Secure your machine…Whitelist

I previously talked about a blacklisting method to reduce the number of SSH brute-force attempts against your machine. A blacklist, in theory, never stops growing, which is why people are screaming ‘whitelist’ today. If you’re not ready to deny all, and not absolutely sure which IP you’ll be riding in on (back to home base), then you may want to take a look at the options below…

Most brute forcing today usually comes from Asia or Eastern Europe, so blocking continents (if you can get away with it) is great practice. Below are some links where you can copy & paste problematic IP ranges into your .htaccess or hosts.deny file:

Apache .htaccess block format

Country IP Blocks – choose a country and select the output in many formats (CIDR, hosts.deny, etc)
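An added example, not from the original post: before pasting a downloaded range list into hosts.deny or .htaccess, this Python script merges overlapping ranges, reports lines that fail to parse, and refuses to emit rules that would block an address you still need to connect from. The function names, the documentation-range sample list and the 198.18.0.10 address are constructed for illustration; the output assumes the TCP wrappers net/mask form for hosts.deny and Apache 2.2-style Order/Deny directives for .htaccess.

```python
import ipaddress

# Constructed sample input: RFC 5737 documentation ranges stand in for a
# downloaded country block list (one IPv4 CIDR per line, '#' starts a comment).
SAMPLE_BLOCKLIST = """\
192.0.2.0/25
192.0.2.128/25      # adjacent to the line above: the two merge into a /24
198.51.100.0/24
198.51.100.64/26    # already covered by the /24
not-a-network
203.0.113.7
"""

def parse_blocklist(text):
    """Return (collapsed IPv4 networks, rejected entries) from CIDR text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # report bad lines, never guess at them
    return list(ipaddress.collapse_addresses(nets)), rejected

def lockout_conflicts(networks, keep_reachable):
    """Addresses you still need to connect from that a rule would block."""
    addrs = [ipaddress.IPv4Address(a) for a in keep_reachable]
    return [str(a) for a in addrs if any(a in n for n in networks)]

def hosts_deny_lines(networks, daemon="sshd"):
    # TCP wrappers net/mask form, e.g. "sshd: 192.0.2.0/255.255.255.0"
    return [f"{daemon}: {n.network_address}/{n.netmask}" for n in networks]

def htaccess_lines(networks):
    # Apache 2.2-style directives: allow everyone, then deny the listed ranges
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {n}" for n in networks]

def build_rules(text, keep_reachable):
    """Refuse to emit rules that would block an address in keep_reachable."""
    networks, rejected = parse_blocklist(text)
    conflicts = lockout_conflicts(networks, keep_reachable)
    if conflicts:
        raise ValueError("block list would lock out: " + ", ".join(conflicts))
    return hosts_deny_lines(networks), htaccess_lines(networks), rejected

if __name__ == "__main__":
    home = ["198.18.0.10"]  # constructed stand-in for your own address
    deny, htaccess, rejected = build_rules(SAMPLE_BLOCKLIST, home)
    print("\n".join(deny + [""] + htaccess + ["", f"rejected: {rejected}"]))
```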

Sourcefire (Snort) Network Security Seminar

Last week I attended a seminar by Sourcefire. Their CTO, Martin Roesch, was the speaker. The topic was “Your Network Security Isn’t Good Enough Anymore”. This seminar was ultimately a sly sales pitch for Snort, their IDS product. Roesch talked about how there are several equal quality IDS products available now — there is much less market differentiation between them.

Two problems:

1) No one is taking the time to properly configure / tune the IDS for the environment it’s placed in, meaning thousands of events with many false positives.

2) The IDS events being generated are not monitored. The average breach to compromise time is down to minutes in some cases, meaning you don’t have time to wait.

The next generation Snort intends to solve both of the problems above. They’re calling their new version “Adaptive IPS”, which features their real time network awareness (RNA) technology. This RNA module constantly surveys your network, taking inventory of OSes, services, protocols, and potential vulnerabilities that exist. The RNA module then pushes configuration changes to Snort — auto tuning the IDS for your network! I haven’t tried RNA myself but Roesch claimed several customers are seeing a 90+% reduction in the number of IDS generated events. With this dramatic reduction in events to monitor, it should mean no excuses to not monitor your network.

Now, if Sourcefire can create a module that will monitor and act on events, we won’t need NOCs anymore…

Great “defeating the firewall” article

I stumbled across an excellent article on freenode #security.  Does your employer use content filtering?  Are you sick of being restricted when using free wifi hotspots?  How about a hotel charging for wifi?

The article talks about methods to circumvent all of the above scenarios.  I actually do the most vanilla technique to overcome my employer’s web filter: dynamic ssh tunneling back to a server I have running at home.

Read it here:  http://blog.sebastien.raveau.name/2009/06/internet-by-all-means.html

DD-WRT and wireless observations

I installed DD-WRT over the weekend following this tutorial. This is something I wish I had done a lot sooner because of the additional features DD provides. Unfortunately I have a v8 WRT54G which only has 2 MB of flash memory. This limited me to only being able to run the stripped down “micro” version. DD supports syslog but the micro version does not log firewall events. I was hoping to pass these to my IDS. Hopefully I can figure out a way to use iptables to replicate a span or tap port.

I tweaked the TX Power using DD. Be warned you can overheat your router if you try to crank this up too high. The biggest signal boost I got was from raising my access point 2′. Try to keep your AP elevated as much as possible. See my image below…

dd-wrt

Your Thoughts: Ad-hoc Monitor Port on WRT54G

I would like to run Snort and Bot Hunter on a spare Linux machine on my home LAN.  My local network uses the very common Linksys WRT54G wireless router.  Therefore I have a switched network which makes it very difficult to perform any type of network sniffing.

I’m asking for your thoughts and feedback to solve this problem.  Right now I’ve come up with the following solutions:

  • Connect a hub to the router’s WAN port.  Connect my cable modem and Linux machine to the hub.
  • Install DD-WRT on the Linksys router.  Does DD-WRT yet support span / tap (monitor) ports?
  • Install two (2) NICs on the Linux machine and route my cable modem through that before connecting to the router.
  • Buy an affordable Cisco 2600 router off of eBay.

Please share your ideas and thoughts on the subject.