Securing all those little Linux boxes of joy

In advance, I apologize for "spamming" and didn't want to post for a while. But there's a big problem in plain sight.

For the moment i still use Windows x64 to check email and use the Win-centric apps. But many times if i have an instance of Linux running on the LAN, and check email with Windows, I get a message in the Chrome saying someone's trying to hack into my stuff.
Cut to the chase, sooner or later I have to have a complete audit if everything i'm plugging in has basic security, because I don't know what is sent or what can be seen.

It's a given - the Government monitors everything (honestly I think they should just offer a free, mega-encrypted email service and be done with it) but it's the 3rd parties I worry about.

=========
-= Cloud 9 =-

Joey,

> and check email with Windows, I get a message in
> the Chrome saying someone's trying to hack into my
> stuff.

That seems strange. As a browser, how does Chrome know if some other boxes try to connect or break in? do you use Outlook or web mail on Windows?

-bodhi
===========================
Forum Wiki
bodhi's corner

Out of habit I go with Hotmail. I like the spam filtering better than the others I'd tried. For browser I use SRWare Iron, which is open-source Chrome with trackable identifiers removed. The issue seems to be chrome (Iron) says something is trying to take the "s" of https connections. It happened before I posted here but will check more in-depth next time.

It's not that I suspect any Linux apps are rogue, it's more wondering if they broadcast my usable information more conspicuously so (in my mind) the bad people can see whom to try and gain entry. It's my understanding my DSL account has a dynamic IP, and when I turn off the router for a minute some strange minor issues go away.

I can't point to specific smoking guns, but even OpenWRT seems to have a lot of entries of connections that would seem more than you'd think it should have.

Which really, now that we're the subject anyway, I might have a cool idea, just occurred to me. To make a Pogoplug that audits a home network. Maybe it's already possible in OpenWRT because there's so many packages. It's possible my Remote Desktop experiments left a hole somewhere, and I wasn't half finished even. Before examining the pitfalls, it does seem like the only way you can really monitor IP/UDP/ETC traffic would be to have a gate right in serial.

=========
-= Cloud 9 =-



Edited 2 time(s). Last edit at 05/21/2015 04:37PM by JoeyPogoPlugE02.

what router are you using? is it one of the many many compromised ones.

you could build yourself and Intrusion Detection System..... that would be one heck of a use for a pplug. a nightmare build tho.

just a couple of links as an idea lead....

https://www.ibm.com/developerworks/community/blogs/58e72888-6340-46ac-b488-d31aa4058e9c/entry/august_8_2012_12_01_pm6?lang=en

http://www.aboutdebian.com/snort.htm


http://www.computerworld.com/article/2541227/networking/building-a-cheap-and-powerful-intrusion-detection-system.html?page=2

> what router are you using? is it one of the many
> many compromised ones.

The news is causing a lot of concerns.

For now, at the least I think we should do a port scan to see if the port 20005 is opened inside and outside:

nmap -p20005 192.168.0.1    (your router local IP here)
nmap -p20005 xx.xx.xxx.xx    (your WAN IP address here)

-bodhi
===========================
Forum Wiki
bodhi's corner

Yeah the news...

Quote

Netgear told SEC that even with NetUSB functionality disabled through the router's configuration UI, the driver is still loaded, and there is no ability either to disable it or to block access to port 20005 in the firewall.

Glad my Netgear router is 100Mbit with a built-in dog whistle and runs hot, or I'd be using it.

A lot of questions get raised, such as, the overflow happens with a name longer than 64 bytes - seems to me names are always under that but the passwords are routinely higher than 64 bytes.

As an intellectual exercise I assure you I'm still having fun :-D I'm not far away, just reading, testing, digesting.

=========
-= Cloud 9 =-



Edited 1 time(s). Last edit at 05/23/2015 12:48PM by JoeyPogoPlugE02.

Gravelrash Wrote:
-------------------------------------------------------
> what router are you using? is it one of the many
> many compromised ones.
>
> you could build yourself and Intrusion Detection
> System..... that would be one heck of a use for a
> pplug. a nightmare build tho.
>
> just a couple of links as an idea lead....
>
> https://www.ibm.com/developerworks/community/blogs
> /58e72888-6340-46ac-b488-d31aa4058e9c/entry/august
> _8_2012_12_01_pm6?lang=en
>
> http://www.aboutdebian.com/snort.htm
>
>
> http://www.computerworld.com/article/2541227/netwo
> rking/building-a-cheap-and-powerful-intrusion-dete
> ction-system.html?page=2


My favorite router is a Rosewill RNX-AC750. I've got my very best 64GB PNY Turbo plugged-into a 2.0 outlet but it's way faster than anything else I've tried. Does everything I want except Jumbo frames, and a quick test at grc.com shows it's stealth on port 20005. As it's a Holiday weekend in the States (that's cleaning time) I've got wires all over and can't check my Linux installations nor other routers, but managed to get a 10MBit hub (I know, 10MBit) from Goodwill today so maybe I can still try snort at some point.

There's a LOT of reading to do lately on the subject of network monitoring. At some point I'd like at least one wireless signal permanently up, AC instead of N and Pogoplugs are Ethernet-only, accessed from the router. All the contents I'm guarding is garden-variety family media anyway, not like I'm guarding bad stuff, just hate the idea of being intruded, and by some neighborhood punk troublemaker - I have no doubt everyone can relate.

=========
-= Cloud 9 =-



Edited 1 time(s). Last edit at 05/24/2015 10:42AM by JoeyPogoPlugE02.

Quote
JoeyPogoPlugE02

Quote
Gravelrash
you could build yourself and Intrusion Detection System..... that would be one heck of a use for a pplug. a nightmare build tho.

All the contents I'm guarding is garden-variety family media anyway, not like I'm guarding bad stuff, just hate the idea of being intruded, and by some neighborhood punk troublemaker - I have no doubt everyone can relate.

For the past few months I've been successfully running a simple setup for ssh as described in http://forum.doozan.com/read.php?2,20609,20799#msg-20799 that auto-blacklists attackers for a couple of hours, long enough to make organized Asian botnets as well as juvenile miscreants lose interest (but prevents the legitimate owners from locking themselves out permanently in case of connection issues).
The state of affairs is easily visible through one of the following:

watch -d -n 2 iptables -nvxL
cat /proc/net/xt_recent/SSHbrute

Could of course be expanded to other exposed ports as well...

Nice revelations! I'll get on it ASAP

=========
-= Cloud 9 =-