PDA

Bekijk de volledige versie : ASUS systematic security proposal



r0kanon
13-01-2007, 19:29
Hello!

Today I had a jolly unpleasant experience - I could no longer log in with my root password. I tried quite a few methods but the bottom line was - ssh was working, http as well but my and default passwords were not valid. It seems my box has been had :eek: Now my ASUS sits on my table switched off and I put my old trusty DD-wrt box in its place - no HDD for now ;) .

This event made me focus on a job that I have been thinking about for a couple of months:
1) To create a more secure ASUS installation in which the focus would be not only to get the services (disk, ftp samba...) working, but rather working securely. After all ASUS security should be not very different from any other UNIX box security. My aim will be to test it esternally as well - from a friend's house.
2) In this process to create ASUS security guidelines - similar to marcnesium's and mine tutorials. Guidelines then could be discussed and improved.

I did not find a similar thread in these forums, therefore I think this could add to overall good experrience with ASUS. Of course I found http://wl500g.info/showthread.php?t=6588&highlight=security describing the horrible ASUS official firmware gap. I trust that Oleg's firmware does not have it - although I did not check as my ASUS was offline.

My proposed configuration would be:
1. Hardware:

- Firewall
- HDD
2. Software:

- Oleg's current firmware
- SSH
- cron
- samba
- vsftpd
- mc
- nano
- screen
- ntpclient
- nload
- enhanced-ctorrent
- additional security related programs discovered during this project

Notes:
* Security means that there is an easy routine how to check if anything suspicious is going on. Therefore some system of logs and log analysis must be in place. I plan to get this bit from the available literature.
* Command line access would be mainstay. Essentially I think setting up a httpd and maintaining it secure is an unnecessary task unless there is a huge advantage to that interface.
* Some of the scope of security related questions are:
- how to be sure your samba is not accessible from Internet (yes I know you can bind it to your LAN ip, but is it enough?)
- how to be sure your ftp server is difficult to hack in and how to alert yourself to serious attempts. I noticed that my ftp server got at least 300 login attempts during the first weeks, but I did not have the system to follow that up properly. I dod not worry very much as it was chrooted, but still - was it the cuplrit?
- how to make enhanced-ctorrent to be secure - run it form a non root account for starters?
- how to set up other accounts correctly so that above services needn't run as root
- etc...

I am grateful for your comments and suggestions.

Moody Blue
15-01-2007, 20:44
I dont think that a router with a torrent client installed could ever be classified as "secure" or even "reliable". A reliable router must not need to be rebooted every now and then, and to my experience this is the case when torrent clients are active inside the router.

r0kanon
16-01-2007, 23:33
well in my experience ASUS was remerkably stable with enhanced-ctorrent working on it. It was routing OK at the same time even skype quality was OK. Of course if there were more than 2 simultaneous torrents, then it would use the attached HDD for lots of swap activity, but 1 or 2 torrents were ok and I rebooted it perhaps once in 3 months. I think torrents and stability are more of a resources matter than security and ASUS is a small computer.

For security what would matter more IMHO is:
-> user under which torrent is running
-> availability or not of easy exploits for ctorrent
-> plus the overall router security like ports to be open and for what purpose and what the ramifications might be

jam
17-01-2007, 00:56
OK, I'm the bad guy who voted "not secure." I don't know all about Asus routers but I do know that electronic devices do not become secure by chance. If they become secure it's because of a lot of hard work by knowlegable people. And in view of the performance problems Asus has had recently I think we can be sure that they have not been working hard on security.

Furthermore, this root:root thing is not a back door---it's a front door. The only people who could install such a thing are people who are absolutely unconcerned about security and can't be bothered to consider how this hole could harm you.

As users of Asus equipment we have two important advantages: Linux, which provides a sound foundation which can be hardened, and the many man-years of expert effort which has gone into learning how to harden it. Besides, we don't have to make our routers impervious, we only need to make them hard enough that these script-kiddies will return to easier victims.

