Firewall hardening

Currently using the following lists to block unwanted IP addresses:

Chain FIREHOL (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_apache src LOG flags 0 level 4 prefix "blocklist_de_apache: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_apache src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_bots src LOG flags 0 level 4 prefix "blocklist_de_bots: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_bots src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_bruteforce src LOG flags 0 level 4 prefix "blocklist_de_bruteforce: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_bruteforce src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_imap src LOG flags 0 level 4 prefix "blocklist_de_imap: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_imap src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de src LOG flags 0 level 4 prefix "blocklist_de: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_mail src LOG flags 0 level 4 prefix "blocklist_de_mail: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_mail src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_ssh src LOG flags 0 level 4 prefix "blocklist_de_ssh: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_ssh src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_strongips src LOG flags 0 level 4 prefix "blocklist_de_strongips: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_de_strongips src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_net_ua src LOG flags 0 level 4 prefix "blocklist_net_ua: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist_net_ua src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set bruteforceblocker src LOG flags 0 level 4 prefix "bruteforceblocker: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set bruteforceblocker src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set cruzit_web_attacks src LOG flags 0 level 4 prefix "cruzit_web_attacks: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set cruzit_web_attacks src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set cybercrime src LOG flags 0 level 4 prefix "cybercrime: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set cybercrime src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set darklist_de src LOG flags 0 level 4 prefix "darklist_de: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set darklist_de src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set dshield_top_1000 src LOG flags 0 level 4 prefix "dshield_top_1000: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set dshield_top_1000 src
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set et_compromised src LOG flags 0 level 4 prefix "et_compromised: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set et_compromised src

This is for inbound traffic. For outbound I have a different set of lists.
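As an added example (not from the original post), a small Python parser for the kernel log lines those LOG rules emit, run over a few constructed sample lines: it counts hits per list and flags sources that trip more than one list, which are the ones worth a closer look first. The syslog layout, host name and addresses in the sample are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed kernel log lines in the shape the LOG rules above produce: the
# rule prefix ("<set name>: ") followed by the netfilter fields. Addresses are
# RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
Mar  3 12:00:01 gw kernel: blocklist_de_ssh: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43210 DPT=22 SYN
Mar  3 12:00:02 gw kernel: blocklist_de_ssh: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43211 DPT=22 SYN
Mar  3 12:00:04 gw kernel: dshield_top_1000: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=5555 DPT=445 SYN
Mar  3 12:00:05 gw kernel: blocklist_de_apache: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=60001 DPT=80 SYN
Mar  3 12:00:06 gw kernel: usb 1-1: new high-speed USB device number 3
Mar  3 12:00:07 gw kernel: et_compromised: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=5060 DPT=5060
"""

# The set name is whatever sits right before ": IN=", so a "[ts]" bracket that
# some syslog setups put after "kernel:" does not matter. DPT is optional (ICMP).
LINE_RE = re.compile(
    r"(?P<set>[\w.-]+): IN=\S* .*?\bSRC=(?P<src>[\d.]+)"
    r".*?\bPROTO=(?P<proto>\w+)(?: .*?\bDPT=(?P<dpt>\d+))?")

def parse_line(line):
    """Return (set_name, src, proto, dport) for a blocklist hit, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("set"), m.group("src"), m.group("proto"), dpt

def summarize(log_text):
    """Hits per set, hits per source, and the sets and ports each source tripped."""
    per_set, per_src = Counter(), Counter()
    sets_by_src, ports_by_src = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a blocklist LOG line
        set_name, src, proto, dpt = rec
        per_set[set_name] += 1
        per_src[src] += 1
        sets_by_src[src].add(set_name)
        if dpt is not None:
            ports_by_src[src].add((proto, dpt))
    return per_set, per_src, sets_by_src, ports_by_src

def repeat_offenders(log_text):
    """Sources present on more than one list, sorted: the strongest signal in the log."""
    _, _, sets_by_src, _ = summarize(log_text)
    return sorted(src for src, sets in sets_by_src.items() if len(sets) > 1)

if __name__ == "__main__":
    per_set, per_src, _, _ = summarize(SAMPLE_LOG)
    for name, hits in per_set.most_common():
        print(f"{name:24s} {hits}")
    print("on multiple lists:", repeat_offenders(SAMPLE_LOG))
```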

Industrial internet failure example

Local business newspaper Kauppalehti reported that several heating systems built by a company named Valtia have experienced a denial-of-service attack and have stopped functioning because of it.

The reason they stopped working is that they either have not properly isolated the system or rely on the public Internet always functioning.

I suspect they rely on the public Internet because the paper says the system tried to correct itself by repeatedly restarting, which to me sounds like some sort of dead man's switch where the system is rebooted if it loses access to some remote point.

But the main problem is that they had not designed independent operation into this control system.

An independent control system takes over when the external control system fails to exert control. A similar system is built into automobiles, where the Engine Management Unit tries to optimize different systems but, in case of sensor or other failures, will still work, just not as efficiently.

Imagine if a nuclear power plant relied on utility power and a lightning storm took out the power. It doesn't rely on any external system; instead it has many layers of independent systems that can function independently of one another, which is why we can trust the safety of nuclear power plants.

But such a mistake, in a country where winter temperatures can reach minus 30 degrees Celsius, paints a blatant picture of how wrong the industrial internet can go.

Tapes for security

Hadn't thought of it before, but not having the data online is a HUGE added security bonus, because I could argue that 99,999% of all data-related risks come from data being connected to the internet. It is rare that someone would want the data so badly that they would actually go to the trouble and take the risk of physically getting the data.

I have previously used encryption to manage this problem, and sealed the data that I don’t need at any particular moment, but that still isn’t as good as having the data offline.

Also, security through obscurity is better with tapes, because I could probably leave the tapes unencrypted and still have some confidence that whoever happened to get the data, by whatever means, would have some trouble getting the data off the tapes.

Geoblocking the whole world

So what happens in a couple of days when you block every country except one with 6 million people?

547K  279M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW match-set geoblock src

547 000 NEW packets and 279MB. How many of those are for all the old customers and their services? Some, but could the majority simply be hostile traffic? I believe so. But I still worry about the Linux kernel, which is exposed. There haven't been serious [publicly known] problems in the Linux kernel for a long time, but that doesn't mean there can't be in the future.

Instructions

# wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
# tar xzvf all-zones.tar.gz
# ipset create geoblock hash:net family inet hashsize 262144 maxelem 262144
# for i in *.zone; do for net in $(cat "$i"); do ipset -exist add geoblock "$net"; done; done

Each zone file holds one network per line, so the inner loop adds every network to the set (`-exist` keeps duplicate entries from aborting the loop). It will block all known IP blocks, so you will cut your own connections as well. Know what you are doing.
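An added example, not part of the original instructions, showing one way to avoid exactly that lock-out: Python that reads the zone files, carves your own ranges out of the block list (the 192.0.2.0/28 allowlist value is an assumption), and emits an ipset restore script that fills a scratch set and swaps it into place, so the live geoblock set is never half-populated while loading. The zone file contents are constructed stand-ins.

```python
import ipaddress

# Constructed stand-ins for two ipdeny zone files (one CIDR per line); real
# files are far longer. Addresses are RFC 5737 documentation ranges.
ZONE_FILES = {
    "xx.zone": "203.0.113.0/24\n198.51.100.0/25\n\n",
    "yy.zone": "198.51.100.128/25\nnot-a-network\n192.0.2.0/24\n",
}
# Ranges that must never land in the set, e.g. your own management address or
# VPN endpoint (assumed value), so loading the set cannot lock you out.
ALLOW = [ipaddress.ip_network("192.0.2.0/28")]

def load_zone(text):
    """Parse one zone file, skipping blank and malformed lines instead of aborting."""
    nets = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets

def carve_out(nets, allow):
    """Drop the allowed ranges from the block list, splitting networks that contain them."""
    pieces = list(nets)
    for keep in allow:
        nxt = []
        for p in pieces:
            if keep.subnet_of(p):
                nxt.extend(p.address_exclude(keep))  # yields nothing when p == keep
            elif not p.overlaps(keep):
                nxt.append(p)  # disjoint: keep as-is
            # p entirely inside keep: dropped
        pieces = nxt
    return sorted(set(pieces))

def build_restore(zone_files, allow, setname="geoblock"):
    """Emit an 'ipset restore' script: fill a scratch set, then swap it in atomically."""
    nets = carve_out([n for t in zone_files.values() for n in load_zone(t)], allow)
    tmp = setname + "_tmp"
    opts = "hash:net family inet hashsize 262144 maxelem 262144"
    lines = [f"create {setname} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_restore(ZONE_FILES, ALLOW), end="")
```

Feed the output to `ipset -exist restore`; the `-exist` flag keeps the `create` lines from failing when the sets already exist from a previous load.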

CentOS 7 init.d script

#!/bin/sh
#
# ipset Start ipset tables
#
# chkconfig: 2345 08 93
# description:  Starts, stops and saves ipset tables
#
# config: /etc/sysconfig/ipset
# config: /etc/sysconfig/ipset-config

# Source function library.
. /etc/init.d/functions

IPSET=ipset
IPSET_DATA=/etc/sysconfig/$IPSET
IPSET_CONFIG=/etc/sysconfig/${IPSET}-config
VAR_SUBSYS_IPSET=/var/lock/subsys/$IPSET

if [ ! -x /usr/sbin/$IPSET ]; then
    echo -n $"/usr/sbin/$IPSET does not exist."; warning; echo
    exit 0
fi

# Load firewall configuration.
[ -f "$IPSET_CONFIG" ] && . "$IPSET_CONFIG"

start() {
    # Do not start if there is no config file.
    [ -f "$IPSET_DATA" ] || return 1

    RUNNING=`$IPSET list | /usr/bin/wc -l`
    if [ $RUNNING -ne 0 ]; then
        echo -n "There are already ipsets defined, cannot start and restore."
        failure; echo; return 1
    fi

    echo -n $"Applying $IPSET rules: "

    $IPSET restore < $IPSET_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi

    # Every failure above has already returned 1, so reaching here means success.
    touch $VAR_SUBSYS_IPSET
    return 0
}

stop() {
    INUSE=0
    if [ -e /proc/net/ip_tables_names ]; then
        tables=`cat /proc/net/ip_tables_names`
        for table in $tables; do
            # Count set references in this table (-t), not just the default filter table.
            let INUSE+=`/sbin/iptables -t $table -L -n | /bin/grep "\bset\b" | /usr/bin/wc -l`;
        done
    fi

    if [ $INUSE -ne 0 ]; then
        echo -n "Looks like ipsets are in use by iptables, cannot stop."
        failure; echo; return 1
    fi
    if [ "x$IPSET_SAVE_ON_STOP" = "xyes" ]; then
        save
    fi

    ret=0
    SETS=`$IPSET list | /bin/grep "^Name" | /bin/awk '{ print $2 }'`
    for set in $SETS; do
        $IPSET flush $set
        $IPSET destroy $set
        # Capture the exit status before the test overwrites $?.
        rc=$?
        if [ $rc -ne 0 ]; then
            let ret+=$rc
            echo "Unable to remove set $set - you must fix this before restart"
        fi
    done

    rm -f $VAR_SUBSYS_IPSET
    return $ret
}

save() {
    ipsetrules=`$IPSET list | /usr/bin/wc -l`
    if [ $ipsetrules -eq 0 ]; then
        return 0
    fi

    echo -n $"Saving ipset rules to $IPSET_DATA: "
    ret=0
    TMP_FILE=`/bin/mktemp -q /tmp/$IPSET.XXXXXX` \
        && chmod 600 "$TMP_FILE" \
        && $IPSET save > $TMP_FILE 2>/dev/null \
        && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IPSET_DATA ]; then
            cp -f $IPSET_DATA $IPSET_DATA.save \
                && chmod 600 $IPSET_DATA.save \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            cp -f $TMP_FILE $IPSET_DATA \
                && chmod 600 $IPSET_DATA \
                || ret=1
        fi
    fi
    [ $ret -eq 0 ] && success || failure
    echo
    rm -f $TMP_FILE
    return $ret
}

status() {
    $IPSET list
    return 0
}

restart() {
    [ "x$IPSET_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        start
        RETVAL=$?
        ;;
    stop)
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status|save}"
        exit 1
        ;;
esac

exit $RETVAL

Usage on iptables

# iptables -A INPUT -p tcp -m set --match-set geoblock src -m state --state NEW -m tcp --dport 22 -j DROP


Covering for ransomware

Because these latest evil things have been visible in the news lately, and because I have once again neglected my personal data safety for too long, I went and bought a 3TB SATA disk to cover myself against such things.

Background

For a long time I have had in the back of my head the understanding that I need to get my data out of my place and have it somewhere safe. Fires and other disasters happen, and for too long I have had no protection against them.

And now, because these things are becoming a real danger, and because there is even Linux ransomware in existence, I decided that I simply have to get a disk and have it sit at work.

Because it doesn't matter if that data is 6 months old: if something should happen, it would not be 6 months' worth of lost data, or hundreds or thousands of euros, but 15 years of lost data, which is quite a heavy blow.

Initially I wanted a disk large enough to have the data there twice, each copy on a different filesystem (ext4 and xfs, for example), in case a filesystem would somehow get corrupted, but 3TB doesn't seem to be quite large enough for that.

The setup

The disk is a humble Verbatim-branded Toshiba, and it was 35 € cheaper than the same-sized Seagate, the age-old classic manufacturer, be that a good or bad thing; but since I have a Toshiba disk in my old laptop, and it has been to hell and back and still works, Toshiba has sort of won my respect, and I have no doubt this budget disk of theirs will be just the right choice for cold-storage data.

I try to refresh the data twice a year, but no more often than that. 6 months of data loss would be sad, but it wouldn't break the world.

I also decided to play it safer and take a backup of the LUKS header, so that if it somehow gets corrupted, there is at least some chance of restoring the data. https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/

Network modernization (OpenvSwitch)

So the current networking scheme is 100% pure Linux, or a very naive implementation in some sense. It is very laborious as it gets more complicated; changes require a lot of changes in a lot of places, and it is very prone to failing if wrong or incorrect changes are made.

So, as pfSense was previously mentioned as a possible system of choice for firewalling, I am currently looking into OpenvSwitch to see if it could be something that should be deployed. I am not completely sure what OpenvSwitch is, so I am studying it to get an idea of whether it would be a good choice.

I was also looking today for standalone gigabit switches, but using those would sort of void the whole idea of having a dedicated Linux machine, plus it would add costs. So if OpenvSwitch could simplify this configuration and turn the dedicated Linux machine with 12 gigabit NICs into a powerful router, that would be perfect.

The question of whether I can then add pfSense on top of that, or whether OpenvSwitch itself has these sorts of functions within it, still remains open. Technically my firewalling is nothing but iptables, so it wouldn't require that much; all I need is flexibility for rules, QoS, VLANs, and possibly link aggregation.

A three-year-old talk, but since it is an introduction, the system should not have changed too much in its principles.

Also web based management would be a big plus.

Back to EU for time being

After realizing that all my e-mail communication would be going through Russia and would therefore be available to the FSB, I decided to stay within the EU for now.

I wish all communication were encrypted. Sadly that is not the case, and it seems it will not be for as long as e-mail exists. One option would be to not use e-mail, but that is still practically impossible.

OVH provides cheap VPS, but they cannot provide IPv6.

New provider

HostHatch

Still cheaper than DigitalOcean and more memory too. Offers IPv6 as well.

snap911

Affordable prices.

Sweden is still quite a reputable nation, despite the Julian Assange case, and is close to me, so latencies and speeds should be good. The company, though, is American, so that's probably some sort of downside. Technically I believe they are forced to follow Swedish law as they operate within Sweden, but data could still be moved and no one would know. But this is the era we live in. Everything is public for someone.

Services moved

Everything is now running through this new VPS in Sweden. It should in fact be faster for everyone, as there is now more memory for front-end caching.