Apache: Memcached UDP Protection

Currently a lot of sites are blogging about memcached attacks on servers; here are some details:

  • Memcached servers need an installed and running service called “memcached”
  • Websites need a PHP plugin like php7.0-memcached to connect to the memcached service via its API
  • On Debian the memcached service uses its own config file, /etc/memcached.conf
  • By default it MUST listen on localhost or a Unix socket
  • Admins MUST set up a FIREWALL like “ufw” (iptables) and MUST check their own server for OPEN PORTS with nmap
  • The problem is that attackers can run scripts against your server in the 10^6 range, like a BOTNET, from ONE PC, because MEMCACHED supports this high count of REQUESTS without going down.
  • NEVER HOLD CONFIDENTIAL DATA ON WEBSERVERS!!!

Test whether the port is open using an nmap port scan with the UDP option, NOT TCP:

sudo nmap -sU -p 11211 www.myserver.xyz

If the scan echoes this, YOU MUST check or install a FIREWALL!:
Host is up (0.10s latency).
PORT      STATE         SERVICE
11211/udp open|filtered unknown

If the echo shows this, you are safe:
PORT      STATE    SERVICE
11211/udp filtered unknown

Check your current Apache PHP modules:

$ sudo php -m

If memcached is listed, the PHP API is active; time to check more..

Check for the memcached service:

$ sudo dpkg -l | grep mem

If memcached is listed, the service is installed; then do:
$ sudo ps aux | grep mem

If the echo shows:
memcache ... /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid

the service is active and listening..

Sample config:
/etc/memcached.conf

# memcached default config file
# 2003 - Jay Bonci <jaybonci@debian.org>
# This configuration file is read by the start-memcached script provided as
# part of the Debian GNU/Linux distribution.
# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# information.
-d
# Log memcached's output to /var/log/memcached
logfile /var/log/memcached.log
# Be verbose
-v
# Be even more verbose (print client commands as well)
-vv
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m 128
# Default connection port is 11211
-p 11211
# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u memcache
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
# Limit the number of simultaneous incoming connections. The daemon default is 1024
-c 300
# Lock down all paged memory. Consult with the README and homepage before you do this
# -k
# Return error when memory is exhausted (rather than removing items)
-M
# Maximize core file limit
# -r
# Use a pidfile
-P /var/run/memcached/memcached.pid

Set up the firewall (ufw):

$ sudo apt-get install ufw
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw enable

Retest your OPEN ports with an nmap port scan! Do this monthly, because sometimes the firewall can have unknown problems!!

Check the memcached log at /var/log/memcached.log for events.
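The checks above are done by hand; as an added example (not from the original post), the script below audits a Debian-style /etc/memcached.conf for the two settings that matter here, assuming memcached's own option syntax where “-l <addr>” sets the listen address and “-U 0” disables the UDP listener that the nmap -sU scan probes:

```shell
#!/bin/sh
# Added example (not from the original post): audit a Debian-style
# /etc/memcached.conf for the two settings the checks above look for by hand.
# Assumptions: memcached's own option syntax, i.e. "-l <addr>" sets the
# listen address and "-U 0" disables the UDP listener (the port the
# nmap -sU scan above probes). Prints one WARN per finding, returns 0 if clean.
audit_memcached_conf() {
  conf="$1"
  # Drop comments, then keep the last value given for each option.
  listen=$(sed 's/#.*//' "$conf" | awk '$1 == "-l" { v = $2 } END { print v }')
  udp=$(sed 's/#.*//' "$conf" | awk '$1 == "-U" { v = $2 } END { print v }')
  rc=0
  case "$listen" in
    127.0.0.1|::1|localhost) ;;
    "") echo "WARN: no -l line, memcached binds every interface"; rc=1 ;;
    *)  echo "WARN: -l $listen is not loopback, reachable from outside"; rc=1 ;;
  esac
  if [ "$udp" != "0" ]; then
    echo "WARN: UDP listener not disabled, add '-U 0' to $conf"; rc=1
  fi
  return $rc
}

# Constructed sample configs so the script runs stand-alone.
good=$(mktemp); bad=$(mktemp)
printf '%s\n' '-d' '-m 64' '-p 11211' '-l 127.0.0.1' '-U 0' > "$good"
printf '%s\n' '-d' '-m 64' '-p 11211' '# -l 127.0.0.1' '-l 0.0.0.0' > "$bad"
echo "== $good"; audit_memcached_conf "$good" && echo "clean"
echo "== $bad";  audit_memcached_conf "$bad"  || echo "fix before exposing the host"
rm -f "$good" "$bad"
```

Run it against the real file with `audit_memcached_conf /etc/memcached.conf` after the nmap check; a clean audit plus a filtered 11211/udp in nmap is the state you want.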

Nextcloud Owncloud Calling Home

I did a deeper firewall test on my freshly installed OpenWRT router and activated an “Ads Blacklist”; after this my Owncloud share login loops!

Result:

  • It seems that some IPs of the “Update Check Tool” servers, which is installed inside the PHP kit, are blacklisted.
  • So it seems the code calls home! With this option it’s possible to count and collect IPs of setups! Perhaps to check out unpatched versions!
  • I didn’t check deeper, but the behaviour was clear without viewing the code.

After publishing this info via Twitter:

(Screenshot: nextcloud owncloud calling home)

REMARKS:

  • No company / developer works for “free”
  • After setting up PHP kits, do an IP firewall traffic checkout
  • If you don’t need the PHP kit reachable via the Internet, block the device’s IP at your router from Internet access!
  • Prefer standard tools like SFTP/SCP with key auth to transfer files; less insecure because only one application is active!!
  • PHP kit logins can often be found by search indexes by “search by title” of the login web interface!!

For me, I decided to purge the package and use the system standard tool “SFTP with SSH key auth” and, on my phone, Total Commander with the SFTP plugin!

Security: Protection Against Cryptware Wannacry

You perhaps heard in the last days about the major problems of attacks on systems with the “WannaCry” crypto ware.

How to protect yourself?

  • Enable the firewall on Windows systems!! Always!
  • Update the virus scanners and Windows patches daily!
  • Disable and CLOSE ports you never need! The SMB protocol is an open, unencrypted transfer protocol!
  • Use a second router with a firewall behind your ISP router or modem! (openwrt, pfsense)
  • Check the applied rules with the nmap port scanner tool and check if they work!
  • For network access ALWAYS use SFTP with authentication via key logins (two factor: key and password to unlock the key file id_rsa)
  • For freshly installed systems do a full backup of the disk.
  • To save your work files use USB drives or USB sticks which can be unplugged if you don’t need them.
  • Back up the Windows disk weekly to an external USB disk; 1TB is sold for less than 50$
  • ..last but not least, use a Linux live CD like Ubuntu to access the Internet..

Update:

  • The Linux Windows share service called Samba is also under attack: CVE-2017-7494
  • To fix it, enter this in smb.conf with an editor:

nt pipe support = no

  • Restart the service with:

$ service samba stop && service samba start

  • Don’t use reload, to be sure that the config is really reloaded!! A “systemd” problem!
  • Check the Samba share for write and read access!

Freifunk: Setup Router Software Bugfix

If you want to share public Wifi at home for friends and you don’t want to share the Wifi password, you can cheaply set up a public Openwrt Wifi router as an access point.

Advantages:

  • A public setup needs no Wifi password
  • You are not responsible, because the Internet is pulled through a VPN of the Freifunk network
  • It’s anonymous!
  • It’s free of charge!
  • Supported by a big community
  • Can be installed on very cheap old routers like the TP-Link 841 (find the single-band router on Amaz or EbXX for 12$, or the powerful dual-band router TP-Link C7 at 50$)
  • Can be used at EVERY Freifunk MESH Wifi access network (mobile home usage without Internet like LTE)
  • It’s safe
  • Can be used with solar power or a 9V battery

Device:

(Image: Freifunk router)

Howto:

  • Go to the next Freifunk community’s downloads to get a firmware; see on the sticker which version the router is, then select the firmware version, e.g. TP 841 vers. 8.1 needs v8 (remark: there are 2 versions, the .bin and the sysupgrade.bin; always use the .bin = gluon-fffd-3-142-20151030150319-tp-link-tl-wr841n-nd-v8.bin)
  • Keep this firmware as a backup!!! It’s useful if the router hangs on changes! Or if the file is PURGED because of a version change! Older is sometimes more STABLE!
  • Power up the router, log in on the TP-Link web interface as admin, go to Firmware Update, select the gluon file, reboot and wait.
  • Connect a PC with DHCP networking to the router LAN (yellow ports)
  • Set the SSH admin password on the Advanced tab first, then select the other tabs on Advanced to change the first things you need. Remark: enable “MESH on WAN or LAN” and disable MESH on WIFI, which is the default!!! This lets 2 routers stop meshing over Wifi, if you like to use a router at the office and a router in the garden without LAN cables!!
  • Now select the BASIC tab again and set changes; Geodata and bandwidth are useful, because Geodata allows finding the next router on a mesh map!
  • Save and exit! Remark: a “long HEX KEY” MUST be shown (red framed)!! If NOT, reflash the firmware because SETUP FAILED!!! for a FACTORY RESET!
  • (Screenshot: Freifunk setup success screen)
  • Test the router after boot with Wifi access, and access on LAN 2-4!! LAN 1 offers only the MESH function.
  • Emergency access is possible: power on the router, wait 60 seconds, then press RESET for min. 10 seconds, connect a PC to LAN2 and set IP 192.168.1.2 on the PC; the router listens on 192.168.1.1 via telnet!! To do a software RESET enter firstboot and confirm with YES, BUT this doesn’t work cleanly on my routers; I reflashed successfully and this is cleaner.

Administration:

  • Go to the Meshviewer map, look for your router name and pick up the IPv6 address; this map is useful to check your setup from the Internet!
  • Open a Linux terminal or PuTTY and enter ssh root@ip-v6 to reach the router console
  • With these commands you can change anything remotely: Freifunk-Commands-Howto

Remarks:

  • The MAJOR advantage is that EVERY router with this OS can be taken to ANOTHER area, and it can CONNECT to EVERY other Freifunk MESH NETWORK!
  • The TP-841 router uses 9V and can be used at MOBILE HOMES in foreign cities
  • At home the router offers anonymous office Internet access; with Linux/TAILS in RAM very secure for research

Bugfix:

  • If the hex key is NOT seen after setup, then the setup has failed; I have seen this on some setups. This can be a result of browser JavaScript errors, e.g. your browser uses adblockers. To fix it, take a fresh Firefox default profile without any ADDONS enabled!
  • Take the gluon-fffd-3-142-20151030150319-tp-link-tl-wr841n-nd-v8.bin, a NON-SYSUPGRADE .bin file, which seems cleaner. It’s found on the Freifunk firmware fresh setup on another path.

Apache: Analyse Logs Spam Bots

If you administer an Apache web server, you often see thousands of visits a day on your blogs.

Background:
These are no real users; these visits are made by spam bots, in my logs e.g. Xovi.de or xovibot.net bots!
On its info pages this company says admins should disallow crawling via robots.txt, but they IGNORE the settings!
These x-guys are in my opinion against German law “Datenschutz”.

"Mozilla/5.0 (compatible; XoviBot/2.0; +http://www.xovibot.net/)"

Solution:

  • On Linux set up a firewall like ufw and block these IP ranges
  • To find out the IPs do:

$ sudo cat /var/log/apache2/access.log | grep xovibot.net | awk '{ print $2 }' | sort | uniq -c | sort -n > x.log

  • Now read x.log with cat:


  • And insert their IP ranges into the ufw settings by:

$ sudo ufw insert 1 deny from 185.53.44.0/24 to any      # insert rule
$ sudo service ufw force-reload                          # force update firewall
$ sudo ufw status numbered                               # test status

  • Where the “insert 1” is important because ufw must see the deny entry first
  • Check the logs manually every week again with the “cat” filter.. Kick them out!
  • Remark: This howto works with every bot entry! There are more marketing scan bots on the net!
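The procedure above (grep the bot, count per IP, insert a /24 deny rule) as two reusable shell functions; this is an added example, not code from the original post. It assumes Apache's “combined” log format where the client IP is the first field (for vhost_combined the IP is the second field, so pass 2 as the field argument), and the sample log is constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): the one-liner above turned
# into two small functions that aggregate a bot's hits per /24 range and
# print the matching "ufw insert 1 deny" rules, instead of single-IP counts.
# Assumes Apache's "combined" log format, where the client IP is the first
# field; for vhost_combined the IP is the second field, so pass 2 as field.

# bot_ranges <access.log> <user-agent substring> [ip field, default 1]
# Output: "<a.b.c.0/24> <hits>", most hits first.
bot_ranges() {
  grep -F "$2" "$1" | awk -v f="${3:-1}" '
    { n = split($f, o, "."); if (n == 4) print o[1] "." o[2] "." o[3] ".0/24" }
  ' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# ufw_rules_for <access.log> <user-agent substring> [min hits] [ip field]
# Only ranges with at least <min hits> become rules, so a single stray
# visit from a range does not block a whole /24.
ufw_rules_for() {
  bot_ranges "$1" "$2" "${4:-1}" |
    awk -v min="${3:-1}" '$2 >= min { print "ufw insert 1 deny from " $1 " to any" }'
}

# Constructed sample log (combined format) so the script runs stand-alone;
# the 185.53.44.x / 212.224.119.x addresses are the ones named in the post.
log=$(mktemp)
ua='"Mozilla/5.0 (compatible; XoviBot/2.0; +http://www.xovibot.net/)"'
cat > "$log" <<EOF
185.53.44.101 - - [10/Mar/2018:06:12:01 +0100] "GET / HTTP/1.1" 200 5123 "-" $ua
185.53.44.104 - - [10/Mar/2018:06:12:03 +0100] "GET /feed/ HTTP/1.1" 200 2301 "-" $ua
212.224.119.140 - - [10/Mar/2018:06:13:10 +0100] "GET /about HTTP/1.1" 200 1800 "-" $ua
203.0.113.7 - - [10/Mar/2018:06:14:00 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
EOF
echo "== hits per /24 for xovibot.net"; bot_ranges "$log" xovibot.net
echo "== rules for ranges with 2+ hits"; ufw_rules_for "$log" xovibot.net 2
rm -f "$log"
```

Review the printed rules before piping them into `sudo sh`, and keep `ufw status numbered` handy to remove a rule that turns out to block a legitimate range.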

More Infos:
http://webrobots.de/xovibot/

Openwrt: Turn an older Router into a Wifi Accesspoint / Repeater / Extender, Solar Powered

In the summer time you perhaps need a Wifi extender for your garden??

Solution:

  • TP-Link 841/N (low power / 9V battery / solar / type-N connector allows external planar antennas!!), 3600+4300 (USB NAS / CIFS / SFTP / classroom library with USB storage)
  • Openwrt 15.XX (Chaos Calmer) as OS with firewall, web interface and REALTIME monitor for traffic and connections!
  • Easy setup: replace the OS via the TP-Link updater, reboot and log in to Openwrt
  • You get professional options!
  • Works as firewall, extender, repeater, WIFI-to-WIFI bridge, LAN-to-WIFI bridge, NTP server, DNS/DHCP server
  • Can isolate connected WIFI clients
  • Can handle different WIFI SSIDs / networks on the same hardware
  • Modded hardware can be used with 5 volts of power! (841 with a removed resistor)
  • Runs the Freifunk OS for a public free WIFI guest net (without password login, and VPN to public Internet gateways for anonymous web access)
  • Free security updates, backup and restore of settings!
  • Free support by published wikis, many manuals on the Internet and of course by me
  • Free download of the software at openwrt.org