WRTSL54GS Adventures

Another SL54 & Kamikaze 8.09

2008-11-07T04:31:25Z

Kamikaze 8.09 is almost ready, just hit RC1. Time to prep my (2nd) backup WRTSL54GS. First step is to install the serial adapter, but Linksys has thrown a curve, instead of the standard screws previously used, these are 'tamper proof' Torx-10 screws, the tamper proof versions have a small stud in the exact center of the screw to keep a normal driver from being inserted.

Small delay, I'll just need to fetch my set of security drivers from work tomorrow... ;)

Brute Force attacks, Part 2

2008-10-20T03:56:15Z

Yesterday's article, Blocking brute force attacks, helped me put a great dent in attacks here, but also caused a bit of an inconvenience. Using IPTABLES to block such attacks has the inherent drawback of using the same restriction on both successful and failed connections, and the main system I check mail on here logs into quite a few separate mail accounts locally, all requiring a separate connection, so my default filter had to allow for a rather high number of incoming connections before any could be blocked. Enter the whitelist...

Additional reading online found a number of very similar articles, again all centered around SSH attacks to the router, not a separate system behind the router. After a few rounds of testing, I finally found the trick that would work here, the completed snipped of code is below, refer to yesterday's article for a more complete firewall.user file.

The greatest challenge was in determining exactly how to whitelist internal traffic. When such traffic is logged by my servers, the connection appears to be coming from outside, so my natural assumption was to whitelist the external IP. That just didn't work. Changing the code to whitelist my internal network did the trick, a streamlined version follows. This code may likely only be necessary for mail accounts, other types of connections are not as likely to have a high number of repeat connections for valid users, internally or externally.

# POP/IMAP iptables -N pop-whitelist iptables -A pop-whitelist -s $network -m recent --remove --name POP -j ACCEPT

iptables -A forwarding_rule -p tcp --dport 110 -m state --state NEW -m recent --set --name POP iptables -A forwarding_rule -p tcp --dport 110 -m state --state NEW -j pop-whitelist iptables -A forwarding_rule -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name POP -j DROP

Blocking brute force attacks

2008-10-18T05:17:12Z

This one has had me baffled for a while. From time to time in my logs, I'd see repeated attempts by an unknown IP to connect to one of the services here, usually trying to log into the mail server via a POP account. Normally I'd simply update the /etc/firewall.user file to drop connections from that IP, and not worry about it, but I knew there had to be a way to stop such attacks in their tracks...

]]> Finally after getting fed up and doing some reading on connection throttling and other topics, I found a number of articles that all focused on blocking brute force dictionary attacks to the SSH service, using the ipt_recent module for iptables. Trying to adapt these by simply changing the port number didn't work, changing the rule they were applied to didn't work, many variations either caused errors in iptables, or simply failed to stop any attacks.

After more Googling, and closing in on exactly what I was searching for, I finally found an article that had much the same information as the others, but some comments there led me to the answer I needed.

The steps documented in many places for SSH will work great, but they are intended to block traffic destined for a service on the router itself. My situation was to block traffic destined for a server behind the firewall, but not on the router, a service that traffic was being forwarded to.

This is a key difference, and iptables handles these chains in different ways, and the rules I was putting in were only acting on the INPUT chain, not the forwarding_rule.

My firewall.user file was cobbled together from various places, including a number of threads on the OpenWrt forums, and so is likely a bit different from what others may have, so below is the relevant code from my file showing how my rules are defined, and more importantly, the working code that will block repeated attempts at connecting to the POP service here (port 110).

In my example, 10 connections within 60 seconds from the same IP will cause further attempts to simply drop, until the oldest connections age past 60 seconds and drop off. The second rule will drop connections with 20 attempts in 10 minutes (600 seconds), which should be enough to stifle most attacks. I plan to adapt this code to FTP and other services also.

It is important to understand how users connect to these services, and when multiple connections within a short timespan may be required, so that you can then identify what may actually constitute an attack to effectively block it.

#!/bin/sh . /etc/functions.sh

WAN=$(nvram get wan_ifname) LAN=$(nvram get lan_ifname) iptables -F input_rule iptables -F output_rule iptables -F forwarding_rule iptables -t nat -F prerouting_rule iptables -t nat -F postrouting_rule # Note: Firewall must be re-run if WAN IP address changes WANIP=`ifconfig $WAN | grep inet\ addr | sed -r 's/.*inet addr:([0-9.]+) .*/\1/'` network="192.168.1.0/24" server="192.168.1.10" server2="192.168.1.11" server3="192.168.1.9" printer="192.168.1.99" iptables -t nat -A postrouting_rule -o $WAN -j SNAT --to-source $WANIP # allow iptables -A FORWARD -i br0 -o br0 -j ACCEPT iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT # Lines below let WAN address work from LAN # POP/IMAP iptables -N POP_CHECK iptables -A forwarding_rule -p tcp --dport 110 -m state --state NEW -j POP_CHECK iptables -A POP_CHECK -m recent --set --name POP iptables -A POP_CHECK -m recent --update --seconds 60 --hitcount 10 --name POP -j DROP iptables -A POP_CHECK -m recent --update --seconds 600 --hitcount 15 --name POP -j DROP

iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 110 -j DNAT --to $server:110 iptables -A forwarding_rule -d $server -p tcp --dport 110 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 110 -j SNAT --to-source $WANIP

Kamikaze delayed...

