3ware RAID controller got destroyed after a power surge and I needed to read the data on the RAID without waiting for a replacement controller. I therefore attached one of the hard disks via a USB adapter (PATA/SATA to USB2) to my notebook. The problem now is that a RAID controller uses some blocks at the beginning of the disk for itself, which leads to the problem that the partition table is not found by the Linux kernel.
Solution:
I used LDE (the Linux Disk Editor) to find out how many blocks are used by the RAID controller. My 3ware controller used 0x200 = 512 blocks of 1024 bytes = 524288 bytes offset. I therefore created a loopback device with this offset:
# losetup -o 524288 /dev/loop0 /dev/sdb
and I checked if the partition table is readable via:
# fdisk -l /dev/loop/0
Disk /dev/loop/0: 160.0 GB, 160041361408 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot    Start     End    Blocks  Id  System
/dev/loop/0p1           1     249     2000061  82  Linux swap / Solaris
/dev/loop/0p2   *     250    1494   10000462+  83  Linux
/dev/loop/0p3        1495   19457  144287797+  83  Linux
Looks good, but mounting didn’t work directly and I didn’t have the time to look into it in more detail (maybe udev didn’t create the /dev entries); it was important to get the data off the disks as fast as possible. So I just removed the loopback device with
# losetup -d /dev/loop0
and started to do some math. The swap partition was of no use, I needed only the two ext3 partitions. I calculated the offset of the first of these partitions this way: 249 units of 8225280 bytes each, plus of course the RAID controller offset:
249*8225280 + 524288 = 2048619008
with this I did the mounting like this:
# losetup -o 2048619008 /dev/loop0 /dev/sdb
# mount -r /dev/loop0 /tmp/1
and for the second ext3 partition:
1494*8225280 + 524288 = 12289092608
# losetup -o 12289092608 /dev/loop1 /dev/sdb
# mount -r /dev/loop1 /tmp/2/
I hope this helps someone in a similar situation as I was.
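The offset arithmetic above generalised into a small script, added here and not part of the original post: it parses the fdisk listing (a constructed copy of the one shown), applies the controller offset the author measured with LDE, and produces the losetup commands for every non-swap partition. The raw disk name /dev/sdb is the one from the post.

```python
# Added example, not from the original post: compute losetup offsets for
# partitions on a disk whose RAID controller keeps private blocks at the
# start. Input is the fdisk listing from the post (constructed copy);
# CONTROLLER_OFFSET is the 3ware value the author measured with LDE.
import re

CONTROLLER_OFFSET = 512 * 1024  # 0x200 blocks of 1024 bytes = 524288

# Constructed copy of the "fdisk -l /dev/loop/0" output from the post.
FDISK_OUTPUT = """\
Disk /dev/loop/0: 160.0 GB, 160041361408 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot    Start     End    Blocks  Id  System
/dev/loop/0p1           1     249     2000061  82  Linux swap / Solaris
/dev/loop/0p2   *     250    1494   10000462+  83  Linux
/dev/loop/0p3        1495   19457  144287797+  83  Linux
"""

def parse_fdisk(text):
    """Return (unit_bytes, [(device, start, end, id), ...]) from fdisk -l."""
    unit = int(re.search(r"Units = .* = (\d+) bytes", text).group(1))
    parts = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\*?)\s*(\d+)\s+(\d+)\s+(\d+)\+?\s+(\w+)", line)
        if m and line.startswith("/dev/"):
            dev, _boot, start, end, _blocks, pid = m.groups()
            parts.append((dev, int(start), int(end), pid))
    return unit, parts

def partition_offset(start_unit, unit_bytes, base=CONTROLLER_OFFSET):
    """Byte offset into the raw disk: fdisk units are 1-based, so the
    partition starting at unit N begins after N-1 full units, plus the
    controller's private area that shifted the whole partition table."""
    return (start_unit - 1) * unit_bytes + base

def losetup_plan(fdisk_text, raw_disk="/dev/sdb", skip_ids=("82",)):
    """One (device, offset, losetup command) per partition worth mounting.
    Swap (id 82) is skipped as the author did; loop devices are numbered
    in order, matching /dev/loop0 and /dev/loop1 in the post."""
    unit, parts = parse_fdisk(fdisk_text)
    plan = []
    for dev, start, _end, pid in parts:
        if pid in skip_ids:
            continue
        off = partition_offset(start, unit)
        plan.append((dev, off, f"losetup -o {off} /dev/loop{len(plan)} {raw_disk}"))
    return plan
```

Mount the result read-only (mount -r) exactly as in the post, since a wrong offset on a writable mount would corrupt the only copy of the data.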
Goals and purpose of this blog
This blog is about Linux (and open source in general), IT security, tips and tricks and, if possible, some off-topic stuff. I define Linux in this case as the whole ecosystem which is built around the Linux kernel. Still too fuzzy?
In my spare time I often write small scripts which help me to save time. These are often small scripts, but even the medium-sized ones (at least in the beginning) are too small for a dedicated project page (e.g. on SourceForge) like I made for ignis or cdemu. I especially don’t know if anyone is interested in them and/or what additional features and functionality are needed. In this blog I can just post them, attach the source to the post and see if they are interesting for others.
In my daily life I also come across problems where I’m not able to find HowTos or good solutions by simply searching in Google. Maybe it’s because I’m not entering the correct search terms ;-). In these cases I will post the problem and solution in this blog so Google will hopefully find it for others who search with the same terms I do.
This blog should also be the place which links my various online stuff together, and hence provide it with a higher PageRank in Google and make all of my stuff easier to find for others.
The above topics are mostly about making stuff, which I would have also done without this blog, more easily accessible for others, and they will be the major part of the blog’s content (at least in the beginning); the following topics are more likely to generate content explicitly for this blog.
IT security has interested me since my time at university – my master’s thesis with the topic “Analysis and design of a SIM based authentication solution for WLAN” was also in this field. As you see I have quite an interest in this field, and I therefore thought it should be fun to blog about it. There won’t be many articles, as I’m not thinking about just linking to other information and saying “Yeah, they’re right”.