Hardening web server so Allmon can be exposed to the internet

We need monitoring exposed to the internet for net control operators to see who is logged into the AllStar node.

What steps do we need to take to harden Apache so that the Apache/Allmon pages can be safely exposed to the external internet?

Thanks in advance!

The easiest way would be to set up Apache to password protect the entire webserver:

That would be sufficient for most operations.

Done that. BUT the version of Apache provided with the Allstar distribution executes malformed HTTP requests even when the query is nominally blocked.

Further, the Apache delivered has proxy loaded, which enables malicious requests through the proxy.

The version of Apache delivered with the image seems to have some potential security issues.

Can you provide some details for us? Happy to help out.

  1. Which ASL distribution are you running?
  2. Which Apache version are you running?
  3. How does the Apache version + proxy enable malicious requests?
  4. What other security issues can you describe?

Cheers,
Rob

  1. Which ASL distribution are you running? RPI2-3-4_V1.6-14-Allstar

  2. Which Apache version are you running? Apache 2.4.18 as is provided with the image

  3. How does the Apache version + proxy enable malicious requests? A malicious person can route web requests through the Apache server to other servers. Among other things this can potentially allow inserting malicious code into other devices, with routers being a common attack point.

  4. What other security issues can you describe? It looks like named is enabled by default. The system should use the DHCP-provided DNS server (or other local network server) to maintain control of DNS. The local named running on the AllStar node has already triggered security alerts on several of my systems and appears to bog down the network with named transfers which are not needed.

Also, the provided Apache enables user directories and aliasing, both of which are potential security issues. But disabling these modules breaks Supermon.

I was seriously hacked with my first deployment of this environment and have rebuilt my network and am now carefully checking each step of the security as I move forward.

I’m not familiar with this image. Where did you get it?

Edit: This appears to be a HamVoIP image.

I obtained this from:

This is used with the SHARIPIHat system.

Ahh. You seem to be using a HamVoIP distribution. We don’t distribute or support HamVoIP, but I’m sure there are many people on their mailing list that can assist you.

HamVoIP support can be found here:

http://www.hamvoip.org
http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar

My apologies. I will check there.

Ok, I can say from experience that letting the default Raspberry Pi configuration for Allstar and Supermon be subject to open access on the internet will allow malicious folk to cut through the security faster than a hot knife through butter.

I can also confirm that the problems I am facing occur as part of the normal Raspberry distribution of Raspbian and are not limited to the VoIP distribution.

I believe I now have this under control. My steps were:

  1. Scan my IP provider’s router to ensure that the management port was not accessible from the internet: there is a potential compromise to this router that makes it vulnerable from external access.

  2. I configure this router only when it is not connected to the internet so as not to compromise the admin password: there is a password spoofing hack used to get the admin password and then compromise the router using this.

  3. I placed a second internal router inside the router provided by the internet service provider:
     • I created a segregated network for the Allstar node
     • I provide port forwarding rules by IP address to the Allstar node so it is not visible to unauthorized systems

  4. I disabled the volatile file system for /var/log by editing fstab:
     • this ensures I have persistent logs so I can track problems as they occur
     • I need to put in log rotation: the Apache manual has a script to do this

  5. I disabled the named daemon and configured Raspbian to use the firewall for DNS:
     • DNS spoofing is a classic hack
     • the ISP is better at securing DNS services than I am

  6. I removed the mounting at start up of all Apache modules involved with proxy: proxy is not needed for first order Supermon operation
     • user directories and aliases are required, which is unfortunate

  7. I followed the advice of: 10 Best Practices To Secure and Harden Your Apache Web Server, but am not using HTTPS

When I last opened Supermon access to the internet I was attacked within minutes and hacked within probably hours. Securing Apache with the Apache software access configuration provided only incomplete protection and was not sufficient.

This new configuration has seemed stable under test so far.

If anyone has other suggestions for hardening the system or apache, I would love to hear it!

Thanks for your patience.
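Added example, not taken from this thread or from the AllStarLink/HamVoIP projects: an Apache 2.4 configuration fragment that implements the "password protect the entire webserver" suggestion earlier in the thread together with the source-IP restriction and proxy-module removal from the step list above. The paths, the operator user name, the network ranges and the Debian-style module commands are assumptions; on an Arch-based HamVoIP image the same directives go in /etc/httpd/conf/httpd.conf and modules are disabled by commenting out their LoadModule lines.

```apache
# Added example (not from this thread). Assumed Debian-style layout:
# /etc/apache2/apache2.conf or a file under /etc/apache2/conf-enabled/.
# Create the password file first (placeholder user "netcontrol"):
#   htpasswd -c /etc/apache2/.htpasswd netcontrol
# Basic auth sends the password base64-encoded, not encrypted, so this
# only protects the login when the site is also served over HTTPS.

# 1. Deny everything by default; grant access only per directory below.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# 2. Password-protect the whole document root (Allmon/Supermon live here).
<Directory "/var/www/html">
    Options -Indexes -Includes
    AllowOverride None
    AuthType Basic
    AuthName "Allmon - authorized net control operators only"
    AuthUserFile "/etc/apache2/.htpasswd"
    # Require BOTH a valid login AND a permitted source network.
    # 192.168.10.0/24 is a placeholder LAN; 203.0.113.0/24 is a
    # placeholder for the operators' known public range.
    <RequireAll>
        Require valid-user
        Require ip 127.0.0.1 192.168.10.0/24 203.0.113.0/24
    </RequireAll>
</Directory>

# 3. Forward proxying is the risk described in the thread. Preferred fix:
#   a2dismod proxy proxy_http proxy_connect proxy_ftp   (Debian/Raspbian)
# If mod_proxy must stay loaded for some reason, at least refuse to act
# as an open forward proxy; the IfModule guard keeps the config valid
# when the module has been removed.
<IfModule proxy_module>
    ProxyRequests Off
</IfModule>

# 4. Reduce information leakage and disable the TRACE method.
ServerTokens Prod
ServerSignature Off
TraceEnable Off
```

Check the result with `apachectl configtest` before reloading, and confirm from another host that a request without credentials returns 401 and a request from an address outside the listed ranges returns 403.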

I’d look at setting up a VPN

Interesting. I run a few HamVoIP nodes so I might see about securing these further. Thanks for the info!

named/bind is used only as a local caching forwarder, but it does listen on all ports from the looks of it. This is a HamVoIP only thing though – ASL doesn’t do this. They should probably restrict that to only listen on local though.
