Monday, February 23, 2015

My Ultimate .htaccess Recipe

About a year ago, I got really tired of seeing infinite "script not found or unable to stat (that's how you spell start, apache?) : xmlrpc.php" in my error logs. This file does not, did not, and will never exist on my server, yet bots from too many IP addresses to block would request it anyway, over and over... and over... 24/7.

So I turned to Google for a solution and discovered that .htaccess files can be pretty damn handy. Here is the .htaccess file of one of the servers I maintain, and explanations of what each directive does:

First, it's good to use custom error pages. Except for 404s, I like to send bogus error messages back to the user, because it throws attackers off. So, I have a friendly 404 page that explains that the page the visitor is looking for does not exist, and that it's totally my fault, with a link back home and the webmaster's (my) email address. All other common errors are sent to a generic "Error 696" page that explains that an undeclared error has occurred, and redirects them back home.
<Files *errorpage.php>
allow from all
</Files>

ErrorDocument 400 /errorpage.php
ErrorDocument 401 /errorpage.php
ErrorDocument 403 /errorpage.php
ErrorDocument 404 /404_errorpage.php
ErrorDocument 500 /errorpage.php
ErrorDocument 501 /errorpage.php


Next, we have mod_rewrite directives. Mod_rewrite kicks ass, and as you can see, I can use it to send requests of questionable nature to 'mytrap.php' (a script I found online, credit to author 'Inque187' for writing it! I wish I could find his page to link you to.) Mytrap.php grabs the attacker's IP address and adds a Deny from x.x.x.x to the end of the .htaccess file. This permanently bans the IP address, and with the custom error page, they get a bogus '696' error page forever after being greeted by mytrap.php's harsh "F*** You, Don't Come Again" page.

RewriteEngine On
RewriteRule ^cgi-bin /mytrap.php [NC,L]
RewriteRule ^cgi-bin/(.*)$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?cgi(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?chat(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?db(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?pma(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?rpc(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?xmlrpc(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?wp-login(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?ssh(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^xmlrpc\.php /mytrap.php [NC,L]
RewriteRule ^(/*.*)?admin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?config(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?manager(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?webdav(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?wp-content(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?cgibin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?phppath(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?xbxb(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?phpMyAdmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?myadmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?\.git(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?phpmyadmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?Admin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?webmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?cpanel(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?panel(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?restricted(.*/*)?$ /mytrap.php [NC,L]


Note: for all this to work properly, you need to make sure that the <Files> directive above allows access to the error pages. Otherwise, once an attacker gets banned, he gets a double 403: he is denied access to the error pages as well. That's not only not pretty, it's counterproductive. The code for mytrap can be found here, if you're interested. To be fair, I have modified it somewhat. The original code was slightly kinder to the attacker.
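Because each trap pattern above matches its keyword anywhere in the path, some legitimate URLs will be sent to mytrap.php too (a page called feedback.html contains "db", chatter contains "chat"). The Python harness below is an added example, not part of the original post or of mytrap.php: it parses RewriteRule lines, emulates the per-directory match (leading slash stripped, NC means case-insensitive) and reports which constructed sample paths a rule set would ban. The "anchored" rule set it compares against is my suggested tightening, not the author's file.

```python
import re

# Constructed excerpt of the trap rules shown above (same patterns as the post).
BROAD_RULES = r"""
RewriteEngine On
RewriteRule ^(/*.*)?db(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?chat(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?xmlrpc(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?wp-login(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?admin(.*/*)?$ /mytrap.php [NC,L]
"""

# Constructed alternative (my suggestion, not the author's): anchor each name to a
# whole path segment, so "feedback" or "chatter" no longer trips the trap.
ANCHORED_RULES = r"""
RewriteEngine On
RewriteRule ^(?:.*/)?xmlrpc\.php$ /mytrap.php [NC,L]
RewriteRule ^(?:.*/)?wp-login\.php$ /mytrap.php [NC,L]
RewriteRule ^(?:.*/)?(?:phpmyadmin|pma|admin)(?:/.*)?$ /mytrap.php [NC,L]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")


def parse_rules(htaccess):
    """Return (pattern, target, flags) for every RewriteRule line in the text."""
    rules = []
    for line in htaccess.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target, flags = m.groups()
        flagset = {f.strip().upper() for f in (flags or "").split(",") if f.strip()}
        rules.append((pattern, target, flagset))
    return rules


def first_match(rules, url_path):
    """First rule whose pattern matches, emulating mod_rewrite in a DocumentRoot
    .htaccess: the leading '/' is stripped before matching; NC = case-insensitive."""
    rel = url_path.lstrip("/")
    for pattern, target, flags in rules:
        if re.search(pattern, rel, re.IGNORECASE if "NC" in flags else 0):
            return pattern, target
    return None


def trapped(rules, url_paths):
    """Map each sample path to whether the rule set would send it to the trap."""
    return {p: first_match(rules, p) is not None for p in url_paths}


def false_positives(rules, legit_paths):
    """Legitimate paths a rule set would ban; check this before deploying patterns."""
    return sorted(p for p, hit in trapped(rules, legit_paths).items() if hit)


# Constructed sample requests: what scanners ask for, and what real visitors ask for.
SCANNER_PATHS = ["/xmlrpc.php", "/wp-login.php", "/admin/", "/blog/phpMyAdmin/index.php"]
LEGIT_PATHS = ["/index.html", "/feedback.html", "/chatter/2015.html",
               "/badminton-club.html", "/images/logo.png"]

if __name__ == "__main__":
    for name, text in (("broad", BROAD_RULES), ("anchored", ANCHORED_RULES)):
        rules = parse_rules(text)
        print(f"{name}: scanner paths trapped   = {trapped(rules, SCANNER_PATHS)}")
        print(f"{name}: legitimate paths banned = {false_positives(rules, LEGIT_PATHS)}")
```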

And of course, it is desirable to stop image 'hot-linking', because it consumes bandwidth. This works with mod_rewrite as well, and makes sure that if the HTTP Referer header points anywhere but my site, the request gets a 403 (or "696", in this case) error.

#hotlink kill

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?donotaccept\.tk/.*$ [NC]
    RewriteRule .*\.(gif|jpg|jpeg|png|js|css)$ - [F]

To get you started, here is a starter list of IP addresses that have tried funny stuff on my server over the last year or so:

Enjoy.

Tuesday, February 17, 2015

VPS Deploy (stable!)

This is a script I am working on. The point is to quickly secure and configure a VPS and install necessary software. The script will attempt to quickly guide the user through the process. I hate getting root passwords in the mail. Eventually this script should copy itself and automatically run on the target system to minimize the time that the server is sitting like a lame duck with port 22 wide open and the root password emailed in plain text...

The script should be placed in a directory with a sub-directory called "conf", containing your public key on one line in a file named "authorized_keys", and also your desired sshd_config file. The entire directory should be uploaded to the server with scp or similar. So the structure is:

/folder/ contains the script and the directory "conf"
Directory "conf" contains:
authorized_keys
sshd_config

I have not tested it yet. I am open to suggestions. Excuse my blog's formatting, this looked better in the terminal.

Updated 2/18/15 to reload open-ssh after configuration + fix format errors.

Updated again, removed many syntax errors (2/19/15) and simplified things. About to test it on a VM...

Updated 2/22/15: Script works great and is available on github: https://github.com/darkerego/vpsdeploy

Wednesday, February 11, 2015

OpenVPN: Something to Keep in Mind.

I initially called this a "potential vulnerability", but it's actually just something to be aware of. Always use the VPN IP when accessing the server. Duh. I have been trying to figure this out for a while. I have a few OpenVPN servers scattered across the cloud, and at least one of them has multiple IP addresses. A while ago, I noticed that when connected to the VPN, if I then SSH into that server, then the SSH connection appeared to be coming from my real IP address, and thus was not being routed through the VPN, like all my other traffic was. At first, I figured that was due to netstat not being able to show the VPN addresses:


anon@randombox~$ netstat | grep 2222

tcp        0    208 randomserver.example:2222 1.2.3.4              ESTABLISHED

But then I noticed that on one of the servers with dual IP addresses, the opposite thing was happening, and the ssh connection was being routed through the VPN, as it ought to be:

anon@randombox~$ netstat | grep 2222

tcp        0    208 randomnserver2.xx:2222 10.8.0.8:56789          ESTABLISHED

Checking my routing table, I realized the reason this happens is that any traffic destined for the VPN server's IP address will be routed through your default interface (i.e. the one you use when not connected to the VPN, let's say eth1):

anon@somebox:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
vpn.rando       192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0

So it seems that if you initiate an OpenVPN connection, and then access that same server on some other port, it will not be routed through the VPN, rather it will be treated as another VPN connection. Now, this is not a huge deal, as SSH is pretty secure, and any sensitive traffic should be sent using encryption. However, it could definitely break your privacy, and also opens up the possibility for other DNS or browser based exploits to occur. Personally, I do not trust my ISP or government, so I try to avoid using a direct connection whenever possible, and route my traffic overseas, into some other country that does not spy on civilians.

There are of course very easy solutions to this issue. You could simply tweak the iptables rules on your server to only allow ssh through the VPN (tun/tap) interface, or if you have multiple IP addresses on your server, you could simply connect to a different IP than the one your inbound VPN uses. I'm sure you could also alter the routing table on your PC, but I cannot think of a way that would work as of this moment, because this is kind of just how VPNs work.
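To see why the SSH connection to the VPN server's public address bypasses the tunnel, here is an added Python example (not from the original post) that parses a routing table like the one above and applies the kernel's longest-prefix rule to a few destinations. The VPN server's public address, shown as vpn.rando above, is stood in for by the constructed documentation address 203.0.113.10.

```python
import ipaddress

# Constructed stand-in for the "vpn.rando" host route shown in the post.
VPN_SERVER_PUBLIC = "203.0.113.10"

# Constructed copy of the routing table from the post, with the hostname replaced.
ROUTE_TABLE = f"""
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
{VPN_SERVER_PUBLIC}    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
"""


def parse_routes(text):
    """Parse `route` output into (network, gateway_or_None, iface) triples.
    Header lines and anything that is not an address/netmask pair are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        dest, gw, mask, _flags, _metric, _ref, _use, iface = parts
        dest_ip = "0.0.0.0" if dest == "default" else dest
        try:
            net = ipaddress.IPv4Network(f"{dest_ip}/{mask}", strict=False)
        except ValueError:
            continue  # column header line
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def lookup(routes, dest):
    """Kernel-style route selection: the most specific matching prefix wins.
    Returns (interface, gateway), gateway None for a directly connected network."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[2], best[1]


def leaks_outside_vpn(routes, dest, vpn_iface="tun0"):
    """True when traffic to dest leaves on the physical interface, not the tunnel."""
    return lookup(routes, dest)[0] != vpn_iface


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    # Constructed destinations: the VPN server's public IP (the SSH case from the
    # post), its tunnel-side address (the author's fix), and an arbitrary host.
    for dest in (VPN_SERVER_PUBLIC, "10.8.0.1", "8.8.8.8"):
        iface, gw = lookup(table, dest)
        print(f"{dest:>15} -> {iface} via {gw or 'link'}"
              f"{'  (outside the VPN!)' if leaks_outside_vpn(table, dest) else ''}")
```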

Perhaps a patch for OpenVPN could be written that ensures that only traffic destined for the VPN's gateway port is routed through the default interface. This way, you would not have this kind of leak.

Unleash Your Router's Power with OpenWRT

It is now 2015 and many cyber-security experts are predicting this will be a bad year for internet security. Many people have switched from insecure, proprietary software systems towards more secure open source operating systems on their PCs and phones. This is always a great move, but the weakest link in your network's security can likely be found at the source: your router.

After all, every packet that reaches each of your client devices first passes through your router. Thus, it seems to me that in a logical world, the router's security should be the primary concern of a good system administrator. If you can stop the bad packets before they ever reach your internal network, then your systems will be a lot safer. Surprisingly, this fact is often overlooked, at least in the non-technical populace.

A router, modem, or access point is an embedded system. These systems seldom get security updates, and are often used for long periods of time before they are replaced. Some of them (especially the router/modem/AP combo that Verizon or Comcast gave you), are insecure by design, containing backdoors that allow access to your network at any given time. If you are lucky, there may be a firmware update issued every year or so. But in my experience, the average person never even logs into their router to check if these updates are available. To make matters worse, typically router firmware is closed source, maintained by the company that built the device, and full of security holes. Seldom does a company ever update firmware on existing units yet to be sold, even when a serious exploit is discovered. Why should they care? If your router bricks on you, then you have to buy another router...

So the fate of embedded systems is often a dark one of becoming part of a bot-net, or maybe hosting a trojan, allowing unknown entities to spy on the owner's network traffic. Sometimes these entities are Russian hackers, sometimes they are the NSA, sometimes your own ISP, and sometimes they are the same entity or company that built the device, working with law enforcement, happily giving up their encryption keys for a bribe.

I suspect that this may have happened to me recently when my TP-Link WR841N got infected by some nasty piece of malware. I tried reflashing the official firmware over and over, but the virus remained. For a week or so my router sat in my closet, and I ordered a new one. The new router, a Netgear (can't remember the model) that cost me about $70, was even worse than my $20 TP-Link. Netgear firmware is definitively the worst firmware I have ever had the displeasure of using. It was completely dumbed down, and offered fewer features than the cheap TP-Link did. Only your Great Grandma would benefit from such simplicity. For example, it lacked the ability to act as a WPA2 client bridge. Only WEP was offered. Now again, this is 2015. Everyone knows that WEP is broken. Why the hell does a device sold in this day and age only offer WEP as a security option for a WDS system? Pathetic! Not to mention there is no reason in hell that could justify such lameness. That hardware is fully capable of acting as a WPA2 client bridge.

So I returned the Netgear router and finally tried installing OpenWRT on my bricked TP-Link. The only time I've ever been close to as happy with my router is when I was running DD-WRT a few years ago. Since ditching the stock firmware, virtually all of the odd things happening on my network stopped. No longer are there any questionable open ports on any devices, or unexplainable, hostile looking traffic showing up on Wireshark. Everything just works.

OpenWRT is an alternative, open-source, third-party firmware that runs on the Linux kernel. It greatly increases not only the security, but the functionality of your router. It allows you to be the one in control, and not the company that sold you the box. It has been developed almost entirely by volunteer developers seeking to make their systems and networks more secure, and help others to do so as well. The self-interest factor, which I have discussed before, goes a long way in the computer world. That is, if the same people who maintain a system are also the ones using it, there is an inherent self-interest to make sure the system works properly. This is not so much the case with proprietary software. They just sell the stuff... (Remember how none of the Philip Morris executives smoked cigarettes?) My $20 p.o.s. now has more functionality than some routers selling for over $150!

One of the challenges in developing alternative firmware for embedded systems like routers is the lack of sufficient ROM or flash to work with. My TP-Link only has 4 MB of flash and 32 MB of RAM. I have about 160 KB of ROM left after installing OpenWRT with the graphical interface, LuCI. Initially I ran into some trouble after first flashing it because I did not have a GUI to work with, as there was not enough space left to install LuCI. I suppose I was just feeling lazy, because I still had a perfectly good Linux shell to work with. But rather than doing it correctly and building the firmware myself, I found a working build packaged by someone else, with the GUI (LuCI) and all of the functionality the stock firmware provided (and more!). After uploading the firmware, I was able to connect the router to my main access point and use it as a client bridge, with no further configuration needed. But this build came from a questionable website, was downloaded over an insecure HTTP connection, and was also somewhat outdated. Soon enough, trusty Nmap was warning me that fishy things might be happening again. So this time I found a build on OpenWRT's HTTPS-secured forums, with the md5sum available, and I flashed that. But after performing a factory reset, I lost the 'out of the box' WPA2 client bridge functionality!

This time, I had to learn how to configure it myself, using the bare-bones ash shell over ssh. And God damn, am I happy. It was stupid easy to configure the router as a bridge once I found a tutorial and just did it. It was honestly easier and more effective to do so using the shell, rather than the LuCI GUI. Of course, having prior knowledge of how Linux works was very helpful. Perhaps even necessary, because if I had not switched to Linux on my PC two years ago, then chances are I never would have even heard of OpenWRT. Yeah, Unix-based systems do that... they encourage you to use your brain and figure out how computer systems in general work.

OpenWRT runs on a variety of devices. To find out if yours is supported, consult the Table of Hardware. With abundant predictions that this year will be a bad year for computer security, why risk running shitty, sub-par, outdated, and never-updated firmware on any of your internet-connected devices?

Tuesday, February 3, 2015

Reswap Revision

A while ago I wrote about turning off swap if you have enough RAM, for performance reasons. I realized that the original script I posted did not work very well. So, here is a simplified, effective way to empty your swap, thus gaining some system performance (because RAM is so much faster than hard disks).


    #!/bin/bash
    ## Reswap -- place in your $PATH as "reswap"
    ## to quickly empty your swap and gain some performance.
    ## Needs root for swapoff/swapon, and enough free RAM to hold
    ## everything currently swapped out, or swapoff -a will fail.
    set -e
    if [ "$(id -u)" -ne 0 ]; then
        echo "reswap: must be run as root" >&2
        exit 1
    fi
    echo "Killing swap."
    swapoff -a
    echo "Success. Reenabling..."
    swapon -a
    echo "Done"
    exit 0