9 Jan
2019
9 Jan
'19
3:22 p.m.
1.
As you all observed yesterday, I still run OpenWrt - currently on a Cisco Meraki MX60W
device. I also use OpenWrt to create a separate VLAN for AMPRLAN traffic (those configs
are in the Wiki). I can use routing, masquerade and NAT in another VLAN - if I need to
temporally assign a device a 44 Public IP for testing and use.
2.I am running the firewall on my tunnel, which is iptables and zone-based in OpenWrt.
Only relevant inbound ports for known services are allowed (e.g. 80/tcp for HTTP from
0.0.0.0/0 and 53/udp for DNS from 44.0.0.0/8). For additional security, I use a script ran
with ampr-ripd updates - to only allow Pings and IPENCAP traffic from the IPs located in
the Portal (script available on the Firewall Wiki page - someone offered an update to the
script, but it has not yet been tested or implemented in the one found at the Wiki).
I currently only use Apache, HTML and some PHP on the visible web server. The
"largest" concern here is the PHP-based APRS Code recovery tool (someone in this
forum previously helped me better sanitize the input, as to prevent command injections).
3.I do monitor traffic with softflowd package in OpenWrt. I collect and record the data
with NfSen (http://nfsen.sourceforge.net).
I also run snmpd for bandwidth statistics.
* Would you be willing to share the SANS IP script you have?* What threats does this list
block?
4.PFsense also implements Snort, perhaps you can route traffic through a Virtual Machine
to test?
5.When needed, I previously used a firewall rule that only allows x SYNs from given IP in
x minutes. If greater than x attempts - REJECT.
6.Regarding DNS, I do not open my server to the outside world. Only those at 44.0.0.0/8
are able to reach and use it.
9 Jan
9 Jan
6:42 p.m.
New subject: security reminder : Sharing best practices and tools ?
BTW, I use Cacti for snmp collection.
https://en.wikipedia.org/wiki/Cacti_(software)
73,
- Lynwood
KB3VWG
On 1/9/19 4:22 PM, lleachii(a)aol.com wrote:
I also run snmpd for bandwidth statistics.
10 Jan
10 Jan
7:28 p.m.
New subject: security reminder : Sharing best practices and tools ?
Rob,
I never noted I have a problem. The ipset script is the one I currently
use. As I recall, the iptables was verbatim from another operator - and
it worked as well. I can't recall who gave me that script. The ipset
script is the one I edited, per your message in 2018. I have made no
updates to the iptables script; and left lots of old notes and comments
intact - hence some of the comments may disagree.
I edited it to use ipset approximately 2 years ago, hence the remaining
while statement. I'm sure anyone utilizing the ipset script would like
it be as straightforward as possible - are you suggesting (pseudo-code
confuses me):
---
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"
cd /var/lib/ampr-ripd || exit 1
ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done
-----
I tested it and it seems to work. Also believe diffutils doesn't need to
be installed, either. I'll update the OpenWrt Wiki.
I only noted it in this particular best practices/tools thread due to
messages in SEP2018:
https://mailman.ampr.org/mailman/private/44net/2018-September/009294.html
I like to "lock down" my router as much as possible. I do understand
we've chatted in the past that my methods may be too paranoid; but I'd
prefer to have a extra step to secure the IPENCAP interface.
73,
- Lynwood
KB3VWG
11 Jan
11 Jan
5:26 p.m.
New subject: security reminder : Sharing best practices and tools ?
Lynwood helped me when I came online. I learned a lot from Lynwood, he helped me sort my
routing table out. I have not been doing a lot lately with my little piece of the AMPRnet
but it seems to work. My script isn’t exactly letter perfect but I incorporated the ipset
ipipfilter that he sent me. I’ve also used the iptables recent module to drop brute force
attempts on SSH against my 44net gateway address.
My gateway is currently a raspberry pi with a usb interface as the external interface
running in a DMZ behind a pfSense router. It works well because the only traffic that hits
my AMPR gateway is the ipip tunneled traffic thus simplifying my routing table.
