44net

44net@mailman.ampr.org

3194 discussions

Re: [44net] IPv6
by Rob Janssen 01 Oct '16

01 Oct '16

> Currently many routers (I’ve tested and written a tutorial on Ubiquiti, and OpenWRT) allow you to set the subnet you want. In addition to that, some ISPs have pages that have details on how to do this in FreeBSD, OpenBSD, Gentoo, Windows, Cisco, etc. Of course, the modem / router / switch / access point provided by the ISPs may not allow you this, but it’s certainly possible. In the MikroTik routers quite popular in amateur networking, and also in the AVM Fritz!box routers that my ISP provides, it is not possible to do this when DHCPv6-PD is used. (it is possible when static IPv6 addresses are used as is done by some ISPs) There is an open feature request at MikroTik to implement something like you depict in your tutorial, but currently it is not there. Rob

2 1

Re: [44net] IPv6
by Rob Janssen 01 Oct '16

01 Oct '16

> The good thing about IPv6 is that due to the large address space it's > possible to make it mandatory to encode the callsign in the last 64 bits > of the address. This eliminates the problem that we have in IPv4 of > trying to trace back which callsign is behind an IP. I think it basically is a good idea, but it needs to be more flexible. We would like to be able to derive the callsign from the IP, but there should be no 1:1 mapping between callsign and IP, because that would mean only a single system can be online for each callsign. The standard should leave some bits (at least 8) available for use as "SSID" as we had in the packet days (callsign-1 callsign-2 etc), maybe also with some encoding of alphanumeric values. Rob

4 5

IPv6
by Dani EA4GPZ 01 Oct '16

01 Oct '16

Hi all, Sorry for the slight off-topic. I'm testing in my systems the idea of using IPv6 for Amateur Radio. My idea is to use some way of encoding the callsign in the IPv6 address. I'm using this proposal in my systems: https://github.com/darconeous/ham-addr/blob/master/ham-addr.txt.md Certainly, there are several other proposals that could be used. The good thing about IPv6 is that due to the large address space it's possible to make it mandatory to encode the callsign in the last 64 bits of the address. This eliminates the problem that we have in IPv4 of trying to trace back which callsign is behind an IP. The idea is to make some sort of whitelist of globally routable subnets that are using some way of encoding the callsign into the IPv6 (I would like to allow for the admin of a net to choose the encoding he wants to use). This whitelist can then be used in a firewall for several things: allowing access to some services to Amateurs only or deciding if a packet is fit to be routed by an RF link (for instance, one could require that the source and destination have both their callsigns encoded in their IPv6's). I'm using the subnet 2001:470:6915:8000::/49 for these tests. If someone has IPv6 connectivity and wants to try, there's a mumble server and a DX cluster (telnet port 7300) at ea4gpz.destevez.net (its IPv6 has the callsign EA4GPZ-Z encoded). The long term goal would be to have something similar to the 44net but where each user is using subnets allocated directly from their ISP instead of having a large block for amateurs (like the 44.0.0.0/8). Connectivity between different amateur subnets would run over the IPv6 internet instead of using a mesh VPN (as the IPIP mesh of 44net). The whitelist could be used to decide which IPv6's are amateur and get "special treatment". I have a longer text describing these ideas, but it's in Spanish. I'll translate it and put it somewhere, but I want to keep this email short enough. So, is anyone doing something similar already? I would like to get some subnets into the whitelist, so I can test how well this works. Questions, suggestions, comments? Anyone interested in joining these tests? 73, Dani EA4GPZ.

1 0

Re: [44net] Security - Telnet (port tcp/23)
by Rob Janssen 01 Oct '16

01 Oct '16

> the "Iot" is quite a culprit..I am constantly probed and attacked by > routers, refrigerators, and many, many so-called "smart > TV's"...sometimes, when I'm bored, I shut them off...it gives me a > tickle to think of someone botting away and abruptly being shut > down...but the poor, unknowing customer is the one who suffers...I've > got to wonder if they even notice their appliance is acting strangely, > or laggy, and why... > this would best be fixed at the manufacturers end.. At least half of the problem is the refusal of ISPs in general to implement BCP38. When there would be source address filtering, we would not see all the backscatter (DNS replies mainly). Then there are shodan.io and a lot of other "research" systems. I keep a blacklist to drop all their traffic, but of course it still arrives at the router. They usually offer unlisting the network, but at least in the case of shodan.io this is completely fake. A day or a week later they just resume. Finally we all know about the cheap virtual Linux cloudhosting companies like AWS, Linode, etc. Probably half blackhats, half sincere users don't even know that they got hacked. After all, Linux is secure so you don't have to think about that. Rob

1 0

Re: [44net] Security - Telnet (port tcp/23)
by Rob Janssen 30 Sep '16

30 Sep '16

> The unanswered SYN traffic to port 23 is much, much more. Especially before the "allow only > registered hosts" filter. We are dropping around 80 Mbyte/day of traffic for our /16 subnet due > to the address not being registered, so that would be about 20 GByte/day for amprgw.... Of course it is way more than that. I forgot that the about count is only for the subnets within our /16 that are actually routed. That is about 1/5 of our space. So the total "noise" traffic is more like 400 MB/day and would be like 100 GB/day for the entire AMPRnet. Rob

