Blocking IP addresses with ipset

In Chinese Hackers I mentioned that I block ssh attackers with the help of fail2ban. Unfortunately, fail2ban uses iptables to create firewall rules in “Chain f2b-SSH” for each individual IP address. For a modern processor this is no problem, even if you have thousands of these rules. While for a low powered ARM processer this can have a noticeable influence on network performance. In Using Odroid as IP Router I wrote:

Added 10-Jan-2019: I previously added ca. 3000 iptables rules for blocking IP address ranges which attacked me on port 22 (ssh). That many rules will deteriorate your network performance significantly. My download speed went down from 100 MBit/s to 20 MBit/s.

An alternate or additional approach to this slowdown due to iptables is to use ipset, Arch package ipset. ipset maintains hash tables of IP addresses or networks. At the time when I still used the Odroid, then the main sshd-server copied the blocked IP addresses to the Odroid, which in turn populated the hash table with the IP addresses to be blocked.

Setting up ipset and populating the hash tables from fail2ban can be done as below.

sqlite3 -csv /var/lib/fail2ban/fail2ban.sqlite3 "select distinct ip from bips order by ip" |    \
        perl -e 'BEGIN {print "create reisTmp hash:ip family inet hashsize 65536 maxelem 65536\n"; }
                print "add reisTmp $_" while (<>);'     \
        > ~/tmp/reisTmp

The name reisTmp is arbitrary. This way we have a file which looks like this:

create reisTmp hash:ip family inet hashsize 65536 maxelem 65536
add reisTmp 1.186.57.150
add reisTmp 1.193.76.18
add reisTmp 1.2.206.30
add reisTmp 1.202.77.210
add reisTmp 1.214.156.164
add reisTmp 1.214.245.27
. . .

This file is transfered from the sshd/fail2ban-server to our router, if required, and is the input to be run through ipset:

ipset restore -f ~klm/tmp/reisTmp
ipset swap reisTmp reisbauer
ipset destroy reisTmp

This assumes you have created a hash table in ipset called reisbauer. Again, this name is arbitrary. Above scenario assumes that populating this hash table takes some time, then just swap hash tables, which is almost instant.

To re-initiate the hash table after reboot, you use

systemctl enable ipset
systemctl start ipset

This basically does

ipset -f /etc/ipset.conf restore

Aggressive Vodafone Router

Vodafone router does not allow to turn off firewall permanently. It will insist on switching it on after 24 hours.

Version of this router in question:

Firmware version:          01.02.037.03.12.EURO.SIP
Productname:               Vodafone Docsis 3.1

This “Made in China” router using Linux 3.12.59 from 2010, is teaching the “expert user”. You have to get “expert user” if you want to switch off firewall. As of the time of writing, stable Linux kernel version is 5.5.6, longterm 5.4.22, earliest is 3.16.82. It is also using old versions of openssl and iptables.

Apparently the creators of this router never thought of any user employing Linux and iptables, or something similar.

Luckily, the router allows to forward a range of ports, thereby effectively bypassing the firewall.

See Home Router Security Report 2020 for an assessment of home-routers.

Chinese Hackers

I am running fail2ban since November 2017 and all unsuccessful attempts to log-in to sshd are monitored. Breaking down these attempts according country shows that Chinese IP addresses are coming first here.

The numbers are:

27639    China
13589    United States
8641     France
3985     India
3418     Korea
3217     Brazil
2940     Canada
2419     Germany
2157     Russian Federation
1988     Indonesia

fail2ban_breakdown_country

The distribution of total attacks per month is as depicted below:
ipBlockPerMonth
Continue reading

Remote Unlocking of Encrypted Disks

1. Problem statement. You have an encrypted disk and want to decrypt the disk during boot while not sitting in front of your computer.

Solution is sketched and indicated in dm-crypt/Specialties. Below is a little bit more explanation. For the following you must be root.

2. Required software packages. Install the following packages: dropbear from repo “Community”. Then install the following AUR-packages:

  1. mkinitcpio-netconf
  2. mkinitcpio-utils
  3. mkinitcpio-dropbear

3. Populate root_key. First mkdir /etc/dropbear and populate root_key file with public ssh keys which should be able to log into your machine, similar to authorized_keys for OpenSSH. I.e., you must know the private keys on the corresponding machines you intend to use for unlocking.