Sent from my iPad
Tom/N2XU
On Jan 10, 2019, at 7:28 PM, LLEACHII--- via 44Net
<44net(a)mailman.ampr.org> wrote:
Rob,
I never noted I have a problem. The ipset script is the one I currently use. As I recall,
the iptables was verbatim from another operator - and it worked as well. I can't
recall who gave me that script. The ipset script is the one I edited, per your message in
2018. I have made no updates to the iptables script; and left lots of old notes and
comments intact - hence some of the comments may disagree.
I edited it to use ipset approximately 2 years ago, hence the remaining while statement.
I'm sure anyone utilizing the ipset script would like it be as straightforward as
possible - are you suggesting (pseudo-code confuses me):
---
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"
cd /var/lib/ampr-ripd || exit 1
ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip
done
-----
I tested it and it seems to work. Also believe diffutils doesn't need to be
installed, either. I'll update the OpenWrt Wiki.
I only noted it in this particular best practices/tools thread due to messages in
SEP2018: https://mailman.ampr.org/mailman/private/44net/2018-September/009294.html
I like to "lock down" my router as much as possible. I do understand we've
chatted in the past that my methods may be too paranoid; but I'd prefer to have a
extra step to secure the IPENCAP interface.
73,
- Lynwood
KB3VWG
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
10 Jan
10 Jan
12:24 p.m.
New subject: security reminder : Sharing best practices and tools ?
All,
I implemented the code update. It's been added to Firewall Wiki under the ipset-based
script.
http://wiki.ampr.org/wiki/Firewalls#ipset
Thanks Rob!
https://mailman.ampr.org/mailman/private/44net/2018-September/009316.html
- Lynwood
KB3VWG
someone offered an update to the script, but it has not yet been tested or implemented in
the one found at the Wiki
-----Original Message-----
From: lleachii <lleachii(a)aol.com>
To: 44net <44net(a)mailman.ampr.org>
Sent: Wed, Jan 9, 2019 4:22 pm
Subject: Re: security reminder : Sharing best practices and tools ?
1.
As you all observed yesterday, I still run OpenWrt - currently on a Cisco Meraki MX60W
device. I also use OpenWrt to create a separate VLAN for AMPRLAN traffic (those configs
are in the Wiki). I can use routing, masquerade and NAT in another VLAN - if I need to
temporally assign a device a 44 Public IP for testing and use.
2.I am running the firewall on my tunnel, which is iptables and zone-based in OpenWrt.
Only relevant inbound ports for known services are allowed (e.g. 80/tcp for HTTP from
0.0.0.0/0 and 53/udp for DNS from 44.0.0.0/8). For additional security, I use a script ran
with ampr-ripd updates - to only allow Pings and IPENCAP traffic from the IPs located in
the Portal (script available on the Firewall Wiki page - someone offered an update to the
script, but it has not yet been tested or implemented in the one found at the Wiki).
I currently only use Apache, HTML and some PHP on the visible web server. The
"largest" concern here is the PHP-based APRS Code recovery tool (someone in this
forum previously helped me better sanitize the input, as to prevent command injections).
3.I do monitor traffic with softflowd package in OpenWrt. I collect and record the data
with NfSen (http://nfsen.sourceforge.net).
I also run snmpd for bandwidth statistics.
* Would you be willing to share the SANS IP script you have?* What threats does this list
block?
4.PFsense also implements Snort, perhaps you can route traffic through a Virtual Machine
to test?
5.When needed, I previously used a firewall rule that only allows x SYNs from given IP in
x minutes. If greater than x attempts - REJECT.
6.Regarding DNS, I do not open my server to the outside world. Only those at 44.0.0.0/8
are able to reach and use it.
2143
days inactive
2145
days old
4 comments
2 participants
participants (2)
-
lleachii@aol.com -
Tom Cardinal