
Re: yet another IP blocklist (mine!)

From Moe Trin <ibuprofin@painkiller.example.tld.invalid>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-10-29 22:24 +0000
Organization BOFH Coffee House and Shooting Gallery
Message-ID <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us> (permalink)
References <MPG.325c46579c9d147e989681@reader80.eternal-september.org> <slrnnv84fd.9g.ibuprofin@planck.phx.az.us> <MPG.327c65692bdf48dc989683@news.eternal-september.org> <slrno17fn7.raa.ibuprofin@planck.phx.az.us> <MPG.327d9502ab733f6f989682@reader80.eternal-september.org>



On Fri, 28 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.327d9502ab733f6f989682@reader80.eternal-september.org>, Supratim Sanyal wrote:

>ibuprofin@painkiller.example.tld.invalid says...

>> Hits on 22/tcp have been relatively low for over a year (average
>> about 1.5 attempts per hour).

>iptables + ipset with public blocklists has kept port 22 spam in
>control for my internet-facing servers for over a decade now

A man page to look at (from 'tar -tvzf tcp_wrappers_7.6.tar.gz'):

  -r--r--r-- 309/326  15225 1995-01-30 11:51 tcp_wrappers_7.6/hosts_access.5

Notice the date.  Then try 'man 5 hosts_access'.   It's part of the
tcp_wrappers or lib_wrap package from the last (April 1997) release
of that now unmaintained (but still useful) program.  Look down at the
EXAMPLES section (about 9/10 of the way down the man-page).  Either you
are "MOSTLY CLOSED" or "MOSTLY OPEN".   Do you check the identity of
everyone trying to enter your house and only block them if they are on
a list?   Or do you block everyone, and only allow those on a different
list in?      Slight difference in practicality.   As mentioned, I only
allow blocks where I know authorized users might be located.  When I
(or other authorized users) were traveling to unknown places, the
firewall here would have port-knocking enabled (user tries to connect
to closed port $FOO and then $BAR - and the firewall would open from
that IP for 30 seconds to allow establishing a connection to 22/tcp). 
That trick has been in use for over 30 years.  Biggest problem with it
is that some firewalls on the Internet block outbound connections to
"unusual" ports, and that may prevent knocking port $BAZ or $QUX.

>(your experience is far longer than mine)

I actually was on DARPA net back in 1976 at NASA Ames, though it was
not a primary part of my job then.

>but these blocklists are missing a vast number of port 23 bots. 

I'm not sure it's even possible to come up with a reasonably accurate
list - it changes so frequently.   It's getting worse even now due to
the "Internet of Things" (commonly written as "IoT") which includes
all of the poorly designed devices in the modern home.   Most of the
current crop of 'bots are unprotected DVD players, Internet-enabled
cameras, and similar.  Search the Risks digest of the ACM (Association
for Computing Machinery) which you can find as the Usenet newsgroup
"news://comp.risks" on most news servers:

[euclid  news/comp.risks]$ zgrep -l IoT risks-29.[78]* | column
risks-29.72.gz     risks-29.81.gz     risks-29.85.gz
risks-29.75.gz     risks-29.82.gz     risks-29.86.gz
risks-29.80.gz     risks-29.84.gz     risks-29.88.gz
[euclid  news/comp.risks]$

It's a pretty well documented problem.   Another word to search for at
the moment is "Mirai".

   The malware, dubbed *Mirai*, spreads to vulnerable devices by
   continuously scanning the Internet for IoT systems protected by
   factory default or hard-coded usernames and passwords.

When we got our first DVD player with a network interface, I did a
quick NMAP scan of it.  After it got an IP (via DHCP), I found it was
listening for connections on two ports.  One was 23/tcp, and it accepted
a login as "admin" with a password of "pass" - no, I don't think this
is going to remain connected to my network.   The second one we bought
accepted "admin" with a password of "admin".   Such clever security!
The current redeeming feature is that the 'bot software isn't loaded
to disk (or equal), and the 'bot software goes away when the device is
power-cycled.  The problem is that everyone is buying this crap, and
installing it while unaware that it's so vulnerable.

>thanks for pinging my host and discovering the unusual ICMP response.

???     Not me.

>I also see a pure DOS attempt maybe twice a day from numerous IPs in
>the same subnet (usually 20x.x.x.x/16),

Well, 20x.x* covers a lot of territory.  Looking in the Regional
Internet Registry delegation files for 10/15/16 (essentially, the data
you see from a "whois" query), I see 10 blocks in AFRINIC, 10982 in
APNIC, 12706 in ARIN, 3487 in LACNIC, and 4 in RIPENCC with an overall
total of 167,768,528 (out of 167,772,160 possible) addresses.  Those
~27000 blocks are registered in 116 countries.  The last two log files
I have (two 24-hour periods from this month) show a relatively flat
distribution of IPs (173 of the 220 usable /8s).  No single dominant
block, although a significant (~4% ?) amount came from blocks assigned
to LG Datacom (.kr), Kyivstar (.ua), and two Brazilian telcos.

        Old guy
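The per-registry tally of the 20x.x.x.x space that the post describes can be reproduced from the RIR "delegated-*-extended" statistics files. The following is an added example, not code from the post or from any RIR; it assumes the published pipe-separated format (registry|cc|type|start|value|date|status) and counts only "allocated" and "assigned" records, which is an assumption about how the poster counted. The sample lines are constructed, not real registry data.

```python
"""Tally IPv4 delegations whose first octet falls in 200-209 (the
"20x.x.x.x" range), per RIR, from delegated-*-extended style records."""
import ipaddress
from collections import defaultdict

# Constructed sample records (not real registry data). Header and
# summary lines mimic the real file layout so the parser must skip them.
SAMPLE_DELEGATIONS = """\
2|arin|20161015|4|19920101|20161015|+0000
arin|*|ipv4|*|2|summary
# comment lines are ignored
arin|US|ipv4|204.0.0.0|16777216|19920101|allocated|abc123
arin|US|ipv4|199.0.0.0|65536|19930101|allocated|abc124
arin|ZZ|ipv4|206.0.0.0|256|20160101|reserved
apnic|KR|ipv4|203.240.0.0|65536|19950101|allocated|def456
lacnic|BR|ipv4|200.0.0.0|4096|19980101|assigned|ghi789
afrinic|ZA|ipv4|196.0.0.0|8388608|19990101|allocated|jkl012
ripencc|UA|ipv4|93.0.0.0|1048576|20050101|allocated|mno345
"""

COUNTED_STATUS = {"allocated", "assigned"}   # assumption: skip reserved/available


def tally_delegations(text, low=200, high=209):
    """Return {registry: {"blocks", "addresses", "countries"}} for ipv4
    records whose start address has a first octet in [low, high]."""
    per_rir = defaultdict(lambda: {"blocks": 0, "addresses": 0, "countries": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Version header has a numeric 3rd field; summary rows use '*' as start.
        if len(fields) < 7 or fields[2] != "ipv4" or fields[3] == "*":
            continue
        registry, cc, _, start, value, _, status = fields[:7]
        if status not in COUNTED_STATUS:
            continue
        try:
            first_octet = int(ipaddress.IPv4Address(start)) >> 24
        except ValueError:
            continue                       # malformed start address
        if not low <= first_octet <= high:
            continue
        entry = per_rir[registry]
        entry["blocks"] += 1
        entry["addresses"] += int(value)   # value = address count for ipv4
        entry["countries"].add(cc)
    return dict(per_rir)


def coverage(per_rir, low=200, high=209):
    """(delegated addresses, possible addresses, distinct countries)."""
    delegated = sum(e["addresses"] for e in per_rir.values())
    possible = (high - low + 1) * 2 ** 24   # ten /8s -> 167,772,160
    countries = set().union(*(e["countries"] for e in per_rir.values()))
    return delegated, possible, len(countries)
```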



Thread

yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-03 11:42 -0400
  Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-04 20:32 +0000
    Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-27 20:27 -0400
      Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-28 21:10 +0000
        Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-28 18:02 -0400
          Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-29 22:24 +0000
            Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-22 18:49 -0500
              Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-24 01:13 +0000
                Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-26 17:59 -0500
                Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-28 02:10 +0000