4. Set-up networking in Grub. Edit /etc/default/grub and set

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=5a74247e-75e8-4c05-89a7-66454f96f974:cryptssd:allow-discards root=/dev/mapper/cryptssd ip=192.168.178.118:192.168.178.118:192.168.178.1:255.255.255.0:chieftec:eth0:none"

Then issue

grub-mkconfig -o /boot/grub/grub.cfg

to re-generate grub.cfg. The specification for “ip=” is given in Mounting the root filesystem via NFS (nfsroot). Its most important parts are:

  1. client-ip: IP address of the client
  2. server-ip: IP address of the NFS server
  3. gateway-ip: IP address of a gateway
  4. netmask: Netmask for local network interface
  5. hostname: Name of the client
  6. device: Name of network device to use
  7. autoconf: Method to use for autoconfiguration

5. Configure mkinitcpio. Finally, the main task. Edit /etc/mkinitcpio.conf and set

HOOKS="base udev block keymap keyboard autodetect modconf netconf dropbear encryptssh filesystems fsck"

Now call

mkinitcpio -p linux

See Arch Wiki mkinitcpio. Output of mkinitcpio looks something like this:

  -> Running build hook: [dropbear]
Key is a ssh-rsa key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'
Key is a ssh-dss key
Wrote key to '/etc/dropbear/dropbear_dss_host_key'
Key is a ecdsa-sha2-nistp256 key
Wrote key to '/etc/dropbear/dropbear_ecdsa_host_key'
dropbear_rsa_host_key : sha1!! e1:11:51:ce:0b:07:2b:c7:66:37:c0:b9:de:f3:80:56:64:69:cc:fd
dropbear_dss_host_key : sha1!! ca:75:42:85:f9:96:6d:db:fd:15:d1:7a:4a:ee:19:b1:ff:91:14:bb
dropbear_ecdsa_host_key : sha1!! b9:b3:c4:ee:c4:af:21:87:52:39:e8:b6:c2:a3:b7:53:0e:52:f1:85
   -P, --allpresets             Process all preset files in /etc/mkinitcpio.d
   -r, --moduleroot <dir>       Root directory for modules (default: /)
   -S, --skiphooks <hooks>      Skip specified hooks, comma-separated, during build
   -s, --save                   Save build directory. (default: no)
   -d, --generatedir <dir>      Write generated image into <dir>
   -t, --builddir <dir>         Use DIR as the temporary build directory
   -V, --version                Display version information and exit
   -v, --verbose                Verbose output (default: no)
   -z, --compress <program>     Use an alternate compressor on the image
  -> Running build hook: [encryptssh]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful

Content in /etc/dropbear is then

$ ls -l /etc/dropbear
total 16
-rw------- 1 root root  458 Apr  1 13:24 dropbear_dss_host_key
-rw------- 1 root root  140 Apr  1 13:24 dropbear_ecdsa_host_key
-rw------- 1 root root  806 Apr  1 13:24 dropbear_rsa_host_key
-rw------- 1 root root 1572 Apr  1 12:25 root_key

6. Usage. Use ssh root@YourComputer to connect to your previously configured dropbear server and type in the password for the encrypted disk. The connection will then close, and dropbear disappears. By the way, dropbear does not look at your configuration for OpenSSH, so if you block root access via OpenSSH, this is of no concern for dropbear.

7. Limitations. Above set-up just works for unlocking the root-device. If there are other encrypted devices, for example devices given in /etc/crypttab, these cannot be unlocked by above procedure.

8. Further reading. See LUKS encrypted devices remote über Dropbear SSH öffnen (in German), Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu Server 14.04.1 (with Static IP).

Linux pam and /etc/shells

I learned the hard way that a user in /etc/passwd not having a shell specified in /etc/shells is not able to log-on.

On Ubuntu /etc/shells looks like this:

/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen

On Arch it looks like this:

/bin/sh
/bin/bash

So if you provide a user with shell /usr/bin/bash, he cannot log-in, thanks to pam_shells.so.

