(Please trim inclusions from previous messages) _______________________________________________ Rob; On Sat, 2015-10-10 at 21:06 +0200, Rob Janssen wrote: Of course I have that filtered. That's what I do here, drop all SNMP out however it doesn't prevent the incoming floods of frames. You have to actually receive them in order to drop them... like amps need to pass 100% through a fuse/breaker to blow it. I found the source host and it's been halted. The device was a firewall of all things. In this case, the ISP was behind granting their client permission to attack. Nice policy eh? Reason: *I* was not their paying customer. I could pursue negligence if I wanted to push the issue.

(Please trim inclusions from previous messages) _______________________________________________ Gus, The secure approach to firewall rules is to set your default policy to drop, then write rules to allow the specific traffic you want (protocol/port(s), interface(s), source addr(s), dest addr(s)). For example, maybe you only allow telnet to be forwarded from your amprnet interface to your JNOS tunnel interface if it is from 44.x addresses. So you write a rule to allow that. But anything else, including telnet from anywhere else to anywhere else, would be dropped by the default policy. For the example that started this thread, if you don't use snmp, then don't write a rule. It will be dropped by the default drop policy. But maybe you want to allow snmp from a specific subnet on your own network (where your management hosts are). So you write an accept rule for that. Anything else, including snmp from other source addresses, would be dropped by the default policy. To check for abuse within the list of allowed traffic, you can use something like fail2ban. You set up match criteria (log message format, how many times, within what time period). If fail2ban finds matches, it writes a firewall rule to ban that host completely for a specified period of time. You can even have it send you email to tell you what was banned, why (which match rule plus a list the matched log entries), and include a whois output for the offending host. For example, now that JNOS can use a fixed log filename, you can set up fail2ban to scan the JNOS log for login failures and, if found, have fail2ban ban those addresses by automatically adding rules to your firewall config. The combination of default drop policy and fail2ban on the allowed traffic is very effective. Michael N6MEF > -----Original Message----- > From: 44Net [mailto:44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu] On > Behalf Of Gustavo Ponza > Sent: Sunday, October 11, 2015 3:06 AM > To: 44net(a)hamradio.ucsd.edu > Subject: Re: [44net] Subject: PTD > > (Please trim inclusions from previous messages) > _______________________________________________ > Hi, > > for you experts on the matter concerned: how should be the > minimal best setup (or how about schools of thought, if any) > to protect at best our linux systems? > > In particular, as impelling request, how to prevent the following > 'non ampr' host to be indefinitely connected to my system? > > ---------------- > i0ojj:~$ nslookup 81.174.235.131 > Server: 8.8.8.8 > Address: 8.8.8.8#53 > > Non-authoritative answer: > 131.235.174.81.in-addr.arpa name = a.comgw.net. > --------------- > > Very TNX! > > 73, gus > > > On 10/10/2015 09:15 PM, Brian wrote: >> (Please trim inclusions from previous messages) >> _______________________________________________ >> Rob; >> >> On Sat, 2015-10-10 at 21:06 +0200, Rob Janssen wrote: >> >>> Please MAKE SURE that you block all incoming SNMP traffic from internet > to amprnet! >>> (especially when you are using community names like "public") >> Of course I have that filtered. >> >>> The bad guys use SNMP as an attack amplifier. >>> One time I moved a switch to another address and it became exposed, and > within 3 days I had an abuse report. >>> Now I have a general rule that drops all SNMP at our gateway. >> That's what I do here, drop all SNMP out however it doesn't prevent the >> incoming floods of frames. You have to actually receive them in order to >> drop them... like amps need to pass 100% through a fuse/breaker to blow >> it. >> >> I found the source host and it's been halted. The device was a firewall >> of all things. >> >>> (of course the real problem is the ISPs that refuse to implement BCP38, > source address filtering) >> In this case, the ISP was behind granting their client permission to >> attack. Nice policy eh? Reason: *I* was not their paying customer. >> I could pursue negligence if I wanted to push the issue. >>

(Please trim inclusions from previous messages) _______________________________________________ On Sun, October 11, 2015 4:46 pm, Gustavo Ponza wrote: Here is an example of what you can put into your autoexec.nos file: tcp access deny all <---- start by blocking everyone tcp access permit 44/8 all <---- allow all 44Net on all incoming ports -- Charles J. Hargrove - N2NOV NYC ARECS/RACES Citywide Radio Officer/Skywarn Coord. NYC-ARECS/RACES Net Mon. @ 8:30PM 147.360/107.2 PL http://www.nyc-arecs.org and http://www.nyc-skywarn.org NY-NBEMS Net Saturdays @ 10AM & USeast-NBEMS Net Wednesdays @ 7PM on 7.036 Mhz USB/1500 hz waterfall spot; Olivia 8/500 check-ins "Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders." - Ronald Reagan "The more corrupt the state, the more it legislates." - Tacitus "Molann an obair an fear" - Irish Saying (The work praises the man.) "No matter how big and powerful government gets, and the many services it provides, it can never take the place of volunteers." - Ronald Reagan "We are fast approaching the stage of ultimate inversion: the stage where the government is free to do anything it pleases, while the citizens may act only by permission." - Ayn Rand _________________________________________ 44Net mailing list 44Net(a)hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net