Home Routers Pose Biggest Consumer Cyberthreat

Of the small-office, home-office routers evaluated, every one could be compromised with relative ease by hijacking DNS connections, exploiting HTTPS flaws, weaknesses in Universal Plug and Play services, cross-site-scripting attacks, file-traversal and source-code vulnerabilities, weaknesses in WiFi Protected Setup (WPS), buffer overflows or simply bypassing authentication requirements.

via Home Routers Pose Biggest Consumer Cyberthreat.

During late 2013 and early 2014, gangs of Polish hackers have robbed thousands of consumers by attacking home routers and changing DNS settings so they point at the attackers’ DNS servers rather than legitimate servers.

DNS is a big problem.  Usually devices behind a SOHO router will receive their DNS info from the router via DHCP.  The router has been configured by the owner using DNS settings from their ISP or they could use one of Google’s servers like  A user of their home network should expect a higher level of security unlike the open wifi people use on the road.

The simplest remedy is never allow router management access from the Internet.  This is usually turned off by default.  Routers should be set and forget so using the maintenance interface should be a rare occurrence.  The TP-LINK outlined here requires a user to click a malicious link while in a management session according to this:

Attack Requirements

  • The victim must have an active management session with the WR1043N.
  • The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

Here again the user gets tricked into becoming compromised so this wouldn’t be a problem if the user simply entered the management interface of the router, made changes, and left. There’s no point lingering around in a management session.

A physical dedicated firewall sitting between the Internet and treating all routers as dumb access points makes for an added layer of security.  All SOHO routers are relatively cheap embedded devices.  It is impractical to even expect them to defend against all possible exploits.  By virtue of being on the Internet everyone gets constantly scanned by bots.  That only poses a problem if the bot sees a vulnerability and phones home listing your device as a possible target.

tc: Linux HTTP Outgoing Traffic Shaping (Port 80 Traffic Shaping)

I‘ve 10Mbps server port dedicated to our small business server. The server also act as a backup DNS server and I’d like to slow down outbound traffic on port 80. How do I limit bandwidth allocation to http service 5Mbps (burst to 8Mbps) at peak times so that DNS and other service will not go down due to heavy activity under Linux operating systems?

You need use the tc command which can slow down traffic for given port and services on servers and it is called traffic shaping:

via tc: Linux HTTP Outgoing Traffic Shaping (Port 80 Traffic Shaping).

netfilter/iptables project homepage

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem.

via netfilter/iptables project homepage – The netfilter.org “nftables” project.

From: Nftables: a new packet filtering engine

Packet filtering and firewalling has a long history in Linux. The first filtering mechanism, called “ipfwadm,” was released in 1995 for the 1.2.1 kernel. This code was used until the 2.2.0 stable release (January, 1999), when the new “ipchains” module took over. While ipchains was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was replaced by iptables/netfilter, which remains in the kernel now. If netfilter maintainer Patrick McHardy has his way, though, iptables, too, will be gone in the future, replaced by yet another mechanism called “nftables.” This article will give an overview of how nftables works, followed by a discussion of the motivations behind this change.

Rackspace Adds Brocade’s vRouter

The vRouter is a software-based router that runs on server hardware, so it can do other things — routing (duh) or acting as a virtual private network (VPN) gateway, for instance. The attraction to the firewall piece is that cloud customers previously had been building things like firewalls out of Linux components, says John Engates, Rackspace’s CTO.

via Light Reading – Rackspace Adds Brocade’s vRouter.

Five Ways To Better Hunt The Zebras In Your Network

There are a lot of decent threat sources out there today, and inexpensive tools that can be used to combine them with firewall data, he says.

“For someone that is low on budget, you can perform this with existing log aggregation tools, but I would not try to do this by hand,” Brazil says, who is a big proponent of security information and event monitoring (SIEM) systems.

via Five Ways To Better Hunt The Zebras In Your Network – Dark Reading.

Welcome to DenyHosts

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain entry into your system?

via Welcome to DenyHosts.

Not me.  If I let ssh into the network I only allow it for the IP address I’m going to be accessing the network from.  These brute force attacks are annoying.  This little app may prove useful.  Will look into this.

Mass-blocking IP addresses with ipset

It has been shown, the hash approach as implemented by ipset clearly beats traditional mass-rule-blocking. It extends netfilter in a very useful way by decreasing the average response time. In the average over all samples made, IP sets are over 11 times faster. To conclude, let me show you another plot, this time I compared the ipset and iptables approaches within the same graph. The yellow bar shows ipset delays, the red bar does so for iptables.

via Mass-blocking IP addresses with ipset » daemonkeeper’s purgatory.