See man shells, man pam_shells, and authentication error with shell=/usr/bin/bash.

Also see Creating User Account With Empty Password on Linux.

Using GnuPG for encryption and decryption

On Ubuntu install with:

apt-get install gnupg

First generate private and public key:

gpg --gen-key

Generating this key can take some time, because it needs enough randomness.

Store your public key in a file:

gpg -a --export

Although it is not necessary to store this public key, you usually will provide this public key to other people, see for example my public key.

Import public keys from other people by

gpg --import my-friend.pub

Now encrypt a message for my-friend:

gpg -aesr my-friend your-file

These options have the following effect:

  • -a: create base64 encoded output (“ASCII armored”). This is not necessary, so you can skip this option. If skipped the output is binary.
  • -e: encrypt
  • -s: add signature. This is not necessary. You could drop this option from above.
  • -r: recipient, here your-friend

Decrypting a file is the easiest part. Just type

gpg encrypted-file

Short Review on Film Citizenfour

Yesterday I went to the movie with my family and watched Laura Poitras‘s film Citizenfour. The movie in Frankfurt was completely sold out, many prospects had to be sent home, because there were no more seats available. I just got a ticket because I had a high number on the waiting list. I am surprised that the movie is not shown in the “big” movies, but rather in small and lesser known movies.

Continue reading

On Password Security and Cracking

Six months ago Bruce Schneier posted an article on “Choosing Secure Passwords”. Some of the key points are (mostly copied verbatim from mentioned post):

  1. The best way to explain how to choose a good password is to explain how they are broken.
  2. Password crackers do not brute force all 8 character combinations, but rather they brute force all 6 character passwords, then they check for common passwords.
  3. A typical password consists of a root plus an appendage. The root isn’t necessarily a dictionary word, but it’s usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords. Continue reading

Setting-Up LUKS/dm-crypt for External USB-Drive

The following commands are used to encrypt the whole USB hard-drive. This hard-drive is assumed to be on /dev/sdc. Create one partition. One can use gparted for this. Then

cryptsetup luksFormat /dev/sdc1

luksFormat is only used once.

To make this encrypted drive available as device on /dev/mapper use

cryptsetup luksOpen /dev/sdc1 SeagatePortable

Continue reading

Cisco 2014 Annual Security Report: Java continues to be most vulnerable of all web exploits

Cisco provides a report on computer security which contains a number of key findings:

  1. Java comprises 91% of all web exploits.
  2. 99% of mobile malware targets Android.
  3. Java is the exploit that criminals choose first, since it delivers the best return on investment.
  4. Continue reading

Ignoring Security Certificate Errors in Google Chrome

Unfortunately Google gets quite draconian to users: When using Google Chrome to surf a web page with a certificate problem you simply cannot view the web-site. There is no dialog, where you can say: It’s o.k., I accept the risk. This behaviour occurs at least with versions 31.0.1650.63 and 32.0.1700.77.

If you want to view web-sites with certificate problems you have to start Google Chrome like this

google-chrome --ignore-certificate-errors

More command-line arguments for Chrome can be found here: List of Chromium Command Line Switches.

One prominent example for a web-site with a certificate problem is Intel. Intel is able to power the world’s most powerful computer, Tianhe-2, with more than 3 million cores, but they are not able to get their web-site right.

Addendum 23-Mar-2014: Google Chrome 33.0.1750.152 fixed the issue. Now it is possible to say: “Proceed anyway”, and therefore accept the risk and proceed with an invalid certificate.

Reblog: Beware sexy honeybots spear phishing on social media

Most IT people know about trojan horses, virus, worms, honeypots, etc. They know about buffer overruns, SQL injection and the like. What is probably not that well known is that even “friendships” on social networks can pose some risks: They give credibility to possibly complete fake persons, see Beware sexy honeybots spear phishing on social media (Digiphile) and Fictitious femme fatale fooled cybersecurity. Also see Wikipedia: Robin Sage.

Robin Sage

Picture from Wikipedia: Non-free media information and use rationale for Robin Sage.