2008-08-17T04:46:38Z

Still waiting on the Release Candidate that should have been out early this month. Lots of fixes in the new release, still no new kernel for my WRT, though. Stupid Broadcom not releasing drivers for their chipset...

New Kamikaze coming...

2008-06-25T06:55:37Z

Due in August. Time to prep my backup router...

Restricting URLs

2008-02-27T02:53:38Z

There is probably a better way to do this, but I've gotten tired of my son screwing around on the net and not doing his homework, so I've decided to block a few sites at the router. His system uses DHCP addressing, so he picks up the DNS server info from OpenWRT, which till now just passed along those requests to the configured ISP DNS servers. My other systems are on static, and have these DNS entries listed manually.

So, it seemed to be an easy process to insert a few entries into the /etc/hosts file on the router.

]]> Using the web interface, under the Network/Hosts menu, you can easily add new entries. Failing that, editing /etc/hosts by hand isn't that big a deal. The trick, of course, is what to redirect things to.

It would be easy enough to pick a 'safe' site to redirect requests to, a homework help site, the school's web site, etc. All you'd need is their IP address and then just list out the sites you want to point there. In my case, since I am already running a web server here, it seemed easy enough to just add a new VirtualHost under Apache.

Since obviously I wasn't going to purchase a new domain for this, the easiest thing to set up unique traffic seemed to be to add a second IP address on the Mac's ethernet port. In System Preferences, click Network, add a new service (the + symbol if you're running Leopard), select the Ethernet interface, and just call it Ethernet 2. Set a new static IP, save it, and you're done.

Next, in the Apache config files(/etc/apache2/extra/httpd-vhosts.conf for 10.5), set up a new virtual host using that IP address, and port 80. Then just set up where the documents for this web site are located, separate log files if you wish, then grant access for web visitors to actually reach this content. Example follows:

DocumentRoot /www/homework/Documents ErrorLog "/Users/wright/Documents/apache2/homework_error_log" CustomLog "/Users/wright/Documents/apache2/homework_access_log" combined

Options Indexes FollowSymLinks MultiViews Order allow,deny Allow from all ErrorDocument 404 /index.html

The ErrorDocument statement above will take any page that isn't found (which almost all page requests will be) and redirects this to the main page served. All that I'm using for this is a simple HTML document that displays the text 'Site Unavailable, go do your homework." Obviously you can be as fancy as you want with that.

Over on the OpenWRT side, enter the domains you wish to route to this fake web page. My etc/hosts file looks like the following:

127.0.0.1 localhost OpenWrt 192.168.1.9 youtube.com www.youtube.com

Specifically adding the www.* domain is important, otherwise those requests will hit the actual site.

Kamikaze again

2008-01-10T19:42:16Z

I'm going to take another crack at installing Kamikaze on my new spare WRTSL54GS that I picked up before the holidays. After I install a new serial jack on it, that is. :)

I've had this one just idling with power on and nothing else hooked up as a burn in test, since it's still chugging I think I'm past the issue I had with my last spare router now.

Smoked router

2007-07-28T01:16:50Z

A few weeks ago, I had purchased a spare WRTSL54GS to do testing on, and unfortunately shortly after installing a new serial port (installed almost immediately after opening the box) and then installing Kamikaze, discovered that the router had become unresponsive after just a few days.

Consulting several experts led me to believe that he router was bricked. I shipped it off to a friend to verify, and all indications are that I had experienced an actual hardware failure, possibly as a result of a power fluctuation here (something I had ignored at the time, but now seems likely to have been the culprit). It is also possible I had bad hardware from the factory, but as I had quickly modified it, I had no way of knowing if it may have been bad originally. Bummer.

Printing on home LAN via internet

2007-06-09T02:45:45Z

A bit of trickery to print to a printer on my home LAN via the internet. The example below assumes the printer is being connected to externally on port 12345, and actually accepts connections on port 9100 (HP Jet Direct).

Tested and working, but may not be perfect. OS X wasn't able to identify the printer model automatically, but setting this manually let the jobs print normally.

# Printer iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 12345 -j DNAT --to 192.168.1.99:9100 iptables -A forwarding_rule -d 192.168.1.99 -p tcp --dport 9100 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d 192.168.1.99 -m multiport --dports 9100 -j SNAT --to-source $WANIP

IP Tables

2007-05-04T04:32:08Z

For posterity, here is my working iptables config:

#!/bin/sh . /etc/functions.sh

iptables -t nat -A postrouting_rule -o $WAN -j SNAT --to-source $WANIP

There you have the basic setup. The variable WANIP will find the current IP address of the WAN interface, network is whever you have defined for your local LAN, and server is the server you're routing ports to. You could easily define server2, server3, etc, for as many systems as you want to map here.

