1. As you all observed yesterday, I still run OpenWrt - currently on a Cisco Meraki MX60W device. I also use OpenWrt to create a separate VLAN for AMPRLAN traffic (those configs are in the Wiki). I can use routing, masquerade and NAT in another VLAN - if I need to temporarily assign a device a 44 public IP for testing and use.

2. I am running the firewall on my tunnel, which is iptables and zone-based in OpenWrt. Only relevant inbound ports for known services are allowed (e.g. 80/tcp for HTTP from 0.0.0.0/0 and 53/udp for DNS from 44.0.0.0/8). For additional security, I use a script run with ampr-ripd updates - to only allow pings and IPENCAP traffic from the IPs located in the Portal (script available on the Firewall Wiki page - someone offered an update to the script, but it has not yet been tested or implemented in the one found at the Wiki).

I currently only use Apache, HTML and some PHP on the visible web server. The "largest" concern here is the PHP-based APRS Code recovery tool (someone in this forum previously helped me better sanitize the input, so as to prevent command injection).

3. I do monitor traffic with the softflowd package in OpenWrt. I collect and record the data with NfSen (http://nfsen.sourceforge.net). I also run snmpd for bandwidth statistics.

Would you be willing to share the SANS IP script you have? What threats does this list block?

4. pfSense also implements Snort; perhaps you can route traffic through a virtual machine to test?

5. When needed, I previously used a firewall rule that only allows x SYNs from a given IP in x minutes. If greater than x attempts - REJECT.

6. Regarding DNS, I do not open my server to the outside world. Only those at 44.0.0.0/8 are able to reach and use it.
BTW, I use Cacti for SNMP collection.
https://en.wikipedia.org/wiki/Cacti_(software)
73,
- Lynwood KB3VWG
On 1/9/19 4:22 PM, lleachii@aol.com wrote:
I also run snmpd for bandwidth statistics.
Rob,
I never noted I have a problem. The ipset script is the one I currently use. As I recall, the iptables one was verbatim from another operator - and it worked as well. I can't recall who gave me that script. The ipset script is the one I edited, per your message in 2018. I have made no updates to the iptables script, and left lots of old notes and comments intact - hence some of the comments may disagree.
I edited it to use ipset approximately 2 years ago, hence the remaining while statement. I'm sure anyone utilizing the ipset script would like it be as straightforward as possible - are you suggesting (pseudo-code confuses me):
---
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"   # fill in before use
cd /var/lib/ampr-ripd || exit 1
# create the set if it does not exist yet, empty it, and seed it with AMPRGW
ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter $AMPRGW
# add each encap gateway address found in encap.txt, once
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
    ipset -A ipipfilter $ip
done
-----
I tested it and it seems to work. Also, I believe diffutils doesn't need to be installed either. I'll update the OpenWrt Wiki.
I only noted it in this particular best practices/tools thread due to messages in SEP2018: https://mailman.ampr.org/mailman/private/44net/2018-September/009294.html
I like to "lock down" my router as much as possible. I do understand we've chatted in the past that my methods may be too paranoid; but I'd prefer to have an extra step to secure the IPENCAP interface.
73,
- Lynwood KB3VWG
Lynwood helped me when I came online. I learned a lot from Lynwood; he helped me sort my routing table out. I have not been doing a lot lately with my little piece of the AMPRnet, but it seems to work. My script isn’t exactly letter-perfect, but I incorporated the ipset ipipfilter that he sent me. I’ve also used the iptables recent module to drop brute-force attempts on SSH against my 44net gateway address.
My gateway is currently a Raspberry Pi with a USB interface as the external interface, running in a DMZ behind a pfSense router. It works well because the only traffic that hits my AMPR gateway is the IPIP tunneled traffic, thus simplifying my routing table.
Sent from my iPad
Tom/N2XU
On Jan 10, 2019, at 7:28 PM, LLEACHII--- via 44Net 44net@mailman.ampr.org wrote:
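The firewall side of what Lynwood and Tom describe (an ipset of Portal gateway addresses rebuilt from ampr-ripd's encap.txt, IPENCAP and ping accepted only from set members, HTTP open and DNS limited to 44/8, and the iptables recent module dropping SSH brute-force sources, which is the same pattern as the "x SYNs in x minutes" rule), as an added example that is not code from this thread or from the AMPR wiki. It goes past the wiki script in one respect: each address pulled out of encap.txt is validated as a dotted quad before ipset sees it, so a malformed line cannot slip an arbitrary token into the set command. The interface names eth0 and tunl0, the chain names, the SSH port and the 4-hits-in-60-seconds threshold are assumptions; the address the wiki script's <AMPRGW> placeholder stands for is passed in the AMPRGW environment variable. The encap.txt lines in the test are constructed.

```sh
#!/bin/sh
# Added example, not code from the 44Net thread or the AMPR wiki: an
# OpenWrt/iptables IPIP gateway firewall as the thread describes it.
#   - ipipfilter is filled from ampr-ripd's encap.txt, every address
#     validated as a dotted quad before ipset sees it;
#   - public interface: IPENCAP (IP protocol 4) and ping only from set
#     members, dropped from everyone else;
#   - tunnel interface: 80/tcp open to all, 53/udp to 44.0.0.0/8 only,
#     SSH sources rate-limited with the recent module.
# Assumed, not on the page: interface/chain names, SSH port, 4-in-60s limit.
# IPT=echo IPSET=echo prints the commands instead of running them.

IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
WAN="${WAN:-eth0}"      # assumed public interface (outer IPIP packets)
TUN="${TUN:-tunl0}"     # assumed tunnel interface (decapsulated 44/8 traffic)
SET="ipipfilter"
CHAIN_WAN="ampr_encap"
CHAIN_TUN="ampr_services"
SSH_PORT="${SSH_PORT:-22}"
SSH_HITS=4
SSH_SECONDS=60

# Print the unique gateway addresses from encap.txt, whose lines look like
#   route addprivate 44.1.2.0/24 encap 203.0.113.5
# A token that is not four decimal octets of 0-255 is skipped instead of
# being handed to ipset (or, with IPSET=echo, to the shell) unchecked.
gateway_ips_from_encap() {
    grep addprivate "$1" | sed -e 's/.*encap //' | sort -u |
    while read -r ip; do
        case "$ip" in
            *[!0-9.]*|.*|*.|*..*) continue ;;   # non-digit, leading/trailing/double dot
            *.*.*.*.*) continue ;;              # five or more octets
            *.*.*.*) ;;                         # exactly four
            *) continue ;;
        esac
        o1=${ip%%.*}; rest=${ip#*.}
        o2=${rest%%.*}; rest=${rest#*.}
        o3=${rest%%.*}; o4=${rest#*.}
        for o in "$o1" "$o2" "$o3" "$o4"; do
            [ "$o" -le 255 ] || continue 2
        done
        echo "$ip"
    done
}

# Rebuild the set from $2 (whatever the wiki script's <AMPRGW> placeholder
# is filled with) plus every gateway address listed in encap.txt ($1).
load_ipipfilter() {
    $IPSET -exist create "$SET" hash:ip
    $IPSET flush "$SET"
    $IPSET -exist add "$SET" "$2"
    gateway_ips_from_encap "$1" | while read -r ip; do
        $IPSET -exist add "$SET" "$ip"
    done
}

# (Re)create chain $1 and hook it into INPUT for interface $2, idempotently.
fresh_chain() {
    $IPT -N "$1" 2>/dev/null
    $IPT -F "$1"
    $IPT -D INPUT -i "$2" -j "$1" 2>/dev/null
    $IPT -I INPUT -i "$2" -j "$1"
}

# Outer packets: only set members may send IPENCAP or echo-request.
apply_encap_rules() {
    fresh_chain "$CHAIN_WAN" "$WAN"
    $IPT -A "$CHAIN_WAN" -p 4 -m set --match-set "$SET" src -j ACCEPT
    $IPT -A "$CHAIN_WAN" -p icmp --icmp-type echo-request \
         -m set --match-set "$SET" src -j ACCEPT
    $IPT -A "$CHAIN_WAN" -p 4 -j DROP
    $IPT -A "$CHAIN_WAN" -p icmp --icmp-type echo-request -j DROP
}

# Decapsulated traffic: HTTP from anywhere, DNS from 44/8 only; the SSH_HITS-th
# new SSH connection from one source within SSH_SECONDS is dropped, and so is
# every later one while attempts continue (--update refreshes the timestamp).
apply_service_rules() {
    fresh_chain "$CHAIN_TUN" "$TUN"
    $IPT -A "$CHAIN_TUN" -p tcp --dport 80 -j ACCEPT
    $IPT -A "$CHAIN_TUN" -p udp --dport 53 -s 44.0.0.0/8 -j ACCEPT
    $IPT -A "$CHAIN_TUN" -p udp --dport 53 -j DROP
    $IPT -A "$CHAIN_TUN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
         -m recent --name sshlimit --set
    $IPT -A "$CHAIN_TUN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
         -m recent --name sshlimit --update --seconds "$SSH_SECONDS" \
         --hitcount "$SSH_HITS" -j DROP
}

# Usage: AMPRGW=<address> sh ampr-fw.sh apply [/var/lib/ampr-ripd/encap.txt]
# Nothing is applied unless "apply" is given, so the file can be sourced.
if [ "${1:-}" = "apply" ]; then
    [ -n "$AMPRGW" ] || { echo "AMPRGW is not set" >&2; exit 1; }
    load_ipipfilter "${2:-/var/lib/ampr-ripd/encap.txt}" "$AMPRGW"
    apply_encap_rules
    apply_service_rules
fi
```

Run it from the same hook that triggers on ampr-ripd updates so the set follows the Portal; on an OpenWrt zone-based firewall, custom chains like these belong in the user-rules file that fw3 re-runs on reload, otherwise a firewall restart flushes them. Dry-run first with IPT=echo IPSET=echo and read the generated rule lines before applying them to a remote box, since a wrong interface name in the INPUT hook will lock you out.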
All, I implemented the code update. It's been added to the Firewall Wiki under the ipset-based script. http://wiki.ampr.org/wiki/Firewalls#ipset
Thanks Rob! https://mailman.ampr.org/mailman/private/44net/2018-September/009316.html
- Lynwood KB3VWG
someone offered an update to the script, but it has not yet been tested or implemented in the one found at the Wiki
-----Original Message----- From: lleachii lleachii@aol.com To: 44net 44net@mailman.ampr.org Sent: Wed, Jan 9, 2019 4:22 pm Subject: Re: security reminder : Sharing best practices and tools ?