All, I implemented the code update. It's been added to Firewall Wiki under the ipset-based script. http://wiki.ampr.org/wiki/Firewalls#ipset
Thanks Rob! https://mailman.ampr.org/mailman/private/44net/2018-September/009316.html
- Lynwood KB3VWG
someone offered an update to the script, but it has not yet been tested or implemented in the one found at the Wiki
-----Original Message-----
From: lleachii lleachii@aol.com
To: 44net 44net@mailman.ampr.org
Sent: Wed, Jan 9, 2019 4:22 pm
Subject: Re: security reminder : Sharing best practices and tools ?
1. As you all observed yesterday, I still run OpenWrt - currently on a Cisco Meraki MX60W device. I also use OpenWrt to create a separate VLAN for AMPRLAN traffic (those configs are in the Wiki). I can use routing, masquerade and NAT in another VLAN - if I need to temporarily assign a device a 44 public IP for testing and use.

2. I am running the firewall on my tunnel, which is iptables and zone-based in OpenWrt. Only relevant inbound ports for known services are allowed (e.g. 80/tcp for HTTP from 0.0.0.0/0 and 53/udp for DNS from 44.0.0.0/8). For additional security, I use a script run with ampr-ripd updates to only allow pings and IPENCAP traffic from the IPs located in the Portal (script available on the Firewall Wiki page - someone offered an update to the script, but it has not yet been tested or implemented in the one found at the Wiki).

I currently only use Apache, HTML and some PHP on the visible web server. The "largest" concern here is the PHP-based APRS code recovery tool (someone in this forum previously helped me better sanitize the input, so as to prevent command injection).

3. I do monitor traffic with the softflowd package in OpenWrt. I collect and record the data with NfSen (http://nfsen.sourceforge.net). I also run snmpd for bandwidth statistics.

*Would you be willing to share the SANS IP script you have?* What threats does this list block?

4. pfSense also implements Snort; perhaps you can route traffic through a virtual machine to test?

5. When needed, I previously used a firewall rule that only allows x SYNs from a given IP in x minutes. If greater than x attempts: REJECT.

6. Regarding DNS, I do not open my server to the outside world. Only those at 44.0.0.0/8 are able to reach and use it.
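Worked example of the two mechanisms described in items 2 and 5 above: an ipset of gateway addresses rebuilt from an ampr-ripd route file, plus the iptables rules that admit IPENCAP and ping only from those gateways, open 80/tcp to everyone and 53/udp to 44.0.0.0/8, and cap SYNs per source. This is an added illustration, not the script on the Firewall Wiki and not Lynwood's code. It assumes (none of this is stated in the thread) that the route file is in the encap.txt line format "route addprivate 44.x.y.0/24 encap A.B.C.D", that ampr-ripd's post-update command hook (-x) is where it would be invoked, and that the names ENCAP_FILE, GATEWAY_SET, WAN_IF, ampr_tunnel_in and the gen_* / sample_encap_file helpers are invented here. The sample route file is constructed from RFC 5737 documentation addresses, not real gateways.

```sh
#!/bin/sh
# Added example (not the Wiki script, not Lynwood's code). Builds an ipset of
# AMPR gateway addresses from an ampr-ripd route file and emits the iptables
# rules the post describes. Assumptions, not from the thread: the encap.txt
# line format "route addprivate 44.x.y.0/24 encap A.B.C.D"; the names
# ENCAP_FILE, GATEWAY_SET, WAN_IF, ampr_tunnel_in and the gen_* helpers.

ENCAP_FILE="${ENCAP_FILE:-/var/lib/ampr-ripd/encap.txt}"   # assumed path
GATEWAY_SET="${GATEWAY_SET:-ampr_gateways}"                 # hypothetical set name

# Print the unique gateway IPv4 addresses in an encap-style file, ignoring
# comment lines, malformed lines and anything that is not a dotted quad.
gateways_from_encap() {
    awk '$1 == "route" && $4 == "encap" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $5 }' "$1" \
        | sort -u
}

# Emit ipset commands that rebuild the gateway set atomically: fill a scratch
# set, then swap it in, so the firewall never matches against an empty set
# part-way through an update.
gen_ipset_cmds() {
    set_name="$1"
    file="$2"
    echo "ipset create $set_name hash:ip -exist"
    echo "ipset create ${set_name}_new hash:ip -exist"
    echo "ipset flush ${set_name}_new"
    gateways_from_encap "$file" | while read -r ip; do
        echo "ipset add ${set_name}_new $ip"
    done
    echo "ipset swap ${set_name}_new $set_name"
    echo "ipset destroy ${set_name}_new"
}

# Emit the rules for traffic arriving on the public interface:
#   - IPENCAP (IP protocol 4) and ICMP echo only from portal-listed gateways
#   - HTTP from anywhere, DNS only from 44.0.0.0/8
#   - per-source SYN limit: once max_syn SYNs have been seen from one address
#     within window seconds, further SYNs are REJECTed (the post's "x SYNs
#     from a given IP in x minutes")
gen_iptables_rules() {
    set_name="$1"
    wan_if="$2"
    max_syn="${3:-10}"
    window="${4:-60}"
    cat <<EOF
iptables -N ampr_tunnel_in 2>/dev/null || true
iptables -F ampr_tunnel_in
iptables -A ampr_tunnel_in -p 4 -m set --match-set $set_name src -j ACCEPT
iptables -A ampr_tunnel_in -p icmp --icmp-type echo-request -m set --match-set $set_name src -j ACCEPT
iptables -A ampr_tunnel_in -p 4 -j DROP
iptables -A ampr_tunnel_in -p icmp --icmp-type echo-request -j DROP
iptables -A ampr_tunnel_in -p tcp --syn -m recent --name synlimit --set
iptables -A ampr_tunnel_in -p tcp --syn -m recent --name synlimit --update --seconds $window --hitcount $max_syn -j REJECT --reject-with tcp-reset
iptables -A ampr_tunnel_in -p tcp --dport 80 -j ACCEPT
iptables -A ampr_tunnel_in -s 44.0.0.0/8 -p udp --dport 53 -j ACCEPT
iptables -D INPUT -i $wan_if -j ampr_tunnel_in 2>/dev/null || true
iptables -I INPUT 1 -i $wan_if -j ampr_tunnel_in
EOF
}

# Constructed sample route file (documentation addresses, not real gateways);
# prints the path of a temp file.
sample_encap_file() {
    f="$(mktemp)"
    cat >"$f" <<'EOF'
# constructed sample in encap.txt format
route addprivate 44.100.1.0/24 encap 198.51.100.7
route addprivate 44.100.2.0/24 encap 192.0.2.10
route addprivate 44.100.3.0/24 encap 198.51.100.7
route addprivate 44.100.4.0/24 encap not-an-ip
EOF
    echo "$f"
}

main() {
    if [ "${1:-}" = "apply" ]; then
        # Real run: requires root, ipset and iptables; intended for the
        # ampr-ripd post-update hook.
        gen_ipset_cmds "$GATEWAY_SET" "$ENCAP_FILE" | sh
        gen_iptables_rules "$GATEWAY_SET" "${WAN_IF:-eth0}" | sh
    else
        # Dry run: print the commands; fall back to the constructed sample
        # when no route file exists so the output can be inspected offline.
        file="$ENCAP_FILE"
        [ -r "$file" ] || file="$(sample_encap_file)"
        gen_ipset_cmds "$GATEWAY_SET" "$file"
        gen_iptables_rules "$GATEWAY_SET" "${WAN_IF:-eth0}"
    fi
}
main "$@"
```

Run it with no arguments to see the generated commands; `./script.sh apply` executes them. The swap-in-a-scratch-set pattern matters because a gateway list that is flushed and refilled in place leaves a window in which every tunnel packet is dropped. On OpenWrt with fw3 the custom chain is lost on a firewall reload unless the rules also live in /etc/firewall.user; on fw4 (nftables) these iptables rules do not apply at all and the same policy needs an nftables set instead.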