Security issue, all services exposed to mobile network! [released]
Today I logged in on ssh and was really shocked as I saw there were 5700 attempts to login! So I tried to check where it comes from and found out that there is no firewall against rmnet0. It seems like all services are exposed to the mobile network.
I'm not a network security specialist, but it looks like a real risk! Who really knows which app opens ports and is therefore attackable from the whole world? What makes it even worse, most users don't use strong passwords when they think they are secured by the router in their home WLAN.
And yes, there is no NAT. My provider gives me a public IP.
As iptables was installed but not configured, I executed the following commands and hope that helps to restore basic security:
iptables -F INPUT                    # flush existing INPUT rules
iptables -P INPUT DROP               # default policy: drop all incoming traffic
iptables -A INPUT -i lo -j ACCEPT    # allow loopback
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # allow replies to connections the phone opened
iptables -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT   # ssh only via WLAN, never via rmnet0
iptables -A INPUT -i wlan0 -p icmp -j ACCEPT             # ping only via WLAN
iptables -P INPUT DROP               # policy set again; redundant but harmless
What is your opinion about that issue?
Edit:
Making these permanent, even after reboot, works with /sbin/iptables-save > /etc/sysconfig/iptables
Related: https://together.jolla.com/question/178772/security-issue-sshd-daemon-gets-activated/
Leon ( 2018-07-15 01:30:15 +0200 )
Personally, I use Gauth for two-factor authentication. http://talk.maemo.org/showpost.php?p=1468523&postcount=1
Nieldk ( 2018-07-15 09:39:31 +0200 )
You can also use the /etc/hosts.allow file to limit access to sshd by IP or network. I don't expect that any other ports are in listening mode on the public interface, or at least I did not have any.
Manatus ( 2018-07-15 10:58:07 +0200 )
@Manatus: Are you sure that this works on SFOS? I do not see any TCP wrappers installed, and sshd is not linked against any wrapper library?
Leon ( 2018-07-15 13:17:08 +0200 )
@Leon, I think I tested it in the past, but now I'm not so sure anymore... Edit: I tested it and you are correct, /etc/hosts.allow does not work. I probably thought that it wouldn't exist unless tcp wrapper was installed. :(
Manatus ( 2018-07-15 14:24:43 +0200 )
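A check that follows up on the question raised in the post and in Manatus's comment of which services are actually listening on the public interface, added here as an example and not part of the original thread: it decodes the kernel's /proc/net/tcp table and lists TCP listeners bound to 0.0.0.0, which are reachable on every interface including rmnet0 unless the INPUT policy drops them. The sample table and the optional file argument are constructed for the example; without the argument it reads the phone's live table.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists TCP sockets in LISTEN
# state bound to the wildcard address 0.0.0.0: without a DROP policy on INPUT
# these are reachable from every interface, rmnet0 included. Reads the
# /proc/net/tcp format (IPv4 only; /proc/net/tcp6 has the same layout with
# 32-hex-digit addresses and is not handled here).

# Decode one local_address field, "AABBCCDD:PPPP": the IPv4 bytes are stored
# in reverse order, the port is big-endian hex.
hex_to_ip_port() {
    addr=${1%%:*}
    port=${1##*:}
    printf '%d.%d.%d.%d:%d' \
        "0x$(printf '%s' "$addr" | cut -c7-8)" \
        "0x$(printf '%s' "$addr" | cut -c5-6)" \
        "0x$(printf '%s' "$addr" | cut -c3-4)" \
        "0x$(printf '%s' "$addr" | cut -c1-2)" \
        "0x$port"
}

# Print "ip:port" for every LISTEN (state 0A) socket bound to 0.0.0.0.
# $1 is the table file to read; it defaults to the live kernel table.
exposed_listeners() {
    tail -n +2 "${1:-/proc/net/tcp}" | while read -r sl laddr raddr state rest; do
        [ "$state" = "0A" ] || continue
        case $laddr in
            00000000:*) hex_to_ip_port "$laddr"; echo ;;
        esac
    done
}

# Constructed sample table: sshd on 0.0.0.0:22, a loopback-only service on
# 127.0.0.1:8080, an established ssh session, and a daemon on 0.0.0.0:5432.
SAMPLE_TABLE=$(mktemp)
cat >"$SAMPLE_TABLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 100000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0016 0B00000A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000 100000        0 12348 1 0000000000000000 100 0 0 10 0
EOF

# Run against the sample; call exposed_listeners with no argument to inspect
# the phone's real table instead.
exposed_listeners "$SAMPLE_TABLE"
```

Anything this prints that is not meant for the public IP needs either an interface-restricted iptables rule like the ones in the post or a bind to 127.0.0.1 in the service's own configuration.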