4 4

Re: [44net] Security - Telnet (port tcp/23)
by Rob Janssen 30 Sep '16

30 Sep '16

> I usually allow remote access (SSH, RDP, etc...) through VPN only. > When access from Internet is absolutely required (because it's not > possible to have a VPN), then I usually add a firewall rule to allow > access only from a list of known WAN IP addresses. That is certainly the best approach! Also, whenever possible, I run those protocols on IPv6 only, preferably on an address that is not as well in DNS for other services on the host. They cannot viably scan the IPv6 range so this obscurity hides the remote access quite well. Rob

2 1

Re: [44net] Security - Telnet (port tcp/23)
by Rob Janssen 30 Sep '16

30 Sep '16

> >/When I had SSH open to the world, I saw similar usernames in the failure log as I now /> >/see on this telnet honeypot. / > If your connectivity to the world is via a tunnel from amprgw, please > resist the temptation to run a honeypot - we're trying to reduce the > amount of bandwidth, not increase it. Although a honeypot isn't > necessarily a big bandwidth consumer, every bit helps. > - Brian It is on our BGP-routed subnet so the traffic is via our own gateway through a direct IPIP tunnel to that system. However, it is not really something to worry about. It attracts about 10-20 kbytes of internet->host traffic per day (the usernames and passwords that I log). Those attackers are trying maybe 10-15 different logons then move on. It is not like they try a list of 100,000 most often use passwords, they probably have the default passwords for some commonly used routers and other IoT devices, in some cases probably only a single one. (the worms that infect one particular device) The unanswered SYN traffic to port 23 is much, much more. Especially before the "allow only registered hosts" filter. We are dropping around 80 Mbyte/day of traffic for our /16 subnet due to the address not being registered, so that would be about 20 GByte/day for amprgw.... Rob

1 0

Re: [44net] Security - Telnet (port tcp/23)
by Rob Janssen 30 Sep '16

30 Sep '16

> As always, the best practice recommendation is to disable telnet logins > entirely as it represents a security issue because passwords pass over > the connection in clear plaintext. > - Brian Well, the issue is not really the passwords being in plaintext. The issue is the availability of a remote login feature with possibly weak passwords. It affects SSH just as much as it affects telnet. The malvolents are scanning the IPv4 space and when they can connect to a remote logon service (telnet, SSH, RDP, VNC) they try a number of common usernames and passwords. They are not listening in on your traffic. While it is clear that telnet is not the most secure login service, it really doesn't make a difference. I have a fake telnetd running on one of my systems that simply presents the user with a login prompt and logs what is being typed, and it shows endless connections trying things like root/12345 root/password admin/admin etc. They probably get into certain routers or other systems like that, then install some trojan that does further scanning. This is also indicated by certain loggings where they apparently believe they got logged in and then send a long string like "wget something; chmod a+x something; ./something" or similar. Rob

5 4

Re: [44net] Security - Telnet (port tcp/23)
by Rob Janssen 29 Sep '16

29 Sep '16

> The term to search for is 'honeypot'. There are many such scripts out there > on github and on the web in general. That is correct. In my case I quickly hacked something together but there are lots of examples to be found that are probably much more advanced. When I had SSH open to the world, I saw similar usernames in the failure log as I now see on this telnet honeypot. Rob

2 1

Re: [44net] Security - Telnet (port tcp/23)
by Gabriel Medinas 29 Sep '16

29 Sep '16

Hello Lynwood, I had in my JNOS virtually a lot of attempts connections to port 23 from all part of the world, to achieve forwarding to other BBS had change the telnet port to 2323 and substantially lower these attempts. When I speak attempts to port 23 are evidence of brute force, it is almost impossible to have open this port, also same the 20, 21, 443, etc. 73 Gabriel YV5KXE. Venezuela AmprNet Coordinator yv5kxe.ampr.org Date: Thu, 29 Sep 2016 12:15:57 -0400 From: lleachii(a)aol.com To: 44net(a)hamradio.ucsd.edu Subject:Date: Thu, 29 Sep 2016 12:15:57 -0400 From: lleachii(a)aol.com To: 44net(a)hamradio.ucsd.edu Subject: [44net] Security - Telnet (port tcp/23) Message-ID: <8c28faa2-76ff-45a9-06c6-1705433cf307(a)aol.com> Content-Type: text/plain; charset=windows-1252; format=flowed All, In June, we discussed a topic entitled: "Odd Username attempts at login" where Bill, KG6BAJ noticed odd connection attempts to his JNOS system via Telnet. I have recently been working on my SNMP and NetFlow servers, and noticed quite a bit of Telnet connection attempts from Asia, Europe and South America. While I have also seen SSH, RDP, NTP, ICMP and VNC, by far the largest amount of traffic reaching my border interface is Telnet. Doing some research, I discovered that NIC.CZ <http://nic.cz/> has been operating the Turris Project. They have determined that these attempts are coming from a botnet of embedded devices that have Telnet vulnerabilities. I have provided a link to those findings here: https://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at- least-not-on-smart-devices/ 09-28 19:57:36 0.000 TCP 60.189.137.98:28940 -> 44.60.44.128:2323 09-28 19:57:55 0.000 TCP 115.219.124.37:49067 -> 44.60.44.133:23 09-28 19:57:55 0.000 TCP 222.124.85.17:34905 -> 44.60.44.133:23 09-28 19:57:52 5.552 TCP 190.67.215.114:29593 -> 44.60.44.6:23 09-28 19:58:03 0.123 TCP 115.219.124.37:21070 -> 44.60.44.133:23 09-28 19:58:54 0.000 TCP 116.102.62.182:37311 -> 44.60.44.135:23 Please be mindful. 73, - Lynwood KB3VWG

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net