DIAL node hack

Our node is offline currently due to an exploit attack. Our network administrator shows heavy traffic out on port 2222 among others. We don’t use this port.

So reload the new image.

For future reloads, how best to reconstruct the local changes done to the original image to carry over the custom config files?

73,

Duane KA1LM

Best to zip up the /etc/asterisk directory.

The RC1 version disabled the exploited login.

Steve
···

On 6/14/2017 12:03 PM, DuaneVT . wrote:

Our node is offline currently due to an exploit attack. Our network administrator shows heavy traffic out on port 2222 among others. We don’t use this port.

So reload the new image.

For future reloads, how best to reconstruct the local changes done to the original image to carry over the custom config files?

73,

Duane KA1LM


_______________________________________________
App_rpt-users mailing list
App_rpt-users@lists.allstarlink.org
http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users

To unsubscribe from this list please visit http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.
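Steve's advice to zip up /etc/asterisk, worked through as an added example (this is not code from the list or from AllStarLink). It archives the config directory with a checksum manifest, restores and verifies it on a fresh image, and, given a manifest taken from an untouched image, lists exactly which files were customised locally, which answers Duane's "how to reconstruct the local changes" question. The function names are assumptions; /etc/asterisk is the directory Steve names, every other path is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the list or from AllStarLink: carry the local
# Asterisk configuration across a reflash and find which files were customised.
# Function names are assumptions; the config directory is /etc/asterisk as in
# Steve's reply, any other path used here is a placeholder.
set -u

# backup_asterisk_config SRC_DIR DEST_DIR
# Archives SRC_DIR as DEST_DIR/asterisk-config-<timestamp>.tar.gz and writes a
# SHA-256 manifest next to it, so a restore can be checked file by file.
# Prints the archive path.
backup_asterisk_config() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest"
    archive="$dest/asterisk-config-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C keeps paths relative to the parent, so the restore works under any /etc
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    ( cd "$src" && find . -type f | sort | while read -r f; do
          sha256sum "$f"
      done ) > "$archive.sha256"
    echo "$archive"
}

# restore_asterisk_config ARCHIVE TARGET_PARENT
# Unpacks ARCHIVE under TARGET_PARENT (normally /etc) and verifies every
# restored file against the manifest. Returns non-zero on any mismatch.
restore_asterisk_config() {
    archive=$1; parent=$2
    case $archive in /*) ;; *) archive="$PWD/$archive" ;; esac
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || {
        echo "missing archive or manifest for $archive" >&2; return 1; }
    mkdir -p "$parent"
    tar -C "$parent" -xzf "$archive"
    top=$(tar -tzf "$archive" | head -n 1 | cut -d/ -f1)   # e.g. "asterisk"
    ( cd "$parent/$top" && sha256sum -c "$archive.sha256" >/dev/null )
}

# list_local_changes BASE_MANIFEST DIR
# BASE_MANIFEST is the .sha256 file written by backup_asterisk_config on an
# untouched image. Prints files under DIR that are new or differ from it,
# which is the set that actually needs carrying over to the next image.
list_local_changes() {
    manifest=$1; dir=$2
    case $manifest in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$dir" && find . -type f | sort | while read -r f; do
          now=$(sha256sum "$f" | cut -d' ' -f1)
          base=$(awk -v f="$f" '$2 == f { print $1 }' "$manifest")
          [ "$now" = "$base" ] || echo "${f#./}"
      done )
}
```

Usage on a node: `. ./astcfg.sh; backup_asterisk_config /etc/asterisk /root/backups` before reflashing, then `restore_asterisk_config /root/backups/asterisk-config-<stamp>.tar.gz /etc` on the new image. Running the backup once on a freshly written image and keeping that manifest lets `list_local_changes` show only the files you edited, so a future reload does not drag along files the new image is supposed to replace.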

What was the exploit attack?

Was the node DMZ'ed, or had more than necessary ports open to it?

Was the standard port, 4569, opened on the WAN into the network?

···

On Wed, 2017-06-14 at 12:03 -0400, DuaneVT . wrote:

Our node is offline currently due to an exploit attack. Our network
administrator shows heavy traffic out on port 2222 among others. We
don't use this port.
So reload the new image.
For future reloads, how best to reconstruct the local changes done to
the original image to carry over the custom config files?
73,
Duane KA1LM


Port 4569 has to be open to the world for inbound link connections, but unless you're also running Echolink, that's the only port that needs to be open to the world. My own nodes now sit behind a NAT gateway that only forwards 4569 back. The NAT gateway also serves as an OpenVPN endpoint which I connect to from home to allow SSH administration of the node.

Most likely, I would suspect it's an older install without the "debian" or "pi" user secured, and they logged into the node that way.

I need to finish my HowTo on how to properly provide security to an AllStar node that's exposed to the internet. If at all possible, people should put their nodes behind something like a PFSense firewall box, or at least behind some kind of NAT router, with only the necessary port 4569 forwarded back to the machine.

Jeremy, NQ0M

···

-----Original Message-----
From: App_rpt-users [mailto:app_rpt-users-bounces@lists.allstarlink.org] On Behalf Of Benjamin Naber
Sent: Thursday, June 15, 2017 3:19 PM
To: app_rpt-users@lists.allstarlink.org
Subject: Re: [App_rpt-users] DIAL node hack

What was the exploit attack?

Was the node DMZ'ed, or had more than necessary ports open to it?

Was the standard port, 4569, opened on the WAN into the network?

On Wed, 2017-06-14 at 12:03 -0400, DuaneVT . wrote:

Our node is offline currently due to an exploit attack. Our network
administrator shows heavy traffic out on port 2222 among others. We
don't use this port.
So reload the new image.
For future reloads, how best to reconstruct the local changes done to
the original image to carry over the custom config files?
73,
Duane KA1LM

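Jeremy's rule that 4569 should be the only port reachable from the world is easy to check from the node itself. The following is an added example, not code from the list or from AllStarLink: it reads `ss -H -tuln` style socket lines, skips anything bound only to loopback, and reports every listener outside an allow-list. The function name and allow-list format are assumptions, and the sample socket lines are constructed (the tcp/2222 listener in them just echoes the port number from Duane's report, not anything the thread confirms the intruder ran).

```shell
#!/bin/sh
# Added example, not code from the list or from AllStarLink: audit what a node
# is listening on against the "only 4569 to the world" rule in Jeremy's reply.
# Function name and allow-list format are assumptions. Input lines are shaped
# like `ss -H -tuln`: proto state recv-q send-q local-addr:port peer-addr:port.

# audit_listeners ALLOWED   (reads socket lines on stdin)
# ALLOWED is a space-separated allow-list such as "udp/4569 tcp/22". Sockets
# bound only to loopback are skipped since the WAN cannot reach them. Prints
# "proto/port address" for every socket outside the allow-list; returns 1 if
# any were found, 0 otherwise.
audit_listeners() {
    allowed=" $1 "
    found=0
    while read -r proto _state _recvq _sendq laddr _peer; do
        [ -n "$proto" ] || continue           # skip blank lines
        addr=${laddr%:*}                      # strip the :port suffix
        port=${laddr##*:}
        case $addr in
            127.*|'[::1]'|::1) continue ;;    # loopback only, not exposed
        esac
        case $allowed in
            *" $proto/$port "*) ;;            # expected exposure
            *) echo "$proto/$port $addr"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample, shaped like `ss -H -tuln` output on a node where an
# unexpected service has appeared on tcp/2222. The 5038 line is a loopback-only
# Asterisk manager socket and is correctly ignored.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:4569     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:2222     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5038   0.0.0.0:*'

# Run the audit over the sample. On a live node replace the printf with:
#   ss -H -tuln | audit_listeners "udp/4569 tcp/22"
printf '%s\n' "$SAMPLE_SS" | audit_listeners "udp/4569 tcp/22"
```

If you administer over an OpenVPN tunnel as Jeremy describes, tcp/22 only needs to appear in the allow-list when the node itself exposes SSH; with SSH reachable only through the VPN gateway the allow-list shrinks to `udp/4569` alone. Any line the function prints is a service that the NAT or firewall rules should not be forwarding, or that should not be running at all.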

Bingo.

Tim documented this on the docs site, but many (most) people forgot to secure
it/didn't read the docs.

There is now an allstarlinux "hack" in a popular hacking/scanning toolkit. The
more blackhat toolkits automate scanning/hacking this. 44/8 has seen a bunch
of traffic for this.

73's

···

On 6/15/17 11:22 PM, Jeremy Utley wrote:

Most likely, I would suspect it's an older install without the "debian" or
"pi" user secured, and they logged into the node that way.

--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net