# identd iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 113 -j ACCEPT iptables -A input_rule -i $WAN -p tcp --dport 113 -j ACCEPT

This is my config for identd (still not working for some reason?) to open the correct port, and set up the router itself to answer on this port (that part, at least, works).

# Lines below let WAN address work from LAN # SMTP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 25 -j DNAT --to $server:25 iptables -A forwarding_rule -d $server -p tcp --dport 25 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 25 -j SNAT --to-source $WANIP

# HTTP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 80 -j DNAT --to $server:80 iptables -A forwarding_rule -d $server -p tcp --dport 80 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 80 -j SNAT --to-source $WANIP # POP/IMAP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 110 -j DNAT --to $server:110 iptables -A forwarding_rule -d $server -p tcp --dport 110 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 110 -j SNAT --to-source $WANIP

iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 143 -j DNAT --to $server:143 iptables -A forwarding_rule -d $server -p tcp --dport 143 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 143 -j SNAT --to-source $WANIP

Opening up various ports that will be handled by 'server', and tricking things so that requests via the LAN port for the WANIP will get routed correctly, so you can use your own external domain name internally (default router config doesn't allow this to work). This was the tricky bit solved in the forum thread mentioned in my last post.

# Access webif from WAN on port 65321 iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 65321 -j DNAT --to :80 iptables -A input_rule -i $WAN -p tcp --dport 80 -j ACCEPT

This took a small bit of research. This will redirect port 65321 from the WAN side to port 80 on the router itself, in case you want the router's web interface to be accessible externally. Use this same trick if you wanted to SSH into the router, or externally access any other router specific service by remapping the port.

WRTSL54GS finally in production

2007-04-22T19:41:56Z

After a few months of tinkering with getting to know this guy, and doing my final (for now?) hardware mod and getting a proper serial connection in place, I've finally replaced my old Asante router that had served me well these last several years.

The trickiest bit was figuring out the iptables command and setting things up so that I could access my web/mail server via the LAN using the WAN address (so I could refer to it by name instead of a local IP). This posting over on the OpenWRT forums was a great help in doing exactly what I needed.

Serial upgrade complete

2007-04-22T18:34:39Z

My TTL-232R-3V3-AJ USB cables arrived last week (I ordered a spare), a quick test after installing the OS X driver indicated that I was indeed seeing a new serial port after plugging the cable in, so it was now time to replace my hacked Keyspan interface with a clean looking 3.5mm stereo audio jack on my WRT. Having it in the back with the other ports would have been ideal, but there was just no real estate left. I opted for the top case opposite the antenna jack.

I wish now that I'd had some heat shrink tubing on hand for the jack, but I'm not planning to go back to fix that unless I have to. A quick desoldering of my old cable from the underside of the board and soldering the new cable to the top of the board and I was in business.

USB Serial cable

2007-04-16T04:54:16Z

A recent post in the OpenWRT forums hilighted the TTL-232R-3V3-AJ USB cable, a TTL Level Serial Converter, or in other words, it takes a 3.3v RS-232 signal and converts it to USB, perfect for use with my WRTSL54GS, thanks to the fact that they also have Mac drivers available. This will allow me to ditch (with some slight regret) my hacked USB serial interface, and simply add a clean looking 3.5mm stereo audio connector to the side of my WRT, which this cable will plug right into.

Several versions of this cable are available for 5v and 3.3v sources, with several alternate ends, the AJ (Audio Jack) version to me seems the most flexible to adding a serial interface as it is easily removable from the unit when not needed.

OpenWRT WhiteRussian 0.9

2007-03-02T03:25:37Z

The 'final' build WhiteRussian has been out for a while now, version 0.9 is supposed to be the end of the line, with work now focusing on the Kamikaze builds. Nightly snapshots have been getting posted at openwrt.org, but I'll be sticking with the stable 0.9 release for a while.

I still need to dig in and figure out iptables, the code that controls the firewall and NAT settings, it's a lot trickier than what I'm used to, and there aren't a lot of great examples online that I've been able to find so far.

Updated Busybox

2007-01-10T04:53:44Z

I'm now running OpenWRT R6 on the router, and I also had to upgrade to the newer Busybox code from Kamikaze (available as a separate package). Apparently the code that requests a DHCP address via the WAN port generates fairly large packets, and a small number of people seem to have problems getting an IP address under certain circumstances because of this, and it looks like RoadRunner's servers are one of those cases. The new Busybox includes code to trim the packs to eliminate extra padding that really served no useful purpose, and I'm now able to pick up an IP address just fine.

That looks to be my last technical hurdle on putting this into production here. All I need to do now are fine tune my firewall rules for port handling, and I should be good to go. Now all I need is some free time to get that worked out... ;)