Documentation:NGW/Security
From AVRFreaks Wiki
Still working on this
Why Turn on Security
In most cases you do not need it. If you are just hacking about with the NGW100, do not read on.
If you are going to take the software from the NGW100 and build your own board, then you should read on.
This document is based on buildroot SVN revision 22403 (2.6.24.3):
$ svn info
Path: .
URL: svn://uclibc.org/trunk/buildroot
Repository Root: svn://uclibc.org
Repository UUID: 69ca8d6d-28ef-0310-b511-8ec308f3f277
Revision: 22403
Node Kind: directory
Schedule: normal
Last Changed Author: jacmet
Last Changed Rev: 22402
Last Changed Date: 2008-06-17 09:33:02 -0400 (Tue, 17 Jun 2008)
NOTE that this is a work in progress and it only covers the basics. There may be holes that I have not found. If you find some, please add them to this list.
Basic Security
I know that the following are basic, but there are a lot of people who do not follow them and then wonder why they got hacked.
DO NOT USE TELNET!
Do NOT use Telnet (telnetd): your user name and password can be read off the wire with Ethereal or Wireshark. Use dropbear (the SSH server) instead.
DO NOT USE FTP!
Do NOT use the FTP server (proftpd): your user name and password can be read with Ethereal or Wireshark. You also do not have much space to save things in flash or RAM. If you need to upload files, use the web page upload.
Change Root Password
Change the root password from roota to 14 or more characters, using upper and lower case, numbers and the non-alphanumeric characters on the keyboard, i.e. !@#$%^&*()_-+=[{]}|\:;<>,.?/~`, as most cracking programs do not try them.
- I know long passwords with a lot of shifting are a pain in the butt to type. I type them out one time in a text editor, then just use cut and paste. The trick is NOT to save the file.
- Do not use words.
- Do not use the same root password for all units. (The password will get out on the Internet and then everyone is into your units.)
- You may want to use an encoded serial number and/or MAC address combined with other characters, so that each unit you sell has a different root password.
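A check for the rules above before a password is set with passwd, as an added example that is not part of the original wiki page. The 14-character threshold follows the text; the list of rejected well-known passwords is a constructed example list.

```shell
#!/bin/sh
# Added example (not from the original wiki page): test a candidate root
# password against the rules in the text before setting it with passwd.
# KNOWN_DEFAULTS is a constructed list of names that must never be used.
KNOWN_DEFAULTS="roota avr32 default password 123456"

# password_ok PASSWORD
#   Returns 0 when the password is 14 or more characters long, contains an
#   upper-case letter, a lower-case letter, a digit and a non-alphanumeric
#   character, and is not a well-known default. Each failure is reported on
#   stderr so the caller sees every rule that was missed, not just the first.
password_ok() {
    pw="$1"
    ok=0
    if [ "${#pw}" -lt 14 ]; then
        echo "too short: need 14 or more characters" >&2; ok=1
    fi
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "needs an upper-case letter" >&2; ok=1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "needs a lower-case letter" >&2; ok=1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "needs a digit" >&2; ok=1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "needs a symbol such as !@#\$%^&*" >&2; ok=1; }
    case " $KNOWN_DEFAULTS " in
        *" $pw "*) echo "is a well-known default password" >&2; ok=1 ;;
    esac
    return $ok
}

# Stand-alone run: check the first argument, or a constructed sample if none given.
if password_ok "${1:-Tr0ub4dor&3xample!!}"; then
    echo "password meets the rules"
else
    echo "password rejected"
fi
```

Run it as `sh check-pw.sh 'candidate'`; the candidate never touches the disk, which matches the "do not save the file" advice above.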
DO NOT LET END USERS LOG IN
DO NOT LET END USERS LOG IN. The end user should be using a web page interface. You can let your staff log in, but do not let the people you sell it to log in with telnet or ssh.
Run an SSH server
dropbear is turned on by default. Log in using ssh (Linux) or PuTTY (Windows) to access the unit.
You should stop root from logging in over ssh (use the -w option on dropbear). Set up another user, log in as that user and then use the su command to change to root. This makes it harder to hack, as an attacker needs two passwords: the new user's and root's.
Set up the firewall
You should run a firewall with port, IP and interface (eth0 and eth1) access blocking. This is done with iptables. By default, if iptables is NOT data-filled, all ports on both interfaces (eth0 and eth1) are open to everyone. See below for a basic firewall.
Note that if you are putting it on the Internet you should stop ping as well.
Change the port number for ssh
Moving your ssh server to a port other than 22 helps to stop people from hammering it all day. They try to connect to port 22 and, when it fails, move on to another IP address.
A better way is to use a list of allowed IP addresses in the firewall; then you do not need to change the port number. This needs to be done with iptables, as hosts.allow is NOT in /etc.
Turn off the RS232 port login
This one is a no-brainer. Turn off the auto login.
Check on ports
With open-source code you may end up with things running which you do not want or need. The best way to see what is running is the netstat -a command, or netstat -a -n to show port numbers instead of service names (it is faster as well).
Note that inetd can start services as well.
~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                 Foreign Address   State
tcp        0      0 0.0.0.0:swat                  0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:sunrpc                0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:domain                0.0.0.0:*         LISTEN
tcp        0      0 :::http                       :::*              LISTEN
tcp        0      0 :::ftp                        :::*              LISTEN
tcp        0      0 :::domain                     :::*              LISTEN
tcp        0      0 :::ssh                        :::*              LISTEN
tcp        0      0 :::telnet                     :::*              LISTEN
udp        0      0 0.0.0.0:943                   0.0.0.0:*
udp        0      0 0.0.0.0:52275                 0.0.0.0:*
udp        0      0 0.0.0.0:domain                0.0.0.0:*
udp        0      0 0.0.0.0:bootps                0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc                0.0.0.0:*
udp        0      0 ngw.example.net:ntp           0.0.0.0:*
udp        0      0 192.168.0.120:ntp             0.0.0.0:*
udp        0      0 localhost.localdomain:ntp     0.0.0.0:*
udp        0      0 0.0.0.0:ntp                   0.0.0.0:*
udp        0      0 :::domain                     :::*
udp        0      0 fe80::204:25ff:fe1c:60ce:ntp  :::*
udp        0      0 fe80::204:25ff:fe1c:60cf:ntp  :::*
udp        0      0 localhost:ntp                 :::*
udp        0      0 :::ntp                        :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  8      [ ]         DGRAM                    110    /dev/log
unix  2      [ ]         DGRAM                    1501
unix  2      [ ]         DGRAM                    264
unix  2      [ ]         DGRAM                    230
unix  2      [ ]         DGRAM                    142
unix  2      [ ]         DGRAM                    118
unix  2      [ ]         DGRAM                    114
or
~ # netstat -a -n
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                 Foreign Address   State
tcp        0      0 0.0.0.0:901                   0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:111                   0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:53                    0.0.0.0:*         LISTEN
tcp        0      0 :::80                         :::*              LISTEN
tcp        0      0 :::21                         :::*              LISTEN
tcp        0      0 :::53                         :::*              LISTEN
tcp        0      0 :::22                         :::*              LISTEN
tcp        0      0 :::23                         :::*              LISTEN
udp        0      0 0.0.0.0:943                   0.0.0.0:*
udp        0      0 0.0.0.0:52275                 0.0.0.0:*
udp        0      0 0.0.0.0:53                    0.0.0.0:*
udp        0      0 0.0.0.0:67                    0.0.0.0:*
udp        0      0 0.0.0.0:111                   0.0.0.0:*
udp        0      0 10.0.0.1:123                  0.0.0.0:*
udp        0      0 192.168.0.120:123             0.0.0.0:*
udp        0      0 127.0.0.1:123                 0.0.0.0:*
udp        0      0 0.0.0.0:123                   0.0.0.0:*
udp        0      0 :::53                         :::*
udp        0      0 fe80::204:25ff:fe1c:60ce:123  :::*
udp        0      0 fe80::204:25ff:fe1c:60cf:123  :::*
udp        0      0 ::1:123                       :::*
udp        0      0 :::123                        :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  8      [ ]         DGRAM                    110    /dev/log
unix  2      [ ]         DGRAM                    1501
unix  2      [ ]         DGRAM                    264
unix  2      [ ]         DGRAM                    230
unix  2      [ ]         DGRAM                    142
unix  2      [ ]         DGRAM                    118
unix  2      [ ]         DGRAM                    114
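Reading the listing by eye works once; for a unit you ship it is better to compare "netstat -a -n" against the list of services you expect and have anything else reported. The script below is an added example, not part of the original wiki page; the embedded netstat text is a constructed sample modelled on the listing above, and the allow-list format (proto/port) is this example's own.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit "netstat -a -n"
# output against an allow list of the services that should be on the unit.
# Every other listening TCP port or bound UDP port is printed so it can be
# disabled in /etc/init.d or inetd.conf.

# Constructed sample in the same shape as the page's "netstat -a -n" listing.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  8      [ ]         DGRAM                    110    /dev/log'

# unexpected_sockets "proto/port proto/port ..."
#   Reads netstat -a -n output on stdin and prints one "proto/port" line for
#   every listening TCP socket or bound UDP socket not in the allow list.
unexpected_sockets() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        /^Active UNIX/ { exit }          # stop at the UNIX-socket table
        $1 == "tcp" && $6 == "LISTEN" || $1 == "udp" {
            n = split($4, parts, ":")    # port follows the last colon (IPv6 has many)
            key = $1 "/" parts[n]
            if (index(allowed, " " key " ") == 0 && !(key in seen)) {
                seen[key] = 1
                print key
            }
        }' | sort
}

# audit_sockets "proto/port ...": exit 0 when nothing unexpected is bound,
# 1 otherwise (the offending sockets go to stderr).
audit_sockets() {
    extra=$(unexpected_sockets "$1")
    if [ -n "$extra" ]; then
        echo "Unexpected sockets:" >&2
        echo "$extra" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample. On the unit use:
#   netstat -a -n | audit_sockets "tcp/22 tcp/80 udp/67 udp/123"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_sockets "tcp/22 tcp/80 udp/67 udp/123"
```

On the sample this reports tcp/111 (portmap), tcp/23 (telnetd) and tcp/901 (swat), which is exactly the set the sections above tell you to switch off.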
Check default user IDs
You will find a number of user IDs in the files /etc/passwd and /etc/shadow. /etc/passwd holds the user account information and /etc/shadow holds the encrypted user passwords and the password lifetime settings.
You should remove the users avr32 and default, as they are known user IDs and therefore can be cracked.
The other user IDs are set up so that files are owned by a name that tells you which process uses them, and also to control access, so that the sshd process runs as sshd and cannot access root's files.
In most cases the shell field (the last field in /etc/passwd) should be set to /bin/false. This stops the login even with a valid user ID and password.
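The two checks in this section (no login shell for service accounts, no well-known account names) can be scripted over /etc/passwd. The following is an added example, not part of the original wiki page; the passwd content is a constructed sample whose UIDs, home directories and extra account names are made up and are not the NGW100's real entries.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit an /etc/passwd-style
# file for accounts that can still log in, and for the well-known default
# account names that should be deleted before a unit ships.

# Constructed sample in /etc/passwd format (made-up UIDs and paths).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
sshd:x:103:99:sshd:/var/empty:/bin/false
avr32:x:1000:1000:Default user:/home/avr32:/bin/sh
default:x:1001:1001:Default user:/home/default:/bin/sh
www:x:104:104:httpd:/var/www:/bin/false'

# login_capable_users < passwd-file
#   Prints every account whose shell (7th field) gives a real shell to anyone
#   holding the password. /bin/false (or /sbin/nologin) stops the login.
login_capable_users() {
    awk -F: '$7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }'
}

# known_default_users < passwd-file
#   Prints accounts whose names are public defaults; the name half of the
#   credential is already known, so these should be removed (deluser).
known_default_users() {
    awk -F: -v known=" avr32 default " 'index(known, " " $1 " ") { print $1 }'
}

# audit_passwd FILE: nonzero exit when any account other than root can log
# in, or a known default account is still present. Findings go to stderr.
audit_passwd() {
    file="$1"
    bad=0
    for u in $(login_capable_users < "$file"); do
        [ "$u" = "root" ] && continue
        echo "login-capable account: $u (set shell to /bin/false or delete it)" >&2
        bad=1
    done
    for u in $(known_default_users < "$file"); do
        echo "well-known default account present: $u (delete it)" >&2
        bad=1
    done
    return $bad
}

# Stand-alone run over the constructed sample; on a unit: audit_passwd /etc/passwd
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp" || echo "audit failed: fix the accounts listed above"
rm -f "$tmp"
```

Root is deliberately left out of the first check because the su step in the SSH section still needs a root shell; everything else that can log in is a finding.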
How to configure
RS232 port login
Note that this will NOT stop U-Boot from using the RS232 port. I can see how to change the outputs in the environment but have not played with it yet. If you have, put in what you found.
So you will still see U-Boot running and the console log, but you will not get a login prompt.
The RS232 port is configured in /etc/inittab, which is where Linux picks up what to do at start-up. Here is an example with a login prompt on the RS232 port:
# Inittab for the ATNGW100 development board
#
# Note: BusyBox init doesn't support runlevels. The runlevels field is
# completely ignored by BusyBox init. If you want runlevels, use sysvinit.
#
# Format for each entry: <id>:<runlevels>:<action>:<process>
#
# id        == tty to run on, or empty for /dev/console
# runlevels == ignored
# action    == one of sysinit, respawn, askfirst, wait, and once
# process   == program to run

# Run the rcS script after kernel is booted.
::sysinit:/etc/init.d/rcS

# Run a shell on the first serial port. Comment out if you want a getty instead.
#ttyS0::respawn:-/bin/sh

# Run a shell on the g_serial port (USB gadget device)? This shell will spawn
# error message if the device is not connected.
#ttygserial::respawn:-/bin/sh

# Uncomment this to run a getty on the first serial port.
ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100

# Run a script on shutdown.
::shutdown:/etc/init.d/rcK
There are two lines in this file you need to look at; both start with ttyS0 or #ttyS0. NOTE: do not uncomment both.
This line logs in on the RS232 port as root with no password needed. COMMENT IT OUT:
ttyS0::respawn:-/bin/sh
This line prompts for a user name and password. It is commented out in the basic load:
ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
You can comment both of them out and then use a program that asks for the unit's configuration settings. The output device is /dev/ttyS0. Or you can put in a fake login program which always fails the login.
PUT script here
Telnet server login
To turn off the telnet server, delete S40telnetd or rename it to old_S40telnetd in the directory /etc/init.d. Note that if the file name starts with an S it is run at start-up.
The telnet server should not be used for logging in, but you can use it to run a configuration program.
The telnet server is configured in /etc/init.d by the file named S40telnetd (note that the S40 may change over time; if you cannot find it, run "grep telnetd *" in the /etc/init.d directory):
#!/bin/sh

TELNETD=/usr/sbin/telnetd

echo -n "Starting telnetd: "
if [ ! -x "${TELNETD}" ]; then
    echo "missing"
    exit 1
fi

if ${TELNETD} -l /bin/sh; then
    echo "done"
else
    echo "failed"
    exit 1
fi
There is only one line here that needs to be changed. The NGW comes with the following line; the -l /bin/sh logs the user in without asking for a user name or password:
if ${TELNETD} -l /bin/sh; then
Change this line to the following if you want a user name and password to be asked for. This is NOT recommended, as the user name and password can be seen with a sniffer:
if ${TELNETD}; then
Or change it to point to a configuration program, like on the RS232 port:
if ${TELNETD} -l /your/program/path/and/name; then
Need to add a script in sh, perl or C.
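One shape such a configuration program can take, for both the ttyS0 line in /etc/inittab and the telnetd -l line above, as an added example that is not part of the original wiki page: a fixed menu of read-only status items plus reboot, with no path to a shell. The install path /usr/local/bin/ngw-menu, the menu items and the option numbers are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original wiki page): a restricted configuration
# program to run on ttyS0 or as the telnetd -l target instead of /bin/sh.
# It offers a fixed menu and never a shell. Hypothetical install path:
#   /etc/inittab:   ttyS0::respawn:/usr/local/bin/ngw-menu
#   S40telnetd:     if ${TELNETD} -l /usr/local/bin/ngw-menu; then

# Ignore interrupt and job-control keys: breaking out of this script must not
# leave the operator at a shell prompt. If it exits, init respawns it.
trap '' INT QUIT TSTP

# menu_action CHOICE: run one menu item.
# Returns 0 for a valid item, 2 for quit, 1 for an unknown choice.
menu_action() {
    case "$1" in
        1) echo "host: $(uname -n)"
           [ -r /proc/uptime ] && echo "uptime (s): $(cut -d' ' -f1 /proc/uptime)"
           return 0 ;;
        2) [ -r /proc/net/dev ] && cat /proc/net/dev
           return 0 ;;
        3) echo "rebooting"; reboot; return 0 ;;
        q|Q) return 2 ;;
        *) echo "unknown option: $1"; return 1 ;;
    esac
}

# config_menu: prompt until the operator quits or the line drops (read fails).
# Unknown choices only re-prompt; nothing typed here reaches a shell.
config_menu() {
    while :; do
        printf '\nNGW config  1) status  2) interfaces  3) reboot  q) quit\n> '
        read -r choice || return 0
        rc=0
        menu_action "$choice" || rc=$?
        [ "$rc" -eq 2 ] && return 0
    done
}

# Start the loop only when attached to a terminal (ttyS0 or a telnet pty), so
# sourcing the file for its functions does not block waiting on stdin.
if [ -t 0 ]; then
    config_menu
fi
```

Every action is a fixed command with no user-supplied arguments; that is what keeps a menu like this from turning back into the -/bin/sh line it replaces.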
FTP server
To turn off the FTP server, delete S50proftpd or rename it to old_S50proftpd in the directory /etc/init.d. Note that if the file name starts with an S it is run at start-up.
iptables configuration (firewall)
By default, if you do NOT data-fill iptables, all ports on both interfaces (eth0 and eth1) are open to everyone. So data-fill iptables; it is not hard to do.
Note that the httpd server does have IP address control. If you are having problems with the web pages, check the /etc/httpd.conf file.
The more I look at this, the more I think the iptables information should be on another page. But for now, here it is.
It is a cool tool!
Display what is in iptables with iptables -v -L --line-numbers, which lists the set-up with rule numbers (the numbers help when you want to delete rules). This is what iptables looks like before you start. It is set up by the file /etc/init.d/S22iptables (you may want to put the basic firewall below after S22iptables):
~ # iptables -v -L --line-numbers
Chain INPUT (policy ACCEPT 756 packets, 241K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       39 21328 ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state RELATED,ESTABLISHED
2       55 11760 ACCEPT     all  --  eth1   eth0    anywhere             anywhere
Chain OUTPUT (policy ACCEPT 622 packets, 90096 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Basic data file for a two-Ethernet-port NGW100, with eth0 being the WAN (with firewall) and eth1 being the LAN (access to all ports).
Note that the order matters.
# Removing all the INPUT and OUTPUT chain
iptables -F INPUT
iptables -F OUTPUT

# Allow self access by loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# Open secure shell port (SSH)
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

# Open HTTP port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

# Add more ports here. Same as above, different dport number

# LAN side setup. Has access to all ports on unit.
iptables -A INPUT -p all -i eth1 -j ACCEPT
iptables -A OUTPUT -p all -o eth1 -j ACCEPT

# Ping on WAN side (eth0). Remove this if you do not want the Internet side to ping
iptables -A INPUT -p icmp -i eth0 -j ACCEPT

# Ping on LAN side (eth1)
iptables -A INPUT -p icmp -i eth1 -j ACCEPT

# Drop all other connection attempts. Only connections defined above are allowed.
iptables -A INPUT -p all -i eth0 -j DROP
Parts of this come from the following link: http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
It should end up looking like this:
~ # iptables -v -L --line-numbers
Chain INPUT (policy ACCEPT 1787 packets, 380K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2      271 33604 ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
3        0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp option=!2 reject-with tcp-reset
4        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
5        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
6       20  1880 ACCEPT     all  --  eth1   any     anywhere             anywhere
7        0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere
8        0     0 ACCEPT     icmp --  eth1   any     anywhere             anywhere
9       10  1914 DROP       all  --  eth0   any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8746 6382K ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state RELATED,ESTABLISHED
2     8031 1782K ACCEPT     all  --  eth1   eth0    anywhere             anywhere
Chain OUTPUT (policy ACCEPT 9205 packets, 1610K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
2       20  2384 ACCEPT     all  --  any    eth1    anywhere             anywhere
~ #
Short form of iptables:
~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp option=!2 reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Note that if you are putting it on the Internet you should stop ping as well.
You may need the following lines if you are running Samba. I have not tested this, as I am not running Samba (it uses up too much memory).
# Accept local Samba connection. Do not run
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
Note: if you are using NFS to mount the file system and you are experimenting with the iptables commands, remove the last line (the DROP command) before running the iptables -F OUTPUT command, or the system will not come back from that command, as it removes the NFS link before the DROP.
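Because the rule order matters and the DROP has to stay last, it is safer to generate the rule set from a few parameters than to edit the list by hand each time. The script below is an added example, not part of the original wiki page: interface names and open ports are arguments (the page's eth0/eth1 and 22/80 are used in the sample call), the commands are only printed unless APPLY=1 is set, and the page's REJECT rule on tcp-option 2 is left out.

```shell
#!/bin/sh
# Added example (not from the original wiki page): build the WAN/LAN rule set
# from parameters so the order (loopback, established, open ports, LAN,
# optional ping, DROP last) is always the same. By default the iptables
# commands are printed; run with APPLY=1 as root on the unit to install them.

show() { printf '%s\n' "$*"; }
IPT=show
[ "${APPLY:-0}" = 1 ] && IPT=iptables

# build_firewall WAN LAN "PORT ..." PING
#   WAN, LAN: interface names; PORT list: TCP ports to open from the WAN;
#   PING: "yes" to answer ICMP on the WAN, anything else to drop it.
build_firewall() {
    wan="$1"; lan="$2"; ports="$3"; ping="$4"

    # Start from empty INPUT/OUTPUT chains (FORWARD is left to S22iptables).
    $IPT -F INPUT
    $IPT -F OUTPUT

    # Loopback first, or local services (DNS, NTP to itself) break.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections the unit itself opened on the WAN side.
    $IPT -A INPUT -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services reachable from the WAN: one rule per port.
    for p in $ports; do
        $IPT -A INPUT -i "$wan" -p tcp --dport "$p" -j ACCEPT
    done

    # LAN side: everything allowed, as in the page's data file.
    $IPT -A INPUT -i "$lan" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -j ACCEPT

    # ICMP: always on the LAN, on the WAN only when asked for.
    $IPT -A INPUT -i "$lan" -p icmp -j ACCEPT
    if [ "$ping" = yes ]; then
        $IPT -A INPUT -i "$wan" -p icmp -j ACCEPT
    fi

    # Everything else from the WAN is dropped. Always the last INPUT rule, so
    # every ACCEPT above it is in place before anything is discarded.
    $IPT -A INPUT -i "$wan" -j DROP
}

# Stand-alone run: print the rules for the page's layout (ssh + http on the WAN, no ping).
build_firewall eth0 eth1 "22 80" no
```

Run it once without APPLY to read the rule list, then APPLY=1 to install it; because the DROP is generated last, the NFS caveat above is handled by construction rather than by remembering to edit the file.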
