
Security issue, all services exposed to mobile network! [released]

Tracked by Jolla (In release)

asked 2018-07-15 00:09:11 +0300

SaimenSays

updated 2018-10-26 22:47:52 +0300

Today I logged in via ssh and was really shocked when I saw there had been 5700 attempts to log in! So I tried to check where they come from and found out that there is no firewall on rmnet0. It seems like all services are exposed to the mobile network.
I'm not a network security specialist, but it looks like a real risk! Who really knows which apps open ports and are therefore attackable from the whole world? What makes it even worse, most users don't use strong passwords when they think they are secured by the router in their home WLAN.
And yes, there is no NAT. My provider gives me a public IP.

As iptables was installed but not configured, I executed the following commands and hope that helps to restore basic security:

# flush the existing INPUT rules and build the new set before switching the policy
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ssh and ping only from the home WLAN; nothing is accepted on rmnet0
iptables -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i wlan0 -p icmp -j ACCEPT
# default-deny last, so an open ssh session is not cut off while the rules are entered one by one
iptables -P INPUT DROP

What is your opinion about that issue?

Edit: Making these permanent, even after reboot, works with /sbin/iptables-save > /etc/sysconfig/iptables


The question has been closed for the following reason "released in a software update" by jovirkku
close date 2019-03-26 10:13:05.976305
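
As an added example, not part of the original question or of Sailfish OS itself: a small Python audit that decodes /proc/net/tcp and lists which TCP listeners a peer on the mobile interface could reach when no INPUT filter is active, which is the "who knows which app opens ports" question above. The /proc/net/tcp excerpt and the interface addresses are constructed, and the address decoding assumes a little-endian host (ARM or x86).

```python
import socket

LISTEN = "0A"  # state code used by /proc/net/tcp for listening sockets

# Constructed /proc/net/tcp excerpt: sshd on all addresses, a uid-100000 app on
# loopback only, another app bound to the WLAN address, plus one ESTABLISHED flow.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 100000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0501A8C0:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000 100000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0501A8C0:0016 0A01A8C0:E1F2 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def _hex_to_ipv4(hex_ip: str) -> str:
    """Decode the host-order hex IPv4 form used in /proc/net/tcp (little-endian host assumed)."""
    return socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])


def parse_listeners(proc_net_tcp: str) -> list[tuple[str, int, int]]:
    """Return (bind_address, port, uid) for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        listeners.append((_hex_to_ipv4(ip_hex), int(port_hex, 16), int(fields[7])))
    return listeners


def exposed_on(listeners: list[tuple[str, int, int]], if_addr: str) -> list[tuple[int, int]]:
    """(port, uid) pairs reachable through an interface holding if_addr when no
    packet filter is in place: wildcard binds and binds to that exact address."""
    return [(port, uid) for addr, port, uid in listeners if addr in ("0.0.0.0", if_addr)]


if __name__ == "__main__":
    # On a device, read the live table instead of the constructed sample:
    # with open("/proc/net/tcp") as f: table = f.read()
    table = SAMPLE_PROC_NET_TCP
    # constructed interface addresses, not real ones
    for ifname, addr in {"rmnet0": "10.0.0.2", "wlan0": "192.168.1.5"}.items():
        print(ifname, exposed_on(parse_listeners(table), addr))
```

Anything the script reports for rmnet0 is what the default-deny INPUT policy above is meant to close; IPv6 listeners live in /proc/net/tcp6 and are not covered here.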

Comments

1

Personally, I use Gauth for two-factor authentication. http://talk.maemo.org/showpost.php?p=1468523&postcount=1

Nieldk ( 2018-07-15 09:39:31 +0300 )
2

You can also use the /etc/hosts.allow file to limit access to sshd by IP or network. I don't expect that any other ports are in listening mode on the public interface, or at least I did not have any.

Manatus ( 2018-07-15 10:58:07 +0300 )

@Manatus: Are you sure that this works on SFOS? I do not see any TCP wrappers installed, and sshd is not linked against any wrapper library?

Leon ( 2018-07-15 13:17:08 +0300 )

@Leon, I think I tested it in the past, but now I'm not so sure anymore... Edit: I tested it and you are correct, /etc/hosts.allow does not work. I probably thought that it wouldn't exist unless the TCP wrapper was installed. :(

Manatus ( 2018-07-15 14:24:43 +0300 )

1 Answer

5

answered 2019-03-26 10:12:38 +0300

jovirkku

The fix for this issue is included in Sailfish OS update 3.0.2.