The basic principles of hardening a Linux router are not difficult to understand and are well-documented on the web:
1. Run only the services you must run: firewall, NAT. Any host can run DHCP if you really believe you need it. Static addressing is much more secure, especially if combined with MAC filtering.
2. Give each service only the privileges it really needs. No more running everything as root.
3. Pay attention to the security alerts published by the distros. Because Asus does not publish such alerts, consider installing Debian or Gentoo or some other reputable distro.
4. Simplest of all: when you're not really using your equipment, turn it off. Consider the environment. Consider your electric bill. Consider your credit rating.


.

r0kanon
25-02-2007, 12:01
OK guys, it seems quite a few have looked at this, opinion of those who cared to vote is evenly divided. In a couple of weeks I will start my ASUS security project and post steps here on my way as I very likely won't have the time to do everything in one day :eek:

wirespot
07-03-2007, 17:08
I've just tested my 500gP with Nessus and the latest plugins. The only thing it had to say was that dropbear 0.47 can suffer from denial of service: if someone were to open 30 connections to it that's it, no more new connections for legitimate users. 0.48 solves this problem, we'll probably see it in the next of Oleg's firmwares.

A few details are probably in order about how my Asus is set up.

* It has Oleg's firmware, not the default one.
* The firewall configuration is the default one, to which I've added: drop FTP (port 21) from the outside (I only use it in the LAN); allow SSH, but on a non-standard port, to cut down on dumb automatic probes; allow HTTP to lighttpd for the transmission CGI, again on a non-standard port; allow a port on both TCP and UDP for transmission to get more torrent peers.
* NO access to the router web interface from the outside! I've also moved it to a non-standard port, just to be paranoid (see the interface to see how).
* NO access to the FTP server from outside (it's vsftpd and I've bound it to the LAN IP only).

Some ideas for securing the box as much as possible:

Cut down on unnecessary services. What doesn't run and doesn't listen on an outside port can't be hacked from outside the LAN (it MAY be hacked if someone exploits a vulnerable program on a computer inside the LAN, such as Internet Explorer on an unpatched Windows, so it's a neverending story). Use these commands to see what services you have: "netstat -tlnp" (also -ulnp for UDP and -xlnp for UNIX sockets). Kill daemons you don't use -- CAREFUL, see if the router still works after you do. If it does, add the kill command to the post-boot script and save to flash so it does it right after boot. From what I see, nas and snmpd are good candidates for killing. Also upnp, provided you don't use any programs on the LAN PC's that would need it (I run the torrent on the router so I don't). I think some messenger/VoIP programs may need it too.

If possible and applicable, bind programs only on the LAN interface or IP.. For instance, I've configured vsftpd to only listen on the LAN IP. DO NOT RELY ON THE FIREWALL ALONE TO BLOCK! Firewall is like duct tape, it's better to not rely on it for such things if it's possible to do it properly. The administration web interface would also be a very good idea to be bound to a LAN-only IP, but I haven't figured out how to do that yet.

The firewall could be better. I'm not 100% happy with the default settings. Sure, they're a reasonable compromise between security and functionality, but if you want as much security as possible (which is the topic of this thread) there's room for improvement: a default policy of DROP on INPUT; elimination of redundant and useless rules; and best of all, very paranoid rules, which deny everything by default and allow only a small set of ports and services. But, granted, to maintain such a firewall is impossible for the average user; everytime they install a new program that uses the net they should adjust the firewall. It takes a very knowledgeable person, and they must be willing to do it on a constant basis.

These being said, here's my current firewall adjustments, performed in /usr/local/sbin/post-firewall. I use Oleg 1.9.2.7-7g-pre1. YMMV:


## re-set default policy on input
iptables -P INPUT DROP
## Allow access to various router services from WAN
# (ssh, transmission, my own http)
for P in 22 60000 81; do
iptables -I INPUT 1 -p tcp -i "$1" --syn --dport $P -j ACCEPT
done
# (transmission on UDP)
iptables -I INPUT 1 -p udp -i "$1" --dport 60000 -j ACCEPT
## drop unneeded liberties
# delete rule that allows FTP
iptables -D INPUT -p tcp --dport 21 -j ACCEPT
# delete rule that allows http access on LAN, it's redundant
iptables -D INPUT -p tcp --dport 80 -d "$4" -j ACCEPT